diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index c82cc04f9..94639126c 100755
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -48,4 +48,7 @@ Changes since 1.4.6 22) Make burst optional in rate limited rules and policies. -23) Allow display of multiple chains in one "shorewall show" command.
\ No newline at end of file
+23) Allow display of multiple chains in one "shorewall show" command. + +24) Add "RATE LIMIT" column for those who prefer their config files to + be wide but normalized.
diff --git a/Shorewall/firewall b/Shorewall/firewall
index a009f353e..8d3a3a941 100755
--- a/Shorewall/firewall
+++ b/Shorewall/firewall
@@ -2440,6 +2440,7 @@ process_rule() # $1 = target # $5 = ports # $6 = cports # $7 = address + # $8 = ratelimit { local target="$1" local clients="$2"
@@ -2448,17 +2449,21 @@ process_rule() # $1 = target local ports="$5" local cports="$6" local address="$7" + local ratelimit="$8" local rule="`echo $target $clients $servers $protocol $ports $cports $address`" # Function Body - isolate rate limit - if [ "$target" = "${target%<*}" ]; then - ratelimit= - else - ratelimit="${target#*<}" - ratelimit="${ratelimit%>*}" - target="${target%<*}${target#*>}" - expandv ratelimit + if [ -z "$ratelimit" ]; then + if [ "$target" != "${target%<*}" ]; then + ratelimit="${target#*<}" + ratelimit="${ratelimit%>*}" + target="${target%<*}${target#*>}" + expandv ratelimit + fi + fi + + if [ -n "$ratelimit" ]; then case $ratelimit in *:*) ratelimit="-m limit --limit ${ratelimit%:*} --limit-burst ${ratelimit#*:}" 
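Review bot: In the firewall hunk at @@ -2448, when `$8` already carries a rate limit the new `if [ -z "$ratelimit" ]` guard skips stripping a `<…>` suffix from `target`, so a rule that uses both forms — which the rules file says is not allowed — hands iptables a target such as `ACCEPT<2/sec>` and presumably fails there without naming the offending rule. Consider rejecting the conflict explicitly right after the two new `fi` lines: `if [ -n "$ratelimit" ] && [ "$target" != "${target%<*}" ]; then fatal_error "Rate limit given in both ACTION and RATE LIMIT columns: $rule"; fi`, reusing the `fatal_error` helper that process_rules already calls. The `# $8 = ratelimit` comment added in the preceding hunk could also say that this parameter takes precedence over a limit embedded in the ACTION. process_rule's body, including the `case $ratelimit` this hunk opens, continues past the hunk.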
@@ -2716,17 +2721,17 @@ process_rules() # $1 = name of rules file for yclients in $xclients; do for yservers in $xservers; do if [ "${yclients}" != "${yservers}" ] ; then - process_rule $xtarget $yclients $yservers $xprotocol $xports $xcports $xaddress + process_rule $xtarget $yclients $yservers $xprotocol $xports $xcports $xaddress $xratelimit fi done done } - while read xtarget xclients xservers xprotocol xports xcports xaddress; do + while read xtarget xclients xservers xprotocol xports xcports xaddress xratelimit; do temp="${xtarget%:*}" case "${temp%<*}" in ACCEPT|DROP|REJECT|DNAT|DNAT-|REDIRECT|REDIRECT-|LOG|CONTINUE) - expandv xclients xservers xprotocol xports xcports xaddress + expandv xclients xservers xprotocol xports xcports xaddress xratelimit if [ "x$xclients" = xall ]; then xclients="$zones $FW"
@@ -2743,10 +2748,10 @@ process_rules() # $1 = name of rules file continue fi - process_rule $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress + process_rule $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit ;; *) - rule="`echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress`" + rule="`echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit`" fatal_error "Invalid Action in rule \"$rule\"" ;;
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index 57379ce81..fcc230a5d 100755
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@@ -258,23 +258,33 @@ New Features: to create two rules; a DNAT- rule and an ACCEPT rule which can be rate-limited separately. - To specify a rate limit, follow ACCEPT, DNAT[-], REDIRECT[-] or LOG - with + To specify a rate limit, you can follow one of two approaches: - < /[:] > + a) You may follow ACCEPT, DNAT[-], REDIRECT[-] or LOG with - where + < /[:] > - is the sustained rate per - is "sec" or "min" - is the largest burst accepted within an . If - not given, the default of 5 is assumed. + where - There may be no white space between the ACTION and "<" nor there may - be any white space within the burst specification. If you want to - specify logging of a rate-limited rule, the ":" and log level comes - after the ">" (e.g., ACCEPT<2/sec:4>:info ). + is the sustained rate per + is "sec" or "min" + is the largest burst accepted within an + . If not given, the default of 5 is + assumed. + There may be no white space between the ACTION and "<" nor there + may be any white space within the burst specification. If you want + to specify logging of a rate-limited rule, the ":" and log level + comes after the ">" (e.g., ACCEPT<2/sec:4>:info ). + + b) There is a new RATE LIMIT column at the far right of the + file (beyond column 80). You may place the rate limit there in + the format: + + /[:] + + where , and are as above. + Let's take an example: ACCEPT<2/sec:4> net dmz tcp 80
@@ -295,4 +305,3 @@ New Features: 10) Multiple chains may now be displayed in one "shorewall show" command (e.g., shorewall show INPUT FORWARD OUTPUT). -
diff --git a/Shorewall/rules b/Shorewall/rules
index 0b375acf1..656ed7de5 100755
--- a/Shorewall/rules
+++ b/Shorewall/rules
@@ -50,11 +50,12 @@ # You may rate-limit the rule by optionally # following ACCEPT, DNAT[-], REDIRECT[-] or LOG with # -# < /: > +# < /[:] > # # where is the number of connections per # ("sec" or "min") and is the -# largest burst permitted. There may be +# largest burst permitted. If no is given, +# a value of 5 is assumed. There may be no # no whitespace embedded in the specification. # # Example: ACCEPT<10/sec:20>
@@ -64,6 +65,11 @@ # DNAT<4/sec:8>:debugging). This causes the packet to be # logged at the specified level. # +# NOTE: For those of you who prefer to place the +# rate limit in a separate column, see the RATE LIMIT +# column below. If you specify a value in that column, +# you must not include a rate limit in the ACTION column +# # You may also specify ULOG (must be in upper case) as a # log level.This will log to the ULOG target for routing # to a separate log through use of ulogd
@@ -206,6 +212,22 @@ # If no source IP address is given, the original source # address is not altered. # +# RATE LIMIT You may rate-limit the rule by placing a value in +# this colume: +# +# /[:] +# +# where is the number of connections per +# ("sec" or "min") and is the +# largest burst permitted. If no is given, +# a value of 5 is assumed. There may be no +# no whitespace embedded in the specification. +# +# Example: 10/sec:20 +# +# If you place a rate limit in this column, you may not +# place a similar limit in the ACTION column. +# # Example: Accept SMTP requests from the DMZ to the internet # # #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL 
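Review bot: The new RATE LIMIT description at @@ -206 omits that the column is positional: the firewall script reads each rule with a whitespace-split `read … xaddress xratelimit`, so a value is taken as the rate limit only when every column to its left, including ORIGINAL DEST, is filled in, and with ORIGINAL DEST left blank the rate limit is read as the original-destination address instead. Suggest adding after the `# Example: 10/sec:20` line a comment such as `# All columns to the left of RATE LIMIT must be filled in; use the placeholder this file uses for an unused column (presumably "-") where a value is not needed.` Two wording slips in the added lines: `this colume:` should read `this column:`, and in both @@ -50 and @@ -206 the added line ending `There may be no` is followed by the existing line `no whitespace embedded`, which now reads "There may be no no whitespace".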
@@ -249,7 +271,7 @@ # # PORT PORT(S) DEST # ACCEPT net:130.252.100.69,130.252.100.70 \ # tcp 22 -############################################################################## -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL -# PORT PORT(S) DEST +######################################################################################### +#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE +# PORT PORT(S) DEST LIMIT #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall/shorewall b/Shorewall/shorewall
index d511a04ed..ad516600f 100755
--- a/Shorewall/shorewall
+++ b/Shorewall/shorewall
@@ -786,9 +786,13 @@ case "$1" in echo "Shorewall-$version `[ $# -gt 1 ] && echo Chains || echo Chain` $* at $HOSTNAME - `date`" echo show_reset - for chain in $*; do - iptables -L $chain -n -v - done + if [ $# -gt 0 ]; then + for chain in $*; do + iptables -L $chain -n -v + done + else + iptables -L -n -v + fi ;; esac ;;
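Review bot: With no chain argument the new `else` branch in the shorewall hunk at @@ -786 lists every chain, but the unchanged heading `echo` at the top of the hunk still selects `Chain` via `[ $# -gt 1 ]` and then expands an empty `$*`, so the output opens with "Chain  at …" while all chains are shown. Changing the selector to `[ $# -ne 1 ] && echo Chains || echo Chain` keeps the singular only for the single-chain case. As a point of style the new loop keeps `for chain in $*`; `for chain in "$@"` is the idiomatic form and behaves the same for the whitespace-free chain names this accepts. The `case "$1"` this arm belongs to begins and ends outside the hunk.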