holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

Implement per-IP log rate limiting

Browse Source
This commit is contained in:
Tom Eastep 2010-07-25 12:42:39 -07:00
parent 9bf06caa35
commit bd5facda30
7 changed files with 117 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

39
Shorewall/Perl/Shorewall/Config.pm
View File

@ -362,6 +362,7 @@ sub initialize( $ ) {
LOGFILE => undef, LOGFILE => undef,
LOGFORMAT => undef, LOGFORMAT => undef,
LOGTAGONLY => undef, LOGTAGONLY => undef,
LOGLIMIT => undef,
LOGRATE => undef, LOGRATE => undef,
LOGBURST => undef, LOGBURST => undef,
LOGALLNEW => undef, LOGALLNEW => undef,
@ -509,6 +510,7 @@ sub initialize( $ ) {
LOGFILE => undef, LOGFILE => undef,
LOGFORMAT => undef, LOGFORMAT => undef,
LOGTAGONLY => undef, LOGTAGONLY => undef,
LOGLIMIT => undef,
LOGRATE => undef, LOGRATE => undef,
LOGBURST => undef, LOGBURST => undef,
LOGALLNEW => undef, LOGALLNEW => undef,
@ -2847,7 +2849,42 @@ sub get_configuration( $ ) {
$globals{STATEMATCH} = '-m conntrack --ctstate' if have_capability 'CONNTRACK_MATCH'; $globals{STATEMATCH} = '-m conntrack --ctstate' if have_capability 'CONNTRACK_MATCH';
if ( $config{LOGRATE} || $config{LOGBURST} ) { if ( my $rate = $config{LOGLIMIT} ) {
require_capability 'HASHLIMIT_MATCH', 'Per-ip log rate limiting' , 's';
my $limit = "-m hashlimit ";
my $match = have_capability( 'OLD_HL_MATCH' ) ? 'hashlimit' : 'hashlimit-upto';
my $units;
if ( $rate =~ /^[sd]:(\d+(\/(sec|min|hour|day))?):(\d+)$/ ) {
$limit .= "--hashlimit $1 --hashlimit-burst $4 --hashlimit-name lograte --hashlimit-mode ";
$units = $3;
} elsif ( $rate =~ /^[sd]:(\d+(\/(sec|min|hour|day))?)$/ ) {
$limit .= "--$match $1 --hashlimit-name lograte --hashlimit-mode ";
$units = $3;
} else {
fatal_error "Invalid rate ($rate)";
}
$limit .= $rate =~ /^s:/ ? 'srcip ' : 'dstip ';
if ( $units && $units ne 'sec' ) {
my $expire = 60000; # 1 minute in milliseconds
if ( $units ne 'min' ) {
$expire *= 60; #At least an hour
$expire *= 24 if $units eq 'day';
}
$limit .= "--hashlimit-htable-expire $expire ";
}
$globals{LOGLIMIT} = $limit;
warning_message "LOGRATE Ignored when LOGLIMIT is specified" if $config{LOGRATE};
warning_message "LOGBURST Ignored when LOGLIMIT is specified" if $config{LOGBURST};
} elsif ( $config{LOGRATE} || $config{LOGBURST} ) {
if ( defined $config{LOGRATE} ) { if ( defined $config{LOGRATE} ) {
fatal_error"Invalid LOGRATE ($config{LOGRATE})" unless $config{LOGRATE} =~ /^\d+\/(second|minute)$/; fatal_error"Invalid LOGRATE ($config{LOGRATE})" unless $config{LOGRATE} =~ /^\d+\/(second|minute)$/;
} }

2
Shorewall/changelog.txt
View File

@ -8,6 +8,8 @@ Changes in Shorewall 4.4.12
4) Allow :random to work with REDIRECT 4) Allow :random to work with REDIRECT
5) Add per-ip log rate limiting.
Changes in Shorewall 4.4.11 Changes in Shorewall 4.4.11
1) Apply patch from Gabriel. 1) Apply patch from Gabriel.

18
Shorewall/releasenotes.txt
View File

@ -252,8 +252,24 @@ None.
1) Support has been added for ADD and DEL rules in 1) Support has been added for ADD and DEL rules in
/etc/shorewall/rules. ADD allows either the SOURCE or DESTINATION /etc/shorewall/rules. ADD allows either the SOURCE or DESTINATION
IP address to be added to an ipset; DEL deletes an address IP address to be added to an ipset; DEL deletes an address
previously added. previously added.
2) Per-ip log rate limiting has been added in the form of the LOGLIMIT
option in shorewall.conf. When LOGLIMIT is specified, LOGRATE and
LOGBURST are ignored.
LOGRATE and LOGBURST are now deprecated.
LOGLIMIT value format is [sd:]<rate>[/<unit>][:<burst>]
If the value starts with 's:' then logging is limited per source
IP. If the value starts with 'd:', then logging is limited per
destination IP. Otherwise, the overall logging rate is limited.
<unit> is one of sec, min, hour, day.
If <burst> is not specified, then a value of 5 is assumed.
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
I N P R I O R R E L E A S E S I N P R I O R R E L E A S E S

4
manpages/shorewall-rules.xml
View File

@ -898,7 +898,9 @@
role="bold">d</emphasis>}:[[<replaceable>name</replaceable>]:]]]<emphasis>rate</emphasis><emphasis role="bold">d</emphasis>}:[[<replaceable>name</replaceable>]:]]]<emphasis>rate</emphasis><emphasis
role="bold">/</emphasis>{<emphasis role="bold">/</emphasis>{<emphasis
role="bold">sec</emphasis>|<emphasis role="bold">sec</emphasis>|<emphasis
role="bold">min</emphasis>}[:<emphasis>burst</emphasis>]</term> role="bold">min</emphasis>|<emphasis
role="bold">hour</emphasis>|<emphasis
role="bold">day</emphasis>}[:<emphasis>burst</emphasis>]</term>
<listitem> <listitem>
<para>You may rate-limit the rule by placing a value in this <para>You may rate-limit the rule by placing a value in this

27
manpages/shorewall.conf.xml
View File

@ -932,6 +932,30 @@ net all DROP info</programlisting>then the chain name is 'net2all'
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis
role="bold">LOGLIMIT=[</emphasis>[{<emphasis>s</emphasis>|<emphasis
role="bold">d</emphasis>}:]<emphasis>rate</emphasis><emphasis
role="bold">/</emphasis>{<emphasis
role="bold">sec</emphasis>|<emphasis
role="bold">min</emphasis>|<emphasis
role="bold">hour</emphasis>|<emphasis
role="bold">day</emphasis>}[:<emphasis>burst</emphasis>]]</term>
<listitem>
<para>Added in Shorewall 4.4.12. Limits the logging rate, either
overall, or by source or destination IP address.</para>
<para>If the value starts with 's:' then logging is limited per
source IP. If the value starts with 'd:', then logging is limited
per destination IP. Otherwise, the overall logging rate is limited.
</para>
<para>If <replaceable>burst</replaceable> is not specified, then a
value of 5 is assumed. </para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis <term><emphasis
role="bold">LOGBURST=</emphasis>[<emphasis>burst</emphasis>]</term> role="bold">LOGBURST=</emphasis>[<emphasis>burst</emphasis>]</term>
@ -948,6 +972,9 @@ net all DROP info</programlisting>then the chain name is 'net2all'
role="bold">second</emphasis>}]</term> role="bold">second</emphasis>}]</term>
<listitem> <listitem>
<para>Deprecated in Shorewall 4.4.12. These options are ignored when
LOGLIMIT is specified.</para>
<para>These parameters set the match rate and initial burst size for <para>These parameters set the match rate and initial burst size for
logged packets. Please see iptables(8) for a description of the logged packets. Please see iptables(8) for a description of the
behavior of these parameters (the iptables option --limit is set by behavior of these parameters (the iptables option --limit is set by

4
manpages6/shorewall6-rules.xml
View File

@ -668,7 +668,9 @@
role="bold">d</emphasis>}:[[<replaceable>name</replaceable>]:]]]<emphasis>rate</emphasis><emphasis role="bold">d</emphasis>}:[[<replaceable>name</replaceable>]:]]]<emphasis>rate</emphasis><emphasis
role="bold">/</emphasis>{<emphasis role="bold">/</emphasis>{<emphasis
role="bold">sec</emphasis>|<emphasis role="bold">sec</emphasis>|<emphasis
role="bold">min</emphasis>}[:<emphasis>burst</emphasis>]</term> role="bold">min</emphasis>|<emphasis
role="bold">hour</emphasis>|<emphasis
role="bold">day</emphasis>}[:<emphasis>burst</emphasis>]</term>
<listitem> <listitem>
<para>You may rate-limit the rule by placing a value in this <para>You may rate-limit the rule by placing a value in this

27
manpages6/shorewall6.conf.xml
View File

@ -809,6 +809,30 @@ net all DROP info</programlisting>then the chain name is 'net2all'
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis
role="bold">LOGLIMIT=[</emphasis>[{<emphasis>s</emphasis>|<emphasis
role="bold">d</emphasis>}:]<emphasis>rate</emphasis><emphasis
role="bold">/</emphasis>{<emphasis
role="bold">sec</emphasis>|<emphasis
role="bold">min</emphasis>|<emphasis
role="bold">hour</emphasis>|<emphasis
role="bold">day</emphasis>}[:<emphasis>burst</emphasis>]]</term>
<listitem>
<para>Added in Shorewall 4.4.12. Limits the logging rate, either
overall, or by source or destination IP address.</para>
<para>If the value starts with 's:' then logging is limited per
source IP. If the value starts with 'd:', then logging is limited
per destination IP. Otherwise, the overall logging rate is
limited.</para>
<para>If <replaceable>burst</replaceable> is not specified, then a
value of 5 is assumed.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis <term><emphasis
role="bold">LOGBURST=</emphasis>[<emphasis>burst</emphasis>]</term> role="bold">LOGBURST=</emphasis>[<emphasis>burst</emphasis>]</term>
@ -825,6 +849,9 @@ net all DROP info</programlisting>then the chain name is 'net2all'
role="bold">second</emphasis>}]</term> role="bold">second</emphasis>}]</term>
<listitem> <listitem>
<para>As of Shorewall 4.4.12, these parameters are
deprecated.</para>
<para>These parameters set the match rate and initial burst size for <para>These parameters set the match rate and initial burst size for
logged packets. Please see ip6tables(8) for a description of the logged packets. Please see ip6tables(8) for a description of the
behavior of these parameters (the ip6tables option --limit is set by behavior of these parameters (the ip6tables option --limit is set by