From d55bcfca0b927d7524e27ea7648e13df617f8526 Mon Sep 17 00:00:00 2001
From: teastep
Date: Wed, 13 Aug 2003 21:31:02 +0000
Subject: [PATCH] Rate Limiting in Rules - Part 7

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@711 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Shorewall/changelog.txt | 2 ++
 Shorewall/firewall | 24 ++++++++++++++++++------
 Shorewall/releasenotes.txt | 6 ++++--
 3 files changed, 24 insertions(+), 8 deletions(-)

diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index ff7354a42..3c342acc2 100755
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -45,3 +45,5 @@ Changes since 1.4.6
 20) Bridge interfaces (br[0-9]) can now be used in /etc/shorewall/maclist.
 21) Rate-limited rules added.
+
+22) Make burst optional in rate limited rules and policies.
diff --git a/Shorewall/firewall b/Shorewall/firewall
index 6b406c85c..4bb5cce78 100755
--- a/Shorewall/firewall
+++ b/Shorewall/firewall
@@ -1466,13 +1466,18 @@ setup_syn_flood_chain () # $2 = synparams
 {
 local chain=$1
- local limit=${2%:*}
- local limit_burst=${2#*:}
+ local limit=$2
+ local limit_burst=
+
+ case $limit in
+ *:*)
+ limit_burst="--limit-burst ${limit#*:}"
+ limit=${limit%:*}
+ ;;
+ esac
 run_iptables -N @$chain
- run_iptables -A @$chain \
- -m limit --limit $limit --limit-burst $limit_burst \
- -j RETURN
+ run_iptables -A @$chain -m limit --limit $limit $limit_burst -j RETURN
 run_iptables -A @$chain -j DROP
 }
@@ -2454,7 +2459,14 @@ process_rule() # $1 = target
 ratelimit="${ratelimit%>*}"
 target="${target%<*}${target#*>}"
 expandv ratelimit
- ratelimit="-m limit --limit ${ratelimit%:*} --limit-burst ${ratelimit#*:}"
+ case $ratelimit in
+ *:*)
+ ratelimit="-m limit --limit ${ratelimit%:*} --limit-burst ${ratelimit#*:}"
+ ;;
+ *)
+ ratelimit="-m limit --limit $ratelimit"
+ ;;
+ esac
 fi
 # Isolate log level
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index f1a76c889..eacc1f7c7 100755
--- a/Shorewall/releasenotes.txt
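Review bot: The new `*:*)` branch in setup_syn_flood_chain accepts a malformed synparams value without checking it: `10/sec:` (empty burst) turns `$limit_burst` into a bare `--limit-burst`, so iptables would read the following `-j` as the burst count, and a value with two colons such as `1/sec:5:7` yields `--limit 1/sec:5 --limit-burst 5:7`; the `case $ratelimit` in the process_rule hunk has the same gap. Whether run_iptables then aborts the whole firewall start or leaves the chain half-built is not visible here, so it is safer to reject the value at parse time, with a message naming the offending setting, than to rely on the iptables error. A guard pattern placed before `*:*)` in both case statements would do it, e.g. `:*|*:|*:*:*) FATAL_ERROR_HELPER "Invalid rate limit: $limit" ;;` (FATAL_ERROR_HELPER is a placeholder for the script's existing fatal-error routine, which is not shown in the hunk; the process_rule copy would test `$ratelimit`). The setup_syn_flood_chain header line and all of process_rule apart from these lines lie outside the hunks.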
+++ b/Shorewall/releasenotes.txt
@@ -261,13 +261,14 @@ New Features:
 To specify a rate limit, follow ACCEPT, DNAT[-], REDIRECT[-] or LOG with
- < /: >
+ < /[:] >
 where is the sustained rate per is "sec" or "min"
- is the largest burst accepted within an
+ is the largest burst accepted within an . If
+ not given, the default of 5 is assumed.
 There may be no white space between the ACTION and "<" nor there may be any white space within the burst specification. If you want to
@@ -292,4 +293,5 @@ New Features:
 zones individually rather than as a single limit for all pairs of zones covered by the rule.
+