diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm index d88f50701..8e441e61b 100644 --- a/Shorewall/Perl/Shorewall/Chains.pm +++ b/Shorewall/Perl/Shorewall/Chains.pm @@ -1531,12 +1531,14 @@ sub do_ratelimit( $$ ) { require_capability 'HASHLIMIT_MATCH', 'Per-ip rate limiting' , 's'; my $limit = "-m hashlimit "; + my $match = $capabilities{OLD_HL_MATCH} ? 'hashlimit' : 'hashlimit-upto'; + if ( $rate =~ /^[sd]:((\w*):)?(\d+(\/(sec|min|hour|day))?):(\d+)$/ ) { $limit .= "--hashlimit $3 --hashlimit-burst $6 --hashlimit-name "; $limit .= $2 ? $2 : 'shorewall'; $limit .= ' --hashlimit-mode '; } elsif ( $rate =~ /^[sd]:((\w*):)?(\d+(\/(sec|min|hour|day))?)$/ ) { - $limit .= "--hashlimit-upto $3 --hashlimit-name "; + $limit .= "--$match $3 --hashlimit-name "; $limit .= $2 ? $2 : 'shorewall'; $limit .= ' --hashlimit-mode '; } else { diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm index 3c2e9d153..07eb93767 100644 --- a/Shorewall/Perl/Shorewall/Config.pm +++ b/Shorewall/Perl/Shorewall/Config.pm @@ -242,6 +242,7 @@ our %capdesc = ( NAT_ENABLED => 'NAT', LOGMARK_TARGET => 'LOGMARK Target', IPMARK_TARGET => 'IPMARK Target', PERSISTENT_SNAT => 'Persistent SNAT', + OLD_HL_MATCH => 'Old Hash Limit Match', CAPVERSION => 'Capability Version', ); # @@ -328,7 +329,7 @@ sub initialize( $ ) { EXPORT => 0, UNTRACKED => 0, VERSION => "4.4.2", - CAPVERSION => 40401 , + CAPVERSION => 40402 , ); # @@ -566,7 +567,7 @@ sub initialize( $ ) { NONE => '', NFLOG => 'NFLOG', LOGMARK => 'LOGMARK' ); - } + } # # From parsing the capabilities file # @@ -614,6 +615,7 @@ sub initialize( $ ) { IPMARK_TARGET => undef, LOG_TARGET => 1, # Assume that we have it. PERSISTENT_SNAT => undef, + OLD_HL_MATCH => undef, CAPVERSION => undef, ); # 
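Review bot: The new `$match` selection in do_ratelimit is applied only in the `elsif` branch; the first branch (rate with a burst value) still emits `--hashlimit $3` unconditionally, so the two branches now disagree on which option spelling they use. If `--hashlimit` is accepted by both the old and the new hashlimit match — which the unchanged first branch appears to rely on — then `--hashlimit` could be used in both branches and `$match` would be unnecessary; if it is not, the first branch needs the same `--$match` substitution. Either way the new line deserves a comment giving the reason, e.g. `# Ancient iptables (e.g. 1.3.5) lacks --hashlimit-upto; fall back to --hashlimit when OLD_HL_MATCH is set`. The rest of do_ratelimit lies outside the hunk.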
@@ -2027,6 +2029,15 @@ sub determine_capabilities( $ ) { $capabilities{ENHANCED_REJECT} = qt1( "$iptables -A $sillyname -j REJECT --reject-with icmp6-admt-prohibited" ); $capabilities{COMMENTS} = qt1( qq($iptables -A $sillyname -j ACCEPT -m comment --comment "This is a comment" ) ); + $capabilities{HASHLIMIT_MATCH} = qt1( "$iptables -A $sillyname -m hashlimit --hashlimit-upto 3/min --hashlimit-burst 3 --hashlimit-name $sillyname --hashlimit-mode srcip -j ACCEPT" ); + + if ( $capabilities{HASHLIMIT_MATCH} ) { + $capabilities{OLD_HL_MATCH} = ''; + } else { + $capabilities{OLD_HL_MATCH} = qt1( "$iptables -A $sillyname -m hashlimit --hashlimit 3/min --hashlimit-burst 3 --hashlimit-name $sillyname --hashlimit-mode srcip -j ACCEPT" ); + $capabilities{HASHLIMIT_MATCH} = $capabilities{OLD_HL_MATCH}; + } + if ( $capabilities{MANGLE_ENABLED} ) { qt1( "$iptables -t mangle -N $sillyname" ); @@ -2071,7 +2082,6 @@ sub determine_capabilities( $ ) { $capabilities{USEPKTTYPE} = qt1( "$iptables -A $sillyname -m pkttype --pkt-type broadcast -j ACCEPT" ); $capabilities{ADDRTYPE} = qt1( "$iptables -A $sillyname -m addrtype --src-type BROADCAST -j ACCEPT" ); $capabilities{TCPMSS_MATCH} = qt1( "$iptables -A $sillyname -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT" ); - $capabilities{HASHLIMIT_MATCH} = qt1( "$iptables -A $sillyname -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name fooX1234 --hashlimit-mode dstip -j ACCEPT" ); $capabilities{NFQUEUE_TARGET} = qt1( "$iptables -A $sillyname -j NFQUEUE --queue-num 4" ); $capabilities{REALM_MATCH} = qt1( "$iptables -A $sillyname -m realm --realm 1" ); $capabilities{HELPER_MATCH} = qt1( "$iptables -A $sillyname -m helper --helper \"ftp\"" ); diff --git a/Shorewall/lib.base b/Shorewall/lib.base index 1f149fc6d..ebcabc735 100644 --- a/Shorewall/lib.base +++ b/Shorewall/lib.base 
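Review bot: The two-stage probe added to determine_capabilities has no comment explaining why `HASHLIMIT_MATCH` is re-derived from `OLD_HL_MATCH`, nor why `OLD_HL_MATCH` is set to `''` rather than left undef when the first probe succeeds, so a reader of the capabilities file will not know the two flags are mutually exclusive. Suggested comment above the `if`: `# Old hashlimit match lacks --hashlimit-upto; if the modern probe fails, retry with the legacy --hashlimit form and count success as HASHLIMIT_MATCH too`. Both probes now pass `--hashlimit-name $sillyname` where the deleted probe used the fixed name `fooX1234`; if `$sillyname` can exceed the hashlimit name length limit the probe would fail for the wrong reason and the match would be reported absent, so its length is worth confirming where it is defined (outside this hunk). The function continues outside the hunk.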
@@ -30,7 +30,7 @@ # SHOREWALL_LIBVERSION=40000 -SHOREWALL_CAPVERSION=40401 +SHOREWALL_CAPVERSION=40402 [ -n "${VARDIR:=/var/lib/shorewall}" ] [ -n "${SHAREDIR:=/usr/share/shorewall}" ] @@ -945,7 +945,11 @@ determine_capabilities() { qt $IPTABLES -A $chain -m pkttype --pkt-type broadcast -j ACCEPT && USEPKTTYPE=Yes qt $IPTABLES -A $chain -m addrtype --src-type BROADCAST -j ACCEPT && ADDRTYPE=Yes qt $IPTABLES -A $chain -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT && TCPMSS_MATCH=Yes - qt $IPTABLES -A $chain -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && HASHLIMIT_MATCH=Yes + qt $IPTABLES -A $chain -m hashlimit --hashlimit-upto 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && HASHLIMIT_MATCH=Yes + if [ -z "$HASHLIMIT_MATCH" ]; then + qt $IPTABLES -A $chain -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && NEW_HL_MATCH=Yes + HASHLIMIT_MATCH=$OLD_HL_MATCH + fi qt $IPTABLES -A $chain -j NFQUEUE --queue-num 4 && NFQUEUE_TARGET=Yes qt $IPTABLES -A $chain -m realm --realm 4 && REALM_MATCH=Yes qt $IPTABLES -A $chain -m helper --helper "ftp" && HELPER_MATCH=Yes @@ -1011,6 +1015,7 @@ report_capabilities() { report_capability "Address Type Match" $ADDRTYPE report_capability "TCPMSS Match" $TCPMSS_MATCH report_capability "Hashlimit Match" $HASHLIMIT_MATCH + report_capability "Old Hashlimit Match" $OLD_HL_MATCH report_capability "NFQUEUE Target" $NFQUEUE_TARGET report_capability "Realm Match" $REALM_MATCH report_capability "Helper Match" $HELPER_MATCH @@ -1069,6 +1074,7 @@ report_capabilities1() { report_capability1 ADDRTYPE report_capability1 TCPMSS_MATCH report_capability1 HASHLIMIT_MATCH + report_capability1 OLD_HL_MATCH report_capability1 NFQUEUE_TARGET report_capability1 REALM_MATCH report_capability1 HELPER_MATCH 
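Review bot: In the Shorewall/lib.base determine_capabilities hunk the fallback probe assigns `NEW_HL_MATCH=Yes`, but the next line and the two report_capability hunks read `OLD_HL_MATCH`, which is never assigned anywhere in this file; on an iptables that only understands `--hashlimit`, `HASHLIMIT_MATCH=$OLD_HL_MATCH` therefore sets the flag empty and both capabilities are reported and exported as absent. The Shorewall6/lib.base hunk uses `OLD_HL_MATCH=Yes` on the same line, so the IPv4 copy should read `qt $IPTABLES -A $chain -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && OLD_HL_MATCH=Yes`. With a capabilities file generated by this script on such a system, the compiler's `require_capability 'HASHLIMIT_MATCH'` in do_ratelimit would reject per-IP LIMIT rules instead of emitting the legacy form, which is the exact case the release note says is now supported. Whether OLD_HL_MATCH is cleared at the top of determine_capabilities, as the other flags presumably are, lies outside the hunk and is worth checking.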
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index 7c847ad8b..86e929bc9 100644 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt @@ -215,7 +215,10 @@ Shorewall 4.4.2 correctly with no PATH. 8) The new per-IP LIMIT feature now works with ancient iptables - releases (e.g., 1.3.5 as found on RHEL 5). + releases (e.g., 1.3.5 as found on RHEL 5). This change required + testing for an additional capability which means that those who use + a capabilities file should regenerate that file after installing + 4.4.2. ---------------------------------------------------------------------------- K N O W N P R O B L E M S R E M A I N I N G diff --git a/Shorewall6/lib.base b/Shorewall6/lib.base index c5747cf5a..8e846624b 100644 --- a/Shorewall6/lib.base +++ b/Shorewall6/lib.base @@ -33,7 +33,7 @@ # SHOREWALL_LIBVERSION=40300 -SHOREWALL_CAPVERSION=40401 +SHOREWALL_CAPVERSION=40402 [ -n "${VARDIR:=/var/lib/shorewall6}" ] [ -n "${SHAREDIR:=/usr/share/shorewall6}" ] 
@@ -853,7 +853,11 @@ determine_capabilities() { qt $IP6TABLES -A $chain -m pkttype --pkt-type broadcast -j ACCEPT && USEPKTTYPE=Yes qt $IP6TABLES -A $chain -m addrtype --src-type BROADCAST -j ACCEPT && ADDRTYPE=Yes qt $IP6TABLES -A $chain -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT && TCPMSS_MATCH=Yes - qt $IP6TABLES -A $chain -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && HASHLIMIT_MATCH=Yes + qt $IP6TABLES -A $chain -m hashlimit --hashlimit-upto 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && HASHLIMIT_MATCH=Yes + if [ -z "$HASHLIMIT_MATCH" ]; then + qt $IP6TABLES -A $chain -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && OLD_HL_MATCH=Yes + HASHLIMIT_MATCH=$OLD_HL_MATCH + fi qt $IP6TABLES -A $chain -j NFQUEUE --queue-num 4 && NFQUEUE_TARGET=Yes qt $IP6TABLES -A $chain -m realm --realm 4 && REALM_MATCH=Yes qt $IP6TABLES -A $chain -m helper --helper "ftp" && HELPER_MATCH=Yes @@ -917,6 +921,7 @@ report_capabilities() { report_capability "Address Type Match" $ADDRTYPE report_capability "TCPMSS Match" $TCPMSS_MATCH report_capability "Hashlimit Match" $HASHLIMIT_MATCH + report_capability "Old Hashlimit Match" $OLD_HL_MATCH report_capability "NFQUEUE Target" $NFQUEUE_TARGET report_capability "Realm Match" $REALM_MATCH report_capability "Helper Match" $HELPER_MATCH @@ -972,6 +977,7 @@ report_capabilities1() { report_capability1 ADDRTYPE report_capability1 TCPMSS_MATCH report_capability1 HASHLIMIT_MATCH + report_capability1 OLD_HL_MATCH report_capability1 NFQUEUE_TARGET report_capability1 REALM_MATCH report_capability1 HELPER_MATCH
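Review bot: The fallback in Shorewall6/lib.base determine_capabilities is undocumented; nothing here records that `OLD_HL_MATCH` is probed only when the `--hashlimit-upto` form fails and that `HASHLIMIT_MATCH` is then derived from it. Suggest a comment above the `if`: `# Ancient iptables (e.g. 1.3.5) lacks --hashlimit-upto; retry with the legacy --hashlimit form and report it as HASHLIMIT_MATCH as well`. The `[ -z "$HASHLIMIT_MATCH" ]` test also assumes the variable starts empty; if determine_capabilities does not reset these flags before probing (that part is outside the hunk), a value inherited from an earlier capabilities file or the environment would skip the fallback.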