Add capability to detect old hashlimit syntax
parent
428c3d1e4e
commit
d84458518e
@ -1531,12 +1531,14 @@ sub do_ratelimit( $$ ) {
|
|||||||
require_capability 'HASHLIMIT_MATCH', 'Per-ip rate limiting' , 's';
|
require_capability 'HASHLIMIT_MATCH', 'Per-ip rate limiting' , 's';
|
||||||
|
|
||||||
my $limit = "-m hashlimit ";
|
my $limit = "-m hashlimit ";
|
||||||
|
my $match = $capabilities{OLD_HL_MATCH} ? 'hashlimit' : 'hashlimit-upto';
|
||||||
|
|
||||||
if ( $rate =~ /^[sd]:((\w*):)?(\d+(\/(sec|min|hour|day))?):(\d+)$/ ) {
|
if ( $rate =~ /^[sd]:((\w*):)?(\d+(\/(sec|min|hour|day))?):(\d+)$/ ) {
|
||||||
$limit .= "--hashlimit $3 --hashlimit-burst $6 --hashlimit-name ";
|
$limit .= "--hashlimit $3 --hashlimit-burst $6 --hashlimit-name ";
|
||||||
$limit .= $2 ? $2 : 'shorewall';
|
$limit .= $2 ? $2 : 'shorewall';
|
||||||
$limit .= ' --hashlimit-mode ';
|
$limit .= ' --hashlimit-mode ';
|
||||||
} elsif ( $rate =~ /^[sd]:((\w*):)?(\d+(\/(sec|min|hour|day))?)$/ ) {
|
} elsif ( $rate =~ /^[sd]:((\w*):)?(\d+(\/(sec|min|hour|day))?)$/ ) {
|
||||||
$limit .= "--hashlimit-upto $3 --hashlimit-name ";
|
$limit .= "--$match $3 --hashlimit-name ";
|
||||||
$limit .= $2 ? $2 : 'shorewall';
|
$limit .= $2 ? $2 : 'shorewall';
|
||||||
$limit .= ' --hashlimit-mode ';
|
$limit .= ' --hashlimit-mode ';
|
||||||
} else {
|
} else {
|
||||||
|
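Review bot: The line `my $match = $capabilities{OLD_HL_MATCH} ? 'hashlimit' : 'hashlimit-upto';` needs a comment saying why the spelling is switched, because only the no-burst `elsif` branch uses `$match` while the burst branch keeps emitting `--hashlimit $3 --hashlimit-burst $6` unconditionally; the probe removed from Config.pm later on this page (`--hashlimit 4 --hashlimit-burst 5`) suggests the old spelling is accepted by both iptables generations, and a reader needs that to see the asymmetry is deliberate rather than an oversight. Suggested comment above the assignment: `# Ancient iptables (e.g., 1.3.5) only knows --hashlimit; --hashlimit-upto is the newer spelling, so pick by the OLD_HL_MATCH capability`. It is also worth confirming that `%capabilities` is in scope in this module, which the hunk does not show. do_ratelimit's body continues outside the hunk on both sides.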
@ -242,6 +242,7 @@ our %capdesc = ( NAT_ENABLED => 'NAT',
|
|||||||
LOGMARK_TARGET => 'LOGMARK Target',
|
LOGMARK_TARGET => 'LOGMARK Target',
|
||||||
IPMARK_TARGET => 'IPMARK Target',
|
IPMARK_TARGET => 'IPMARK Target',
|
||||||
PERSISTENT_SNAT => 'Persistent SNAT',
|
PERSISTENT_SNAT => 'Persistent SNAT',
|
||||||
|
OLD_HL_MATCH => 'Old Hash Limit Match',
|
||||||
CAPVERSION => 'Capability Version',
|
CAPVERSION => 'Capability Version',
|
||||||
);
|
);
|
||||||
#
|
#
|
||||||
@ -328,7 +329,7 @@ sub initialize( $ ) {
|
|||||||
EXPORT => 0,
|
EXPORT => 0,
|
||||||
UNTRACKED => 0,
|
UNTRACKED => 0,
|
||||||
VERSION => "4.4.2",
|
VERSION => "4.4.2",
|
||||||
CAPVERSION => 40401 ,
|
CAPVERSION => 40402 ,
|
||||||
);
|
);
|
||||||
|
|
||||||
#
|
#
|
||||||
@ -566,7 +567,7 @@ sub initialize( $ ) {
|
|||||||
NONE => '',
|
NONE => '',
|
||||||
NFLOG => 'NFLOG',
|
NFLOG => 'NFLOG',
|
||||||
LOGMARK => 'LOGMARK' );
|
LOGMARK => 'LOGMARK' );
|
||||||
}
|
}
|
||||||
#
|
#
|
||||||
# From parsing the capabilities file
|
# From parsing the capabilities file
|
||||||
#
|
#
|
||||||
@ -614,6 +615,7 @@ sub initialize( $ ) {
|
|||||||
IPMARK_TARGET => undef,
|
IPMARK_TARGET => undef,
|
||||||
LOG_TARGET => 1, # Assume that we have it.
|
LOG_TARGET => 1, # Assume that we have it.
|
||||||
PERSISTENT_SNAT => undef,
|
PERSISTENT_SNAT => undef,
|
||||||
|
OLD_HL_MATCH => undef,
|
||||||
CAPVERSION => undef,
|
CAPVERSION => undef,
|
||||||
);
|
);
|
||||||
#
|
#
|
||||||
@ -2027,6 +2029,15 @@ sub determine_capabilities( $ ) {
|
|||||||
$capabilities{ENHANCED_REJECT} = qt1( "$iptables -A $sillyname -j REJECT --reject-with icmp6-admt-prohibited" );
|
$capabilities{ENHANCED_REJECT} = qt1( "$iptables -A $sillyname -j REJECT --reject-with icmp6-admt-prohibited" );
|
||||||
$capabilities{COMMENTS} = qt1( qq($iptables -A $sillyname -j ACCEPT -m comment --comment "This is a comment" ) );
|
$capabilities{COMMENTS} = qt1( qq($iptables -A $sillyname -j ACCEPT -m comment --comment "This is a comment" ) );
|
||||||
|
|
||||||
|
$capabilities{HASHLIMIT_MATCH} = qt1( "$iptables -A $sillyname -m hashlimit --hashlimit-upto 3/min --hashlimit-burst 3 --hashlimit-name $sillyname --hashlimit-mode srcip -j ACCEPT" );
|
||||||
|
|
||||||
|
if ( $capabilities{HASHLIMIT_MATCH} ) {
|
||||||
|
$capabilities{OLD_HL_MATCH} = '';
|
||||||
|
} else {
|
||||||
|
$capabilities{OLD_HL_MATCH} = qt1( "$iptables -A $sillyname -m hashlimit --hashlimit 3/min --hashlimit-burst 3 --hashlimit-name $sillyname --hashlimit-mode srcip -j ACCEPT" );
|
||||||
|
$capabilities{HASHLIMIT_MATCH} = $capabilities{OLD_HL_MATCH};
|
||||||
|
}
|
||||||
|
|
||||||
if ( $capabilities{MANGLE_ENABLED} ) {
|
if ( $capabilities{MANGLE_ENABLED} ) {
|
||||||
qt1( "$iptables -t mangle -N $sillyname" );
|
qt1( "$iptables -t mangle -N $sillyname" );
|
||||||
|
|
||||||
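Review bot: The two-step probe in the new `if`/`else` block has no comment, and it stores `''` in `$capabilities{OLD_HL_MATCH}` on the success path while the capabilities-file defaults in the earlier hunk initialise the same key to `undef`; if `''` is meant to read as "probed and absent" rather than "not probed", say so, since the distinction is easy to lose when the file is reloaded. Suggested comment above the first `qt1` call: `# Probe the newer --hashlimit-upto spelling first; if it fails, retry with the old --hashlimit form and let that result stand in for HASHLIMIT_MATCH`. determine_capabilities continues outside the hunk.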
@ -2071,7 +2082,6 @@ sub determine_capabilities( $ ) {
|
|||||||
$capabilities{USEPKTTYPE} = qt1( "$iptables -A $sillyname -m pkttype --pkt-type broadcast -j ACCEPT" );
|
$capabilities{USEPKTTYPE} = qt1( "$iptables -A $sillyname -m pkttype --pkt-type broadcast -j ACCEPT" );
|
||||||
$capabilities{ADDRTYPE} = qt1( "$iptables -A $sillyname -m addrtype --src-type BROADCAST -j ACCEPT" );
|
$capabilities{ADDRTYPE} = qt1( "$iptables -A $sillyname -m addrtype --src-type BROADCAST -j ACCEPT" );
|
||||||
$capabilities{TCPMSS_MATCH} = qt1( "$iptables -A $sillyname -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT" );
|
$capabilities{TCPMSS_MATCH} = qt1( "$iptables -A $sillyname -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT" );
|
||||||
$capabilities{HASHLIMIT_MATCH} = qt1( "$iptables -A $sillyname -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name fooX1234 --hashlimit-mode dstip -j ACCEPT" );
|
|
||||||
$capabilities{NFQUEUE_TARGET} = qt1( "$iptables -A $sillyname -j NFQUEUE --queue-num 4" );
|
$capabilities{NFQUEUE_TARGET} = qt1( "$iptables -A $sillyname -j NFQUEUE --queue-num 4" );
|
||||||
$capabilities{REALM_MATCH} = qt1( "$iptables -A $sillyname -m realm --realm 1" );
|
$capabilities{REALM_MATCH} = qt1( "$iptables -A $sillyname -m realm --realm 1" );
|
||||||
$capabilities{HELPER_MATCH} = qt1( "$iptables -A $sillyname -m helper --helper \"ftp\"" );
|
$capabilities{HELPER_MATCH} = qt1( "$iptables -A $sillyname -m helper --helper \"ftp\"" );
|
||||||
|
@ -30,7 +30,7 @@
|
|||||||
#
|
#
|
||||||
|
|
||||||
SHOREWALL_LIBVERSION=40000
|
SHOREWALL_LIBVERSION=40000
|
||||||
SHOREWALL_CAPVERSION=40401
|
SHOREWALL_CAPVERSION=40402
|
||||||
|
|
||||||
[ -n "${VARDIR:=/var/lib/shorewall}" ]
|
[ -n "${VARDIR:=/var/lib/shorewall}" ]
|
||||||
[ -n "${SHAREDIR:=/usr/share/shorewall}" ]
|
[ -n "${SHAREDIR:=/usr/share/shorewall}" ]
|
||||||
@ -945,7 +945,11 @@ determine_capabilities() {
|
|||||||
qt $IPTABLES -A $chain -m pkttype --pkt-type broadcast -j ACCEPT && USEPKTTYPE=Yes
|
qt $IPTABLES -A $chain -m pkttype --pkt-type broadcast -j ACCEPT && USEPKTTYPE=Yes
|
||||||
qt $IPTABLES -A $chain -m addrtype --src-type BROADCAST -j ACCEPT && ADDRTYPE=Yes
|
qt $IPTABLES -A $chain -m addrtype --src-type BROADCAST -j ACCEPT && ADDRTYPE=Yes
|
||||||
qt $IPTABLES -A $chain -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT && TCPMSS_MATCH=Yes
|
qt $IPTABLES -A $chain -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT && TCPMSS_MATCH=Yes
|
||||||
qt $IPTABLES -A $chain -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && HASHLIMIT_MATCH=Yes
|
qt $IPTABLES -A $chain -m hashlimit --hashlimit-upto 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && HASHLIMIT_MATCH=Yes
|
||||||
|
if [ -z "$HASHLIMIT_MATCH" ]; then
|
||||||
|
qt $IPTABLES -A $chain -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && NEW_HL_MATCH=Yes
|
||||||
|
HASHLIMIT_MATCH=$OLD_HL_MATCH
|
||||||
|
fi
|
||||||
qt $IPTABLES -A $chain -j NFQUEUE --queue-num 4 && NFQUEUE_TARGET=Yes
|
qt $IPTABLES -A $chain -j NFQUEUE --queue-num 4 && NFQUEUE_TARGET=Yes
|
||||||
qt $IPTABLES -A $chain -m realm --realm 4 && REALM_MATCH=Yes
|
qt $IPTABLES -A $chain -m realm --realm 4 && REALM_MATCH=Yes
|
||||||
qt $IPTABLES -A $chain -m helper --helper "ftp" && HELPER_MATCH=Yes
|
qt $IPTABLES -A $chain -m helper --helper "ftp" && HELPER_MATCH=Yes
|
||||||
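Review bot: The fallback probe inside `if [ -z "$HASHLIMIT_MATCH" ]` sets `NEW_HL_MATCH=Yes`, but the next line copies `$OLD_HL_MATCH` into `HASHLIMIT_MATCH` and nothing in this hunk ever assigns OLD_HL_MATCH, so on an iptables that only understands `--hashlimit` both variables stay empty and the capability is reported as missing, the opposite of what the commit intends. The shorewall6 counterpart in the later `determine_capabilities()` hunk uses `OLD_HL_MATCH=Yes`, so this looks like a typo; the line should read `qt $IPTABLES -A $chain -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && OLD_HL_MATCH=Yes`. It is also worth confirming that OLD_HL_MATCH is cleared with the other capability variables before the probes run, which is outside the hunk. determine_capabilities() continues outside the hunk.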
@ -1011,6 +1015,7 @@ report_capabilities() {
|
|||||||
report_capability "Address Type Match" $ADDRTYPE
|
report_capability "Address Type Match" $ADDRTYPE
|
||||||
report_capability "TCPMSS Match" $TCPMSS_MATCH
|
report_capability "TCPMSS Match" $TCPMSS_MATCH
|
||||||
report_capability "Hashlimit Match" $HASHLIMIT_MATCH
|
report_capability "Hashlimit Match" $HASHLIMIT_MATCH
|
||||||
|
report_capability "Old Hashlimit Match" $OLD_HL_MATCH
|
||||||
report_capability "NFQUEUE Target" $NFQUEUE_TARGET
|
report_capability "NFQUEUE Target" $NFQUEUE_TARGET
|
||||||
report_capability "Realm Match" $REALM_MATCH
|
report_capability "Realm Match" $REALM_MATCH
|
||||||
report_capability "Helper Match" $HELPER_MATCH
|
report_capability "Helper Match" $HELPER_MATCH
|
||||||
@ -1069,6 +1074,7 @@ report_capabilities1() {
|
|||||||
report_capability1 ADDRTYPE
|
report_capability1 ADDRTYPE
|
||||||
report_capability1 TCPMSS_MATCH
|
report_capability1 TCPMSS_MATCH
|
||||||
report_capability1 HASHLIMIT_MATCH
|
report_capability1 HASHLIMIT_MATCH
|
||||||
|
report_capability1 OLD_HL_MATCH
|
||||||
report_capability1 NFQUEUE_TARGET
|
report_capability1 NFQUEUE_TARGET
|
||||||
report_capability1 REALM_MATCH
|
report_capability1 REALM_MATCH
|
||||||
report_capability1 HELPER_MATCH
|
report_capability1 HELPER_MATCH
|
||||||
|
@ -215,7 +215,10 @@ Shorewall 4.4.2
|
|||||||
correctly with no PATH.
|
correctly with no PATH.
|
||||||
|
|
||||||
8) The new per-IP LIMIT feature now works with ancient iptables
|
8) The new per-IP LIMIT feature now works with ancient iptables
|
||||||
releases (e.g., 1.3.5 as found on RHEL 5).
|
releases (e.g., 1.3.5 as found on RHEL 5). This change required
|
||||||
|
testing for an additional capability which means that those who use
|
||||||
|
a capabilities file should regenerate that file after installing
|
||||||
|
4.4.2.
|
||||||
|
|
||||||
----------------------------------------------------------------------------
|
----------------------------------------------------------------------------
|
||||||
K N O W N P R O B L E M S R E M A I N I N G
|
K N O W N P R O B L E M S R E M A I N I N G
|
||||||
|
@ -33,7 +33,7 @@
|
|||||||
#
|
#
|
||||||
|
|
||||||
SHOREWALL_LIBVERSION=40300
|
SHOREWALL_LIBVERSION=40300
|
||||||
SHOREWALL_CAPVERSION=40401
|
SHOREWALL_CAPVERSION=40402
|
||||||
|
|
||||||
[ -n "${VARDIR:=/var/lib/shorewall6}" ]
|
[ -n "${VARDIR:=/var/lib/shorewall6}" ]
|
||||||
[ -n "${SHAREDIR:=/usr/share/shorewall6}" ]
|
[ -n "${SHAREDIR:=/usr/share/shorewall6}" ]
|
||||||
@ -853,7 +853,11 @@ determine_capabilities() {
|
|||||||
qt $IP6TABLES -A $chain -m pkttype --pkt-type broadcast -j ACCEPT && USEPKTTYPE=Yes
|
qt $IP6TABLES -A $chain -m pkttype --pkt-type broadcast -j ACCEPT && USEPKTTYPE=Yes
|
||||||
qt $IP6TABLES -A $chain -m addrtype --src-type BROADCAST -j ACCEPT && ADDRTYPE=Yes
|
qt $IP6TABLES -A $chain -m addrtype --src-type BROADCAST -j ACCEPT && ADDRTYPE=Yes
|
||||||
qt $IP6TABLES -A $chain -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT && TCPMSS_MATCH=Yes
|
qt $IP6TABLES -A $chain -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT && TCPMSS_MATCH=Yes
|
||||||
qt $IP6TABLES -A $chain -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && HASHLIMIT_MATCH=Yes
|
qt $IP6TABLES -A $chain -m hashlimit --hashlimit-upto 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && HASHLIMIT_MATCH=Yes
|
||||||
|
if [ -z "$HASHLIMIT_MATCH" ]; then
|
||||||
|
qt $IP6TABLES -A $chain -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && OLD_HL_MATCH=Yes
|
||||||
|
HASHLIMIT_MATCH=$OLD_HL_MATCH
|
||||||
|
fi
|
||||||
qt $IP6TABLES -A $chain -j NFQUEUE --queue-num 4 && NFQUEUE_TARGET=Yes
|
qt $IP6TABLES -A $chain -j NFQUEUE --queue-num 4 && NFQUEUE_TARGET=Yes
|
||||||
qt $IP6TABLES -A $chain -m realm --realm 4 && REALM_MATCH=Yes
|
qt $IP6TABLES -A $chain -m realm --realm 4 && REALM_MATCH=Yes
|
||||||
qt $IP6TABLES -A $chain -m helper --helper "ftp" && HELPER_MATCH=Yes
|
qt $IP6TABLES -A $chain -m helper --helper "ftp" && HELPER_MATCH=Yes
|
||||||
@ -917,6 +921,7 @@ report_capabilities() {
|
|||||||
report_capability "Address Type Match" $ADDRTYPE
|
report_capability "Address Type Match" $ADDRTYPE
|
||||||
report_capability "TCPMSS Match" $TCPMSS_MATCH
|
report_capability "TCPMSS Match" $TCPMSS_MATCH
|
||||||
report_capability "Hashlimit Match" $HASHLIMIT_MATCH
|
report_capability "Hashlimit Match" $HASHLIMIT_MATCH
|
||||||
|
report_capability "Old Hashlimit Match" $OLD_HL_MATCH
|
||||||
report_capability "NFQUEUE Target" $NFQUEUE_TARGET
|
report_capability "NFQUEUE Target" $NFQUEUE_TARGET
|
||||||
report_capability "Realm Match" $REALM_MATCH
|
report_capability "Realm Match" $REALM_MATCH
|
||||||
report_capability "Helper Match" $HELPER_MATCH
|
report_capability "Helper Match" $HELPER_MATCH
|
||||||
@ -972,6 +977,7 @@ report_capabilities1() {
|
|||||||
report_capability1 ADDRTYPE
|
report_capability1 ADDRTYPE
|
||||||
report_capability1 TCPMSS_MATCH
|
report_capability1 TCPMSS_MATCH
|
||||||
report_capability1 HASHLIMIT_MATCH
|
report_capability1 HASHLIMIT_MATCH
|
||||||
|
report_capability1 OLD_HL_MATCH
|
||||||
report_capability1 NFQUEUE_TARGET
|
report_capability1 NFQUEUE_TARGET
|
||||||
report_capability1 REALM_MATCH
|
report_capability1 REALM_MATCH
|
||||||
report_capability1 HELPER_MATCH
|
report_capability1 HELPER_MATCH
|
||||||
|