Add capability to detect old hashlimit syntax

Tom Eastep 2009-09-23 16:56:31 -04:00
parent 428c3d1e4e
commit d84458518e
5 changed files with 36 additions and 9 deletions


@ -1531,12 +1531,14 @@ sub do_ratelimit( $$ ) {
require_capability 'HASHLIMIT_MATCH', 'Per-ip rate limiting' , 's'; require_capability 'HASHLIMIT_MATCH', 'Per-ip rate limiting' , 's';
my $limit = "-m hashlimit "; my $limit = "-m hashlimit ";
my $match = $capabilities{OLD_HL_MATCH} ? 'hashlimit' : 'hashlimit-upto';
if ( $rate =~ /^[sd]:((\w*):)?(\d+(\/(sec|min|hour|day))?):(\d+)$/ ) { if ( $rate =~ /^[sd]:((\w*):)?(\d+(\/(sec|min|hour|day))?):(\d+)$/ ) {
$limit .= "--hashlimit $3 --hashlimit-burst $6 --hashlimit-name "; $limit .= "--hashlimit $3 --hashlimit-burst $6 --hashlimit-name ";
$limit .= $2 ? $2 : 'shorewall'; $limit .= $2 ? $2 : 'shorewall';
$limit .= ' --hashlimit-mode '; $limit .= ' --hashlimit-mode ';
} elsif ( $rate =~ /^[sd]:((\w*):)?(\d+(\/(sec|min|hour|day))?)$/ ) { } elsif ( $rate =~ /^[sd]:((\w*):)?(\d+(\/(sec|min|hour|day))?)$/ ) {
$limit .= "--hashlimit-upto $3 --hashlimit-name "; $limit .= "--$match $3 --hashlimit-name ";
$limit .= $2 ? $2 : 'shorewall'; $limit .= $2 ? $2 : 'shorewall';
$limit .= ' --hashlimit-mode '; $limit .= ' --hashlimit-mode ';
} else { } else {
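Review bot: The new `$match` selection on the `my $match = $capabilities{OLD_HL_MATCH} ? ... ` line treats an undef capability the same as "new syntax available", and initialize() now defaults OLD_HL_MATCH to undef, so a capabilities file written before CAPVERSION 40402 silently produces `--hashlimit-upto` rules on an old iptables; the release note relies on users regenerating the file, and nothing here distinguishes "probed and absent" from "never probed". Worth recording that in a comment above the line, e.g. `# OLD_HL_MATCH is '' when --hashlimit-upto was accepted, true when only --hashlimit was, and undef when read from a pre-40402 capabilities file (treated as new syntax)`. Note also that the burst branch (`$limit .= "--hashlimit $3 --hashlimit-burst $6 ..."`) keeps the bare `--hashlimit` spelling on both sides, so only the no-burst branch depends on the capability; a one-line comment saying so would save the next reader from wondering why `$match` is used in one branch only. do_ratelimit's body starts and ends outside the hunk.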


@ -242,6 +242,7 @@ our %capdesc = ( NAT_ENABLED => 'NAT',
LOGMARK_TARGET => 'LOGMARK Target', LOGMARK_TARGET => 'LOGMARK Target',
IPMARK_TARGET => 'IPMARK Target', IPMARK_TARGET => 'IPMARK Target',
PERSISTENT_SNAT => 'Persistent SNAT', PERSISTENT_SNAT => 'Persistent SNAT',
OLD_HL_MATCH => 'Old Hash Limit Match',
CAPVERSION => 'Capability Version', CAPVERSION => 'Capability Version',
); );
# #
@ -328,7 +329,7 @@ sub initialize( $ ) {
EXPORT => 0, EXPORT => 0,
UNTRACKED => 0, UNTRACKED => 0,
VERSION => "4.4.2", VERSION => "4.4.2",
CAPVERSION => 40401 , CAPVERSION => 40402 ,
); );
# #
@ -566,7 +567,7 @@ sub initialize( $ ) {
NONE => '', NONE => '',
NFLOG => 'NFLOG', NFLOG => 'NFLOG',
LOGMARK => 'LOGMARK' ); LOGMARK => 'LOGMARK' );
} }
# #
# From parsing the capabilities file # From parsing the capabilities file
# #
@ -614,6 +615,7 @@ sub initialize( $ ) {
IPMARK_TARGET => undef, IPMARK_TARGET => undef,
LOG_TARGET => 1, # Assume that we have it. LOG_TARGET => 1, # Assume that we have it.
PERSISTENT_SNAT => undef, PERSISTENT_SNAT => undef,
OLD_HL_MATCH => undef,
CAPVERSION => undef, CAPVERSION => undef,
); );
# #
@ -2027,6 +2029,15 @@ sub determine_capabilities( $ ) {
$capabilities{ENHANCED_REJECT} = qt1( "$iptables -A $sillyname -j REJECT --reject-with icmp6-admt-prohibited" ); $capabilities{ENHANCED_REJECT} = qt1( "$iptables -A $sillyname -j REJECT --reject-with icmp6-admt-prohibited" );
$capabilities{COMMENTS} = qt1( qq($iptables -A $sillyname -j ACCEPT -m comment --comment "This is a comment" ) ); $capabilities{COMMENTS} = qt1( qq($iptables -A $sillyname -j ACCEPT -m comment --comment "This is a comment" ) );
$capabilities{HASHLIMIT_MATCH} = qt1( "$iptables -A $sillyname -m hashlimit --hashlimit-upto 3/min --hashlimit-burst 3 --hashlimit-name $sillyname --hashlimit-mode srcip -j ACCEPT" );
if ( $capabilities{HASHLIMIT_MATCH} ) {
$capabilities{OLD_HL_MATCH} = '';
} else {
$capabilities{OLD_HL_MATCH} = qt1( "$iptables -A $sillyname -m hashlimit --hashlimit 3/min --hashlimit-burst 3 --hashlimit-name $sillyname --hashlimit-mode srcip -j ACCEPT" );
$capabilities{HASHLIMIT_MATCH} = $capabilities{OLD_HL_MATCH};
}
if ( $capabilities{MANGLE_ENABLED} ) { if ( $capabilities{MANGLE_ENABLED} ) {
qt1( "$iptables -t mangle -N $sillyname" ); qt1( "$iptables -t mangle -N $sillyname" );
@ -2071,7 +2082,6 @@ sub determine_capabilities( $ ) {
$capabilities{USEPKTTYPE} = qt1( "$iptables -A $sillyname -m pkttype --pkt-type broadcast -j ACCEPT" ); $capabilities{USEPKTTYPE} = qt1( "$iptables -A $sillyname -m pkttype --pkt-type broadcast -j ACCEPT" );
$capabilities{ADDRTYPE} = qt1( "$iptables -A $sillyname -m addrtype --src-type BROADCAST -j ACCEPT" ); $capabilities{ADDRTYPE} = qt1( "$iptables -A $sillyname -m addrtype --src-type BROADCAST -j ACCEPT" );
$capabilities{TCPMSS_MATCH} = qt1( "$iptables -A $sillyname -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT" ); $capabilities{TCPMSS_MATCH} = qt1( "$iptables -A $sillyname -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT" );
$capabilities{HASHLIMIT_MATCH} = qt1( "$iptables -A $sillyname -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name fooX1234 --hashlimit-mode dstip -j ACCEPT" );
$capabilities{NFQUEUE_TARGET} = qt1( "$iptables -A $sillyname -j NFQUEUE --queue-num 4" ); $capabilities{NFQUEUE_TARGET} = qt1( "$iptables -A $sillyname -j NFQUEUE --queue-num 4" );
$capabilities{REALM_MATCH} = qt1( "$iptables -A $sillyname -m realm --realm 1" ); $capabilities{REALM_MATCH} = qt1( "$iptables -A $sillyname -m realm --realm 1" );
$capabilities{HELPER_MATCH} = qt1( "$iptables -A $sillyname -m helper --helper \"ftp\"" ); $capabilities{HELPER_MATCH} = qt1( "$iptables -A $sillyname -m helper --helper \"ftp\"" );
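Review bot: In the determine_capabilities hunk, `$capabilities{OLD_HL_MATCH}` now carries three distinct states — `''` when the `--hashlimit-upto` probe succeeded, the truthy result of the `--hashlimit` probe when only the old form works, and undef (the initialize() default) when the value comes from a capabilities file older than 40402 — but none of this is documented, and the consumer in do_ratelimit collapses the last two cases into "new syntax". Add a comment above the `if ( $capabilities{HASHLIMIT_MATCH} ) {` block such as `# OLD_HL_MATCH: '' = new syntax works, true = only the old --hashlimit form works; left undef by initialize() until probed or read from a capabilities file`, and the same one-line remark next to `OLD_HL_MATCH => undef,` in the initialize() hash. The relocated probe also changes the test chain name from `fooX1234` to `$sillyname` and moves it ahead of the MANGLE_ENABLED block; if that ordering is deliberate (e.g. the chain must exist before the mangle probes), a short comment would help, otherwise it reads as an accidental move.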


@ -30,7 +30,7 @@
# #
SHOREWALL_LIBVERSION=40000 SHOREWALL_LIBVERSION=40000
SHOREWALL_CAPVERSION=40401 SHOREWALL_CAPVERSION=40402
[ -n "${VARDIR:=/var/lib/shorewall}" ] [ -n "${VARDIR:=/var/lib/shorewall}" ]
[ -n "${SHAREDIR:=/usr/share/shorewall}" ] [ -n "${SHAREDIR:=/usr/share/shorewall}" ]
@ -945,7 +945,11 @@ determine_capabilities() {
qt $IPTABLES -A $chain -m pkttype --pkt-type broadcast -j ACCEPT && USEPKTTYPE=Yes qt $IPTABLES -A $chain -m pkttype --pkt-type broadcast -j ACCEPT && USEPKTTYPE=Yes
qt $IPTABLES -A $chain -m addrtype --src-type BROADCAST -j ACCEPT && ADDRTYPE=Yes qt $IPTABLES -A $chain -m addrtype --src-type BROADCAST -j ACCEPT && ADDRTYPE=Yes
qt $IPTABLES -A $chain -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT && TCPMSS_MATCH=Yes qt $IPTABLES -A $chain -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT && TCPMSS_MATCH=Yes
qt $IPTABLES -A $chain -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && HASHLIMIT_MATCH=Yes qt $IPTABLES -A $chain -m hashlimit --hashlimit-upto 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && HASHLIMIT_MATCH=Yes
if [ -z "$HASHLIMIT_MATCH" ]; then
qt $IPTABLES -A $chain -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && NEW_HL_MATCH=Yes
HASHLIMIT_MATCH=$OLD_HL_MATCH
fi
qt $IPTABLES -A $chain -j NFQUEUE --queue-num 4 && NFQUEUE_TARGET=Yes qt $IPTABLES -A $chain -j NFQUEUE --queue-num 4 && NFQUEUE_TARGET=Yes
qt $IPTABLES -A $chain -m realm --realm 4 && REALM_MATCH=Yes qt $IPTABLES -A $chain -m realm --realm 4 && REALM_MATCH=Yes
qt $IPTABLES -A $chain -m helper --helper "ftp" && HELPER_MATCH=Yes qt $IPTABLES -A $chain -m helper --helper "ftp" && HELPER_MATCH=Yes
@ -1011,6 +1015,7 @@ report_capabilities() {
report_capability "Address Type Match" $ADDRTYPE report_capability "Address Type Match" $ADDRTYPE
report_capability "TCPMSS Match" $TCPMSS_MATCH report_capability "TCPMSS Match" $TCPMSS_MATCH
report_capability "Hashlimit Match" $HASHLIMIT_MATCH report_capability "Hashlimit Match" $HASHLIMIT_MATCH
report_capability "Old Hashlimit Match" $OLD_HL_MATCH
report_capability "NFQUEUE Target" $NFQUEUE_TARGET report_capability "NFQUEUE Target" $NFQUEUE_TARGET
report_capability "Realm Match" $REALM_MATCH report_capability "Realm Match" $REALM_MATCH
report_capability "Helper Match" $HELPER_MATCH report_capability "Helper Match" $HELPER_MATCH
@ -1069,6 +1074,7 @@ report_capabilities1() {
report_capability1 ADDRTYPE report_capability1 ADDRTYPE
report_capability1 TCPMSS_MATCH report_capability1 TCPMSS_MATCH
report_capability1 HASHLIMIT_MATCH report_capability1 HASHLIMIT_MATCH
report_capability1 OLD_HL_MATCH
report_capability1 NFQUEUE_TARGET report_capability1 NFQUEUE_TARGET
report_capability1 REALM_MATCH report_capability1 REALM_MATCH
report_capability1 HELPER_MATCH report_capability1 HELPER_MATCH
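Review bot: The fallback probe in determine_capabilities sets the wrong variable: the old-syntax `--hashlimit 4` line ends in `&& NEW_HL_MATCH=Yes`, while the very next line does `HASHLIMIT_MATCH=$OLD_HL_MATCH`, so on an iptables that only understands `--hashlimit` both OLD_HL_MATCH and HASHLIMIT_MATCH end up empty and the new "Old Hashlimit Match" report line can never show Yes. The IPv6 library's counterpart in this same commit assigns `OLD_HL_MATCH=Yes`, which is what was intended here; change the line to `qt $IPTABLES -A $chain -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && OLD_HL_MATCH=Yes`. It is also worth confirming that OLD_HL_MATCH is cleared at the top of determine_capabilities like the other capability variables (that part of the function is outside the hunk), since the `if` only assigns it on the fallback path.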


@ -215,7 +215,10 @@ Shorewall 4.4.2
correctly with no PATH. correctly with no PATH.
8) The new per-IP LIMIT feature now works with ancient iptables 8) The new per-IP LIMIT feature now works with ancient iptables
releases (e.g., 1.3.5 as found on RHEL 5). releases (e.g., 1.3.5 as found on RHEL 5). This change required
testing for an additional capability which means that those who use
a capabilities file should regenerate that file after installing
4.4.2.
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
K N O W N P R O B L E M S R E M A I N I N G K N O W N P R O B L E M S R E M A I N I N G


@ -33,7 +33,7 @@
# #
SHOREWALL_LIBVERSION=40300 SHOREWALL_LIBVERSION=40300
SHOREWALL_CAPVERSION=40401 SHOREWALL_CAPVERSION=40402
[ -n "${VARDIR:=/var/lib/shorewall6}" ] [ -n "${VARDIR:=/var/lib/shorewall6}" ]
[ -n "${SHAREDIR:=/usr/share/shorewall6}" ] [ -n "${SHAREDIR:=/usr/share/shorewall6}" ]
@ -853,7 +853,11 @@ determine_capabilities() {
qt $IP6TABLES -A $chain -m pkttype --pkt-type broadcast -j ACCEPT && USEPKTTYPE=Yes qt $IP6TABLES -A $chain -m pkttype --pkt-type broadcast -j ACCEPT && USEPKTTYPE=Yes
qt $IP6TABLES -A $chain -m addrtype --src-type BROADCAST -j ACCEPT && ADDRTYPE=Yes qt $IP6TABLES -A $chain -m addrtype --src-type BROADCAST -j ACCEPT && ADDRTYPE=Yes
qt $IP6TABLES -A $chain -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT && TCPMSS_MATCH=Yes qt $IP6TABLES -A $chain -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT && TCPMSS_MATCH=Yes
qt $IP6TABLES -A $chain -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && HASHLIMIT_MATCH=Yes qt $IP6TABLES -A $chain -m hashlimit --hashlimit-upto 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && HASHLIMIT_MATCH=Yes
if [ -z "$HASHLIMIT_MATCH" ]; then
qt $IP6TABLES -A $chain -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && OLD_HL_MATCH=Yes
HASHLIMIT_MATCH=$OLD_HL_MATCH
fi
qt $IP6TABLES -A $chain -j NFQUEUE --queue-num 4 && NFQUEUE_TARGET=Yes qt $IP6TABLES -A $chain -j NFQUEUE --queue-num 4 && NFQUEUE_TARGET=Yes
qt $IP6TABLES -A $chain -m realm --realm 4 && REALM_MATCH=Yes qt $IP6TABLES -A $chain -m realm --realm 4 && REALM_MATCH=Yes
qt $IP6TABLES -A $chain -m helper --helper "ftp" && HELPER_MATCH=Yes qt $IP6TABLES -A $chain -m helper --helper "ftp" && HELPER_MATCH=Yes
@ -917,6 +921,7 @@ report_capabilities() {
report_capability "Address Type Match" $ADDRTYPE report_capability "Address Type Match" $ADDRTYPE
report_capability "TCPMSS Match" $TCPMSS_MATCH report_capability "TCPMSS Match" $TCPMSS_MATCH
report_capability "Hashlimit Match" $HASHLIMIT_MATCH report_capability "Hashlimit Match" $HASHLIMIT_MATCH
report_capability "Old Hashlimit Match" $OLD_HL_MATCH
report_capability "NFQUEUE Target" $NFQUEUE_TARGET report_capability "NFQUEUE Target" $NFQUEUE_TARGET
report_capability "Realm Match" $REALM_MATCH report_capability "Realm Match" $REALM_MATCH
report_capability "Helper Match" $HELPER_MATCH report_capability "Helper Match" $HELPER_MATCH
@ -972,6 +977,7 @@ report_capabilities1() {
report_capability1 ADDRTYPE report_capability1 ADDRTYPE
report_capability1 TCPMSS_MATCH report_capability1 TCPMSS_MATCH
report_capability1 HASHLIMIT_MATCH report_capability1 HASHLIMIT_MATCH
report_capability1 OLD_HL_MATCH
report_capability1 NFQUEUE_TARGET report_capability1 NFQUEUE_TARGET
report_capability1 REALM_MATCH report_capability1 REALM_MATCH
report_capability1 HELPER_MATCH report_capability1 HELPER_MATCH
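Review bot: The retry block `if [ -z "$HASHLIMIT_MATCH" ]; then ... fi` in determine_capabilities has no comment explaining why the same rule is probed twice with a different option name, which is the kind of thing that gets "simplified" away later. A one-line comment above the `if`, grounded in the release note, would do: `# Older iptables (e.g. 1.3.5) only accept --hashlimit; retry with that spelling and record that the old form must be generated`. The IPv4 library in this commit carries the same block, so the comment belongs in both; the rest of determine_capabilities is outside the hunk.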