Rate Limiting in Rules - Part 3

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@707 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2003-08-13 18:48:28 +00:00 · 2003-08-13 18:48:28 +00:00 · e454c7fe73
commit e454c7fe73
parent ec4c44a162
4 changed files with 41 additions and 2 deletions
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@ -43,3 +43,5 @@ Changes since 1.4.6
    "shorewall monitor".

 20) Bridge interfaces (br[0-9]) can now be used in /etc/shorewall/maclist.
+
+21) Rate-limited rules added.
--- a/Shorewall/firewall
+++ b/Shorewall/firewall
@ -2510,7 +2510,7 @@ process_rule() # $1 = target
 		servers="$FW::$servers"
 	    fi
 	    ;;
-	ACCEPT)
+	ACCEPT|LOG)
 	    ;;
 	*)
 	    [ -n "$ratelimit" ] && fatal_error \
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@ -249,3 +249,40 @@ New Features:
        
 
 8) Bridge interfaces (br[0-9]) may now be used in /etc/shorewall/maclist.					       
+
+9) ACCEPT, DNAT[-], REDIRECT[-] and LOG rules defined in
+   /etc/shorewall/rules may now be rate-limited. For DNAT and
+   REDIRECT rules, rate limiting occurs in the nat table DNAT rule; the
+   corresponding ACCEPT rule in the filter table is not rate
+   limited. If you want to limit the filter table rule, you will need
+   to create two rules; a DNAT- rule and an ACCEPT rule which can be
+   rate-limited separately.
+
+   To specify a rate limit, follow ACCEPT, DNAT[-], REDIRECT[-] or LOG
+   with
+
+      < <rate>/<interval>:<burst> >
+
+   where
+
+      <rate> is the sustained rate per <interval>
+      <interval> is "sec" or "min"
+      <burst> is the largest burst accepted within an <interval>
+
+   There may be no white space between the ACTION and "<" nor there may
+   be any white space within the burst specification. If you want to
+   specify logging of a rate-limited rule, the ":" and log level comes
+   after the ">" (e.g., ACCEPT<2/sec:4>:info ).
+
+   Let's take an example:
+
+	 ACCEPT<2/sec:4>	net	dmz	tcp	80
+   
+   The first time this rule is reached, the packet will be accepted; in
+   fact, since the burst is 4, the first four packets will be
+   accepted. After this, it will be 500ms (1 second divided by the rate
+   of 2) before a packet will be accepted from this rule, regardless of
+   how many packets reach it. Also, every 500ms which passes without
+   matching a packet, one of the bursts will be regained; if no packets
+   hit the rule for 2 second, the burst will be fully recharged;
+   back where we started.
--- a/Shorewall/rules
+++ b/Shorewall/rules
@ -48,7 +48,7 @@
 #				LOG      -- Simply log the packet and continue.
 #
 #			You may rate-limit the rule by optionally
-#			following ACCEPT,DNAT[-] or REDIRECT[-] with
+#			following ACCEPT, DNAT[-], REDIRECT[-] or LOG with
 # 
 #				< <rate>/<interval>:<burst> >
 #