Log syn-flood protection drops

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1799 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

STABLE2/changelog.txt

@@ -99,3 +99,7 @@ Changes in 2.0.12
 Changes in 2.0.13
 
 1) Correct typo in "shorewall add" code.
+
+Changes in 2.0.14
+
+1)  Log drops due to policy rate limiting.

STABLE2/firewall

@@ -1844,8 +1844,9 @@ setup_mac_lists() {
 setup_syn_flood_chain ()
 	# $1 = policy chain
 	# $2 = synparams
+        # $3 = loglevel
 {
-    local chain=$1
+    local chain=@$1
     local limit=$2
     local limit_burst=
 
@@ -1856,9 +1857,11 @@ setup_syn_flood_chain ()
 	    ;;
     esac
 
-    run_iptables -N @$chain
+    run_iptables -N $chain
-    run_iptables -A @$chain -m limit --limit $limit $limit_burst -j RETURN
+    run_iptables -A $chain -m limit --limit $limit $limit_burst -j RETURN
-    run_iptables -A @$chain -j DROP
+    [ -n "$3" ] && \
+	log_rule_limit $3 $chain $chain DROP "-m limit --limit 5/min --limit-burst 5" "" ""
+    run_iptables -A $chain -j DROP
 }
 
 #
@@ -5248,7 +5251,7 @@ apply_policy_rules() {
 	eval loglevel=\$${chain}_loglevel
 	eval synparams=\$${chain}_synparams
 
-	[ -n "$synparams" ] && setup_syn_flood_chain $chain $synparams
+	[ -n "$synparams" ] && setup_syn_flood_chain $chain $synparams $loglevel
 
 	if havechain $chain; then
 	    [ -n "$synparams" ] && \

STABLE2/releasenotes.txt

@@ -247,3 +247,11 @@ Problems corrected in 2.0.13
 
    /usr/share/shorewall/firewall: line 1: match_destination_hosts: command 
    not found
+-----------------------------------------------------------------------
+New Features in 2.0.14
+
+1)  Previously, when rate-limiting was specified in
+    /etc/shorewall/policy (LIMIT:BURST column), any traffic which
+    exceeded the specified rate was silently dropped. Now, if a log
+    level is given in the entry (LEVEL column) then drops are logged at
+    that level at a rate of 5/min with a burst of 5.

Shorewall2/changelog.txt

@@ -167,4 +167,7 @@ Changes since 2.0.3
 
 81) Correct OUTPUT handling of dynamic zones.
 
-82) Add adapter statistics to the output of "shorewall status".
+83) Add adapter statistics to the output of "shorewall status".
+
+84) Log drops due to policy rate limiting.
+

Shorewall2/firewall

@@ -2082,8 +2082,9 @@ setup_mac_lists() {
 setup_syn_flood_chain ()
 	# $1 = policy chain
 	# $2 = synparams
+        # $3 = loglevel
 {
-    local chain=$1
+    local chain=@$1
     local limit=$2
     local limit_burst=
 
@@ -2094,9 +2095,11 @@ setup_syn_flood_chain ()
 	    ;;
     esac
 
-    run_iptables -N @$chain
+    run_iptables -N $chain
-    run_iptables -A @$chain -m limit --limit $limit $limit_burst -j RETURN
+    run_iptables -A $chain -m limit --limit $limit $limit_burst -j RETURN
-    run_iptables -A @$chain -j DROP
+    [ -n "$3" ] && \
+	log_rule_limit $3 $chain $chain DROP "-m limit --limit 5/min --limit-burst 5" "" ""
+    run_iptables -A $chain -j DROP
 }
 
 #
@@ -6142,7 +6145,7 @@ apply_policy_rules() {
 	eval loglevel=\$${chain}_loglevel
 	eval synparams=\$${chain}_synparams
 
-	[ -n "$synparams" ] && setup_syn_flood_chain $chain $synparams
+	[ -n "$synparams" ] && setup_syn_flood_chain $chain $synparams $loglevel
 
 	if havechain $chain; then
 	    [ -n "$synparams" ] && \

Shorewall2/releasenotes.txt

@@ -770,3 +770,9 @@ New Features:
 33) The output of "shorewall status" now includes the results of "ip
     -stat link ls". This helps diagnose performance problems caused by
     link errors.
+
+34) Previously, when rate-limiting was specified in
+    /etc/shorewall/policy (LIMIT:BURST column), any traffic which
+    exceeded the specified rate was silently dropped. Now, if a log
+    level is given in the entry (LEVEL column) then drops are logged at
+    that level at a rate of 5/min with a burst of 5.