Tom Eastep wrote:
> > Additionally, I don't think the patch is a trivial one.
>
So the basic patch (attached) *is* pretty trivial, but it suffers from one
anomaly.
If I place this in /etc/shorewall/policy:
net all DROP info 20/sec:40
then I expect to limit the aggregate TCP connection rate from the 'net' zone
to 20/sec with a burst of 40 connections.
With the attached patch, each individual net->zone connection rate is
limited in that way.
Fixing that problem is left as an exercise for the reader ;-)
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ [EMAIL PROTECTED]
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Index: Shorewall/Config.pm
===================================================================
--- Shorewall/Config.pm (revision 6893)
+++ Shorewall/Config.pm (working copy)
@@ -288,6 +288,7 @@
OPTIMIZE => undef,
EXPORTPARAMS => undef,
SHOREWALL_COMPILER => undef,
+ EXPAND_POLICIES => undef,
#
# Packet Disposition
#
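Review bot: the new EXPAND_POLICIES entry is added to the option table with no accompanying documentation and no default other than undef, so a reader of this patch cannot tell whether it is a Yes/No option or what the default behaviour is. Add a short comment next to the entry (or a note in the patch description) stating that it is a boolean that defaults to off, and confirm that the `$config{EXPAND_POLICIES}` tests in Policy.pm only ever see the normalized value rather than the raw string from the config file.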
Index: Shorewall/Policy.pm
===================================================================
--- Shorewall/Policy.pm (revision 6893)
+++ Shorewall/Policy.pm (working copy)
@@ -63,7 +63,16 @@
my $chainref1 = $filter_table->{$chain1};
$chainref1 = new_chain 'filter', $chain1 unless $chainref1;
unless ( $chainref1->{policychain} ) {
- $chainref1->{policychain} = $chainref->{name};
+
+ if ( $config{EXPAND_POLICIES} && $chainref ne $chainref1 ) {
+ $chainref1->{policychain} = $chain1;
+ $chainref1->{loglevel} = $chainref->{loglevel} if defined $chainref->{loglevel};
+ $chainref1->{synparams} = $chainref->{synparams} if defined $chainref->{synparams};
+ $chainref1->{default} = $chainref->{default} if defined $chainref->{default};
+ } else {
+ $chainref1->{policychain} = $chainref->{name};
+ }
+
$chainref1->{policy} = $policy;
}
}
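Review bot: the line `$chainref1->{synparams} = $chainref->{synparams} if defined $chainref->{synparams};` is where the anomaly described in the message comes from: with EXPAND_POLICIES set, every net2<zone> chain receives its own copy of the 20/sec:40 parameters, so each pair is limited independently instead of the aggregate. If the per-pair expansion is kept, the rate limit should not be duplicated into each expanded chain; one option is to leave synparams on the wildcard chain and have the expanded chains jump to a single chain carrying the one limit rule. Two minor points: `$chainref ne $chainref1` compares the two hash references by their stringified addresses, which works but would read more clearly as a comparison of chain names (`$chainref->{name} ne $chain1`), and the blank `+` lines before the `if` and after its closing brace add whitespace the surrounding code does not use.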
@@ -209,11 +218,11 @@
$chainref->{is_policy} = 1;
$chainref->{policy} = $policy;
$chainref->{policychain} = $chain;
- push @policy_chains, ( $chainref );
+ push @policy_chains, ( $chainref ) unless $config{EXPAND_POLICIES} && ( $clientwild || $serverwild );
}
} else {
$chainref = new_policy_chain $chain, $policy, 0;
- push @policy_chains, ( $chainref );
+ push @policy_chains, ( $chainref ) unless $config{EXPAND_POLICIES} && ( $clientwild || $serverwild );
}
$chainref->{loglevel} = $loglevel if defined $loglevel && $loglevel ne '';
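Review bot: the guard `unless $config{EXPAND_POLICIES} && ( $clientwild || $serverwild )` is repeated verbatim on both the `if` and the `else` branch; hoist the push out of the conditional so the condition lives in one place. More importantly, when the guard fires the wildcard chain has still been created (new_policy_chain is still called on the else branch, and is_policy, policy and policychain are still set on the if branch) but is no longer recorded in @policy_chains, and the `$chainref->{loglevel} = $loglevel` assignment on the following line still applies to it. Confirm that nothing later walks @policy_chains to emit or reference those chains; otherwise the expanded configuration leaves a created-but-unlisted policy chain behind.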
_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
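The anomaly described in the message, as an added example that is not part of the original post and not Shorewall or netfilter code: a token-bucket model of the iptables `limit` match that the `20/sec:40` policy parameter is compiled into, replayed over constructed traffic under three chain layouts. "aggregate" is the un-expanded case (one net2all chain holds the single limit rule), "expanded" is what the posted patch produces (each net2<zone> chain gets its own copy of synparams and so its own bucket), and "shared" is one way the reader's exercise could be done (expanded chains all jump to one chain carrying the one limit rule). The chain names net2all, net2loc, net2dmz and net_limit, the traffic pattern, and the shared-chain layout are assumptions for illustration, not taken from the patch.

```python
"""Token-bucket model of the aggregate-vs-per-chain rate-limit anomaly.

Added illustration, not Shorewall or netfilter code.  It approximates the
iptables '-m limit --limit 20/sec --limit-burst 40' match that the policy
entry 'net all DROP info 20/sec:40' compiles to, and replays constructed
traffic under three assumed chain layouts.
"""
from collections import Counter

SCALE = 1000          # token units per connection; integer math keeps the counts exact
RATE_PER_SEC = 20     # from '20/sec:40'
BURST = 40


class LimitMatch:
    """One limit rule: a bucket refilled at RATE_PER_SEC, capped at BURST."""

    def __init__(self, rate_per_sec=RATE_PER_SEC, burst=BURST):
        self.per_ms = rate_per_sec * SCALE // 1000   # units per millisecond (exact for 20/sec)
        self.cap = burst * SCALE
        self.tokens = self.cap                       # a fresh rule starts with a full burst
        self.last_ms = 0

    def accept(self, now_ms):
        """Refill for the elapsed time, then spend one token if one is available."""
        self.tokens = min(self.cap, self.tokens + (now_ms - self.last_ms) * self.per_ms)
        self.last_ms = now_ms
        if self.tokens >= SCALE:
            self.tokens -= SCALE
            return True
        return False


# Which chain (and therefore which bucket) a net->zone SYN hits.
# Chain names are assumed for illustration.
CHAIN_FOR = {
    # EXPAND_POLICIES off: one net2all policy chain carries the single limit rule
    "aggregate": lambda zone: "net2all",
    # the posted patch: every net2<zone> chain gets its own copy of synparams
    "expanded": lambda zone: f"net2{zone}",
    # assumed alternative: expanded chains all jump to one shared limit chain
    "shared": lambda zone: "net_limit",
}


def scenario():
    """Constructed traffic (not a capture): 200 SYNs at t=0 spread over two
    zones, then, after a 2 s pause that refills every bucket, 100 SYN/s
    alternating between the zones for 10 s."""
    zones = ("loc", "dmz")
    flood = [(0, zones[i % 2], "flood") for i in range(200)]
    stream = [(2000 + 10 * k, zones[k % 2], "stream") for k in range(1000)]
    return flood + stream


def accepted_per_phase(mode):
    """Replay the scenario under one chain layout; return accepted SYNs per phase."""
    buckets, accepted = {}, Counter()
    for ms, zone, phase in scenario():
        chain = CHAIN_FOR[mode](zone)
        if chain not in buckets:
            buckets[chain] = LimitMatch()
        if buckets[chain].accept(ms):
            accepted[phase] += 1
    return dict(accepted)


if __name__ == "__main__":
    for mode in CHAIN_FOR:
        print(f"{mode:>9}: {accepted_per_phase(mode)}")
```

With the single net2all chain the flood admits 40 connections and the 10 s stream about 239 (burst plus 20/sec), whereas with the patch's per-pair copies of synparams the same traffic admits 80 and 478: each net->zone pair gets its own 20/sec with a burst of 40, so the aggregate allowed from the net zone doubles with the number of zones. The shared-chain layout restores the aggregate numbers, which is the property the policy line was meant to express.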
