Tom Eastep wrote: > Tom Eastep wrote: > >> Additionally, I don't think the patch is a trivial one. >> > > So the basic patch (attached) *is* pretty trivial but it suffers from one > anomaly. > > If I place this in /etc/shorewall/policy: > > net all DROP info 20/sec:40 > > then I expect to limit the aggregate TCP connection rate from the 'net' zone > to 20/sec with a burst of 40 connections. > > With the attached patch, each individual net->zone connection rate is > limited in that way. > > Fixing that problem is left as an exercise for the reader ;-)
The attached fixes that problem as well as several problems in the original patch. -Tom -- Tom Eastep \ Nothing is foolproof to a sufficiently talented fool Shoreline, \ http://shorewall.net Washington USA \ [EMAIL PROTECTED] PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Index: Shorewall/Chains.pm
===================================================================
--- Shorewall/Chains.pm (revision 6902)
+++ Shorewall/Chains.pm (working copy)
@@ -142,6 +142,7 @@
# policy => <policy>
# loglevel => <level>
# synparams => <burst/limit>
+# synchain => <name of synparam chain>
# default => <default action>
# policy_chain => <ref to policy chain -- self-reference if this is a policy chain>
# loopcount => <number of open loops in runtime commands>
@@ -160,7 +161,7 @@
#
# Only 'referenced' chains get written to the iptables-restore input.
#
-# 'loglevel', 'synparams' and 'default' only apply to policy chains.
+# 'loglevel', 'synparams', 'synchain' and 'default' only apply to policy chains.
#
our @policy_chains;
our %chain_table;
@@ -687,7 +688,7 @@
if ($sections{RELATED} ) {
if ( $chainref->{is_policy} ) {
if ( $chainref->{synparams} ) {
- my $synchainref = ensure_chain 'filter', "[EMAIL PROTECTED]";
+ my $synchainref = ensure_chain 'filter', syn_chain $chainref->{synchain};
if ( $section eq 'DONE' ) {
if ( $chainref->{policy} =~ /^(ACCEPT|CONTINUE|QUEUE)$/ ) {
add_rule $chainref, "-p tcp --syn -j $synchainref->{name}";
@@ -699,7 +700,7 @@
} else {
my $policychainref = $filter_table->{$chainref->{policychain}};
if ( $policychainref->{synparams} ) {
- my $synchainref = ensure_chain 'filter', syn_chain $policychainref->{name};
+ my $synchainref = ensure_chain 'filter', syn_chain $policychainref->{synchain};
add_rule $chainref, "-p tcp --syn -j $synchainref->{name}";
}
}
Index: Shorewall/Config.pm
===================================================================
--- Shorewall/Config.pm (revision 6902)
+++ Shorewall/Config.pm (working copy)
@@ -288,6 +288,7 @@
OPTIMIZE => undef,
EXPORTPARAMS => undef,
SHOREWALL_COMPILER => undef,
+ EXPAND_POLICIES => undef,
#
# Packet Disposition
#
@@ -1435,6 +1436,7 @@
warning_message 'USE_ACTIONS=No is not supported by Shorewall-perl ' . $globals{VERSION} unless $config{USE_ACTIONS};
default_yes_no 'EXPORTPARAMS' , '';
+ default_yes_no 'EXPAND_POLICIES' , '';
default_yes_no 'MARK_IN_FORWARD_CHAIN' , '';
$capabilities{XCONNMARK} = '' unless $capabilities{XCONNMARK_MATCH} and $capabilities{XMARK};
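Review bot: `default_yes_no 'EXPAND_POLICIES' , '';` introduces a new shorewall.conf option, but nothing in the patch says what it enables or why it defaults to No. A one-line comment above it, e.g. `# EXPAND_POLICIES: give each zone pair covered by a wildcard policy its own policy chain (see Policy.pm)`, would point the reader at where the behaviour lives, and the option still needs an entry in the shorewall.conf documentation before release. The enclosing function begins before this hunk.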
Index: Shorewall/Rules.pm
===================================================================
--- Shorewall/Rules.pm (revision 6902)
+++ Shorewall/Rules.pm (working copy)
@@ -280,11 +280,14 @@
my $limit = $chainref->{synparams};
if ( $limit ) {
my $level = $chainref->{loglevel};
- my $synchainref = new_chain 'filter' , syn_chain $chainref->{name};
- add_rule $synchainref , "${limit}-j RETURN";
- log_rule_limit $level , $synchainref , $chainref->{name} , 'DROP', '-m limit --limit 5/min --limit-burst 5 ' , '' , 'add' , ''
- if $level ne '';
- add_rule $synchainref, '-j DROP';
+ my $synchainref = $filter_table->{syn_chain $chainref->{synchain}};
+ unless ( $synchainref ) {
+ my $synchainref = new_chain 'filter' , syn_chain $chainref->{synchain};
+ add_rule $synchainref , "${limit}-j RETURN";
+ log_rule_limit $level , $synchainref , $chainref->{name} , 'DROP', '-m limit --limit 5/min --limit-burst 5 ' , '' , 'add' , ''
+ if $level ne '';
+ add_rule $synchainref, '-j DROP';
+ }
}
}
}
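Review bot: The inner `my $synchainref = new_chain 'filter' , syn_chain $chainref->{synchain};` declares a second variable that shadows the one tested by the `unless`, so the block reads as if both referred to the same chain while they do not; dropping the inner `my` (`$synchainref = new_chain 'filter' , syn_chain $chainref->{synchain};`) keeps a single variable and leaves the following `add_rule` calls untouched. The shared syn chain is now created by whichever zone-pair chain reaches this code first, yet `log_rule_limit` still receives `$chainref->{name}`; if that argument feeds the log prefix, drops from every sibling chain will be tagged with the first chain's name rather than the policy's, so `$chainref->{synchain}` is the more accurate label there. The enclosing sub begins before this hunk.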
Index: Shorewall/Policy.pm
===================================================================
--- Shorewall/Policy.pm (revision 6902)
+++ Shorewall/Policy.pm (working copy)
@@ -63,7 +63,18 @@
my $chainref1 = $filter_table->{$chain1};
$chainref1 = new_chain 'filter', $chain1 unless $chainref1;
unless ( $chainref1->{policychain} ) {
- $chainref1->{policychain} = $chainref->{name};
+ if ( $config{EXPAND_POLICIES} && $chainref ne $chainref1 ) {
+ $chainref1->{policychain} = $chain1;
+ $chainref1->{loglevel} = $chainref->{loglevel} if defined $chainref->{loglevel};
+ $chainref1->{synparams} = $chainref->{synparams} if defined $chainref->{synparams};
+ $chainref1->{synchain} = $chainref->{name} if defined $chainref->{synparams};
+ $chainref1->{default} = $chainref->{default} if defined $chainref->{default};
+ $chainref1->{is_policy} = 1;
+ push @policy_chains, $chainref1;
+ } else {
+ $chainref1->{policychain} = $chainref->{name};
+ }
+
$chainref1->{policy} = $policy;
}
}
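Review bot: `$chainref1->{synchain} = $chainref->{name} if defined $chainref->{synparams};` rebuilds the syn-chain name from the policy chain's name instead of copying the field Policy.pm sets alongside synparams; `$chainref1->{synchain} = $chainref->{synchain} if defined $chainref->{synchain};` keeps the two in step if that naming ever changes. Comparing the two hashrefs with `ne` works through stringification, but `!=` states the identity test more directly. The enclosing sub begins before this hunk.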
@@ -209,15 +220,20 @@
$chainref->{is_policy} = 1;
$chainref->{policy} = $policy;
$chainref->{policychain} = $chain;
- push @policy_chains, ( $chainref );
+ push @policy_chains, ( $chainref ) unless $config{EXPAND_POLICIES} && ( $clientwild || $serverwild );
}
} else {
$chainref = new_policy_chain $chain, $policy, 0;
- push @policy_chains, ( $chainref );
+ push @policy_chains, ( $chainref ) unless $config{EXPAND_POLICIES} && ( $clientwild || $serverwild );
}
$chainref->{loglevel} = $loglevel if defined $loglevel && $loglevel ne '';
- $chainref->{synparams} = do_ratelimit $synparams, 'ACCEPT' if $synparams ne '';
+
+ if ( $synparams ne '' ) {
+ $chainref->{synparams} = do_ratelimit $synparams, 'ACCEPT';
+ $chainref->{synchain} = $chain
+ }
+
$chainref->{default} = $default if $default;
if ( $clientwild ) {
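Review bot: `$chainref->{synchain} = $chain` at the end of the new `if ( $synparams ne '' )` block has no terminating semicolon; Perl accepts it as the last statement of the block, but it is the only unterminated statement in the visible code and will bite the next edit that appends a line there. The same `unless $config{EXPAND_POLICIES} && ( $clientwild || $serverwild )` guard is now repeated on both `push @policy_chains` calls; binding it once to a named flag (e.g. `my $expand = $config{EXPAND_POLICIES} && ( $clientwild || $serverwild );`) ahead of the if/else would keep the two from drifting apart. A wildcard policy chain withheld from @policy_chains still carries `is_policy = 1`, so code keyed on that flag (such as the synparams handling in Chains.pm) would presumably still treat it as a policy chain — worth confirming that is intended. The enclosing sub starts before and continues after this hunk.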
