Gozem a écrit :
>
> I have been writing a new match "superlimit" which uses the existing limit
> match as base. In short, this new match limits based on a pair of
> source/mask and dest/mask.
Why not combine "-s source/mask" and "--limit"?
> Anyhow, i found a couple of strange things in the
> existing limit:
>
> 1. The lock is ONE global lock, used for all instances of limit. Why is it
> so? Just a "bug"? It should be in the ipt_ratelimti struct, with one lock
> for each instance of limit.
You're right.
>
> 2. The burst argument is, as far as I can see and understand the algorithm, a
> multiplier for the normal --limit argument. Look at this example:
Yes, it's a multiplier. The doc needs updating.
> 4. This is more about features that I'm about to add:
> - An inverter so you can match inverted:
> iptables -A INPUT -m limit --limit ! 40/s -j DRP
Yes, the inverse flag doesn't work (and I used it in my example as if
it did!). I sent the enclosed patch a moment ago. It has not
been integrated because it modifies a kernel header and can cause
incompatibility problems with previous versions. I have not yet had the
time to correct it. You can pick up my patch, correct it and re-post it
to the maintainers.
Happy hacking,
j.
--
Jérôme de Vivie
diff -urN linux/include/linux/netfilter_ipv4/ipt_limit.h
linux-ok/include/linux/netfilter_ipv4/ipt_limit.h
--- linux/include/linux/netfilter_ipv4/ipt_limit.h Fri Mar 17 19:56:20 2000
+++ linux-ok/include/linux/netfilter_ipv4/ipt_limit.h Wed Nov 7 00:04:03 2001
@@ -9,6 +9,7 @@
struct ipt_rateinfo {
u_int32_t avg; /* Average secs between packets * scale */
u_int32_t burst; /* Period multiplier for upper limit. */
+ u_int32_t inv; /* Logic to match. */
/* Used internally by the kernel */
unsigned long prev;
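Review bot: Adding `inv` in the middle of `struct ipt_rateinfo` changes the size and the offsets of a structure that userspace copies into the kernel, so an iptables built against the old header and a kernel built with the new one will disagree on the match data; this is the incompatibility the cover note concedes, and the field deserves a comment saying so rather than silence. The kernel side returns the field's value directly, so the header should also state the contract, e.g. `u_int32_t inv; /* Non-zero inverts the verdict; set by userspace, 0 or 1. */`. The struct's closing brace is outside the hunk. The ip6t_limit.h hunk below adds the identical field and needs the same comment.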
diff -urN linux/include/linux/netfilter_ipv6/ip6t_limit.h
linux-ok/include/linux/netfilter_ipv6/ip6t_limit.h
--- linux/include/linux/netfilter_ipv6/ip6t_limit.h Tue Jun 20 23:32:27 2000
+++ linux-ok/include/linux/netfilter_ipv6/ip6t_limit.h Wed Nov 7 00:03:53 2001
@@ -9,6 +9,7 @@
struct ip6t_rateinfo {
u_int32_t avg; /* Average secs between packets * scale */
u_int32_t burst; /* Period multiplier for upper limit. */
+ u_int32_t inv; /* Logic to match. */
/* Used internally by the kernel */
unsigned long prev;
diff -urN linux/net/ipv4/netfilter/ipt_limit.c linux-ok/net/ipv4/netfilter/ipt_limit.c
--- linux/net/ipv4/netfilter/ipt_limit.c Thu Aug 10 21:35:15 2000
+++ linux-ok/net/ipv4/netfilter/ipt_limit.c Wed Nov 7 00:11:49 2001
@@ -1,6 +1,6 @@
/* Kernel module to control the rate
*
- * J�r�me de Vivie <[EMAIL PROTECTED]>
+ * J�r�me de Vivie <[EMAIL PROTECTED]>
* Herv� Eychenne <[EMAIL PROTECTED]>
*
* 2 September 1999: Changed from the target RATE to the match
@@ -63,11 +63,11 @@
/* We're not limited. */
r->credit -= r->cost;
spin_unlock_bh(&limit_lock);
- return 1;
+ return ! r->inv;
}
spin_unlock_bh(&limit_lock);
- return 0;
+ return r->inv;
}
/* Precision saver. */
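Review bot: The two rewritten returns encode the inversion without a word about it, and the behaviour is not obvious: with `inv` set a packet that still has credit consumes it and yields 0, while a packet over the rate yields 1, so token accounting runs regardless of inversion. A comment above the first changed return, `/* inv only flips the verdict; credit is consumed either way */`, would make that explicit. Kernel style also writes `return !r->inv;` without the space. The enclosing match function starts before the hunk, and the ip6t_limit.c hunk further down makes the identical change.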
diff -urN linux/net/ipv6/netfilter/ip6t_limit.c
linux-ok/net/ipv6/netfilter/ip6t_limit.c
--- linux/net/ipv6/netfilter/ip6t_limit.c Mon May 22 18:50:55 2000
+++ linux-ok/net/ipv6/netfilter/ip6t_limit.c Wed Nov 7 00:14:24 2001
@@ -1,6 +1,6 @@
/* Kernel module to control the rate
*
- * J�r�me de Vivie <[EMAIL PROTECTED]>
+ * J�r�me de Vivie <[EMAIL PROTECTED]>
* Herv� Eychenne <[EMAIL PROTECTED]>
*
* 2 September 1999: Changed from the target RATE to the match
@@ -63,11 +63,11 @@
/* We're not limited. */
r->credit -= r->cost;
spin_unlock_bh(&limit_lock);
- return 1;
+ return ! r->inv;
}
spin_unlock_bh(&limit_lock);
- return 0;
+ return r->inv;
}
/* Precision saver. */
diff -urN iptables-1.2.4/extensions/libip6t_limit.c
iptables-1.2.4-ok/extensions/libip6t_limit.c
--- iptables-1.2.4/extensions/libip6t_limit.c Mon Aug 6 10:53:41 2001
+++ iptables-1.2.4-ok/extensions/libip6t_limit.c Wed Nov 7 00:59:50 2001
@@ -1,6 +1,6 @@
/* Shared library add-on to iptables to add limit support.
*
- * J�r�me de Vivie <[EMAIL PROTECTED]>
+ * J�r�me de Vivie <[EMAIL PROTECTED]>
* Herv� Eychenne <[EMAIL PROTECTED]>
*/
#include <stdio.h>
@@ -21,7 +21,7 @@
{
printf(
"limit v%s options:\n"
-"--limit avg max average match rate: default "IP6T_LIMIT_AVG"\n"
+"--limit [!] avg max average match rate: default
+"IP6T_LIMIT_AVG"\n"
" [Packets per second unless followed by \n"
" /sec /minute /hour /day postfixes]\n"
"--limit-burst number number to match in a burst, default %u\n"
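Review bot: The new help line `--limit [!] avg` documents a syntax the parser in this same file rejects: the `'%'` case still calls check_inverse and exits with "Unexpected `!' after --limit", so the only accepted form is `! --limit avg`, which is what the libipt_limit.c help hunk prints. Change it to `"[!] --limit avg max average match rate: default "IP6T_LIMIT_AVG"\n"` so the two extensions agree. The line also appears to have been wrapped by the mailer into two `+` lines, so the hunk as posted probably will not apply until it is rejoined; the libipt_limit.c help hunk has the same wrap.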
@@ -100,6 +100,8 @@
struct ip6t_rateinfo *r = (struct ip6t_rateinfo *)(*match)->data;
unsigned int num;
+ r->inv = invert;
+
switch(c) {
case '%':
if (check_inverse(optarg, &invert))
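Review bot: `r->inv = invert;` sits before the switch, so it runs for every option this parser handles, not just `--limit`; a `!` placed before the burst option silently inverts the rate instead of being rejected, and `--limit 1/s` followed by an inverted burst option overwrites inv with the later value, making the result depend on option order. Move the assignment into the `'%'` case after the check_inverse test, e.g. `if (!parse_rate(optarg, &r->avg)) exit_error(...); r->inv = invert;`, and have the burst case reject an inverted flag if it does not already. The parse function's signature and its remaining cases are outside the hunk. The libipt_limit.c parse hunk below has the same placement and the same fix.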
@@ -162,7 +164,10 @@
int numeric)
{
struct ip6t_rateinfo *r = (struct ip6t_rateinfo *)match->data;
- printf("limit: avg "); print_rate(r->avg);
+ printf("limit: avg ");
+ if(r->inv)
+ printf("! ");
+ print_rate(r->avg);
printf("burst %u ", r->burst);
}
@@ -171,7 +176,10 @@
{
struct ip6t_rateinfo *r = (struct ip6t_rateinfo *)match->data;
- printf("--limit "); print_rate(r->avg);
+ printf("--limit ");
+ if(r->inv)
+ printf("! ");
+ print_rate(r->avg);
if (r->burst != IP6T_LIMIT_BURST)
printf("--limit-burst %u ", r->burst);
}
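Review bot: The save output is now `--limit ! <rate>`, but the parser in this file rejects exactly that form ("Unexpected `!' after --limit"), so a ruleset written by ip6tables-save with an inverted limit presumably cannot be reloaded by ip6tables-restore, assuming restore feeds the line through the same option parser. Print the bang before the option instead: `if (r->inv) printf("! "); printf("--limit "); print_rate(r->avg);`. The libipt_limit.c save hunk below has the same ordering problem; the two print hunks are display-only and can keep their format. The save function's opening line is outside the hunk.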
diff -urN iptables-1.2.4/extensions/libipt_limit.c
iptables-1.2.4-ok/extensions/libipt_limit.c
--- iptables-1.2.4/extensions/libipt_limit.c Tue Oct 16 10:40:04 2001
+++ iptables-1.2.4-ok/extensions/libipt_limit.c Wed Nov 7 01:00:42 2001
@@ -1,6 +1,6 @@
/* Shared library add-on to iptables to add limit support.
*
- * J�r�me de Vivie <[EMAIL PROTECTED]>
+ * J�r�me de Vivie <[EMAIL PROTECTED]>
* Herv� Eychenne <[EMAIL PROTECTED]>
*/
#include <stdio.h>
@@ -21,7 +21,7 @@
{
printf(
"limit v%s options:\n"
-"--limit avg max average match rate: default "IPT_LIMIT_AVG"\n"
+"[!] --limit avg max average match rate: default
+"IPT_LIMIT_AVG"\n"
" [Packets per second unless followed by \n"
" /sec /minute /hour /day postfixes]\n"
"--limit-burst number number to match in a burst, default %u\n"
@@ -100,11 +100,14 @@
struct ipt_rateinfo *r = (struct ipt_rateinfo *)(*match)->data;
unsigned int num;
+ r->inv = invert;
+
switch(c) {
case '%':
if (check_inverse(optarg, &invert))
exit_error(PARAMETER_PROBLEM,
"Unexpected `!' after --limit");
+
if (!parse_rate(optarg, &r->avg))
exit_error(PARAMETER_PROBLEM,
"bad rate `%s'", optarg);
@@ -162,7 +165,10 @@
int numeric)
{
struct ipt_rateinfo *r = (struct ipt_rateinfo *)match->data;
- printf("limit: avg "); print_rate(r->avg);
+ printf("limit: avg ");
+ if(r->inv)
+ printf("! ");
+ print_rate(r->avg);
printf("burst %u ", r->burst);
}
@@ -171,7 +177,10 @@
{
struct ipt_rateinfo *r = (struct ipt_rateinfo *)match->data;
- printf("--limit "); print_rate(r->avg);
+ printf("--limit ");
+ if(r->inv)
+ printf("! ");
+ print_rate(r->avg);
if (r->burst != IPT_LIMIT_BURST)
printf("--limit-burst %u ", r->burst);
}
--- packet-filtering-HOWTO.linuxdoc.sgml Tue Nov 6 22:56:45 2001
+++ packet-filtering-HOWTO.linuxdoc.sgml-ok Wed Nov 7 01:08:43 2001
@@ -744,17 +744,17 @@
<p>Syn-flood protection:
<tscreen><verb>
-# iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
+# iptables -A FORWARD -p tcp --syn -m limit \! --limit 1/s -j DROP
</verb></tscreen>
Furtive port scanner:
<tscreen><verb>
-# iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j
ACCEPT
+# iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit \! --limit 1/s
+-j DROP
</verb></tscreen>
Ping of death:
<tscreen><verb>
-# iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
+# iptables -A FORWARD -p icmp --icmp-type echo-request -m limit \! --limit 1/s -j DROP
</verb></tscreen>
This module works like a "hysteresis door", as shown in the graph