On 7/29/10 3:18 PM, Steven Jan Springl wrote:
> If LOGLIMIT=4/sec:8 is specified then the following message is produced:
>
> ERROR: Invalid rate (4/sec:8)

Brain cramp -- I decided to deprecate LOGRATE and LOGBURST but didn't add the code to allow this form for LOGLIMIT.

> If LOGLIMIT=s:0/sec:8 is specified then the following message is produced:
>
> iptables-restore v1.4.8: hashlimit: Bad value for "--hashlimit-upto"
> option: "0/sec"
>
> If LOGLIMIT=s:4/sec:0 is specified then the following messages are produced:
>
> iptables: Numerical result out of range.
> ERROR: Command "/usr/local/sbin/iptables -A log49 -m hashlimit --hashlimit
> 4/sec --hashlimit-burst 0 --hashlimit-name lograte --hashlimit-mode srcip -j
> NFLOG --nflog-prefix "Shorewall:wan_dnat:DNAT:" -m comment --comment "LOTS
> OF BRIDGE RULES"" Failed

Editing of values has been improved. Please try the attached patch.

Thanks for testing, Steven

-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
diff --git a/Shorewall/Perl/Shorewall/Config.pm
b/Shorewall/Perl/Shorewall/Config.pm
index a6d47a8..dda4985 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -2850,33 +2850,51 @@ sub get_configuration( $ ) {
$globals{STATEMATCH} = '-m conntrack --ctstate' if have_capability
'CONNTRACK_MATCH';
if ( my $rate = $config{LOGLIMIT} ) {
- require_capability 'HASHLIMIT_MATCH', 'Per-ip log rate limiting' , 's';
-
- my $limit = "-m hashlimit ";
- my $match = have_capability( 'OLD_HL_MATCH' ) ? 'hashlimit' :
'hashlimit-upto';
- my $units;
-
- if ( $rate =~ /^[sd]:(\d+(\/(sec|min|hour|day))?):(\d+)$/ ) {
- $limit .= "--hashlimit $1 --hashlimit-burst $4 --hashlimit-name
lograte --hashlimit-mode ";
- $units = $3;
- } elsif ( $rate =~ /^[sd]:(\d+(\/(sec|min|hour|day))?)$/ ) {
- $limit .= "--$match $1 --hashlimit-name lograte --hashlimit-mode ";
- $units = $3;
- } else {
- fatal_error "Invalid rate ($rate)";
- }
+ my $limit;
- $limit .= $rate =~ /^s:/ ? 'srcip ' : 'dstip ';
+ if ( $rate =~ /^[sd]:/ ) {
+ require_capability 'HASHLIMIT_MATCH', 'Per-ip log rate limiting' ,
's';
- if ( $units && $units ne 'sec' ) {
- my $expire = 60000; # 1 minute in milliseconds
+ $limit = "-m hashlimit ";
- if ( $units ne 'min' ) {
- $expire *= 60; #At least an hour
- $expire *= 24 if $units eq 'day';
+ my $match = have_capability( 'OLD_HL_MATCH' ) ? 'hashlimit' :
'hashlimit-upto';
+ my $units;
+
+ if ( $rate =~ /^[sd]:((\d+)(\/(sec|min|hour|day))):(\d+)$/ ) {
+ fatal_error "Invalid rate ($1)" unless $2;
+ fatal_error "Invalid burst value ($5)" unless $5;
+
+ $limit .= "--hashlimit $1 --hashlimit-burst $5 --hashlimit-name
lograte --hashlimit-mode ";
+ $units = $4;
+ } elsif ( $rate =~ /^[sd]:((\d+)(\/(sec|min|hour|day))?)$/ ) {
+ fatal_error "Invalid rate ($1)" unless $2;
+ $limit .= "--$match $1 --hashlimit-name lograte
--hashlimit-mode ";
+ $units = $4;
+ } else {
+ fatal_error "Invalid rate ($rate)";
}
- $limit .= "--hashlimit-htable-expire $expire ";
+ $limit .= $rate =~ /^s:/ ? 'srcip ' : 'dstip ';
+
+ if ( $units && $units ne 'sec' ) {
+ my $expire = 60000; # 1 minute in milliseconds
+
+ if ( $units ne 'min' ) {
+ $expire *= 60; #At least an hour
+ $expire *= 24 if $units eq 'day';
+ }
+
+ $limit .= "--hashlimit-htable-expire $expire ";
+ }
+ } elsif ( $rate =~ /^((\d+)(\/(sec|min|hour|day))):(\d+)$/ ) {
+ fatal_error "Invalid rate ($1)" unless $2;
+ fatal_error "Invalid burst value ($5)" unless $5;
+ $limit = "-m limit --limit $1 --limit-burst $5 ";
+ } elsif ( $rate =~ /^(\d+)(\/(sec|min|hour|day))?$/ ) {
+ fatal_error "Invalid rate (${1}${2})" unless $1;
+ $limit = "-m limit --limit $rate ";
+ } else {
+ fatal_error "Invalid rate ($rate)";
}
$globals{LOGLIMIT} = $limit;
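Review bot: The new zero checks (`unless $2`, `unless $5`, and `unless $1` in the plain `-m limit` branch) test Perl string truth, so a value such as `00` or `000` is accepted and a zero rate or burst still reaches iptables instead of being rejected at compile time. Comparing numerically closes that gap: `fatal_error "Invalid rate ($1)" unless $2 > 0;` and `fatal_error "Invalid burst value ($5)" unless $5 > 0;`. In the last branch `$2` is undefined when no unit is given, so `"Invalid rate (${1}${2})"` interpolates undef (a warning if warnings are enabled in this module); `"Invalid rate ($rate)"` produces the same text. The hashlimit branch with a burst also keeps the hard-coded `--hashlimit` from the old code while the burst-less branch uses `--$match`, which looks inconsistent and is worth confirming against the OLD_HL_MATCH capability. get_configuration starts and ends outside the hunk.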
