On 11/3/2013 10:21 AM, Stefan Behte wrote:
> Hi,
>
>> What percentage of the incoming packets in your test matched the DROP
>> rule?
>
> 100% in my testing environment. In production during DDoS, probably 99% or so.
>
>> What other rules do you have in the mangle table?
>
> None (except the ones shorewall created).
>

Attached is a patch which allows DROP rules to be defined in the tcrules file. That will have to do.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm
index 04bcb1d..486028f 100644
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -304,7 +304,13 @@ our %tccmd;
mark => NOMARK,
mask => '',
connmark => 0,
- }
+ },
+ DROP => { match => sub( $ ) { $_[0] eq 'DROP' },
+ target => 'DROP',
+ mark => NOMARK,
+ mask => '',
+ connmark => 0
+ },
);
}
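Review bot: the new DROP entry in this table arrives with no documentation change; the patch touches only Tc.pm, so the tcrules manpage should gain a DROP entry stating that it takes no mark value (the entry uses mark => NOMARK and an empty mask) and that matching packets are discarded. The match sub is an exact, case-sensitive comparison ($_[0] eq 'DROP'), which is worth stating there as well. Style: the last key is written connmark => 0 without the trailing comma that the preceding entry's connmark => 0, carries; adding it keeps the table consistent.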
@@ -559,7 +565,13 @@ our %tccmd;
}
$cmd = '';
- }
+ },
+ DROP => sub()
+ {
+ assert ( $cmd eq 'DROP' );
+ $target = 'DROP';
+ $cmd = '';
+ },
);
if ( $source ) {
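Review bot: in the DROP handler, assert ( $cmd eq 'DROP' ) is the only check, and it cannot fail when the handler is selected through the table's match sub, which already requires $_[0] eq 'DROP'; it guards internal consistency, not user input. Nothing in the visible lines limits which chains a DROP entry may be used in. If that is enforced elsewhere, a comment here pointing to it would help; otherwise a fatal error for unsupported chain designators belongs in this handler. A one-line comment noting that DROP is a terminating target, so later tcrules entries are not evaluated for a matching packet, would also help readers, since the neighbouring handlers deal with marks.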
_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
