Filter: named limits

4b838acf · Kaarle Ritvanen · 0a9a8db2 · 4b838acf · 4b838acf · 4b838acf
Commit 4b838acf authored Jan 09, 2017 by Kaarle Ritvanen
Hide whitespace changes
Inline Side-by-side

Showing with 38 additions and 1 deletion

README.md README.md +13 -0

awall/model.lua awall/model.lua +4 -0

awall/modules/filter.lua awall/modules/filter.lua +21 -1

No files found.
--- a/README.md
+++ b/README.md
@@ -221,6 +221,19 @@ the enclosing object. For [filters](#filter), the default behavior is
 to apply the limit for each source address separately. For [logging
 classes](#log), the limit is considered absolute by default.

+The packet rates contributing to the limit may be summed over multiple
+[filters](#filter). This can be achieved by setting the optional
+**name** attribute to equal values among the related limits. Named
+limits may be specific only to fixed-size blocks of either the source
+or the destination address, not both. However, the address to be
+considered may vary among the rules using the limit and may be
+selected by setting an attribute named **addr** to either **src**
+(default) or **dest**. By default, all bits of the selected address
+are taken into account, but address family&ndash;specific prefix
+lengths can be set via the top-level **limit** dictionary, where the
+keys correspond to limit names and values follow the syntax of
+**src-mask** and **dest-mask**.
+
 ### <a name="log"></a>Logging Classes

 A *logging class* specifies how packets matching certain rules are

--- a/awall/model.lua
+++ b/awall/model.lua
@@ -707,6 +707,10 @@ function M.Limit:init(...)
      end
   end

+   self:initmask()
+end
+
+function M.Limit:initmask()
   setdefault(self, 'src-mask', not self['dest-mask'])
   setdefault(self, 'dest-mask', false)


--- a/awall/modules/filter.lua
+++ b/awall/modules/filter.lua
@@ -24,6 +24,25 @@ local RECENT_MAX_COUNT = 20

 local FilterLimit = class(model.Limit)

+function FilterLimit:initmask()
+   if self.name then
+      for _, attr in ipairs{'src-mask', 'dest-mask'} do
+        if self[attr] then
+           self:error('Attribute not allowed with a named limit: '..attr)
+        end
+      end
+
+      local limits = self.root.limit
+      self[(self.addr or 'src')..'-mask'] = limits and limits[self.name] or true
+   end
+
+   FilterLimit.super(self):initmask()
+
+   if self.name and not self:recentofrags() then
+      self:error('Attribute allowed only with low-rate limits: name')
+   end
+end
+
 function FilterLimit:recentofrags(name)
   local count = self.count
   local interval = self.interval
@@ -66,7 +85,8 @@ function FilterLimit:recentofrags(name)
      local rec = {
 	 {
 	    family=family,
-	    match='-m recent --name '..name..' --r'..
+	    match='-m recent --name '..
+	       (self.name and 'user:'..self.name or name)..' --r'..
 	       ({src='source', dest='dest'})[attr]..' --mask '..mask
 	 }
      }