Commit 4b838acf, authored Jan 09, 2017 by Kaarle Ritvanen
Filter: named limits
Parent: 0a9a8db2
Showing 3 changed files with 38 additions and 1 deletion:
README.md (+13 -0)
awall/model.lua (+4 -0)
awall/modules/filter.lua (+21 -1)
README.md
...
...
@@ -221,6 +221,19 @@ the enclosing object. For [filters](#filter), the default behavior is
to apply the limit for each source address separately. For
[
logging
classes
](
#log
)
, the limit is considered absolute by default.
The packet rates contributing to the limit may be summed over multiple
[
filters
](
#filter
)
. This can be achieved by setting the optional
**name**
attribute to equal values among the related limits. Named
limits may be specific only to fixed-size blocks of either the source
or the destination address, not both. However, the address to be
considered may vary among the rules using the limit and may be
selected by setting an attribute named
**addr**
to either
**src**
(default) or
**dest**
. By default, all bits of the selected address
are taken into account, but address family
–
specific prefix
lengths can be set via the top-level
**limit**
dictionary, where the
keys correspond to limit names and values follow the syntax of
**src-mask**
and
**dest-mask**
.
### <a name="log"></a>Logging Classes
A
*logging class*
specifies how packets matching certain rules are
...
...
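Review bot: The new README paragraph describes **name** and **addr** but leaves out the two restrictions that awall/modules/filter.lua enforces in this same commit: a named limit rejects **src-mask** and **dest-mask** ('Attribute not allowed with a named limit: ...'), and **name** is accepted only on low-rate limits ('Attribute allowed only with low-rate limits: name'). Please state both here, including what counts as low-rate, so that users learn the constraints from the documentation rather than from a translation error. It would also help to say how limits that share a name are expected to relate in their count and interval settings.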
awall/model.lua
...
...
@@ -707,6 +707,10 @@ function M.Limit:init(...)
end
end
self
:
initmask
()
end
function
M
.
Limit
:
initmask
()
setdefault
(
self
,
'src-mask'
,
not
self
[
'dest-mask'
])
setdefault
(
self
,
'dest-mask'
,
false
)
...
...
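Review bot: `M.Limit:init` now dispatches to `self:initmask()`, which subclasses override, but the new method carries no comment describing its contract. Please document that it is called from `init`, that it must leave both `src-mask` and `dest-mask` set, and that an override is expected to call the base implementation, as `FilterLimit:initmask` does through `FilterLimit.super(self):initmask()`.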
awall/modules/filter.lua
...
...
@@ -24,6 +24,25 @@ local RECENT_MAX_COUNT = 20
local
FilterLimit
=
class
(
model
.
Limit
)
function
FilterLimit
:
initmask
()
if
self
.
name
then
for
_
,
attr
in
ipairs
{
'src-mask'
,
'dest-mask'
}
do
if
self
[
attr
]
then
self
:
error
(
'Attribute not allowed with a named limit: '
..
attr
)
end
end
local
limits
=
self
.
root
.
limit
self
[(
self
.
addr
or
'src'
)
..
'-mask'
]
=
limits
and
limits
[
self
.
name
]
or
true
end
FilterLimit
.
super
(
self
):
initmask
()
if
self
.
name
and
not
self
:
recentofrags
()
then
self
:
error
(
'Attribute allowed only with low-rate limits: name'
)
end
end
function
FilterLimit
:
recentofrags
(
name
)
local
count
=
self
.
count
local
interval
=
self
.
interval
...
...
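Review bot: In `FilterLimit:initmask`, `self.addr` is used to build the attribute key in `self[(self.addr or 'src')..'-mask']` with no check in this hunk that it is `src` or `dest`. A typo such as `dst` would set an unused `dst-mask` key, after which the base `initmask` applies its defaults, so the limit silently tracks the source address instead of failing. Suggest calling `self:error` for any other value. Separately, `limits and limits[self.name] or true` turns an explicit `false` entry in the top-level **limit** dictionary into `true`; if `false` is not meant to be valid there, reject it explicitly rather than letting the idiom absorb it.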
@@ -66,7 +85,8 @@ function FilterLimit:recentofrags(name)
local
rec
=
{
{
family
=
family
,
match
=
'-m recent --name '
..
name
..
' --r'
..
match
=
'-m recent --name '
..
(
self
.
name
and
'user:'
..
self
.
name
or
name
)
..
' --r'
..
({
src
=
'source'
,
dest
=
'dest'
})[
attr
]
..
' --mask '
..
mask
}
}
...
...
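Review bot: `self.name` comes from the policy file and is concatenated into the match string as `'user:'..self.name` with no validation in the lines shown. Whitespace or option-like text in the name would change how the generated `-m recent` rule is parsed. Suggest checking the name in `FilterLimit:initmask` against a conservative character set and length and raising `self:error` otherwise. The `user:` prefix itself is a sensible way to keep named lists apart from the automatically generated names.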