Commit 6f98251b authored by Kaarle Ritvanen's avatar Kaarle Ritvanen

Limit.limitofrags: simplify rules on zero limit

parent 6f1fe072
......@@ -786,6 +786,8 @@ function M.Limit:rate() return self.count / self.interval end
function M.Limit:intrate() return math.ceil(self:rate()) end
function M.Limit:limitofrags(name)
if self.count == 0 then return {} end
local rate = self:rate()
local unit
for _, quantum in ipairs{
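Review bot: The early return `if self.count == 0 then return {} end` in `M.Limit:limitofrags` carries no comment saying what an empty fragment list means to callers; judging by the expected-output hunks further down, it appears to mean the rule is omitted entirely (the `logaccept-4`, `logdrop-5` and `logpass-4` chains go away and the filters use plain `-j ACCEPT` / `-j DROP`). That is a sensible result for a log limit, but if `limitofrags` is also reached for limits that gate a verdict, which this hunk does not show, a zero limit should end up denying traffic rather than silently removing the restriction, and the fixtures here only exercise the logging case. I would add a comment such as `-- zero limit: emit no fragments so the caller omits the rule instead of generating --limit 0/...` and confirm the non-log callers. The body of `limitofrags` continues outside the hunk.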
......
......@@ -247,40 +247,30 @@ Filter 21 {"action":"pass","log":"ulog"}
Filter 22 {"log":"zero"}
(filter-log)
inet/filter/FORWARD -j logaccept-4
inet/filter/INPUT -j logaccept-4
inet/filter/OUTPUT -j logaccept-4
inet/filter/logaccept-4 -m limit --limit 0/day -j LOG
inet/filter/logaccept-4 -j ACCEPT
inet6/filter/FORWARD -j logaccept-4
inet6/filter/INPUT -j logaccept-4
inet6/filter/OUTPUT -j logaccept-4
inet6/filter/logaccept-4 -m limit --limit 0/day -j LOG
inet6/filter/logaccept-4 -j ACCEPT
inet/filter/FORWARD -j ACCEPT
inet/filter/INPUT -j ACCEPT
inet/filter/OUTPUT -j ACCEPT
inet6/filter/FORWARD -j ACCEPT
inet6/filter/INPUT -j ACCEPT
inet6/filter/OUTPUT -j ACCEPT
Filter 23 {"action":"drop","log":"zero"}
(filter-log)
inet/filter/FORWARD -j logdrop-5
inet/filter/INPUT -j logdrop-5
inet/filter/OUTPUT -j logdrop-5
inet/filter/logdrop-5 -m limit --limit 0/day -j LOG
inet/filter/logdrop-5 -j DROP
inet6/filter/FORWARD -j logdrop-5
inet6/filter/INPUT -j logdrop-5
inet6/filter/OUTPUT -j logdrop-5
inet6/filter/logdrop-5 -m limit --limit 0/day -j LOG
inet6/filter/logdrop-5 -j DROP
inet/filter/FORWARD -j DROP
inet/filter/INPUT -j DROP
inet/filter/OUTPUT -j DROP
inet6/filter/FORWARD -j DROP
inet6/filter/INPUT -j DROP
inet6/filter/OUTPUT -j DROP
Filter 24 {"action":"pass","log":"zero"}
(filter-log)
inet/filter/FORWARD -j logpass-4
inet/filter/INPUT -j logpass-4
inet/filter/OUTPUT -j logpass-4
inet/filter/logpass-4 -m limit --limit 0/day -j LOG
inet6/filter/FORWARD -j logpass-4
inet6/filter/INPUT -j logpass-4
inet6/filter/OUTPUT -j logpass-4
inet6/filter/logpass-4 -m limit --limit 0/day -j LOG
inet/filter/FORWARD
inet/filter/INPUT
inet/filter/OUTPUT
inet6/filter/FORWARD
inet6/filter/INPUT
inet6/filter/OUTPUT
Filter 25 {"action":"pass","in":"_fw","log":"ulog"}
(log)
......@@ -725,18 +715,15 @@ hash:net family inet
:logaccept-1 - [0:0]
:logaccept-2 - [0:0]
:logaccept-3 - [0:0]
:logaccept-4 - [0:0]
:logdrop-0 - [0:0]
:logdrop-1 - [0:0]
:logdrop-2 - [0:0]
:logdrop-3 - [0:0]
:logdrop-4 - [0:0]
:logdrop-5 - [0:0]
:logpass-0 - [0:0]
:logpass-1 - [0:0]
:logpass-2 - [0:0]
:logpass-3 - [0:0]
:logpass-4 - [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A FORWARD -j ACCEPT
-A FORWARD -j logdrop-0
......@@ -759,9 +746,9 @@ hash:net family inet
-A FORWARD -j logaccept-3
-A FORWARD -j logdrop-4
-A FORWARD -j logpass-3
-A FORWARD -j logaccept-4
-A FORWARD -j logdrop-5
-A FORWARD -j logpass-4
-A FORWARD -j ACCEPT
-A FORWARD -j DROP
-A FORWARD
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
......@@ -840,9 +827,9 @@ hash:net family inet
-A INPUT -j logaccept-3
-A INPUT -j logdrop-4
-A INPUT -j logpass-3
-A INPUT -j logaccept-4
-A INPUT -j logdrop-5
-A INPUT -j logpass-4
-A INPUT -j ACCEPT
-A INPUT -j DROP
-A INPUT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -j ACCEPT
-A INPUT -p icmp -j icmp-routing
......@@ -869,9 +856,9 @@ hash:net family inet
-A OUTPUT -j logaccept-3
-A OUTPUT -j logdrop-4
-A OUTPUT -j logpass-3
-A OUTPUT -j logaccept-4
-A OUTPUT -j logdrop-5
-A OUTPUT -j logpass-4
-A OUTPUT -j ACCEPT
-A OUTPUT -j DROP
-A OUTPUT
-A OUTPUT -m limit --limit 12/minute -j ULOG
-A OUTPUT -j ACCEPT
-A OUTPUT -o eth1 -d 10.0.0.0/12 -j ACCEPT
......@@ -888,8 +875,6 @@ hash:net family inet
-A logaccept-2 -j ACCEPT
-A logaccept-3 -m limit --limit 12/minute -j ULOG
-A logaccept-3 -j ACCEPT
-A logaccept-4 -m limit --limit 0/day -j LOG
-A logaccept-4 -j ACCEPT
-A logdrop-0 -m limit --limit 1/second -j LOG
-A logdrop-0 -j DROP
-A logdrop-1 -m limit --limit 1/second -j LOG
......@@ -901,14 +886,11 @@ hash:net family inet
-A logdrop-3 -j DROP
-A logdrop-4 -m limit --limit 12/minute -j ULOG
-A logdrop-4 -j DROP
-A logdrop-5 -m limit --limit 0/day -j LOG
-A logdrop-5 -j DROP
-A logpass-0 -m limit --limit 1/second -j LOG
-A logpass-1 -j LOG
-A logpass-2 -j TEE --gateway 10.0.0.1
-A logpass-2 -j TEE --gateway 10.0.0.2
-A logpass-3 -m limit --limit 12/minute -j ULOG
-A logpass-4 -m limit --limit 0/day -j LOG
COMMIT
*mangle
:FORWARD ACCEPT [0:0]
......@@ -957,17 +939,14 @@ COMMIT
:logaccept-1 - [0:0]
:logaccept-2 - [0:0]
:logaccept-3 - [0:0]
:logaccept-4 - [0:0]
:logdrop-0 - [0:0]
:logdrop-1 - [0:0]
:logdrop-2 - [0:0]
:logdrop-3 - [0:0]
:logdrop-4 - [0:0]
:logdrop-5 - [0:0]
:logpass-0 - [0:0]
:logpass-1 - [0:0]
:logpass-2 - [0:0]
:logpass-4 - [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A FORWARD -j ACCEPT
-A FORWARD -j logdrop-0
......@@ -989,9 +968,9 @@ COMMIT
-A FORWARD
-A FORWARD -j logaccept-3
-A FORWARD -j logdrop-4
-A FORWARD -j logaccept-4
-A FORWARD -j logdrop-5
-A FORWARD -j logpass-4
-A FORWARD -j ACCEPT
-A FORWARD -j DROP
-A FORWARD
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -o eth1 -d fc00::/7 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -d fc00::/7 -j ACCEPT
......@@ -1043,9 +1022,9 @@ COMMIT
-A INPUT
-A INPUT -j logaccept-3
-A INPUT -j logdrop-4
-A INPUT -j logaccept-4
-A INPUT -j logdrop-5
-A INPUT -j logpass-4
-A INPUT -j ACCEPT
-A INPUT -j DROP
-A INPUT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -j ACCEPT
-A INPUT -p icmpv6 -j ACCEPT
......@@ -1071,9 +1050,9 @@ COMMIT
-A OUTPUT
-A OUTPUT -j logaccept-3
-A OUTPUT -j logdrop-4
-A OUTPUT -j logaccept-4
-A OUTPUT -j logdrop-5
-A OUTPUT -j logpass-4
-A OUTPUT -j ACCEPT
-A OUTPUT -j DROP
-A OUTPUT
-A OUTPUT -j ACCEPT
-A OUTPUT -o eth1 -d fc00::/7 -j ACCEPT
-A OUTPUT -p icmpv6 -j ACCEPT
......@@ -1089,8 +1068,6 @@ COMMIT
-A logaccept-2 -j TEE --gateway fc00::2
-A logaccept-2 -j ACCEPT
-A logaccept-3 -j ACCEPT
-A logaccept-4 -m limit --limit 0/day -j LOG
-A logaccept-4 -j ACCEPT
-A logdrop-0 -m limit --limit 1/second -j LOG
-A logdrop-0 -j DROP
-A logdrop-1 -m limit --limit 1/second -j LOG
......@@ -1101,13 +1078,10 @@ COMMIT
-A logdrop-3 -j TEE --gateway fc00::2
-A logdrop-3 -j DROP
-A logdrop-4 -j DROP
-A logdrop-5 -m limit --limit 0/day -j LOG
-A logdrop-5 -j DROP
-A logpass-0 -m limit --limit 1/second -j LOG
-A logpass-1 -j LOG
-A logpass-1 -j TEE --gateway fc00::1
-A logpass-2 -j TEE --gateway fc00::2
-A logpass-4 -m limit --limit 0/day -j LOG
COMMIT
*mangle
:INPUT ACCEPT [0:0]
......
......@@ -8,18 +8,15 @@
:logaccept-1 - [0:0]
:logaccept-2 - [0:0]
:logaccept-3 - [0:0]
:logaccept-4 - [0:0]
:logdrop-0 - [0:0]
:logdrop-1 - [0:0]
:logdrop-2 - [0:0]
:logdrop-3 - [0:0]
:logdrop-4 - [0:0]
:logdrop-5 - [0:0]
:logpass-0 - [0:0]
:logpass-1 - [0:0]
:logpass-2 - [0:0]
:logpass-3 - [0:0]
:logpass-4 - [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A FORWARD -j ACCEPT
-A FORWARD -j logdrop-0
......@@ -42,9 +39,9 @@
-A FORWARD -j logaccept-3
-A FORWARD -j logdrop-4
-A FORWARD -j logpass-3
-A FORWARD -j logaccept-4
-A FORWARD -j logdrop-5
-A FORWARD -j logpass-4
-A FORWARD -j ACCEPT
-A FORWARD -j DROP
-A FORWARD
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
......@@ -123,9 +120,9 @@
-A INPUT -j logaccept-3
-A INPUT -j logdrop-4
-A INPUT -j logpass-3
-A INPUT -j logaccept-4
-A INPUT -j logdrop-5
-A INPUT -j logpass-4
-A INPUT -j ACCEPT
-A INPUT -j DROP
-A INPUT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -j ACCEPT
-A INPUT -p icmp -j icmp-routing
......@@ -152,9 +149,9 @@
-A OUTPUT -j logaccept-3
-A OUTPUT -j logdrop-4
-A OUTPUT -j logpass-3
-A OUTPUT -j logaccept-4
-A OUTPUT -j logdrop-5
-A OUTPUT -j logpass-4
-A OUTPUT -j ACCEPT
-A OUTPUT -j DROP
-A OUTPUT
-A OUTPUT -m limit --limit 12/minute -j ULOG
-A OUTPUT -j ACCEPT
-A OUTPUT -o eth1 -d 10.0.0.0/12 -j ACCEPT
......@@ -171,8 +168,6 @@
-A logaccept-2 -j ACCEPT
-A logaccept-3 -m limit --limit 12/minute -j ULOG
-A logaccept-3 -j ACCEPT
-A logaccept-4 -m limit --limit 0/day -j LOG
-A logaccept-4 -j ACCEPT
-A logdrop-0 -m limit --limit 1/second -j LOG
-A logdrop-0 -j DROP
-A logdrop-1 -m limit --limit 1/second -j LOG
......@@ -184,14 +179,11 @@
-A logdrop-3 -j DROP
-A logdrop-4 -m limit --limit 12/minute -j ULOG
-A logdrop-4 -j DROP
-A logdrop-5 -m limit --limit 0/day -j LOG
-A logdrop-5 -j DROP
-A logpass-0 -m limit --limit 1/second -j LOG
-A logpass-1 -j LOG
-A logpass-2 -j TEE --gateway 10.0.0.1
-A logpass-2 -j TEE --gateway 10.0.0.2
-A logpass-3 -m limit --limit 12/minute -j ULOG
-A logpass-4 -m limit --limit 0/day -j LOG
COMMIT
*mangle
:FORWARD ACCEPT [0:0]
......
......@@ -8,17 +8,14 @@
:logaccept-1 - [0:0]
:logaccept-2 - [0:0]
:logaccept-3 - [0:0]
:logaccept-4 - [0:0]
:logdrop-0 - [0:0]
:logdrop-1 - [0:0]
:logdrop-2 - [0:0]
:logdrop-3 - [0:0]
:logdrop-4 - [0:0]
:logdrop-5 - [0:0]
:logpass-0 - [0:0]
:logpass-1 - [0:0]
:logpass-2 - [0:0]
:logpass-4 - [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A FORWARD -j ACCEPT
-A FORWARD -j logdrop-0
......@@ -40,9 +37,9 @@
-A FORWARD
-A FORWARD -j logaccept-3
-A FORWARD -j logdrop-4
-A FORWARD -j logaccept-4
-A FORWARD -j logdrop-5
-A FORWARD -j logpass-4
-A FORWARD -j ACCEPT
-A FORWARD -j DROP
-A FORWARD
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -o eth1 -d fc00::/7 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -d fc00::/7 -j ACCEPT
......@@ -94,9 +91,9 @@
-A INPUT
-A INPUT -j logaccept-3
-A INPUT -j logdrop-4
-A INPUT -j logaccept-4
-A INPUT -j logdrop-5
-A INPUT -j logpass-4
-A INPUT -j ACCEPT
-A INPUT -j DROP
-A INPUT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -j ACCEPT
-A INPUT -p icmpv6 -j ACCEPT
......@@ -122,9 +119,9 @@
-A OUTPUT
-A OUTPUT -j logaccept-3
-A OUTPUT -j logdrop-4
-A OUTPUT -j logaccept-4
-A OUTPUT -j logdrop-5
-A OUTPUT -j logpass-4
-A OUTPUT -j ACCEPT
-A OUTPUT -j DROP
-A OUTPUT
-A OUTPUT -j ACCEPT
-A OUTPUT -o eth1 -d fc00::/7 -j ACCEPT
-A OUTPUT -p icmpv6 -j ACCEPT
......@@ -140,8 +137,6 @@
-A logaccept-2 -j TEE --gateway fc00::2
-A logaccept-2 -j ACCEPT
-A logaccept-3 -j ACCEPT
-A logaccept-4 -m limit --limit 0/day -j LOG
-A logaccept-4 -j ACCEPT
-A logdrop-0 -m limit --limit 1/second -j LOG
-A logdrop-0 -j DROP
-A logdrop-1 -m limit --limit 1/second -j LOG
......@@ -152,13 +147,10 @@
-A logdrop-3 -j TEE --gateway fc00::2
-A logdrop-3 -j DROP
-A logdrop-4 -j DROP
-A logdrop-5 -m limit --limit 0/day -j LOG
-A logdrop-5 -j DROP
-A logpass-0 -m limit --limit 1/second -j LOG
-A logpass-1 -j LOG
-A logpass-1 -j TEE --gateway fc00::1
-A logpass-2 -j TEE --gateway fc00::2
-A logpass-4 -m limit --limit 0/day -j LOG
COMMIT
*mangle
:INPUT ACCEPT [0:0]
......