Skip to content

GitLab

Commit 7bb0674c authored by Kaarle Ritvanen's avatar Kaarle Ritvanen
Browse files
Options

Log: new mode: none

parent 06591454
Hide whitespace changes
Inline Side-by-side
Showing with 2237 additions and 611 deletions
README.md
View file @ 7bb0674c
......@@ -244,7 +244,8 @@ logging class names to setting objects.
A setting object may have an attribute named **mode**, which specifies
which logging facility to use. Allowed values are **log**, **nflog**,
and **ulog**. The default is **log**, i.e. in-kernel logging.
**ulog**, and **none**. The default is **log**, i.e. in-kernel
logging.
The following table shows the optional attributes valid for all
logging modes:
......
awall/modules/filter.lua
View file @ 7bb0674c
......@@ -177,7 +177,8 @@ end
function LoggingRule:combinelog(ofrags, log, action, target)
local actions = self:actofrags(log, target)
return actions[1] and
self:combine(ofrags, actions, 'log'..action, log) or ofrags
self:combine(ofrags, actions, 'log'..action, log and log:target()) or
ofrags
end
function LoggingRule:mangleoptfrags(ofrags)
......@@ -407,7 +408,7 @@ function Filter:mangleoptfrags(ofrags)
if ct then
extend(ofs, self:actofrags(self.log))
nxt = target
elseif sofs and not pl then nxt = false end
elseif sofs and not (pl and pl:target()) then nxt = false end
extend(ofs, combinations(sofs, self:actofrags(pl, nxt)))
else
......
awall/modules/log.lua
View file @ 7bb0674c
......@@ -70,6 +70,7 @@ function Log:target()
}
local mode = self.mode or 'log'
if mode == 'none' then return end
if not optmap[mode] then self:error('Invalid logging mode: '..mode) end
local res = mode:upper()
......@@ -84,7 +85,8 @@ function Log:target()
end
function Log:optfrags()
return combinations(self:matchofrags(), {{target=self:target()}})
local target = self:target()
return combinations(self:matchofrags(), {target and {target=target}})
end
function Log.get(rule, spec, default)
......
test/mandatory/filter-limit.json
View file @ 7bb0674c
......@@ -4,6 +4,8 @@
{ "conn-limit": 1, "action": "pass" },
{ "conn-limit": 1, "log": true },
{ "conn-limit": 1, "log": true, "action": "pass" },
{ "conn-limit": 1, "log": "none" },
{ "conn-limit": 1, "log": "none", "action": "pass" },
{ "conn-limit": { "count": 1, "log": false } },
{ "conn-limit": { "count": 1, "log": false }, "action": "pass" },
{ "conn-limit": { "count": 1, "log": false }, "log": true },
......@@ -12,17 +14,46 @@
"log": true,
"action": "pass"
},
{ "conn-limit": { "count": 1, "log": false }, "log": "none" },
{
"conn-limit": { "count": 1, "log": false },
"log": "none",
"action": "pass"
},
{ "conn-limit": { "count": 1, "log": "none" } },
{ "conn-limit": { "count": 1, "log": "none" }, "action": "pass" },
{ "conn-limit": { "count": 1, "log": "none" }, "log": true },
{
"conn-limit": { "count": 1, "log": "none" },
"log": true,
"action": "pass"
},
{ "conn-limit": { "count": 1, "log": "none" }, "log": "none" },
{
"conn-limit": { "count": 1, "log": "none" },
"log": "none",
"action": "pass"
},
{ "conn-limit": 30 },
{ "conn-limit": 30, "action": "pass" },
{ "conn-limit": 30, "log": true },
{ "conn-limit": 30, "log": "none" },
{ "conn-limit": { "count": 30, "log": false } },
{ "conn-limit": { "count": 30, "log": false }, "action": "pass" },
{ "conn-limit": { "count": 30, "log": false }, "log": true },
{ "conn-limit": { "count": 30, "log": false }, "log": "none" },
{ "conn-limit": { "count": 30, "log": "none" } },
{ "conn-limit": { "count": 30, "log": "none" }, "action": "pass" },
{ "conn-limit": { "count": 30, "log": "none" }, "log": true },
{ "conn-limit": { "count": 30, "log": "none" }, "log": "none" },
{ "flow-limit": 1 },
{ "flow-limit": 1, "action": "pass" },
{ "flow-limit": 1, "log": true },
{ "flow-limit": 1, "log": true, "action": "pass" },
{ "flow-limit": 1, "log": "none" },
{ "flow-limit": 1, "log": "none", "action": "pass" },
{ "flow-limit": { "count": 1, "log": false } },
{ "flow-limit": { "count": 1, "log": false }, "action": "pass" },
{ "flow-limit": { "count": 1, "log": false }, "log": true },
......@@ -31,11 +62,38 @@
"log": true,
"action": "pass"
},
{ "flow-limit": { "count": 1, "log": false }, "log": "none" },
{
"flow-limit": { "count": 1, "log": false },
"log": "none",
"action": "pass"
},
{ "flow-limit": { "count": 1, "log": "none" } },
{ "flow-limit": { "count": 1, "log": "none" }, "action": "pass" },
{ "flow-limit": { "count": 1, "log": "none" }, "log": true },
{
"flow-limit": { "count": 1, "log": "none" },
"log": true,
"action": "pass"
},
{ "flow-limit": { "count": 1, "log": "none" }, "log": "none" },
{
"flow-limit": { "count": 1, "log": "none" },
"log": "none",
"action": "pass"
},
{ "flow-limit": 30 },
{ "flow-limit": 30, "action": "pass" },
{ "flow-limit": 30, "log": true },
{ "flow-limit": 30, "log": "none" },
{ "flow-limit": { "count": 30, "log": false } },
{ "flow-limit": { "count": 30, "log": false }, "action": "pass" },
{ "flow-limit": { "count": 30, "log": false }, "log": true }
{ "flow-limit": { "count": 30, "log": false }, "log": true },
{ "flow-limit": { "count": 30, "log": false }, "log": "none" },
{ "flow-limit": { "count": 30, "log": "none" } },
{ "flow-limit": { "count": 30, "log": "none" }, "action": "pass" },
{ "flow-limit": { "count": 30, "log": "none" }, "log": true },
{ "flow-limit": { "count": 30, "log": "none" }, "log": "none" }
]
}
test/mandatory/log.json
View file @ 7bb0674c
{
"log": { "none": { "mode": "none" } },
"filter": [
{},
{ "action": "drop" },
......@@ -8,6 +9,9 @@
{ "log": false, "action": "pass" },
{ "log": true },
{ "log": true, "action": "drop" },
{ "log": true, "action": "pass" }
{ "log": true, "action": "pass" },
{ "log": "none" },
{ "log": "none", "action": "drop" },
{ "log": "none", "action": "pass" }
]
}
test/output/dump
View file @ 7bb0674c
......@@ -138,7 +138,7 @@ Filter 10 {"action":"pass","conn-limit":1,"log":true}
inet/filter/limit-3 -m recent --name limit-3 --rsource --mask 255.255.255.255 --set -m limit --limit 1/second -j LOG
inet6/filter/limit-3 -m recent --name limit-3 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -m limit --limit 1/second -j LOG
Filter 11 {"conn-limit":{"count":1,"log":false}}
Filter 11 {"conn-limit":1,"log":"none"}
(filter-limit)
inet/filter/FORWARD -j limit-4
inet6/filter/FORWARD -j limit-4
......@@ -146,12 +146,16 @@ Filter 11 {"conn-limit":{"count":1,"log":false}}
inet6/filter/INPUT -j limit-4
inet/filter/OUTPUT -j limit-4
inet6/filter/OUTPUT -j limit-4
inet/filter/limit-4 -m recent --name limit-4 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j DROP
inet6/filter/limit-4 -m recent --name limit-4 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j DROP
inet/filter/limit-4 -m recent --name limit-4 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j logdrop-5
inet6/filter/limit-4 -m recent --name limit-4 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j logdrop-5
inet/filter/logdrop-5 -m limit --limit 1/second -j LOG
inet6/filter/logdrop-5 -m limit --limit 1/second -j LOG
inet/filter/logdrop-5 -j DROP
inet6/filter/logdrop-5 -j DROP
inet/filter/limit-4 -m recent --name limit-4 --rsource --mask 255.255.255.255 --set -j ACCEPT
inet6/filter/limit-4 -m recent --name limit-4 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -j ACCEPT
Filter 12 {"action":"pass","conn-limit":{"count":1,"log":false}}
Filter 12 {"action":"pass","conn-limit":1,"log":"none"}
(filter-limit)
inet/filter/FORWARD -j limit-5
inet6/filter/FORWARD -j limit-5
......@@ -159,12 +163,16 @@ Filter 12 {"action":"pass","conn-limit":{"count":1,"log"
inet6/filter/INPUT -j limit-5
inet/filter/OUTPUT -j limit-5
inet6/filter/OUTPUT -j limit-5
inet/filter/limit-5 -m recent --name limit-5 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j DROP
inet6/filter/limit-5 -m recent --name limit-5 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j DROP
inet/filter/limit-5 -m recent --name limit-5 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j logdrop-6
inet6/filter/limit-5 -m recent --name limit-5 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j logdrop-6
inet/filter/logdrop-6 -m limit --limit 1/second -j LOG
inet6/filter/logdrop-6 -m limit --limit 1/second -j LOG
inet/filter/logdrop-6 -j DROP
inet6/filter/logdrop-6 -j DROP
inet/filter/limit-5 -m recent --name limit-5 --rsource --mask 255.255.255.255 --set
inet6/filter/limit-5 -m recent --name limit-5 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set
Filter 13 {"conn-limit":{"count":1,"log":false},"log":true}
Filter 13 {"conn-limit":{"count":1,"log":false}}
(filter-limit)
inet/filter/FORWARD -j limit-6
inet6/filter/FORWARD -j limit-6
......@@ -174,12 +182,10 @@ Filter 13 {"conn-limit":{"count":1,"log":false},"log":tr
inet6/filter/OUTPUT -j limit-6
inet/filter/limit-6 -m recent --name limit-6 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j DROP
inet6/filter/limit-6 -m recent --name limit-6 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j DROP
inet/filter/limit-6 -m limit --limit 1/second -j LOG
inet6/filter/limit-6 -m limit --limit 1/second -j LOG
inet/filter/limit-6 -m recent --name limit-6 --rsource --mask 255.255.255.255 --set -j ACCEPT
inet6/filter/limit-6 -m recent --name limit-6 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -j ACCEPT
Filter 14 {"action":"pass","conn-limit":{"count":1,"log":false},"log":true}
Filter 14 {"action":"pass","conn-limit":{"count":1,"log":false}}
(filter-limit)
inet/filter/FORWARD -j limit-7
inet6/filter/FORWARD -j limit-7
......@@ -189,10 +195,10 @@ Filter 14 {"action":"pass","conn-limit":{"count":1,"log"
inet6/filter/OUTPUT -j limit-7
inet/filter/limit-7 -m recent --name limit-7 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j DROP
inet6/filter/limit-7 -m recent --name limit-7 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j DROP
inet/filter/limit-7 -m recent --name limit-7 --rsource --mask 255.255.255.255 --set -m limit --limit 1/second -j LOG
inet6/filter/limit-7 -m recent --name limit-7 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -m limit --limit 1/second -j LOG
inet/filter/limit-7 -m recent --name limit-7 --rsource --mask 255.255.255.255 --set
inet6/filter/limit-7 -m recent --name limit-7 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set
Filter 15 {"conn-limit":30}
Filter 15 {"conn-limit":{"count":1,"log":false},"log":true}
(filter-limit)
inet/filter/FORWARD -j limit-8
inet6/filter/FORWARD -j limit-8
......@@ -200,14 +206,14 @@ Filter 15 {"conn-limit":30}
inet6/filter/INPUT -j limit-8
inet/filter/OUTPUT -j limit-8
inet6/filter/OUTPUT -j limit-8
inet/filter/limit-8 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-8 -j ACCEPT
inet6/filter/limit-8 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 128 --hashlimit-name limit-8 -j ACCEPT
inet/filter/limit-8 -m recent --name limit-8 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j DROP
inet6/filter/limit-8 -m recent --name limit-8 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j DROP
inet/filter/limit-8 -m limit --limit 1/second -j LOG
inet6/filter/limit-8 -m limit --limit 1/second -j LOG
inet/filter/limit-8 -j DROP
inet6/filter/limit-8 -j DROP
inet/filter/limit-8 -m recent --name limit-8 --rsource --mask 255.255.255.255 --set -j ACCEPT
inet6/filter/limit-8 -m recent --name limit-8 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -j ACCEPT
Filter 16 {"action":"pass","conn-limit":30}
Filter 16 {"action":"pass","conn-limit":{"count":1,"log":false},"log":true}
(filter-limit)
inet/filter/FORWARD -j limit-9
inet6/filter/FORWARD -j limit-9
......@@ -215,14 +221,12 @@ Filter 16 {"action":"pass","conn-limit":30}
inet6/filter/INPUT -j limit-9
inet/filter/OUTPUT -j limit-9
inet6/filter/OUTPUT -j limit-9
inet/filter/limit-9 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-9 -j RETURN
inet6/filter/limit-9 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 128 --hashlimit-name limit-9 -j RETURN
inet/filter/limit-9 -m limit --limit 1/second -j LOG
inet6/filter/limit-9 -m limit --limit 1/second -j LOG
inet/filter/limit-9 -j DROP
inet6/filter/limit-9 -j DROP
Filter 17 {"conn-limit":30,"log":true}
inet/filter/limit-9 -m recent --name limit-9 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j DROP
inet6/filter/limit-9 -m recent --name limit-9 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j DROP
inet/filter/limit-9 -m recent --name limit-9 --rsource --mask 255.255.255.255 --set -m limit --limit 1/second -j LOG
inet6/filter/limit-9 -m recent --name limit-9 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -m limit --limit 1/second -j LOG
Filter 17 {"conn-limit":{"count":1,"log":false},"log":"none"}
(filter-limit)
inet/filter/FORWARD -j limit-10
inet6/filter/FORWARD -j limit-10
......@@ -230,18 +234,12 @@ Filter 17 {"conn-limit":30,"log":true}
inet6/filter/INPUT -j limit-10
inet/filter/OUTPUT -j limit-10
inet6/filter/OUTPUT -j limit-10
inet/filter/limit-10 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-10 -j logaccept-0
inet6/filter/limit-10 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 128 --hashlimit-name limit-10 -j logaccept-0
inet/filter/logaccept-0 -m limit --limit 1/second -j LOG
inet6/filter/logaccept-0 -m limit --limit 1/second -j LOG
inet/filter/logaccept-0 -j ACCEPT
inet6/filter/logaccept-0 -j ACCEPT
inet/filter/limit-10 -m limit --limit 1/second -j LOG
inet6/filter/limit-10 -m limit --limit 1/second -j LOG
inet/filter/limit-10 -j DROP
inet6/filter/limit-10 -j DROP
inet/filter/limit-10 -m recent --name limit-10 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j DROP
inet6/filter/limit-10 -m recent --name limit-10 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j DROP
inet/filter/limit-10 -m recent --name limit-10 --rsource --mask 255.255.255.255 --set -j ACCEPT
inet6/filter/limit-10 -m recent --name limit-10 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -j ACCEPT
Filter 18 {"conn-limit":{"count":30,"log":false}}
Filter 18 {"action":"pass","conn-limit":{"count":1,"log":false},"log":"none"}
(filter-limit)
inet/filter/FORWARD -j limit-11
inet6/filter/FORWARD -j limit-11
......@@ -249,12 +247,12 @@ Filter 18 {"conn-limit":{"count":30,"log":false}}
inet6/filter/INPUT -j limit-11
inet/filter/OUTPUT -j limit-11
inet6/filter/OUTPUT -j limit-11
inet/filter/limit-11 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-11 -j ACCEPT
inet6/filter/limit-11 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 128 --hashlimit-name limit-11 -j ACCEPT
inet/filter/limit-11 -j DROP
inet6/filter/limit-11 -j DROP
inet/filter/limit-11 -m recent --name limit-11 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j DROP
inet6/filter/limit-11 -m recent --name limit-11 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j DROP
inet/filter/limit-11 -m recent --name limit-11 --rsource --mask 255.255.255.255 --set
inet6/filter/limit-11 -m recent --name limit-11 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set
Filter 19 {"action":"pass","conn-limit":{"count":30,"log":false}}
Filter 19 {"conn-limit":{"count":1,"log":"none"}}
(filter-limit)
inet/filter/FORWARD -j limit-12
inet6/filter/FORWARD -j limit-12
......@@ -262,12 +260,12 @@ Filter 19 {"action":"pass","conn-limit":{"count":30,"log
inet6/filter/INPUT -j limit-12
inet/filter/OUTPUT -j limit-12
inet6/filter/OUTPUT -j limit-12
inet/filter/limit-12 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-12 -j RETURN
inet6/filter/limit-12 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 128 --hashlimit-name limit-12 -j RETURN
inet/filter/limit-12 -j DROP
inet6/filter/limit-12 -j DROP
inet/filter/limit-12 -m recent --name limit-12 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j DROP
inet6/filter/limit-12 -m recent --name limit-12 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j DROP
inet/filter/limit-12 -m recent --name limit-12 --rsource --mask 255.255.255.255 --set -j ACCEPT
inet6/filter/limit-12 -m recent --name limit-12 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -j ACCEPT
Filter 20 {"conn-limit":{"count":30,"log":false},"log":true}
Filter 20 {"action":"pass","conn-limit":{"count":1,"log":"none"}}
(filter-limit)
inet/filter/FORWARD -j limit-13
inet6/filter/FORWARD -j limit-13
......@@ -275,16 +273,12 @@ Filter 20 {"conn-limit":{"count":30,"log":false},"log":t
inet6/filter/INPUT -j limit-13
inet/filter/OUTPUT -j limit-13
inet6/filter/OUTPUT -j limit-13
inet/filter/limit-13 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-13 -j logaccept-1
inet6/filter/limit-13 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 128 --hashlimit-name limit-13 -j logaccept-1
inet/filter/logaccept-1 -m limit --limit 1/second -j LOG
inet6/filter/logaccept-1 -m limit --limit 1/second -j LOG
inet/filter/logaccept-1 -j ACCEPT
inet6/filter/logaccept-1 -j ACCEPT
inet/filter/limit-13 -j DROP
inet6/filter/limit-13 -j DROP
inet/filter/limit-13 -m recent --name limit-13 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j DROP
inet6/filter/limit-13 -m recent --name limit-13 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j DROP
inet/filter/limit-13 -m recent --name limit-13 --rsource --mask 255.255.255.255 --set
inet6/filter/limit-13 -m recent --name limit-13 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set
Filter 21 {"flow-limit":1}
Filter 21 {"conn-limit":{"count":1,"log":"none"},"log":true}
(filter-limit)
inet/filter/FORWARD -j limit-14
inet6/filter/FORWARD -j limit-14
......@@ -292,22 +286,14 @@ Filter 21 {"flow-limit":1}
inet6/filter/INPUT -j limit-14
inet/filter/OUTPUT -j limit-14
inet6/filter/OUTPUT -j limit-14
inet/filter/limit-14 -m recent --name limit-14 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j logdrop-5
inet6/filter/limit-14 -m recent --name limit-14 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j logdrop-5
inet/filter/logdrop-5 -m limit --limit 1/second -j LOG
inet6/filter/logdrop-5 -m limit --limit 1/second -j LOG
inet/filter/logdrop-5 -j DROP
inet6/filter/logdrop-5 -j DROP
inet/filter/limit-14 -m recent --name limit-14 --rsource --mask 255.255.255.255 --set
inet6/filter/limit-14 -m recent --name limit-14 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set
inet/filter/FORWARD -j ACCEPT
inet6/filter/FORWARD -j ACCEPT
inet/filter/INPUT -j ACCEPT
inet6/filter/INPUT -j ACCEPT
inet/filter/OUTPUT -j ACCEPT
inet6/filter/OUTPUT -j ACCEPT
Filter 22 {"action":"pass","flow-limit":1}
inet/filter/limit-14 -m recent --name limit-14 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j DROP
inet6/filter/limit-14 -m recent --name limit-14 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j DROP
inet/filter/limit-14 -m limit --limit 1/second -j LOG
inet6/filter/limit-14 -m limit --limit 1/second -j LOG
inet/filter/limit-14 -m recent --name limit-14 --rsource --mask 255.255.255.255 --set -j ACCEPT
inet6/filter/limit-14 -m recent --name limit-14 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -j ACCEPT
Filter 22 {"action":"pass","conn-limit":{"count":1,"log":"none"},"log":true}
(filter-limit)
inet/filter/FORWARD -j limit-15
inet6/filter/FORWARD -j limit-15
......@@ -315,16 +301,12 @@ Filter 22 {"action":"pass","flow-limit":1}
inet6/filter/INPUT -j limit-15
inet/filter/OUTPUT -j limit-15
inet6/filter/OUTPUT -j limit-15
inet/filter/limit-15 -m recent --name limit-15 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j logdrop-6
inet6/filter/limit-15 -m recent --name limit-15 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j logdrop-6
inet/filter/logdrop-6 -m limit --limit 1/second -j LOG
inet6/filter/logdrop-6 -m limit --limit 1/second -j LOG
inet/filter/logdrop-6 -j DROP
inet6/filter/logdrop-6 -j DROP
inet/filter/limit-15 -m recent --name limit-15 --rsource --mask 255.255.255.255 --set
inet6/filter/limit-15 -m recent --name limit-15 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set
inet/filter/limit-15 -m recent --name limit-15 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j DROP
inet6/filter/limit-15 -m recent --name limit-15 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j DROP
inet/filter/limit-15 -m recent --name limit-15 --rsource --mask 255.255.255.255 --set -m limit --limit 1/second -j LOG
inet6/filter/limit-15 -m recent --name limit-15 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -m limit --limit 1/second -j LOG
Filter 23 {"flow-limit":1,"log":true}
Filter 23 {"conn-limit":{"count":1,"log":"none"},"log":"none"}
(filter-limit)
inet/filter/FORWARD -j limit-16
inet6/filter/FORWARD -j limit-16
......@@ -332,26 +314,12 @@ Filter 23 {"flow-limit":1,"log":true}
inet6/filter/INPUT -j limit-16
inet/filter/OUTPUT -j limit-16
inet6/filter/OUTPUT -j limit-16
inet/filter/limit-16 -m recent --name limit-16 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j logdrop-7
inet6/filter/limit-16 -m recent --name limit-16 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j logdrop-7
inet/filter/logdrop-7 -m limit --limit 1/second -j LOG
inet6/filter/logdrop-7 -m limit --limit 1/second -j LOG
inet/filter/logdrop-7 -j DROP
inet6/filter/logdrop-7 -j DROP
inet/filter/limit-16 -m recent --name limit-16 --rsource --mask 255.255.255.255 --set
inet6/filter/limit-16 -m recent --name limit-16 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set
inet/filter/FORWARD -j logaccept-final-0
inet6/filter/FORWARD -j logaccept-final-0
inet/filter/INPUT -j logaccept-final-0
inet6/filter/INPUT -j logaccept-final-0
inet/filter/OUTPUT -j logaccept-final-0
inet6/filter/OUTPUT -j logaccept-final-0
inet/filter/logaccept-final-0 -m limit --limit 1/second -j LOG
inet6/filter/logaccept-final-0 -m limit --limit 1/second -j LOG
inet/filter/logaccept-final-0 -j ACCEPT
inet6/filter/logaccept-final-0 -j ACCEPT
inet/filter/limit-16 -m recent --name limit-16 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j DROP
inet6/filter/limit-16 -m recent --name limit-16 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j DROP
inet/filter/limit-16 -m recent --name limit-16 --rsource --mask 255.255.255.255 --set -j ACCEPT
inet6/filter/limit-16 -m recent --name limit-16 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -j ACCEPT
Filter 24 {"action":"pass","flow-limit":1,"log":true}
Filter 24 {"action":"pass","conn-limit":{"count":1,"log":"none"},"log":"none"}
(filter-limit)
inet/filter/FORWARD -j limit-17
inet6/filter/FORWARD -j limit-17
......@@ -359,16 +327,12 @@ Filter 24 {"action":"pass","flow-limit":1,"log":true}
inet6/filter/INPUT -j limit-17
inet/filter/OUTPUT -j limit-17
inet6/filter/OUTPUT -j limit-17
inet/filter/limit-17 -m recent --name limit-17 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j logdrop-8
inet6/filter/limit-17 -m recent --name limit-17 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j logdrop-8
inet/filter/logdrop-8 -m limit --limit 1/second -j LOG
inet6/filter/logdrop-8 -m limit --limit 1/second -j LOG
inet/filter/logdrop-8 -j DROP
inet6/filter/logdrop-8 -j DROP
inet/filter/limit-17 -m recent --name limit-17 --rsource --mask 255.255.255.255 --set -m limit --limit 1/second -j LOG
inet6/filter/limit-17 -m recent --name limit-17 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -m limit --limit 1/second -j LOG
inet/filter/limit-17 -m recent --name limit-17 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j DROP
inet6/filter/limit-17 -m recent --name limit-17 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j DROP
inet/filter/limit-17 -m recent --name limit-17 --rsource --mask 255.255.255.255 --set
inet6/filter/limit-17 -m recent --name limit-17 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set
Filter 25 {"flow-limit":{"count":1,"log":false}}
Filter 25 {"conn-limit":30}
(filter-limit)
inet/filter/FORWARD -j limit-18
inet6/filter/FORWARD -j limit-18
......@@ -376,18 +340,14 @@ Filter 25 {"flow-limit":{"count":1,"log":false}}
inet6/filter/INPUT -j limit-18
inet/filter/OUTPUT -j limit-18
inet6/filter/OUTPUT -j limit-18
inet/filter/limit-18 -m recent --name limit-18 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j DROP
inet6/filter/limit-18 -m recent --name limit-18 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j DROP
inet/filter/limit-18 -m recent --name limit-18 --rsource --mask 255.255.255.255 --set
inet6/filter/limit-18 -m recent --name limit-18 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set
inet/filter/FORWARD -j ACCEPT
inet6/filter/FORWARD -j ACCEPT
inet/filter/INPUT -j ACCEPT
inet6/filter/INPUT -j ACCEPT
inet/filter/OUTPUT -j ACCEPT
inet6/filter/OUTPUT -j ACCEPT
Filter 26 {"action":"pass","flow-limit":{"count":1,"log":false}}
inet/filter/limit-18 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-18 -j ACCEPT
inet6/filter/limit-18 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 128 --hashlimit-name limit-18 -j ACCEPT
inet/filter/limit-18 -m limit --limit 1/second -j LOG
inet6/filter/limit-18 -m limit --limit 1/second -j LOG
inet/filter/limit-18 -j DROP
inet6/filter/limit-18 -j DROP
Filter 26 {"action":"pass","conn-limit":30}
(filter-limit)
inet/filter/FORWARD -j limit-19
inet6/filter/FORWARD -j limit-19
......@@ -395,12 +355,14 @@ Filter 26 {"action":"pass","flow-limit":{"count":1,"log"
inet6/filter/INPUT -j limit-19
inet/filter/OUTPUT -j limit-19
inet6/filter/OUTPUT -j limit-19
inet/filter/limit-19 -m recent --name limit-19 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j DROP
inet6/filter/limit-19 -m recent --name limit-19 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j DROP
inet/filter/limit-19 -m recent --name limit-19 --rsource --mask 255.255.255.255 --set
inet6/filter/limit-19 -m recent --name limit-19 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set
Filter 27 {"flow-limit":{"count":1,"log":false},"log":true}
inet/filter/limit-19 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-19 -j RETURN
inet6/filter/limit-19 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 128 --hashlimit-name limit-19 -j RETURN
inet/filter/limit-19 -m limit --limit 1/second -j LOG
inet6/filter/limit-19 -m limit --limit 1/second -j LOG
inet/filter/limit-19 -j DROP
inet6/filter/limit-19 -j DROP
Filter 27 {"conn-limit":30,"log":true}
(filter-limit)
inet/filter/FORWARD -j limit-20
inet6/filter/FORWARD -j limit-20
......@@ -408,22 +370,18 @@ Filter 27 {"flow-limit":{"count":1,"log":false},"log":tr
inet6/filter/INPUT -j limit-20
inet/filter/OUTPUT -j limit-20
inet6/filter/OUTPUT -j limit-20
inet/filter/limit-20 -m recent --name limit-20 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j DROP
inet6/filter/limit-20 -m recent --name limit-20 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j DROP
inet/filter/limit-20 -m recent --name limit-20 --rsource --mask 255.255.255.255 --set
inet6/filter/limit-20 -m recent --name limit-20 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set
inet/filter/FORWARD -j logaccept-final-1
inet6/filter/FORWARD -j logaccept-final-1
inet/filter/INPUT -j logaccept-final-1
inet6/filter/INPUT -j logaccept-final-1
inet/filter/OUTPUT -j logaccept-final-1
inet6/filter/OUTPUT -j logaccept-final-1
inet/filter/logaccept-final-1 -m limit --limit 1/second -j LOG
inet6/filter/logaccept-final-1 -m limit --limit 1/second -j LOG
inet/filter/logaccept-final-1 -j ACCEPT
inet6/filter/logaccept-final-1 -j ACCEPT
inet/filter/limit-20 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-20 -j logaccept-0
inet6/filter/limit-20 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 128 --hashlimit-name limit-20 -j logaccept-0
inet/filter/logaccept-0 -m limit --limit 1/second -j LOG
inet6/filter/logaccept-0 -m limit --limit 1/second -j LOG
inet/filter/logaccept-0 -j ACCEPT
inet6/filter/logaccept-0 -j ACCEPT
inet/filter/limit-20 -m limit --limit 1/second -j LOG
inet6/filter/limit-20 -m limit --limit 1/second -j LOG
inet/filter/limit-20 -j DROP
inet6/filter/limit-20 -j DROP
Filter 28 {"action":"pass","flow-limit":{"count":1,"log":false},"log":true}
Filter 28 {"conn-limit":30,"log":"none"}
(filter-limit)
inet/filter/FORWARD -j limit-21
inet6/filter/FORWARD -j limit-21
......@@ -431,12 +389,14 @@ Filter 28 {"action":"pass","flow-limit":{"count":1,"log"
inet6/filter/INPUT -j limit-21
inet/filter/OUTPUT -j limit-21
inet6/filter/OUTPUT -j limit-21
inet/filter/limit-21 -m recent --name limit-21 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j DROP
inet6/filter/limit-21 -m recent --name limit-21 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j DROP
inet/filter/limit-21 -m recent --name limit-21 --rsource --mask 255.255.255.255 --set -m limit --limit 1/second -j LOG
inet6/filter/limit-21 -m recent --name limit-21 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -m limit --limit 1/second -j LOG
Filter 29 {"flow-limit":30}
inet/filter/limit-21 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-21 -j ACCEPT
inet6/filter/limit-21 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 128 --hashlimit-name limit-21 -j ACCEPT
inet/filter/limit-21 -m limit --limit 1/second -j LOG
inet6/filter/limit-21 -m limit --limit 1/second -j LOG
inet/filter/limit-21 -j DROP
inet6/filter/limit-21 -j DROP
Filter 29 {"conn-limit":{"count":30,"log":false}}
(filter-limit)
inet/filter/FORWARD -j limit-22
inet6/filter/FORWARD -j limit-22
......@@ -444,20 +404,12 @@ Filter 29 {"flow-limit":30}
inet6/filter/INPUT -j limit-22
inet/filter/OUTPUT -j limit-22
inet6/filter/OUTPUT -j limit-22
inet/filter/limit-22 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-22 -j RETURN
inet6/filter/limit-22 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 128 --hashlimit-name limit-22 -j RETURN
inet/filter/limit-22 -m limit --limit 1/second -j LOG
inet6/filter/limit-22 -m limit --limit 1/second -j LOG
inet/filter/limit-22 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-22 -j ACCEPT
inet6/filter/limit-22 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 128 --hashlimit-name limit-22 -j ACCEPT
inet/filter/limit-22 -j DROP
inet6/filter/limit-22 -j DROP
inet/filter/FORWARD -j ACCEPT
inet6/filter/FORWARD -j ACCEPT
inet/filter/INPUT -j ACCEPT
inet6/filter/INPUT -j ACCEPT
inet/filter/OUTPUT -j ACCEPT
inet6/filter/OUTPUT -j ACCEPT
Filter 30 {"action":"pass","flow-limit":30}
Filter 30 {"action":"pass","conn-limit":{"count":30,"log":false}}
(filter-limit)
inet/filter/FORWARD -j limit-23
inet6/filter/FORWARD -j limit-23
......@@ -467,12 +419,10 @@ Filter 30 {"action":"pass","flow-limit":30}
inet6/filter/OUTPUT -j limit-23
inet/filter/limit-23 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-23 -j RETURN
inet6/filter/limit-23 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 128 --hashlimit-name limit-23 -j RETURN
inet/filter/limit-23 -m limit --limit 1/second -j LOG
inet6/filter/limit-23 -m limit --limit 1/second -j LOG
inet/filter/limit-23 -j DROP
inet6/filter/limit-23 -j DROP
Filter 31 {"flow-limit":30,"log":true}
Filter 31 {"conn-limit":{"count":30,"log":false},"log":true}
(filter-limit)
inet/filter/FORWARD -j limit-24
inet6/filter/FORWARD -j limit-24
......@@ -480,24 +430,16 @@ Filter 31 {"flow-limit":30,"log":true}
inet6/filter/INPUT -j limit-24
inet/filter/OUTPUT -j limit-24
inet6/filter/OUTPUT -j limit-24
inet/filter/limit-24 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-24 -j RETURN
inet6/filter/limit-24 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 128 --hashlimit-name limit-24 -j RETURN
inet/filter/limit-24 -m limit --limit 1/second -j LOG
inet6/filter/limit-24 -m limit --limit 1/second -j LOG
inet/filter/limit-24 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-24 -j logaccept-1
inet6/filter/limit-24 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 128 --hashlimit-name limit-24 -j logaccept-1
inet/filter/logaccept-1 -m limit --limit 1/second -j LOG
inet6/filter/logaccept-1 -m limit --limit 1/second -j LOG
inet/filter/logaccept-1 -j ACCEPT
inet6/filter/logaccept-1 -j ACCEPT
inet/filter/limit-24 -j DROP
inet6/filter/limit-24 -j DROP
inet/filter/FORWARD -j logaccept-final-2
inet6/filter/FORWARD -j logaccept-final-2
inet/filter/INPUT -j logaccept-final-2
inet6/filter/INPUT -j logaccept-final-2
inet/filter/OUTPUT -j logaccept-final-2
inet6/filter/OUTPUT -j logaccept-final-2
inet/filter/logaccept-final-2 -m limit --limit 1/second -j LOG
inet6/filter/logaccept-final-2 -m limit --limit 1/second -j LOG
inet/filter/logaccept-final-2 -j ACCEPT
inet6/filter/logaccept-final-2 -j ACCEPT
Filter 32 {"flow-limit":{"count":30,"log":false}}
Filter 32 {"