Commit f11784f3 authored by Kaarle Ritvanen

Filter: fix regression with flow-limit and no-track

fixes #7456
parent a9ea2607
......@@ -394,9 +394,9 @@ function Filter:mangleoptfrags(ofrags)
local limitobj = self:create(FilterLimit, self[limit], 'limit')
local ofs
local conn = limit == 'conn-limit'
local final = self:position() == 'append'
local target = self:target()
local ct = conn and target
local ft = final and target
local pl = not target and self.log
local cofs, sofs = limitobj:recentofrags(limitchain)
......@@ -405,7 +405,7 @@ function Filter:mangleoptfrags(ofrags)
ofs = self:combinelog(cofs, limitlog, 'drop', 'DROP')
local nxt
if ct then
if ft then
extend(ofs, self:actofrags(self.log))
nxt = target
elseif sofs and not (pl and pl:target()) then nxt = false end
......@@ -415,7 +415,7 @@ function Filter:mangleoptfrags(ofrags)
if pl then incompatible('action or log') end
local limofs = limitobj:limitofrags(limitchain)
ofs = ct and Filter.super(self):mangleoptfrags(limofs) or
ofs = ft and Filter.super(self):mangleoptfrags(limofs) or
combinations(limofs, {{target='RETURN'}})
extend(ofs, self:actofrags(limitlog, 'DROP'))
......
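Review bot: `final` and `ft` in the first hunk decide whether a limit chain finishes with the rule's own target or hands the packet back, and no comment says why the rule's position is what decides it; in a rule generator, a regression in that condition changes what the generated firewall accepts. Above `local final = self:position() == 'append'` I would add something like `-- only a rule in 'append' position applies its target from inside the limit chain; any other rule lets the chain fall through or RETURN`. This reading comes from the `if ft then … nxt = target` branch and the `{{target='RETURN'}}` fallback in the later hunks, and assumes the second line of each printed pair is the new side. `Filter:mangleoptfrags` begins and ends outside the hunks shown, so the wording should be checked against the full body.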
......@@ -94,6 +94,208 @@
{ "flow-limit": { "count": 30, "log": "none" } },
{ "flow-limit": { "count": 30, "log": "none" }, "action": "pass" },
{ "flow-limit": { "count": 30, "log": "none" }, "log": true },
{ "flow-limit": { "count": 30, "log": "none" }, "log": "none" }
{ "flow-limit": { "count": 30, "log": "none" }, "log": "none" },
{ "in": "A", "out": "_fw", "flow-limit": 1, "no-track": true },
{
"in": "A",
"out": "_fw",
"flow-limit": 1,
"action": "pass",
"no-track": true
},
{
"in": "A",
"out": "_fw",
"flow-limit": 1,
"log": true,
"no-track": true
},
{
"in": "A",
"out": "_fw",
"flow-limit": 1,
"log": true,
"action": "pass",
"no-track": true
},
{
"in": "A",
"out": "_fw",
"flow-limit": 1,
"log": "none",
"no-track": true
},
{
"in": "A",
"out": "_fw",
"flow-limit": 1,
"log": "none",
"action": "pass",
"no-track": true
},
{
"in": "A",
"out": "_fw",
"flow-limit": { "count": 1, "log": false },
"no-track": true
},
{
"in": "A",
"out": "_fw",
"flow-limit": { "count": 1, "log": false },
"action": "pass",
"no-track": true
},
{
"in": "A",
"out": "_fw",
"flow-limit": { "count": 1, "log": false },
"log": true,
"no-track": true
},
{
"in": "A",
"out": "_fw",
"flow-limit": { "count": 1, "log": false },
"log": true,
"action": "pass",
"no-track": true
},
{
"in": "A",
"out": "_fw",
"flow-limit": { "count": 1, "log": false },
"log": "none",
"no-track": true
},
{
"in": "A",
"out": "_fw",
"flow-limit": { "count": 1, "log": false },
"log": "none",
"action": "pass",
"no-track": true
},
{
"in": "A",
"out": "_fw",
"flow-limit": { "count": 1, "log": "none" },
"no-track": true
},
{
"in": "A",
"out": "_fw",
"flow-limit": { "count": 1, "log": "none" },
"action": "pass",
"no-track": true
},
{
"in": "A",
"out": "_fw",
"flow-limit": { "count": 1, "log": "none" },
"log": true,
"no-track": true
},
{
"in": "A",
"out": "_fw",
"flow-limit": { "count": 1, "log": "none" },
"log": true,
"action": "pass",
"no-track": true
},
{
"in": "A",
"out": "_fw",
"flow-limit": { "count": 1, "log": "none" },
"log": "none",
"no-track": true
},
{
"in": "A",
"out": "_fw",
"flow-limit": { "count": 1, "log": "none" },
"log": "none",
"action": "pass",
"no-track": true
},
{ "in": "A", "out": "_fw", "flow-limit": 30, "no-track": true },
{
"in": "A",
"out": "_fw",
"flow-limit": 30,
"action": "pass",
"no-track": true
},
{
"in": "A",
"out": "_fw",
"flow-limit": 30,
"log": true,
"no-track": true
},
{
"in": "A",
"out": "_fw",
"flow-limit": 30,
"log": "none",
"no-track": true
},
{
"in": "A",
"out": "_fw",
"flow-limit": { "count": 30, "log": false },
"no-track": true
},
{
"in": "A",
"out": "_fw",
"flow-limit": { "count": 30, "log": false },
"action": "pass",
"no-track": true
},
{
"in": "A",
"out": "_fw",
"flow-limit": { "count": 30, "log": false },
"log": true,
"no-track": true
},
{
"in": "A",
"out": "_fw",
"flow-limit": { "count": 30, "log": false },
"log": "none",
"no-track": true
},
{
"in": "A",
"out": "_fw",
"flow-limit": { "count": 30, "log": "none" },
"no-track": true
},
{
"in": "A",
"out": "_fw",
"flow-limit": { "count": 30, "log": "none" },
"action": "pass",
"no-track": true
},
{
"in": "A",
"out": "_fw",
"flow-limit": { "count": 30, "log": "none" },
"log": true,
"no-track": true
},
{
"in": "A",
"out": "_fw",
"flow-limit": { "count": 30, "log": "none" },
"log": "none",
"no-track": true
}
]
}
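Review bot: All thirty cases added in this section combine `no-track` with `flow-limit` for traffic from zone `A` to `_fw`; none in the lines shown combines `no-track` with `conn-limit`, although the condition rewritten in `Filter:mangleoptfrags` appears to no longer depend on the limit type. If that combination is accepted policy, one such case here would pin its generated chain in the expected rule dumps later in this commit; if it is meant to be refused, a test that asserts the rejection would document that. The start of this policy file is outside the section, so an existing case may already cover it.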
......@@ -61,13 +61,46 @@
:limit-58 - [0:0]
:limit-59 - [0:0]
:limit-6 - [0:0]
:limit-60 - [0:0]
:limit-61 - [0:0]
:limit-62 - [0:0]
:limit-63 - [0:0]
:limit-64 - [0:0]
:limit-65 - [0:0]
:limit-66 - [0:0]
:limit-67 - [0:0]
:limit-68 - [0:0]
:limit-69 - [0:0]
:limit-7 - [0:0]
:limit-70 - [0:0]
:limit-71 - [0:0]
:limit-72 - [0:0]
:limit-73 - [0:0]
:limit-74 - [0:0]
:limit-75 - [0:0]
:limit-76 - [0:0]
:limit-77 - [0:0]
:limit-78 - [0:0]
:limit-79 - [0:0]
:limit-8 - [0:0]
:limit-80 - [0:0]
:limit-81 - [0:0]
:limit-82 - [0:0]
:limit-83 - [0:0]
:limit-84 - [0:0]
:limit-85 - [0:0]
:limit-86 - [0:0]
:limit-87 - [0:0]
:limit-88 - [0:0]
:limit-89 - [0:0]
:limit-9 - [0:0]
:logaccept-0 - [0:0]
:logaccept-1 - [0:0]
:logaccept-2 - [0:0]
:logaccept-3 - [0:0]
:logaccept-4 - [0:0]
:logaccept-5 - [0:0]
:logaccept-6 - [0:0]
:logaccept-final-0 - [0:0]
:logaccept-final-1 - [0:0]
:logaccept-final-2 - [0:0]
......@@ -81,7 +114,13 @@
:logdrop-12 - [0:0]
:logdrop-13 - [0:0]
:logdrop-14 - [0:0]
:logdrop-15 - [0:0]
:logdrop-16 - [0:0]
:logdrop-17 - [0:0]
:logdrop-18 - [0:0]
:logdrop-19 - [0:0]
:logdrop-2 - [0:0]
:logdrop-20 - [0:0]
:logdrop-3 - [0:0]
:logdrop-4 - [0:0]
:logdrop-5 - [0:0]
......@@ -179,13 +218,13 @@
-A FORWARD -j logaccept-final-5
-A FORWARD -j ACCEPT
-A FORWARD -j ACCEPT
-A FORWARD -j logdrop-13
-A FORWARD -j logdrop-19
-A FORWARD
-A FORWARD -j ACCEPT
-A FORWARD -j DROP
-A FORWARD
-A FORWARD -j logaccept-3
-A FORWARD -j logdrop-14
-A FORWARD -j logaccept-6
-A FORWARD -j logdrop-20
-A FORWARD -j logpass-0
-A FORWARD -j ACCEPT
-A FORWARD -j DROP
......@@ -332,14 +371,44 @@
-A INPUT -j ACCEPT
-A INPUT -j logaccept-final-5
-A INPUT -j ACCEPT
-A INPUT -i eth0 -j limit-60
-A INPUT -i eth0 -j limit-61
-A INPUT -i eth0 -j limit-62
-A INPUT -i eth0 -j limit-63
-A INPUT -i eth0 -j limit-64
-A INPUT -i eth0 -j limit-65
-A INPUT -i eth0 -j limit-66
-A INPUT -i eth0 -j limit-67
-A INPUT -i eth0 -j limit-68
-A INPUT -i eth0 -j limit-69
-A INPUT -i eth0 -j limit-70
-A INPUT -i eth0 -j limit-71
-A INPUT -i eth0 -j limit-72
-A INPUT -i eth0 -j limit-73
-A INPUT -i eth0 -j limit-74
-A INPUT -i eth0 -j limit-75
-A INPUT -i eth0 -j limit-76
-A INPUT -i eth0 -j limit-77
-A INPUT -i eth0 -j limit-78
-A INPUT -i eth0 -j limit-79
-A INPUT -i eth0 -j limit-80
-A INPUT -i eth0 -j limit-81
-A INPUT -i eth0 -j limit-82
-A INPUT -i eth0 -j limit-83
-A INPUT -i eth0 -j limit-84
-A INPUT -i eth0 -j limit-85
-A INPUT -i eth0 -j limit-86
-A INPUT -i eth0 -j limit-87
-A INPUT -i eth0 -j limit-88
-A INPUT -i eth0 -j limit-89
-A INPUT -j ACCEPT
-A INPUT -j logdrop-13
-A INPUT -j logdrop-19
-A INPUT
-A INPUT -j ACCEPT
-A INPUT -j DROP
-A INPUT
-A INPUT -j logaccept-3
-A INPUT -j logdrop-14
-A INPUT -j logaccept-6
-A INPUT -j logdrop-20
-A INPUT -j logpass-0
-A INPUT -j ACCEPT
-A INPUT -j DROP
......@@ -442,14 +511,32 @@
-A OUTPUT -j ACCEPT
-A OUTPUT -j logaccept-final-5
-A OUTPUT -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
-A OUTPUT -j ACCEPT
-A OUTPUT -j logdrop-13
-A OUTPUT -j logdrop-19
-A OUTPUT
-A OUTPUT -j ACCEPT
-A OUTPUT -j DROP
-A OUTPUT
-A OUTPUT -j logaccept-3
-A OUTPUT -j logdrop-14
-A OUTPUT -j logaccept-6
-A OUTPUT -j logdrop-20
-A OUTPUT -j logpass-0
-A OUTPUT -j ACCEPT
-A OUTPUT -j DROP
......@@ -593,11 +680,78 @@
-A limit-59 -j DROP
-A limit-6 -m recent --name limit-6 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j DROP
-A limit-6 -m recent --name limit-6 --rsource --mask 255.255.255.255 --set -j ACCEPT
-A limit-60 -m recent --name limit-60 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j logdrop-13
-A limit-60 -m recent --name limit-60 --rsource --mask 255.255.255.255 --set -j ACCEPT
-A limit-61 -m recent --name limit-61 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j logdrop-14
-A limit-61 -m recent --name limit-61 --rsource --mask 255.255.255.255 --set
-A limit-62 -m recent --name limit-62 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j logdrop-15
-A limit-62 -m limit --limit 1/second -j LOG
-A limit-62 -m recent --name limit-62 --rsource --mask 255.255.255.255 --set -j ACCEPT
-A limit-63 -m recent --name limit-63 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j logdrop-16
-A limit-63 -m recent --name limit-63 --rsource --mask 255.255.255.255 --set -m limit --limit 1/second -j LOG
-A limit-64 -m recent --name limit-64 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j logdrop-17
-A limit-64 -m recent --name limit-64 --rsource --mask 255.255.255.255 --set -j ACCEPT
-A limit-65 -m recent --name limit-65 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j logdrop-18
-A limit-65 -m recent --name limit-65 --rsource --mask 255.255.255.255 --set
-A limit-66 -m recent --name limit-66 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j DROP
-A limit-66 -m recent --name limit-66 --rsource --mask 255.255.255.255 --set -j ACCEPT
-A limit-67 -m recent --name limit-67 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j DROP
-A limit-67 -m recent --name limit-67 --rsource --mask 255.255.255.255 --set
-A limit-68 -m recent --name limit-68 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j DROP
-A limit-68 -m limit --limit 1/second -j LOG
-A limit-68 -m recent --name limit-68 --rsource --mask 255.255.255.255 --set -j ACCEPT
-A limit-69 -m recent --name limit-69 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j DROP
-A limit-69 -m recent --name limit-69 --rsource --mask 255.255.255.255 --set -m limit --limit 1/second -j LOG
-A limit-7 -m recent --name limit-7 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j DROP
-A limit-7 -m recent --name limit-7 --rsource --mask 255.255.255.255 --set
-A limit-70 -m recent --name limit-70 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j DROP
-A limit-70 -m recent --name limit-70 --rsource --mask 255.255.255.255 --set -j ACCEPT
-A limit-71 -m recent --name limit-71 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j DROP
-A limit-71 -m recent --name limit-71 --rsource --mask 255.255.255.255 --set
-A limit-72 -m recent --name limit-72 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j DROP
-A limit-72 -m recent --name limit-72 --rsource --mask 255.255.255.255 --set -j ACCEPT
-A limit-73 -m recent --name limit-73 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j DROP
-A limit-73 -m recent --name limit-73 --rsource --mask 255.255.255.255 --set
-A limit-74 -m recent --name limit-74 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j DROP
-A limit-74 -m limit --limit 1/second -j LOG
-A limit-74 -m recent --name limit-74 --rsource --mask 255.255.255.255 --set -j ACCEPT
-A limit-75 -m recent --name limit-75 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j DROP
-A limit-75 -m recent --name limit-75 --rsource --mask 255.255.255.255 --set -m limit --limit 1/second -j LOG
-A limit-76 -m recent --name limit-76 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j DROP
-A limit-76 -m recent --name limit-76 --rsource --mask 255.255.255.255 --set -j ACCEPT
-A limit-77 -m recent --name limit-77 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j DROP
-A limit-77 -m recent --name limit-77 --rsource --mask 255.255.255.255 --set
-A limit-78 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-78 -j ACCEPT
-A limit-78 -m limit --limit 1/second -j LOG
-A limit-78 -j DROP
-A limit-79 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-79 -j RETURN
-A limit-79 -m limit --limit 1/second -j LOG
-A limit-79 -j DROP
-A limit-8 -m recent --name limit-8 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j DROP
-A limit-8 -m limit --limit 1/second -j LOG
-A limit-8 -m recent --name limit-8 --rsource --mask 255.255.255.255 --set -j ACCEPT
-A limit-80 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-80 -j logaccept-3
-A limit-80 -m limit --limit 1/second -j LOG
-A limit-80 -j DROP
-A limit-81 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-81 -j ACCEPT
-A limit-81 -m limit --limit 1/second -j LOG
-A limit-81 -j DROP
-A limit-82 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-82 -j ACCEPT
-A limit-82 -j DROP
-A limit-83 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-83 -j RETURN
-A limit-83 -j DROP
-A limit-84 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-84 -j logaccept-4
-A limit-84 -j DROP
-A limit-85 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-85 -j ACCEPT
-A limit-85 -j DROP
-A limit-86 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-86 -j ACCEPT
-A limit-86 -j DROP
-A limit-87 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-87 -j RETURN
-A limit-87 -j DROP
-A limit-88 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-88 -j logaccept-5
-A limit-88 -j DROP
-A limit-89 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-89 -j ACCEPT
-A limit-89 -j DROP
-A limit-9 -m recent --name limit-9 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j DROP
-A limit-9 -m recent --name limit-9 --rsource --mask 255.255.255.255 --set -m limit --limit 1/second -j LOG
-A logaccept-0 -m limit --limit 1/second -j LOG
......@@ -608,6 +762,12 @@
-A logaccept-2 -j ACCEPT
-A logaccept-3 -m limit --limit 1/second -j LOG
-A logaccept-3 -j ACCEPT
-A logaccept-4 -m limit --limit 1/second -j LOG
-A logaccept-4 -j ACCEPT
-A logaccept-5 -m limit --limit 1/second -j LOG
-A logaccept-5 -j ACCEPT
-A logaccept-6 -m limit --limit 1/second -j LOG
-A logaccept-6 -j ACCEPT
-A logaccept-final-0 -m limit --limit 1/second -j LOG
-A logaccept-final-0 -j ACCEPT
-A logaccept-final-1 -m limit --limit 1/second -j LOG
......@@ -634,8 +794,20 @@
-A logdrop-13 -j DROP
-A logdrop-14 -m limit --limit 1/second -j LOG
-A logdrop-14 -j DROP
-A logdrop-15 -m limit --limit 1/second -j LOG
-A logdrop-15 -j DROP
-A logdrop-16 -m limit --limit 1/second -j LOG
-A logdrop-16 -j DROP
-A logdrop-17 -m limit --limit 1/second -j LOG
-A logdrop-17 -j DROP
-A logdrop-18 -m limit --limit 1/second -j LOG
-A logdrop-18 -j DROP
-A logdrop-19 -m limit --limit 1/second -j LOG
-A logdrop-19 -j DROP
-A logdrop-2 -m limit --limit 1/second -j LOG
-A logdrop-2 -j DROP
-A logdrop-20 -m limit --limit 1/second -j LOG
-A logdrop-20 -j DROP
-A logdrop-3 -m limit --limit 1/second -j LOG
-A logdrop-3 -j DROP
-A logdrop-4 -m limit --limit 1/second -j LOG
......@@ -689,6 +861,24 @@ COMMIT
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
-A OUTPUT -j CT --notrack
-A OUTPUT -o eth0 -j CT --notrack
-A OUTPUT -o eth0 -j CT --notrack
-A OUTPUT -o eth0 -j CT --notrack
-A OUTPUT -o eth0 -j CT --notrack
-A OUTPUT -o eth0 -j CT --notrack
-A OUTPUT -o eth0 -j CT --notrack
-A OUTPUT -o eth0 -j CT --notrack
-A OUTPUT -o eth0 -j CT --notrack
-A OUTPUT -o eth0 -j CT --notrack
-A OUTPUT -o eth0 -j CT --notrack
-A OUTPUT -o eth0 -j CT --notrack
-A OUTPUT -o eth0 -j CT --notrack
-A OUTPUT -o eth0 -j CT --notrack
-A OUTPUT -o eth0 -j CT --notrack
-A OUTPUT -o eth0 -j CT --notrack
-A OUTPUT -o eth0 -j CT --notrack
-A OUTPUT -o eth0 -j CT --notrack
-A OUTPUT -o eth0 -j CT --notrack
-A OUTPUT -p tcp --dport 80 -j CT --notrack
-A OUTPUT -p tcp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j CT --notrack
-A OUTPUT -p udp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j CT --notrack
......@@ -700,6 +890,36 @@ COMMIT
-A OUTPUT -p udp -m multiport --sports 500,4500 -j CT --notrack
-A OUTPUT -j CT --notrack
-A PREROUTING -j CT --notrack
-A PREROUTING -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
-A PREROUTING -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
-A PREROUTING -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
-A PREROUTING -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
-A PREROUTING -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
-A PREROUTING -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
-A PREROUTING -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
-A PREROUTING -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
-A PREROUTING -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
-A PREROUTING -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
-A PREROUTING -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
-A PREROUTING -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
-A PREROUTING -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
-A PREROUTING -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
-A PREROUTING -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
-A PREROUTING -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
-A PREROUTING -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
-A PREROUTING -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
-A PREROUTING -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
-A PREROUTING -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
-A PREROUTING -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
-A PREROUTING -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
-A PREROUTING -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
-A PREROUTING -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
-A PREROUTING -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
-A PREROUTING -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
-A PREROUTING -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
-A PREROUTING -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
-A PREROUTING -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
-A PREROUTING -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
-A PREROUTING -m addrtype --dst-type LOCAL -p tcp --sport 80 -j CT --notrack
-A PREROUTING -p tcp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j CT --notrack
-A PREROUTING -p udp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j CT --notrack
......
......@@ -61,13 +61,46 @@
:limit-58 - [0:0]
:limit-59 - [0:0]
:limit-6 - [0:0]
:limit-60 - [0:0]
:limit-61 - [0:0]
:limit-62 - [0:0]
:limit-63 - [0:0]
:limit-64 - [0:0]
:limit-65 - [0:0]
:limit-66 - [0:0]
:limit-67 - [0:0]
:limit-68 - [0:0]
:limit-69 - [0:0]
:limit-7 - [0:0]
:limit-70 - [0:0]
:limit-71 - [0:0]
:limit-72 - [0:0]
:limit-73 - [0:0]
:limit-74 - [0:0]
:limit-75 - [0:0]
:limit-76 - [0:0]
:limit-77 - [0:0]
:limit-78 - [0:0]
:limit-79 - [0:0]
:limit-8 - [0:0]
:limit-80 - [0:0]
:limit-81 - [0:0]
:limit-82 - [0:0]
:limit-83 - [0:0]
:limit-84 - [0:0]
:limit-85 - [0:0]
:limit-86 - [0:0]
:limit-87 - [0:0]
:limit-88 - [0:0]
:limit-89 - [0:0]
:limit-9 - [0:0]
:logaccept-0 - [0:0]
:logaccept-1 - [0:0]
:logaccept-2 - [0:0]
:logaccept-3 - [0:0]
:logaccept-4 - [0:0]
:logaccept-5 - [0:0]
:logaccept-6 - [0:0]
:logaccept-final-0 - [0:0]
:logaccept-final-1 - [0:0]
:logaccept-final-2 - [0:0]
......@@ -81,7 +114,13 @@
:logdrop-12 - [0:0]
:logdrop-13 - [0:0]
:logdrop-14 - [0:0]
:logdrop-15 - [0:0]
:logdrop-16 - [0:0]
:logdrop-17 - [0:0]
:logdrop-18 - [0:0]
:logdrop-19 - [0:0]
:logdrop-2 - [0:0]
:logdrop-20 - [0:0]
:logdrop-3 - [0:0]