alpine
awall
Commits
f11784f3
Commit
f11784f3
authored
Jun 29, 2017
by
Kaarle Ritvanen
Filter: fix regression with flow-limit and no-track
fixes #7456
parent
a9ea2607
Showing
5 changed files
with
1628 additions
and
94 deletions
+1628
-94
awall/modules/filter.lua
awall/modules/filter.lua
+4
-4
test/mandatory/filter-limit.json
test/mandatory/filter-limit.json
+203
-1
test/output/dump
test/output/dump
+963
-71
test/output/rules-save
test/output/rules-save
+229
-9
test/output/rules6-save
test/output/rules6-save
+229
-9
awall/modules/filter.lua
...
...
@@ -394,9 +394,9 @@ function Filter:mangleoptfrags(ofrags)
local
limitobj
=
self
:
create
(
FilterLimit
,
self
[
limit
],
'limit'
)
local
ofs
local
conn
=
limit
==
'conn-limit
'
local
final
=
self
:
position
()
==
'append
'
local
target
=
self
:
target
()
local
c
t
=
conn
and
target
local
f
t
=
final
and
target
local
pl
=
not
target
and
self
.
log
local
cofs
,
sofs
=
limitobj
:
recentofrags
(
limitchain
)
...
...
@@ -405,7 +405,7 @@ function Filter:mangleoptfrags(ofrags)
ofs
=
self
:
combinelog
(
cofs
,
limitlog
,
'drop'
,
'DROP'
)
local
nxt
if
c
t
then
if
f
t
then
extend
(
ofs
,
self
:
actofrags
(
self
.
log
))
nxt
=
target
elseif
sofs
and
not
(
pl
and
pl
:
target
())
then
nxt
=
false
end
...
...
@@ -415,7 +415,7 @@ function Filter:mangleoptfrags(ofrags)
if
pl
then
incompatible
(
'action or log'
)
end
local
limofs
=
limitobj
:
limitofrags
(
limitchain
)
ofs
=
c
t
and
Filter
.
super
(
self
):
mangleoptfrags
(
limofs
)
or
ofs
=
f
t
and
Filter
.
super
(
self
):
mangleoptfrags
(
limofs
)
or
combinations
(
limofs
,
{{
target
=
'RETURN'
}})
extend
(
ofs
,
self
:
actofrags
(
limitlog
,
'DROP'
))
...
...
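Review bot: The condition that now decides the limit chain's verdict, `local final = self:position() == 'append'` feeding `local ft = final and target`, carries no comment, and the names `ft` and `pl` do not say what they gate. Reading the rendered hunks with `final`/`ft` as the new side (the +/- markers are lost, but the expected output with `--set -j ACCEPT` for flow-limit rules fits that reading), a rule ends the chain with its own target only when it is in 'append' position and otherwise leaves it via `{{target='RETURN'}}` or a target-less rule. I would add a comment above the assignment such as `-- ft: the rule's target, used only for an appended (final) rule; otherwise under-limit packets leave the limit chain without a verdict`, to be checked against what `position()` returns, which is not visible here. With the `conn` flag gone the conn-limit case is no longer special-cased, and the fixtures added in this commit appear to exercise only `flow-limit`, so confirm that conn-limit with `no-track` is covered. The body of `Filter:mangleoptfrags` starts and ends outside these hunks.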
test/mandatory/filter-limit.json
...
...
@@ -94,6 +94,208 @@
{
"flow-limit"
:
{
"count"
:
30
,
"log"
:
"none"
}
},
{
"flow-limit"
:
{
"count"
:
30
,
"log"
:
"none"
},
"action"
:
"pass"
},
{
"flow-limit"
:
{
"count"
:
30
,
"log"
:
"none"
},
"log"
:
true
},
{
"flow-limit"
:
{
"count"
:
30
,
"log"
:
"none"
},
"log"
:
"none"
}
{
"flow-limit"
:
{
"count"
:
30
,
"log"
:
"none"
},
"log"
:
"none"
},
{
"in"
:
"A"
,
"out"
:
"_fw"
,
"flow-limit"
:
1
,
"no-track"
:
true
},
{
"in"
:
"A"
,
"out"
:
"_fw"
,
"flow-limit"
:
1
,
"action"
:
"pass"
,
"no-track"
:
true
},
{
"in"
:
"A"
,
"out"
:
"_fw"
,
"flow-limit"
:
1
,
"log"
:
true
,
"no-track"
:
true
},
{
"in"
:
"A"
,
"out"
:
"_fw"
,
"flow-limit"
:
1
,
"log"
:
true
,
"action"
:
"pass"
,
"no-track"
:
true
},
{
"in"
:
"A"
,
"out"
:
"_fw"
,
"flow-limit"
:
1
,
"log"
:
"none"
,
"no-track"
:
true
},
{
"in"
:
"A"
,
"out"
:
"_fw"
,
"flow-limit"
:
1
,
"log"
:
"none"
,
"action"
:
"pass"
,
"no-track"
:
true
},
{
"in"
:
"A"
,
"out"
:
"_fw"
,
"flow-limit"
:
{
"count"
:
1
,
"log"
:
false
},
"no-track"
:
true
},
{
"in"
:
"A"
,
"out"
:
"_fw"
,
"flow-limit"
:
{
"count"
:
1
,
"log"
:
false
},
"action"
:
"pass"
,
"no-track"
:
true
},
{
"in"
:
"A"
,
"out"
:
"_fw"
,
"flow-limit"
:
{
"count"
:
1
,
"log"
:
false
},
"log"
:
true
,
"no-track"
:
true
},
{
"in"
:
"A"
,
"out"
:
"_fw"
,
"flow-limit"
:
{
"count"
:
1
,
"log"
:
false
},
"log"
:
true
,
"action"
:
"pass"
,
"no-track"
:
true
},
{
"in"
:
"A"
,
"out"
:
"_fw"
,
"flow-limit"
:
{
"count"
:
1
,
"log"
:
false
},
"log"
:
"none"
,
"no-track"
:
true
},
{
"in"
:
"A"
,
"out"
:
"_fw"
,
"flow-limit"
:
{
"count"
:
1
,
"log"
:
false
},
"log"
:
"none"
,
"action"
:
"pass"
,
"no-track"
:
true
},
{
"in"
:
"A"
,
"out"
:
"_fw"
,
"flow-limit"
:
{
"count"
:
1
,
"log"
:
"none"
},
"no-track"
:
true
},
{
"in"
:
"A"
,
"out"
:
"_fw"
,
"flow-limit"
:
{
"count"
:
1
,
"log"
:
"none"
},
"action"
:
"pass"
,
"no-track"
:
true
},
{
"in"
:
"A"
,
"out"
:
"_fw"
,
"flow-limit"
:
{
"count"
:
1
,
"log"
:
"none"
},
"log"
:
true
,
"no-track"
:
true
},
{
"in"
:
"A"
,
"out"
:
"_fw"
,
"flow-limit"
:
{
"count"
:
1
,
"log"
:
"none"
},
"log"
:
true
,
"action"
:
"pass"
,
"no-track"
:
true
},
{
"in"
:
"A"
,
"out"
:
"_fw"
,
"flow-limit"
:
{
"count"
:
1
,
"log"
:
"none"
},
"log"
:
"none"
,
"no-track"
:
true
},
{
"in"
:
"A"
,
"out"
:
"_fw"
,
"flow-limit"
:
{
"count"
:
1
,
"log"
:
"none"
},
"log"
:
"none"
,
"action"
:
"pass"
,
"no-track"
:
true
},
{
"in"
:
"A"
,
"out"
:
"_fw"
,
"flow-limit"
:
30
,
"no-track"
:
true
},
{
"in"
:
"A"
,
"out"
:
"_fw"
,
"flow-limit"
:
30
,
"action"
:
"pass"
,
"no-track"
:
true
},
{
"in"
:
"A"
,
"out"
:
"_fw"
,
"flow-limit"
:
30
,
"log"
:
true
,
"no-track"
:
true
},
{
"in"
:
"A"
,
"out"
:
"_fw"
,
"flow-limit"
:
30
,
"log"
:
"none"
,
"no-track"
:
true
},
{
"in"
:
"A"
,
"out"
:
"_fw"
,
"flow-limit"
:
{
"count"
:
30
,
"log"
:
false
},
"no-track"
:
true
},
{
"in"
:
"A"
,
"out"
:
"_fw"
,
"flow-limit"
:
{
"count"
:
30
,
"log"
:
false
},
"action"
:
"pass"
,
"no-track"
:
true
},
{
"in"
:
"A"
,
"out"
:
"_fw"
,
"flow-limit"
:
{
"count"
:
30
,
"log"
:
false
},
"log"
:
true
,
"no-track"
:
true
},
{
"in"
:
"A"
,
"out"
:
"_fw"
,
"flow-limit"
:
{
"count"
:
30
,
"log"
:
false
},
"log"
:
"none"
,
"no-track"
:
true
},
{
"in"
:
"A"
,
"out"
:
"_fw"
,
"flow-limit"
:
{
"count"
:
30
,
"log"
:
"none"
},
"no-track"
:
true
},
{
"in"
:
"A"
,
"out"
:
"_fw"
,
"flow-limit"
:
{
"count"
:
30
,
"log"
:
"none"
},
"action"
:
"pass"
,
"no-track"
:
true
},
{
"in"
:
"A"
,
"out"
:
"_fw"
,
"flow-limit"
:
{
"count"
:
30
,
"log"
:
"none"
},
"log"
:
true
,
"no-track"
:
true
},
{
"in"
:
"A"
,
"out"
:
"_fw"
,
"flow-limit"
:
{
"count"
:
30
,
"log"
:
"none"
},
"log"
:
"none"
,
"no-track"
:
true
}
]
}
test/output/dump
...
...
@@ -1072,7 +1072,459 @@ Filter 66 {"flow-limit":{"count":30,"log":"none"},"log":
inet/filter/OUTPUT -j ACCEPT
inet6/filter/OUTPUT -j ACCEPT
Filter 67 {}
Filter 67 {"flow-limit":1,"in":"A","no-track":true,"out":"_fw"}
(filter-limit)
inet/filter/INPUT -i eth0 -j limit-60
inet6/filter/INPUT -i eth0 -j limit-60
inet/filter/limit-60 -m recent --name limit-60 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j logdrop-13
inet6/filter/limit-60 -m recent --name limit-60 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j logdrop-13
inet/filter/logdrop-13 -m limit --limit 1/second -j LOG
inet6/filter/logdrop-13 -m limit --limit 1/second -j LOG
inet/filter/logdrop-13 -j DROP
inet6/filter/logdrop-13 -j DROP
inet/filter/limit-60 -m recent --name limit-60 --rsource --mask 255.255.255.255 --set -j ACCEPT
inet6/filter/limit-60 -m recent --name limit-60 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -j ACCEPT
inet/raw/PREROUTING -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
inet6/raw/PREROUTING -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
inet/raw/OUTPUT -o eth0 -j CT --notrack
inet6/raw/OUTPUT -o eth0 -j CT --notrack
inet/filter/OUTPUT -o eth0 -j ACCEPT
inet6/filter/OUTPUT -o eth0 -j ACCEPT
Filter 68 {"action":"pass","flow-limit":1,"in":"A","no-track":true,"out":"_fw"}
(filter-limit)
inet/filter/INPUT -i eth0 -j limit-61
inet6/filter/INPUT -i eth0 -j limit-61
inet/filter/limit-61 -m recent --name limit-61 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j logdrop-14
inet6/filter/limit-61 -m recent --name limit-61 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j logdrop-14
inet/filter/logdrop-14 -m limit --limit 1/second -j LOG
inet6/filter/logdrop-14 -m limit --limit 1/second -j LOG
inet/filter/logdrop-14 -j DROP
inet6/filter/logdrop-14 -j DROP
inet/filter/limit-61 -m recent --name limit-61 --rsource --mask 255.255.255.255 --set
inet6/filter/limit-61 -m recent --name limit-61 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set
inet/raw/PREROUTING -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
inet6/raw/PREROUTING -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
Filter 69 {"flow-limit":1,"in":"A","log":true,"no-track":true,"out":"_fw"}
(filter-limit)
inet/filter/INPUT -i eth0 -j limit-62
inet6/filter/INPUT -i eth0 -j limit-62
inet/filter/limit-62 -m recent --name limit-62 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j logdrop-15
inet6/filter/limit-62 -m recent --name limit-62 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j logdrop-15
inet/filter/logdrop-15 -m limit --limit 1/second -j LOG
inet6/filter/logdrop-15 -m limit --limit 1/second -j LOG
inet/filter/logdrop-15 -j DROP
inet6/filter/logdrop-15 -j DROP
inet/filter/limit-62 -m limit --limit 1/second -j LOG
inet6/filter/limit-62 -m limit --limit 1/second -j LOG
inet/filter/limit-62 -m recent --name limit-62 --rsource --mask 255.255.255.255 --set -j ACCEPT
inet6/filter/limit-62 -m recent --name limit-62 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -j ACCEPT
inet/raw/PREROUTING -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
inet6/raw/PREROUTING -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
inet/raw/OUTPUT -o eth0 -j CT --notrack
inet6/raw/OUTPUT -o eth0 -j CT --notrack
inet/filter/OUTPUT -o eth0 -j ACCEPT
inet6/filter/OUTPUT -o eth0 -j ACCEPT
Filter 70 {"action":"pass","flow-limit":1,"in":"A","log":true,"no-track":true,"out":"_fw"}
(filter-limit)
inet/filter/INPUT -i eth0 -j limit-63
inet6/filter/INPUT -i eth0 -j limit-63
inet/filter/limit-63 -m recent --name limit-63 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j logdrop-16
inet6/filter/limit-63 -m recent --name limit-63 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j logdrop-16
inet/filter/logdrop-16 -m limit --limit 1/second -j LOG
inet6/filter/logdrop-16 -m limit --limit 1/second -j LOG
inet/filter/logdrop-16 -j DROP
inet6/filter/logdrop-16 -j DROP
inet/filter/limit-63 -m recent --name limit-63 --rsource --mask 255.255.255.255 --set -m limit --limit 1/second -j LOG
inet6/filter/limit-63 -m recent --name limit-63 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -m limit --limit 1/second -j LOG
inet/raw/PREROUTING -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
inet6/raw/PREROUTING -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
Filter 71 {"flow-limit":1,"in":"A","log":"none","no-track":true,"out":"_fw"}
(filter-limit)
inet/filter/INPUT -i eth0 -j limit-64
inet6/filter/INPUT -i eth0 -j limit-64
inet/filter/limit-64 -m recent --name limit-64 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j logdrop-17
inet6/filter/limit-64 -m recent --name limit-64 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j logdrop-17
inet/filter/logdrop-17 -m limit --limit 1/second -j LOG
inet6/filter/logdrop-17 -m limit --limit 1/second -j LOG
inet/filter/logdrop-17 -j DROP
inet6/filter/logdrop-17 -j DROP
inet/filter/limit-64 -m recent --name limit-64 --rsource --mask 255.255.255.255 --set -j ACCEPT
inet6/filter/limit-64 -m recent --name limit-64 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -j ACCEPT
inet/raw/PREROUTING -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
inet6/raw/PREROUTING -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
inet/raw/OUTPUT -o eth0 -j CT --notrack
inet6/raw/OUTPUT -o eth0 -j CT --notrack
inet/filter/OUTPUT -o eth0 -j ACCEPT
inet6/filter/OUTPUT -o eth0 -j ACCEPT
Filter 72 {"action":"pass","flow-limit":1,"in":"A","log":"none","no-track":true,"out":"_fw"}
(filter-limit)
inet/filter/INPUT -i eth0 -j limit-65
inet6/filter/INPUT -i eth0 -j limit-65
inet/filter/limit-65 -m recent --name limit-65 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j logdrop-18
inet6/filter/limit-65 -m recent --name limit-65 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j logdrop-18
inet/filter/logdrop-18 -m limit --limit 1/second -j LOG
inet6/filter/logdrop-18 -m limit --limit 1/second -j LOG
inet/filter/logdrop-18 -j DROP
inet6/filter/logdrop-18 -j DROP
inet/filter/limit-65 -m recent --name limit-65 --rsource --mask 255.255.255.255 --set
inet6/filter/limit-65 -m recent --name limit-65 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set
inet/raw/PREROUTING -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
inet6/raw/PREROUTING -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
Filter 73 {"flow-limit":{"count":1,"log":false},"in":"A","no-track":true,"out":"_fw"}
(filter-limit)
inet/filter/INPUT -i eth0 -j limit-66
inet6/filter/INPUT -i eth0 -j limit-66
inet/filter/limit-66 -m recent --name limit-66 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j DROP
inet6/filter/limit-66 -m recent --name limit-66 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j DROP
inet/filter/limit-66 -m recent --name limit-66 --rsource --mask 255.255.255.255 --set -j ACCEPT
inet6/filter/limit-66 -m recent --name limit-66 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -j ACCEPT
inet/raw/PREROUTING -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
inet6/raw/PREROUTING -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
inet/raw/OUTPUT -o eth0 -j CT --notrack
inet6/raw/OUTPUT -o eth0 -j CT --notrack
inet/filter/OUTPUT -o eth0 -j ACCEPT
inet6/filter/OUTPUT -o eth0 -j ACCEPT
Filter 74 {"action":"pass","flow-limit":{"count":1,"log":false},"in":"A","no-track":true,"out":"_fw"}
(filter-limit)
inet/filter/INPUT -i eth0 -j limit-67
inet6/filter/INPUT -i eth0 -j limit-67
inet/filter/limit-67 -m recent --name limit-67 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j DROP
inet6/filter/limit-67 -m recent --name limit-67 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j DROP
inet/filter/limit-67 -m recent --name limit-67 --rsource --mask 255.255.255.255 --set
inet6/filter/limit-67 -m recent --name limit-67 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set
inet/raw/PREROUTING -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
inet6/raw/PREROUTING -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
Filter 75 {"flow-limit":{"count":1,"log":false},"in":"A","log":true,"no-track":true,"out":"_fw"}
(filter-limit)
inet/filter/INPUT -i eth0 -j limit-68
inet6/filter/INPUT -i eth0 -j limit-68
inet/filter/limit-68 -m recent --name limit-68 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j DROP
inet6/filter/limit-68 -m recent --name limit-68 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j DROP
inet/filter/limit-68 -m limit --limit 1/second -j LOG
inet6/filter/limit-68 -m limit --limit 1/second -j LOG
inet/filter/limit-68 -m recent --name limit-68 --rsource --mask 255.255.255.255 --set -j ACCEPT
inet6/filter/limit-68 -m recent --name limit-68 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -j ACCEPT
inet/raw/PREROUTING -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
inet6/raw/PREROUTING -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
inet/raw/OUTPUT -o eth0 -j CT --notrack
inet6/raw/OUTPUT -o eth0 -j CT --notrack
inet/filter/OUTPUT -o eth0 -j ACCEPT
inet6/filter/OUTPUT -o eth0 -j ACCEPT
Filter 76 {"action":"pass","flow-limit":{"count":1,"log":false},"in":"A","log":true,"no-track":true,"out":"_fw"}
(filter-limit)
inet/filter/INPUT -i eth0 -j limit-69
inet6/filter/INPUT -i eth0 -j limit-69
inet/filter/limit-69 -m recent --name limit-69 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j DROP
inet6/filter/limit-69 -m recent --name limit-69 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j DROP
inet/filter/limit-69 -m recent --name limit-69 --rsource --mask 255.255.255.255 --set -m limit --limit 1/second -j LOG
inet6/filter/limit-69 -m recent --name limit-69 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -m limit --limit 1/second -j LOG
inet/raw/PREROUTING -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
inet6/raw/PREROUTING -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
Filter 77 {"flow-limit":{"count":1,"log":false},"in":"A","log":"none","no-track":true,"out":"_fw"}
(filter-limit)
inet/filter/INPUT -i eth0 -j limit-70
inet6/filter/INPUT -i eth0 -j limit-70
inet/filter/limit-70 -m recent --name limit-70 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j DROP
inet6/filter/limit-70 -m recent --name limit-70 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j DROP
inet/filter/limit-70 -m recent --name limit-70 --rsource --mask 255.255.255.255 --set -j ACCEPT
inet6/filter/limit-70 -m recent --name limit-70 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -j ACCEPT
inet/raw/PREROUTING -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
inet6/raw/PREROUTING -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
inet/raw/OUTPUT -o eth0 -j CT --notrack
inet6/raw/OUTPUT -o eth0 -j CT --notrack
inet/filter/OUTPUT -o eth0 -j ACCEPT
inet6/filter/OUTPUT -o eth0 -j ACCEPT
Filter 78 {"action":"pass","flow-limit":{"count":1,"log":false},"in":"A","log":"none","no-track":true,"out":"_fw"}
(filter-limit)
inet/filter/INPUT -i eth0 -j limit-71
inet6/filter/INPUT -i eth0 -j limit-71
inet/filter/limit-71 -m recent --name limit-71 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j DROP
inet6/filter/limit-71 -m recent --name limit-71 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j DROP
inet/filter/limit-71 -m recent --name limit-71 --rsource --mask 255.255.255.255 --set
inet6/filter/limit-71 -m recent --name limit-71 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set
inet/raw/PREROUTING -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
inet6/raw/PREROUTING -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
Filter 79 {"flow-limit":{"count":1,"log":"none"},"in":"A","no-track":true,"out":"_fw"}
(filter-limit)
inet/filter/INPUT -i eth0 -j limit-72
inet6/filter/INPUT -i eth0 -j limit-72
inet/filter/limit-72 -m recent --name limit-72 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j DROP
inet6/filter/limit-72 -m recent --name limit-72 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j DROP
inet/filter/limit-72 -m recent --name limit-72 --rsource --mask 255.255.255.255 --set -j ACCEPT
inet6/filter/limit-72 -m recent --name limit-72 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -j ACCEPT
inet/raw/PREROUTING -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
inet6/raw/PREROUTING -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
inet/raw/OUTPUT -o eth0 -j CT --notrack
inet6/raw/OUTPUT -o eth0 -j CT --notrack
inet/filter/OUTPUT -o eth0 -j ACCEPT
inet6/filter/OUTPUT -o eth0 -j ACCEPT
Filter 80 {"action":"pass","flow-limit":{"count":1,"log":"none"},"in":"A","no-track":true,"out":"_fw"}
(filter-limit)
inet/filter/INPUT -i eth0 -j limit-73
inet6/filter/INPUT -i eth0 -j limit-73
inet/filter/limit-73 -m recent --name limit-73 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j DROP
inet6/filter/limit-73 -m recent --name limit-73 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j DROP
inet/filter/limit-73 -m recent --name limit-73 --rsource --mask 255.255.255.255 --set
inet6/filter/limit-73 -m recent --name limit-73 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set
inet/raw/PREROUTING -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
inet6/raw/PREROUTING -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
Filter 81 {"flow-limit":{"count":1,"log":"none"},"in":"A","log":true,"no-track":true,"out":"_fw"}
(filter-limit)
inet/filter/INPUT -i eth0 -j limit-74
inet6/filter/INPUT -i eth0 -j limit-74
inet/filter/limit-74 -m recent --name limit-74 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j DROP
inet6/filter/limit-74 -m recent --name limit-74 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j DROP
inet/filter/limit-74 -m limit --limit 1/second -j LOG
inet6/filter/limit-74 -m limit --limit 1/second -j LOG
inet/filter/limit-74 -m recent --name limit-74 --rsource --mask 255.255.255.255 --set -j ACCEPT
inet6/filter/limit-74 -m recent --name limit-74 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -j ACCEPT
inet/raw/PREROUTING -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
inet6/raw/PREROUTING -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
inet/raw/OUTPUT -o eth0 -j CT --notrack
inet6/raw/OUTPUT -o eth0 -j CT --notrack
inet/filter/OUTPUT -o eth0 -j ACCEPT
inet6/filter/OUTPUT -o eth0 -j ACCEPT
Filter 82 {"action":"pass","flow-limit":{"count":1,"log":"none"},"in":"A","log":true,"no-track":true,"out":"_fw"}
(filter-limit)
inet/filter/INPUT -i eth0 -j limit-75
inet6/filter/INPUT -i eth0 -j limit-75
inet/filter/limit-75 -m recent --name limit-75 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j DROP
inet6/filter/limit-75 -m recent --name limit-75 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j DROP
inet/filter/limit-75 -m recent --name limit-75 --rsource --mask 255.255.255.255 --set -m limit --limit 1/second -j LOG
inet6/filter/limit-75 -m recent --name limit-75 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -m limit --limit 1/second -j LOG
inet/raw/PREROUTING -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
inet6/raw/PREROUTING -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
Filter 83 {"flow-limit":{"count":1,"log":"none"},"in":"A","log":"none","no-track":true,"out":"_fw"}
(filter-limit)
inet/filter/INPUT -i eth0 -j limit-76
inet6/filter/INPUT -i eth0 -j limit-76
inet/filter/limit-76 -m recent --name limit-76 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j DROP
inet6/filter/limit-76 -m recent --name limit-76 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j DROP
inet/filter/limit-76 -m recent --name limit-76 --rsource --mask 255.255.255.255 --set -j ACCEPT
inet6/filter/limit-76 -m recent --name limit-76 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -j ACCEPT
inet/raw/PREROUTING -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
inet6/raw/PREROUTING -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
inet/raw/OUTPUT -o eth0 -j CT --notrack
inet6/raw/OUTPUT -o eth0 -j CT --notrack
inet/filter/OUTPUT -o eth0 -j ACCEPT
inet6/filter/OUTPUT -o eth0 -j ACCEPT
Filter 84 {"action":"pass","flow-limit":{"count":1,"log":"none"},"in":"A","log":"none","no-track":true,"out":"_fw"}
(filter-limit)
inet/filter/INPUT -i eth0 -j limit-77
inet6/filter/INPUT -i eth0 -j limit-77
inet/filter/limit-77 -m recent --name limit-77 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j DROP
inet6/filter/limit-77 -m recent --name limit-77 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j DROP
inet/filter/limit-77 -m recent --name limit-77 --rsource --mask 255.255.255.255 --set
inet6/filter/limit-77 -m recent --name limit-77 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set
inet/raw/PREROUTING -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
inet6/raw/PREROUTING -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
Filter 85 {"flow-limit":30,"in":"A","no-track":true,"out":"_fw"}
(filter-limit)
inet/filter/INPUT -i eth0 -j limit-78
inet6/filter/INPUT -i eth0 -j limit-78
inet/filter/limit-78 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-78 -j ACCEPT
inet6/filter/limit-78 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 128 --hashlimit-name limit-78 -j ACCEPT
inet/filter/limit-78 -m limit --limit 1/second -j LOG
inet6/filter/limit-78 -m limit --limit 1/second -j LOG
inet/filter/limit-78 -j DROP
inet6/filter/limit-78 -j DROP
inet/raw/PREROUTING -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
inet6/raw/PREROUTING -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
inet/raw/OUTPUT -o eth0 -j CT --notrack
inet6/raw/OUTPUT -o eth0 -j CT --notrack
inet/filter/OUTPUT -o eth0 -j ACCEPT
inet6/filter/OUTPUT -o eth0 -j ACCEPT
Filter 86 {"action":"pass","flow-limit":30,"in":"A","no-track":true,"out":"_fw"}
(filter-limit)
inet/filter/INPUT -i eth0 -j limit-79
inet6/filter/INPUT -i eth0 -j limit-79
inet/filter/limit-79 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-79 -j RETURN
inet6/filter/limit-79 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 128 --hashlimit-name limit-79 -j RETURN
inet/filter/limit-79 -m limit --limit 1/second -j LOG
inet6/filter/limit-79 -m limit --limit 1/second -j LOG
inet/filter/limit-79 -j DROP
inet6/filter/limit-79 -j DROP
inet/raw/PREROUTING -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
inet6/raw/PREROUTING -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
Filter 87 {"flow-limit":30,"in":"A","log":true,"no-track":true,"out":"_fw"}
(filter-limit)
inet/filter/INPUT -i eth0 -j limit-80
inet6/filter/INPUT -i eth0 -j limit-80
inet/filter/limit-80 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-80 -j logaccept-3
inet6/filter/limit-80 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 128 --hashlimit-name limit-80 -j logaccept-3
inet/filter/logaccept-3 -m limit --limit 1/second -j LOG
inet6/filter/logaccept-3 -m limit --limit 1/second -j LOG
inet/filter/logaccept-3 -j ACCEPT
inet6/filter/logaccept-3 -j ACCEPT
inet/filter/limit-80 -m limit --limit 1/second -j LOG
inet6/filter/limit-80 -m limit --limit 1/second -j LOG
inet/filter/limit-80 -j DROP
inet6/filter/limit-80 -j DROP
inet/raw/PREROUTING -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
inet6/raw/PREROUTING -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
inet/raw/OUTPUT -o eth0 -j CT --notrack
inet6/raw/OUTPUT -o eth0 -j CT --notrack
inet/filter/OUTPUT -o eth0 -j ACCEPT
inet6/filter/OUTPUT -o eth0 -j ACCEPT
Filter 88 {"flow-limit":30,"in":"A","log":"none","no-track":true,"out":"_fw"}
(filter-limit)
inet/filter/INPUT -i eth0 -j limit-81
inet6/filter/INPUT -i eth0 -j limit-81
inet/filter/limit-81 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-81 -j ACCEPT
inet6/filter/limit-81 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 128 --hashlimit-name limit-81 -j ACCEPT
inet/filter/limit-81 -m limit --limit 1/second -j LOG
inet6/filter/limit-81 -m limit --limit 1/second -j LOG
inet/filter/limit-81 -j DROP
inet6/filter/limit-81 -j DROP
inet/raw/PREROUTING -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
inet6/raw/PREROUTING -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
inet/raw/OUTPUT -o eth0 -j CT --notrack
inet6/raw/OUTPUT -o eth0 -j CT --notrack
inet/filter/OUTPUT -o eth0 -j ACCEPT
inet6/filter/OUTPUT -o eth0 -j ACCEPT
Filter 89 {"flow-limit":{"count":30,"log":false},"in":"A","no-track":true,"out":"_fw"}
(filter-limit)
inet/filter/INPUT -i eth0 -j limit-82
inet6/filter/INPUT -i eth0 -j limit-82
inet/filter/limit-82 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-82 -j ACCEPT
inet6/filter/limit-82 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 128 --hashlimit-name limit-82 -j ACCEPT
inet/filter/limit-82 -j DROP
inet6/filter/limit-82 -j DROP
inet/raw/PREROUTING -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
inet6/raw/PREROUTING -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
inet/raw/OUTPUT -o eth0 -j CT --notrack
inet6/raw/OUTPUT -o eth0 -j CT --notrack
inet/filter/OUTPUT -o eth0 -j ACCEPT
inet6/filter/OUTPUT -o eth0 -j ACCEPT
Filter 90 {"action":"pass","flow-limit":{"count":30,"log":false},"in":"A","no-track":true,"out":"_fw"}
(filter-limit)
inet/filter/INPUT -i eth0 -j limit-83
inet6/filter/INPUT -i eth0 -j limit-83
inet/filter/limit-83 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-83 -j RETURN
inet6/filter/limit-83 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 128 --hashlimit-name limit-83 -j RETURN
inet/filter/limit-83 -j DROP
inet6/filter/limit-83 -j DROP
inet/raw/PREROUTING -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
inet6/raw/PREROUTING -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
Filter 91 {"flow-limit":{"count":30,"log":false},"in":"A","log":true,"no-track":true,"out":"_fw"}
(filter-limit)
inet/filter/INPUT -i eth0 -j limit-84
inet6/filter/INPUT -i eth0 -j limit-84
inet/filter/limit-84 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-84 -j logaccept-4
inet6/filter/limit-84 -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 128 --hashlimit-name limit-84 -j logaccept-4
inet/filter/logaccept-4 -m limit --limit 1/second -j LOG
inet6/filter/logaccept-4 -m limit --limit 1/second -j LOG
inet/filter/logaccept-4 -j ACCEPT
inet6/filter/logaccept-4 -j ACCEPT
inet/filter/limit-84 -j DROP
inet6/filter/limit-84 -j DROP
inet/raw/PREROUTING -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
inet6/raw/PREROUTING -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
inet/raw/OUTPUT -o eth0 -j CT --notrack
inet6/raw/OUTPUT -o eth0 -j CT --notrack
inet/filter/OUTPUT -o eth0 -j ACCEPT