Filter: fix regression with flow-limit and no-track

fixes #7456

Filter: fix regression with flow-limit and no-track
fixes #7456
f11784f3 · Kaarle Ritvanen · a9ea2607 · f11784f3 · f11784f3 · f11784f3
Commit f11784f3 authored Jun 29, 2017 by Kaarle Ritvanen
5 changed files
--- a/awall/modules/filter.lua
+++ b/awall/modules/filter.lua
@@ -394,9 +394,9 @@ function Filter:mangleoptfrags(ofrags)
   local limitobj = self:create(FilterLimit, self[limit], 'limit')

   local ofs
-   local conn = limit == 'conn-limit'
+   local final = self:position() == 'append'
   local target = self:target()
-   local ct = conn and target
+   local ft = final and target
   local pl = not target and self.log

   local cofs, sofs = limitobj:recentofrags(limitchain)
@@ -405,7 +405,7 @@ function Filter:mangleoptfrags(ofrags)
      ofs = self:combinelog(cofs, limitlog, 'drop', 'DROP')

      local nxt
-      if ct then
+      if ft then
 	 extend(ofs, self:actofrags(self.log))
 	 nxt = target
      elseif sofs and not (pl and pl:target()) then nxt = false end
@@ -415,7 +415,7 @@ function Filter:mangleoptfrags(ofrags)
      if pl then incompatible('action or log') end

      local limofs = limitobj:limitofrags(limitchain)
-      ofs = ct and Filter.super(self):mangleoptfrags(limofs) or
+      ofs = ft and Filter.super(self):mangleoptfrags(limofs) or
 	 combinations(limofs, {{target='RETURN'}})

      extend(ofs, self:actofrags(limitlog, 'DROP'))

--- a/test/mandatory/filter-limit.json
+++ b/test/mandatory/filter-limit.json
@@ -94,6 +94,208 @@
 	{ "flow-limit": { "count": 30, "log": "none" } },
 	{ "flow-limit": { "count": 30, "log": "none" }, "action": "pass" },
 	{ "flow-limit": { "count": 30, "log": "none" }, "log": true },
-	{ "flow-limit": { "count": 30, "log": "none" }, "log": "none" }
+	{ "flow-limit": { "count": 30, "log": "none" }, "log": "none" },
+
+	{ "in": "A", "out": "_fw", "flow-limit": 1, "no-track": true },
+	{
+	    "in": "A",
+	    "out": "_fw",
+	    "flow-limit": 1,
+	    "action": "pass",
+	    "no-track": true
+	},
+	{
+	    "in": "A",
+	    "out": "_fw",
+	    "flow-limit": 1,
+	    "log": true,
+	    "no-track": true
+	},
+	{
+	    "in": "A",
+	    "out": "_fw",
+	    "flow-limit": 1,
+	    "log": true,
+	    "action": "pass",
+	    "no-track": true
+	},
+	{
+	    "in": "A",
+	    "out": "_fw",
+	    "flow-limit": 1,
+	    "log": "none",
+	    "no-track": true
+	},
+	{
+	    "in": "A",
+	    "out": "_fw",
+	    "flow-limit": 1,
+	    "log": "none",
+	    "action": "pass",
+	    "no-track": true
+	},
+	{
+	    "in": "A",
+	    "out": "_fw",
+	    "flow-limit": { "count": 1, "log": false },
+	    "no-track": true
+	},
+	{
+	    "in": "A",
+	    "out": "_fw",
+	    "flow-limit": { "count": 1, "log": false },
+	    "action": "pass",
+	    "no-track": true
+	},
+	{
+	    "in": "A",
+	    "out": "_fw",
+	    "flow-limit": { "count": 1, "log": false },
+	    "log": true,
+	    "no-track": true
+	},
+	{
+	    "in": "A",
+	    "out": "_fw",
+	    "flow-limit": { "count": 1, "log": false },
+	    "log": true,
+	    "action": "pass",
+	    "no-track": true
+	},
+	{
+	    "in": "A",
+	    "out": "_fw",
+	    "flow-limit": { "count": 1, "log": false },
+	    "log": "none",
+	    "no-track": true
+	},
+	{
+	    "in": "A",
+	    "out": "_fw",
+	    "flow-limit": { "count": 1, "log": false },
+	    "log": "none",
+	    "action": "pass",
+	    "no-track": true
+	},
+	{
+	    "in": "A",
+	    "out": "_fw",
+	    "flow-limit": { "count": 1, "log": "none" },
+	    "no-track": true
+	},
+	{
+	    "in": "A",
+	    "out": "_fw",
+	    "flow-limit": { "count": 1, "log": "none" },
+	    "action": "pass",
+	    "no-track": true
+	},
+	{
+	    "in": "A",
+	    "out": "_fw",
+	    "flow-limit": { "count": 1, "log": "none" },
+	    "log": true,
+	    "no-track": true
+	},
+	{
+	    "in": "A",
+	    "out": "_fw",
+	    "flow-limit": { "count": 1, "log": "none" },
+	    "log": true,
+	    "action": "pass",
+	    "no-track": true
+	},
+	{
+	    "in": "A",
+	    "out": "_fw",
+	    "flow-limit": { "count": 1, "log": "none" },
+	    "log": "none",
+	    "no-track": true
+	},
+	{
+	    "in": "A",
+	    "out": "_fw",
+	    "flow-limit": { "count": 1, "log": "none" },
+	    "log": "none",
+	    "action": "pass",
+	    "no-track": true
+	},
+
+	{ "in": "A", "out": "_fw", "flow-limit": 30, "no-track": true },
+	{
+	    "in": "A",
+	    "out": "_fw",
+	    "flow-limit": 30,
+	    "action": "pass",
+	    "no-track": true
+	},
+	{
+	    "in": "A",
+	    "out": "_fw",
+	    "flow-limit": 30,
+	    "log": true,
+	    "no-track": true
+	},
+	{
+	    "in": "A",
+	    "out": "_fw",
+	    "flow-limit": 30,
+	    "log": "none",
+	    "no-track": true
+	},
+	{
+	    "in": "A",
+	    "out": "_fw",
+	    "flow-limit": { "count": 30, "log": false },
+	    "no-track": true
+	},
+	{
+	    "in": "A",
+	    "out": "_fw",
+	    "flow-limit": { "count": 30, "log": false },
+	    "action": "pass",
+	    "no-track": true
+	},
+	{
+	    "in": "A",
+	    "out": "_fw",
+	    "flow-limit": { "count": 30, "log": false },
+	    "log": true,
+	    "no-track": true
+	},
+	{
+	    "in": "A",
+	    "out": "_fw",
+	    "flow-limit": { "count": 30, "log": false },
+	    "log": "none",
+	    "no-track": true
+	},
+	{
+	    "in": "A",
+	    "out": "_fw",
+	    "flow-limit": { "count": 30, "log": "none" },
+	    "no-track": true
+	},
+	{
+	    "in": "A",
+	    "out": "_fw",
+	    "flow-limit": { "count": 30, "log": "none" },
+	    "action": "pass",
+	    "no-track": true
+	},
+	{
+	    "in": "A",
+	    "out": "_fw",
+	    "flow-limit": { "count": 30, "log": "none" },
+	    "log": true,
+	    "no-track": true
+	},
+	{
+	    "in": "A",
+	    "out": "_fw",
+	    "flow-limit": { "count": 30, "log": "none" },
+	    "log": "none",
+	    "no-track": true
+	}
    ]
 }
--- a/test/output/dump
+++ b/test/output/dump
@@ -1072,7 +1072,459 @@ Filter 66                         {"flow-limit":{"count":30,"log":"none"},"log":
  inet/filter/OUTPUT              -j ACCEPT
  inet6/filter/OUTPUT             -j ACCEPT

-Filter 67                         {}
+Filter 67                         {"flow-limit":1,"in":"A","no-track":true,"out":"_fw"}
+(filter-limit)                    
+  inet/filter/INPUT               -i eth0 -j limit-60
+  inet6/filter/INPUT              -i eth0 -j limit-60
+  inet/filter/limit-60            -m recent --name limit-60 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j logdrop-13
+  inet6/filter/limit-60           -m recent --name limit-60 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j logdrop-13
+  inet/filter/logdrop-13          -m limit --limit 1/second -j LOG
+  inet6/filter/logdrop-13         -m limit --limit 1/second -j LOG
+  inet/filter/logdrop-13          -j DROP
+  inet6/filter/logdrop-13         -j DROP
+  inet/filter/limit-60            -m recent --name limit-60 --rsource --mask 255.255.255.255 --set -j ACCEPT
+  inet6/filter/limit-60           -m recent --name limit-60 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -j ACCEPT
+  inet/raw/PREROUTING             -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
+  inet6/raw/PREROUTING            -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
+  inet/raw/OUTPUT                 -o eth0 -j CT --notrack
+  inet6/raw/OUTPUT                -o eth0 -j CT --notrack
+  inet/filter/OUTPUT              -o eth0 -j ACCEPT
+  inet6/filter/OUTPUT             -o eth0 -j ACCEPT
+
+Filter 68                         {"action":"pass","flow-limit":1,"in":"A","no-track":true,"out":"_fw"}
+(filter-limit)                    
+  inet/filter/INPUT               -i eth0 -j limit-61
+  inet6/filter/INPUT              -i eth0 -j limit-61
+  inet/filter/limit-61            -m recent --name limit-61 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j logdrop-14
+  inet6/filter/limit-61           -m recent --name limit-61 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j logdrop-14
+  inet/filter/logdrop-14          -m limit --limit 1/second -j LOG
+  inet6/filter/logdrop-14         -m limit --limit 1/second -j LOG
+  inet/filter/logdrop-14          -j DROP
+  inet6/filter/logdrop-14         -j DROP
+  inet/filter/limit-61            -m recent --name limit-61 --rsource --mask 255.255.255.255 --set 
+  inet6/filter/limit-61           -m recent --name limit-61 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set 
+  inet/raw/PREROUTING             -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
+  inet6/raw/PREROUTING            -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
+
+Filter 69                         {"flow-limit":1,"in":"A","log":true,"no-track":true,"out":"_fw"}
+(filter-limit)                    
+  inet/filter/INPUT               -i eth0 -j limit-62
+  inet6/filter/INPUT              -i eth0 -j limit-62
+  inet/filter/limit-62            -m recent --name limit-62 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j logdrop-15
+  inet6/filter/limit-62           -m recent --name limit-62 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j logdrop-15
+  inet/filter/logdrop-15          -m limit --limit 1/second -j LOG
+  inet6/filter/logdrop-15         -m limit --limit 1/second -j LOG
+  inet/filter/logdrop-15          -j DROP
+  inet6/filter/logdrop-15         -j DROP
+  inet/filter/limit-62            -m limit --limit 1/second -j LOG
+  inet6/filter/limit-62           -m limit --limit 1/second -j LOG
+  inet/filter/limit-62            -m recent --name limit-62 --rsource --mask 255.255.255.255 --set -j ACCEPT
+  inet6/filter/limit-62           -m recent --name limit-62 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -j ACCEPT
+  inet/raw/PREROUTING             -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
+  inet6/raw/PREROUTING            -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
+  inet/raw/OUTPUT                 -o eth0 -j CT --notrack
+  inet6/raw/OUTPUT                -o eth0 -j CT --notrack
+  inet/filter/OUTPUT              -o eth0 -j ACCEPT
+  inet6/filter/OUTPUT             -o eth0 -j ACCEPT
+
+Filter 70                         {"action":"pass","flow-limit":1,"in":"A","log":true,"no-track":true,"out":"_fw"}
+(filter-limit)                    
+  inet/filter/INPUT               -i eth0 -j limit-63
+  inet6/filter/INPUT              -i eth0 -j limit-63
+  inet/filter/limit-63            -m recent --name limit-63 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j logdrop-16
+  inet6/filter/limit-63           -m recent --name limit-63 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j logdrop-16
+  inet/filter/logdrop-16          -m limit --limit 1/second -j LOG
+  inet6/filter/logdrop-16         -m limit --limit 1/second -j LOG
+  inet/filter/logdrop-16          -j DROP
+  inet6/filter/logdrop-16         -j DROP
+  inet/filter/limit-63            -m recent --name limit-63 --rsource --mask 255.255.255.255 --set -m limit --limit 1/second -j LOG
+  inet6/filter/limit-63           -m recent --name limit-63 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -m limit --limit 1/second -j LOG
+  inet/raw/PREROUTING             -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
+  inet6/raw/PREROUTING            -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
+
+Filter 71                         {"flow-limit":1,"in":"A","log":"none","no-track":true,"out":"_fw"}
+(filter-limit)                    
+  inet/filter/INPUT               -i eth0 -j limit-64
+  inet6/filter/INPUT              -i eth0 -j limit-64
+  inet/filter/limit-64            -m recent --name limit-64 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j logdrop-17
+  inet6/filter/limit-64           -m recent --name limit-64 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j logdrop-17
+  inet/filter/logdrop-17          -m limit --limit 1/second -j LOG
+  inet6/filter/logdrop-17         -m limit --limit 1/second -j LOG
+  inet/filter/logdrop-17          -j DROP
+  inet6/filter/logdrop-17         -j DROP
+  inet/filter/limit-64            -m recent --name limit-64 --rsource --mask 255.255.255.255 --set -j ACCEPT
+  inet6/filter/limit-64           -m recent --name limit-64 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -j ACCEPT
+  inet/raw/PREROUTING             -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
+  inet6/raw/PREROUTING            -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
+  inet/raw/OUTPUT                 -o eth0 -j CT --notrack
+  inet6/raw/OUTPUT                -o eth0 -j CT --notrack
+  inet/filter/OUTPUT              -o eth0 -j ACCEPT
+  inet6/filter/OUTPUT             -o eth0 -j ACCEPT
+
+Filter 72                         {"action":"pass","flow-limit":1,"in":"A","log":"none","no-track":true,"out":"_fw"}
+(filter-limit)                    
+  inet/filter/INPUT               -i eth0 -j limit-65
+  inet6/filter/INPUT              -i eth0 -j limit-65
+  inet/filter/limit-65            -m recent --name limit-65 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j logdrop-18
+  inet6/filter/limit-65           -m recent --name limit-65 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j logdrop-18
+  inet/filter/logdrop-18          -m limit --limit 1/second -j LOG
+  inet6/filter/logdrop-18         -m limit --limit 1/second -j LOG
+  inet/filter/logdrop-18          -j DROP
+  inet6/filter/logdrop-18         -j DROP
+  inet/filter/limit-65            -m recent --name limit-65 --rsource --mask 255.255.255.255 --set 
+  inet6/filter/limit-65           -m recent --name limit-65 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set 
+  inet/raw/PREROUTING             -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
+  inet6/raw/PREROUTING            -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
+
+Filter 73                         {"flow-limit":{"count":1,"log":false},"in":"A","no-track":true,"out":"_fw"}
+(filter-limit)                    
+  inet/filter/INPUT               -i eth0 -j limit-66
+  inet6/filter/INPUT              -i eth0 -j limit-66
+  inet/filter/limit-66            -m recent --name limit-66 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j DROP
+  inet6/filter/limit-66           -m recent --name limit-66 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j DROP
+  inet/filter/limit-66            -m recent --name limit-66 --rsource --mask 255.255.255.255 --set -j ACCEPT
+  inet6/filter/limit-66           -m recent --name limit-66 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -j ACCEPT
+  inet/raw/PREROUTING             -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
+  inet6/raw/PREROUTING            -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
+  inet/raw/OUTPUT                 -o eth0 -j CT --notrack
+  inet6/raw/OUTPUT                -o eth0 -j CT --notrack
+  inet/filter/OUTPUT              -o eth0 -j ACCEPT
+  inet6/filter/OUTPUT             -o eth0 -j ACCEPT
+
+Filter 74                         {"action":"pass","flow-limit":{"count":1,"log":false},"in":"A","no-track":true,"out":"_fw"}
+(filter-limit)                    
+  inet/filter/INPUT               -i eth0 -j limit-67
+  inet6/filter/INPUT              -i eth0 -j limit-67
+  inet/filter/limit-67            -m recent --name limit-67 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j DROP
+  inet6/filter/limit-67           -m recent --name limit-67 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j DROP
+  inet/filter/limit-67            -m recent --name limit-67 --rsource --mask 255.255.255.255 --set 
+  inet6/filter/limit-67           -m recent --name limit-67 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set 
+  inet/raw/PREROUTING             -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
+  inet6/raw/PREROUTING            -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
+
+Filter 75                         {"flow-limit":{"count":1,"log":false},"in":"A","log":true,"no-track":true,"out":"_fw"}
+(filter-limit)                    
+  inet/filter/INPUT               -i eth0 -j limit-68
+  inet6/filter/INPUT              -i eth0 -j limit-68
+  inet/filter/limit-68            -m recent --name limit-68 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j DROP
+  inet6/filter/limit-68           -m recent --name limit-68 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j DROP
+  inet/filter/limit-68            -m limit --limit 1/second -j LOG
+  inet6/filter/limit-68           -m limit --limit 1/second -j LOG
+  inet/filter/limit-68            -m recent --name limit-68 --rsource --mask 255.255.255.255 --set -j ACCEPT
+  inet6/filter/limit-68           -m recent --name limit-68 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -j ACCEPT
+  inet/raw/PREROUTING             -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
+  inet6/raw/PREROUTING            -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
+  inet/raw/OUTPUT                 -o eth0 -j CT --notrack
+  inet6/raw/OUTPUT                -o eth0 -j CT --notrack
+  inet/filter/OUTPUT              -o eth0 -j ACCEPT
+  inet6/filter/OUTPUT             -o eth0 -j ACCEPT
+
+Filter 76                         {"action":"pass","flow-limit":{"count":1,"log":false},"in":"A","log":true,"no-track":true,"out":"_fw"}
+(filter-limit)                    
+  inet/filter/INPUT               -i eth0 -j limit-69
+  inet6/filter/INPUT              -i eth0 -j limit-69
+  inet/filter/limit-69            -m recent --name limit-69 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j DROP
+  inet6/filter/limit-69           -m recent --name limit-69 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j DROP
+  inet/filter/limit-69            -m recent --name limit-69 --rsource --mask 255.255.255.255 --set -m limit --limit 1/second -j LOG
+  inet6/filter/limit-69           -m recent --name limit-69 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -m limit --limit 1/second -j LOG
+  inet/raw/PREROUTING             -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
+  inet6/raw/PREROUTING            -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
+
+Filter 77                         {"flow-limit":{"count":1,"log":false},"in":"A","log":"none","no-track":true,"out":"_fw"}
+(filter-limit)                    
+  inet/filter/INPUT               -i eth0 -j limit-70
+  inet6/filter/INPUT              -i eth0 -j limit-70
+  inet/filter/limit-70            -m recent --name limit-70 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j DROP
+  inet6/filter/limit-70           -m recent --name limit-70 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j DROP
+  inet/filter/limit-70            -m recent --name limit-70 --rsource --mask 255.255.255.255 --set -j ACCEPT
+  inet6/filter/limit-70           -m recent --name limit-70 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -j ACCEPT
+  inet/raw/PREROUTING             -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
+  inet6/raw/PREROUTING            -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
+  inet/raw/OUTPUT                 -o eth0 -j CT --notrack
+  inet6/raw/OUTPUT                -o eth0 -j CT --notrack
+  inet/filter/OUTPUT              -o eth0 -j ACCEPT
+  inet6/filter/OUTPUT             -o eth0 -j ACCEPT
+
+Filter 78                         {"action":"pass","flow-limit":{"count":1,"log":false},"in":"A","log":"none","no-track":true,"out":"_fw"}
+(filter-limit)                    
+  inet/filter/INPUT               -i eth0 -j limit-71
+  inet6/filter/INPUT              -i eth0 -j limit-71
+  inet/filter/limit-71            -m recent --name limit-71 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j DROP
+  inet6/filter/limit-71           -m recent --name limit-71 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j DROP
+  inet/filter/limit-71            -m recent --name limit-71 --rsource --mask 255.255.255.255 --set 
+  inet6/filter/limit-71           -m recent --name limit-71 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set 
+  inet/raw/PREROUTING             -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
+  inet6/raw/PREROUTING            -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
+
+Filter 79                         {"flow-limit":{"count":1,"log":"none"},"in":"A","no-track":true,"out":"_fw"}
+(filter-limit)                    
+  inet/filter/INPUT               -i eth0 -j limit-72
+  inet6/filter/INPUT              -i eth0 -j limit-72
+  inet/filter/limit-72            -m recent --name limit-72 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j DROP
+  inet6/filter/limit-72           -m recent --name limit-72 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j DROP
+  inet/filter/limit-72            -m recent --name limit-72 --rsource --mask 255.255.255.255 --set -j ACCEPT
+  inet6/filter/limit-72           -m recent --name limit-72 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -j ACCEPT
+  inet/raw/PREROUTING             -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
+  inet6/raw/PREROUTING            -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
+  inet/raw/OUTPUT                 -o eth0 -j CT --notrack
+  inet6/raw/OUTPUT                -o eth0 -j CT --notrack
+  inet/filter/OUTPUT              -o eth0 -j ACCEPT
+  inet6/filter/OUTPUT             -o eth0 -j ACCEPT
+
+Filter 80                         {"action":"pass","flow-limit":{"count":1,"log":"none"},"in":"A","no-track":true,"out":"_fw"}
+(filter-limit)                    
+  inet/filter/INPUT               -i eth0 -j limit-73
+  inet6/filter/INPUT              -i eth0 -j limit-73
+  inet/filter/limit-73            -m recent --name limit-73 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j DROP
+  inet6/filter/limit-73           -m recent --name limit-73 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j DROP
+  inet/filter/limit-73            -m recent --name limit-73 --rsource --mask 255.255.255.255 --set 
+  inet6/filter/limit-73           -m recent --name limit-73 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set 
+  inet/raw/PREROUTING             -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
+  inet6/raw/PREROUTING            -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
+
+Filter 81                         {"flow-limit":{"count":1,"log":"none"},"in":"A","log":true,"no-track":true,"out":"_fw"}
+(filter-limit)                    
+  inet/filter/INPUT               -i eth0 -j limit-74
+  inet6/filter/INPUT              -i eth0 -j limit-74
+  inet/filter/limit-74            -m recent --name limit-74 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j DROP
+  inet6/filter/limit-74           -m recent --name limit-74 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j DROP
+  inet/filter/limit-74            -m limit --limit 1/second -j LOG
+  inet6/filter/limit-74           -m limit --limit 1/second -j LOG
+  inet/filter/limit-74            -m recent --name limit-74 --rsource --mask 255.255.255.255 --set -j ACCEPT
+  inet6/filter/limit-74           -m recent --name limit-74 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -j ACCEPT
+  inet/raw/PREROUTING             -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
+  inet6/raw/PREROUTING            -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
+  inet/raw/OUTPUT                 -o eth0 -j CT --notrack
+  inet6/raw/OUTPUT                -o eth0 -j CT --notrack
+  inet/filter/OUTPUT              -o eth0 -j ACCEPT
+  inet6/filter/OUTPUT             -o eth0 -j ACCEPT
+
+Filter 82                         {"action":"pass","flow-limit":{"count":1,"log":"none"},"in":"A","log":true,"no-track":true,"out":"_fw"}
+(filter-limit)                    
+  inet/filter/INPUT               -i eth0 -j limit-75
+  inet6/filter/INPUT              -i eth0 -j limit-75
+  inet/filter/limit-75            -m recent --name limit-75 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j DROP
+  inet6/filter/limit-75           -m recent --name limit-75 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j DROP
+  inet/filter/limit-75            -m recent --name limit-75 --rsource --mask 255.255.255.255 --set -m limit --limit 1/second -j LOG
+  inet6/filter/limit-75           -m recent --name limit-75 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -m limit --limit 1/second -j LOG
+  inet/raw/PREROUTING             -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
+  inet6/raw/PREROUTING            -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
+
+Filter 83                         {"flow-limit":{"count":1,"log":"none"},"in":"A","log":"none","no-track":true,"out":"_fw"}
+(filter-limit)                    
+  inet/filter/INPUT               -i eth0 -j limit-76
+  inet6/filter/INPUT              -i eth0 -j limit-76
+  inet/filter/limit-76            -m recent --name limit-76 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j DROP
+  inet6/filter/limit-76           -m recent --name limit-76 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j DROP
+  inet/filter/limit-76            -m recent --name limit-76 --rsource --mask 255.255.255.255 --set -j ACCEPT
+  inet6/filter/limit-76           -m recent --name limit-76 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -j ACCEPT
+  inet/raw/PREROUTING             -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
+  inet6/raw/PREROUTING            -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
+  inet/raw/OUTPUT                 -o eth0 -j CT --notrack
+  inet6/raw/OUTPUT                -o eth0 -j CT --notrack
+  inet/filter/OUTPUT              -o eth0 -j ACCEPT
+  inet6/filter/OUTPUT             -o eth0 -j ACCEPT
+
+Filter 84                         {"action":"pass","flow-limit":{"count":1,"log":"none"},"in":"A","log":"none","no-track":true,"out":"_fw"}
+(filter-limit)                    
+  inet/filter/INPUT               -i eth0 -j limit-77
+  inet6/filter/INPUT              -i eth0 -j limit-77
+  inet/filter/limit-77            -m recent --name limit-77 --rsource --mask 255.255.255.255 --update --hitcount 1 --seconds 1 -j DROP
+  inet6/filter/limit-77           -m recent --name limit-77 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 1 --seconds 1 -j DROP
+  inet/filter/limit-77            -m recent --name limit-77 --rsource --mask 255.255.255.255 --set 
+  inet6/filter/limit-77           -m recent --name limit-77 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set 
+  inet/raw/PREROUTING             -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
+  inet6/raw/PREROUTING            -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
+
+Filter 85                         {"flow-limit":30,"in":"A","no-track":true,"out":"_fw"}
+(filter-limit)                    
+  inet/filter/INPUT               -i eth0 -j limit-78
+  inet6/filter/INPUT              -i eth0 -j limit-78
+  inet/filter/limit-78            -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-78 -j ACCEPT
+  inet6/filter/limit-78           -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 128 --hashlimit-name limit-78 -j ACCEPT
+  inet/filter/limit-78            -m limit --limit 1/second -j LOG
+  inet6/filter/limit-78           -m limit --limit 1/second -j LOG
+  inet/filter/limit-78            -j DROP
+  inet6/filter/limit-78           -j DROP
+  inet/raw/PREROUTING             -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
+  inet6/raw/PREROUTING            -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
+  inet/raw/OUTPUT                 -o eth0 -j CT --notrack
+  inet6/raw/OUTPUT                -o eth0 -j CT --notrack
+  inet/filter/OUTPUT              -o eth0 -j ACCEPT
+  inet6/filter/OUTPUT             -o eth0 -j ACCEPT
+
+Filter 86                         {"action":"pass","flow-limit":30,"in":"A","no-track":true,"out":"_fw"}
+(filter-limit)                    
+  inet/filter/INPUT               -i eth0 -j limit-79
+  inet6/filter/INPUT              -i eth0 -j limit-79
+  inet/filter/limit-79            -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-79 -j RETURN
+  inet6/filter/limit-79           -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 128 --hashlimit-name limit-79 -j RETURN
+  inet/filter/limit-79            -m limit --limit 1/second -j LOG
+  inet6/filter/limit-79           -m limit --limit 1/second -j LOG
+  inet/filter/limit-79            -j DROP
+  inet6/filter/limit-79           -j DROP
+  inet/raw/PREROUTING             -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
+  inet6/raw/PREROUTING            -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
+
+Filter 87                         {"flow-limit":30,"in":"A","log":true,"no-track":true,"out":"_fw"}
+(filter-limit)                    
+  inet/filter/INPUT               -i eth0 -j limit-80
+  inet6/filter/INPUT              -i eth0 -j limit-80
+  inet/filter/limit-80            -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-80 -j logaccept-3
+  inet6/filter/limit-80           -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 128 --hashlimit-name limit-80 -j logaccept-3
+  inet/filter/logaccept-3         -m limit --limit 1/second -j LOG
+  inet6/filter/logaccept-3        -m limit --limit 1/second -j LOG
+  inet/filter/logaccept-3         -j ACCEPT
+  inet6/filter/logaccept-3        -j ACCEPT
+  inet/filter/limit-80            -m limit --limit 1/second -j LOG
+  inet6/filter/limit-80           -m limit --limit 1/second -j LOG
+  inet/filter/limit-80            -j DROP
+  inet6/filter/limit-80           -j DROP
+  inet/raw/PREROUTING             -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
+  inet6/raw/PREROUTING            -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
+  inet/raw/OUTPUT                 -o eth0 -j CT --notrack
+  inet6/raw/OUTPUT                -o eth0 -j CT --notrack
+  inet/filter/OUTPUT              -o eth0 -j ACCEPT
+  inet6/filter/OUTPUT             -o eth0 -j ACCEPT
+
+Filter 88                         {"flow-limit":30,"in":"A","log":"none","no-track":true,"out":"_fw"}
+(filter-limit)                    
+  inet/filter/INPUT               -i eth0 -j limit-81
+  inet6/filter/INPUT              -i eth0 -j limit-81
+  inet/filter/limit-81            -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-81 -j ACCEPT
+  inet6/filter/limit-81           -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 128 --hashlimit-name limit-81 -j ACCEPT
+  inet/filter/limit-81            -m limit --limit 1/second -j LOG
+  inet6/filter/limit-81           -m limit --limit 1/second -j LOG
+  inet/filter/limit-81            -j DROP
+  inet6/filter/limit-81           -j DROP
+  inet/raw/PREROUTING             -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
+  inet6/raw/PREROUTING            -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
+  inet/raw/OUTPUT                 -o eth0 -j CT --notrack
+  inet6/raw/OUTPUT                -o eth0 -j CT --notrack
+  inet/filter/OUTPUT              -o eth0 -j ACCEPT
+  inet6/filter/OUTPUT             -o eth0 -j ACCEPT
+
+Filter 89                         {"flow-limit":{"count":30,"log":false},"in":"A","no-track":true,"out":"_fw"}
+(filter-limit)                    
+  inet/filter/INPUT               -i eth0 -j limit-82
+  inet6/filter/INPUT              -i eth0 -j limit-82
+  inet/filter/limit-82            -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-82 -j ACCEPT
+  inet6/filter/limit-82           -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 128 --hashlimit-name limit-82 -j ACCEPT
+  inet/filter/limit-82            -j DROP
+  inet6/filter/limit-82           -j DROP
+  inet/raw/PREROUTING             -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
+  inet6/raw/PREROUTING            -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
+  inet/raw/OUTPUT                 -o eth0 -j CT --notrack
+  inet6/raw/OUTPUT                -o eth0 -j CT --notrack
+  inet/filter/OUTPUT              -o eth0 -j ACCEPT
+  inet6/filter/OUTPUT             -o eth0 -j ACCEPT
+
+Filter 90                         {"action":"pass","flow-limit":{"count":30,"log":false},"in":"A","no-track":true,"out":"_fw"}
+(filter-limit)                    
+  inet/filter/INPUT               -i eth0 -j limit-83
+  inet6/filter/INPUT              -i eth0 -j limit-83
+  inet/filter/limit-83            -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-83 -j RETURN
+  inet6/filter/limit-83           -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 128 --hashlimit-name limit-83 -j RETURN
+  inet/filter/limit-83            -j DROP
+  inet6/filter/limit-83           -j DROP
+  inet/raw/PREROUTING             -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
+  inet6/raw/PREROUTING            -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
+
+Filter 91                         {"flow-limit":{"count":30,"log":false},"in":"A","log":true,"no-track":true,"out":"_fw"}
+(filter-limit)                    
+  inet/filter/INPUT               -i eth0 -j limit-84
+  inet6/filter/INPUT              -i eth0 -j limit-84
+  inet/filter/limit-84            -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name limit-84 -j logaccept-4
+  inet6/filter/limit-84           -m hashlimit --hashlimit-upto 30/second --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-srcmask 128 --hashlimit-name limit-84 -j logaccept-4
+  inet/filter/logaccept-4         -m limit --limit 1/second -j LOG
+  inet6/filter/logaccept-4        -m limit --limit 1/second -j LOG
+  inet/filter/logaccept-4         -j ACCEPT
+  inet6/filter/logaccept-4        -j ACCEPT
+  inet/filter/limit-84            -j DROP
+  inet6/filter/limit-84           -j DROP
+  inet/raw/PREROUTING             -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
+  inet6/raw/PREROUTING            -m addrtype --dst-type LOCAL -i eth0 -j CT --notrack
+  inet/raw/OUTPUT                 -o eth0 -j CT --notrack
+  inet6/raw/OUTPUT                -o eth0 -j CT --notrack
+  inet/filter/OUTPUT              -o eth0 -j ACCEPT