Commit 0a9a8db2 authored by Kaarle Ritvanen's avatar Kaarle Ritvanen

Limit: split mask attribute

parent aaececd5
......@@ -209,18 +209,17 @@ default value is 1.
The maximum rate defined by a limit may be absolute or specific to
blocks of IP addresses or pairs thereof. The number of most
significant bits taken into account when mapping the source and
destination IP addresses to blocks can be specified with the **mask**
attribute. The **mask** attribute is an object with two attributes
defining the prefix lengths, named **src** and
**dest**. Alternatively, the **mask** object may have object
attributes named **inet** and **inet6** which contain address
family–specific prefix length pairs. If **mask** is defined as
an integer, it is interpreted as the source address prefix length.
The default value for **mask** depends on the type of the enclosing
object. For [filters](#filter), the default behavior is to apply the
limit for each source address separately. For [logging classes](#log),
the limit is considered absolute by default.
destination IP addresses to blocks can be specified with the
**src-mask** and **dest-mask** attributes, respectively. If set to
**true** (boolean), all bits are considered. The value of **false**
causes the respective address to be ignored. Address
family–specific prefix lengths can be set by defining the mask
as an object with attributes named **inet** and **inet6**.
The default behavior with respect to the masks depends on the type of
the enclosing object. For [filters](#filter), the default behavior is
to apply the limit for each source address separately. For [logging
classes](#log), the limit is considered absolute by default.
### <a name="log"></a>Logging Classes
......
......@@ -690,28 +690,48 @@ function M.Limit:init(...)
setdefault(self, 'interval', 1)
if type(setdefault(self, 'mask', {})) == 'number' then
self.mask = {src=self.mask}
-- alpine v3.5 compatibility
if self.mask then
self:warning(
"'mask' attribute is deprecated, please use 'src-mask' and 'dest-mask'"
)
self['src-mask'] = {}
self['dest-mask'] = {}
if type(self.mask) == 'number' then self.mask = {src=self.mask} end
for _, family in ipairs{'inet', 'inet6'} do
setdefault(self.mask, family, util.copy(self.mask))
for _, attr in ipairs{'src', 'dest'} do
self[attr..'-mask'][family] = self.mask[family][attr] or
({src=({inet=32, inet6=128})[family], dest=0})[attr]
end
end
end
for _, family in ipairs{'inet', 'inet6'} do
setdefault(self.mask, family, util.copy(self.mask))
for _, attr in ipairs{'src', 'dest'} do
setdefault(
self.mask[family],
attr,
({src=({inet=32, inet6=128})[family], dest=0})[attr]
)
setdefault(self, 'src-mask', not self['dest-mask'])
setdefault(self, 'dest-mask', false)
for _, addr in ipairs{'src', 'dest'} do
local mask = addr..'-mask'
if type(self[mask]) ~= 'table' then
self[mask] = {inet=self[mask], inet6=self[mask]}
end
for _, family in ipairs{'inet', 'inet6'} do
local value = self[mask][family]
if not value then self[mask][family] = 0
elseif value == true then
self[mask][family] = ({inet=32, inet6=128})[family]
end
end
end
end
function M.Limit:maskmode(family)
local res
for _, attr in ipairs{'src', 'dest'} do
local mask = self.mask[family][attr]
for _, addr in ipairs{'src', 'dest'} do
local mask = self[addr..'-mask'][family]
if mask > 0 then
if res then return end
res = {attr, mask}
res = {addr, mask}
end
end
if res then return table.unpack(res) end
......@@ -738,10 +758,10 @@ function M.Limit:limitofrags(name)
for _, family in ipairs{'inet', 'inet6'} do
local keys = {}
local maskopts = ''
for _, attr in ipairs{'src', 'dest'} do
local mask = self.mask[family][attr]
for _, addr in ipairs{'src', 'dest'} do
local mask = self[addr..'-mask'][family]
if mask > 0 then
local opt = ({src='src', dest='dst'})[attr]
local opt = ({src='src', dest='dst'})[addr]
table.insert(keys, opt..'ip')
maskopts = maskopts..' --hashlimit-'..opt..'mask '..mask
end
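Review bot: The normalisation loop at the end of `M.Limit:init` stores whatever `src-mask`/`dest-mask` holds once `true` and `false` are resolved, so a negative, fractional, over-long or non-numeric prefix length is never checked. `maskmode` and `limitofrags` treat any value that is not `> 0` as "ignore this address", which silently turns a per-source limit into one shared bucket that a single sender can exhaust. Larger values are concatenated as-is into the `--hashlimit-srcmask`/`--hashlimit-dstmask` option. A scalar is also copied to both families, so a `64` meant for IPv6 becomes the IPv4 mask too. I would validate each family's value against 0..32 or 0..128 in that loop and fail the configuration otherwise, as sketched below (`self:error` is assumed to exist next to `self:warning`); the function starts outside the hunk.

```lua
-- … unchanged: legacy 'mask' conversion, defaults, scalar-to-table expansion …
for _, family in ipairs{'inet', 'inet6'} do
   local max = ({inet=32, inet6=128})[family]
   local value = self[mask][family]
   if not value then value = 0
   elseif value == true then value = max end
   -- reject anything that is not an integer prefix length for this family
   if type(value) ~= 'number' or value % 1 ~= 0 or
      value < 0 or value > max then
      self:error(
         'Invalid '..mask..' for '..family..': '..tostring(value)
      )
   end
   self[mask][family] = value
end
```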
......
--[[
Packet logging module for Alpine Wall
Copyright (C) 2012-2016 Kaarle Ritvanen
Copyright (C) 2012-2017 Kaarle Ritvanen
See LICENSE file for license details
]]--
......@@ -15,7 +15,7 @@ local setdefault = require('awall.util').setdefault
local LogLimit = class(model.Limit)
function LogLimit:init(...)
setdefault(self, 'mask', 0)
setdefault(self, 'src-mask', false)
LogLimit.super(self):init(...)
end
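Review bot: The `setdefault(self, 'src-mask', false)` line in `LogLimit:init` keeps logging limits absolute only if `setdefault` treats an existing `false` as already set. The `Limit:init` shown earlier in this commit later runs `setdefault(self, 'src-mask', not self['dest-mask'])`, which would flip the default to per-source limiting if `setdefault` tested truthiness rather than `nil`. `setdefault` comes from `awall.util` and is not visible here, so this is worth confirming and recording next to the call, for example `-- explicit false (not nil): keeps the log limit absolute unless the user sets a mask`.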
......