Commit cd613355 authored by Kaarle Ritvanen's avatar Kaarle Ritvanen

support for TARPIT target

automatic logging, handling of non-TCP packets, and connection tracking bypass
parent 1ecedaa7
......@@ -77,6 +77,8 @@ function Filter:trules()
extrarules('dnat', {['ip-range']=dnataddr, out=nil})
end
if self.action == 'tarpit' then extrarules('no-track') end
awall.util.extend(res, model.Rule.trules(self))
return res
......@@ -132,10 +134,11 @@ classes = {{'filter', Filter},
defrules = {pre={}, ['post-filter']={}}
local limitedlog = '-m limit --limit 1/second -j LOG'
for i, family in ipairs({'inet', 'inet6'}) do
for i, target in ipairs({'drop', 'reject'}) do
for i, opts in ipairs({'-m limit --limit 1/second -j LOG',
'-j '..string.upper(target)}) do
for i, opts in ipairs({limitedlog, '-j '..string.upper(target)}) do
table.insert(defrules.pre,
{family=family,
table='filter',
......@@ -144,6 +147,11 @@ for i, family in ipairs({'inet', 'inet6'}) do
end
end
for i, opts in ipairs({limitedlog, '-p tcp -j TARPIT', '-j DROP'}) do
table.insert(defrules.pre,
{family=family, table='filter', chain='tarpit', opts=opts})
end
for i, chain in ipairs({'FORWARD', 'INPUT', 'OUTPUT'}) do
table.insert(defrules.pre,
{family=family,
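Review bot: The `extrarules('no-track')` line added to Filter:trules() in the first hunk carries no explanation of why a tarpit action must bypass connection tracking, and a reader of the rule generator would reasonably wonder whether the raw-table rule is needed at all; I would add `-- TARPIT keeps matched TCP connections open indefinitely; skip conntrack so they do not accumulate in the state table` above it (Filter:trules begins and ends outside the hunk). The `tarpit` chain built in the last hunk deserves a similar one-line comment on its ordering, e.g. `-- log, TARPIT what TARPIT can handle (TCP only), drop everything else`, since the `-p tcp` restriction followed by an unconditional `-j DROP` is what implements the "non-TCP packets" behaviour the commit message promises. TARPIT is an xtables-addons extension rather than part of stock iptables, so the generated policy now fails to load on a host without that module; that is presumably acceptable, but worth stating in the documentation for the `tarpit` action. As a point of style, the nested loops in the second and third hunks all bind an unused `i`, shadowing the outer one; `for _, opts in ipairs(...)` would make the intent clearer.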