Commit d59b05d5 authored by Kaarle Ritvanen

apply prior drop/reject rules to accept rules with flow-limit

parent 96170d14
......@@ -82,12 +82,16 @@ function M.Config:init(policyconfig)
local function insertrules(trules)
for i, trule in ipairs(trules) do
local t = self.iptables.config[trule.family][trule.table][trule.chain]
local opts = (trule.opts and trule.opts..' ' or '')..'-j '..trule.target
local acfrag = {family=trule.family,
table=trule.table,
chain=trule.target}
acfrags[optfrag.location(acfrag)] = acfrag
local opts = optfrag.command(trule)
if trule.target then
local acfrag = {
family=trule.family,
table=trule.table,
chain=trule.target
}
acfrags[optfrag.location(acfrag)] = acfrag
end
if trule.position == 'prepend' then
table.insert(t, 1, opts)
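Review bot: The new `if trule.target then` guard silently changes what `insertrules` accepts — a translated rule may now have no target at all — but nothing in the hunk says why that is legitimate, and a reader of `acfrags` will wonder why some chains are never recorded. Add a comment above the guard: `-- target may be nil for match-only rules (e.g. the '-m recent --set' entry of a flow-limit chain); such rules neither jump nor need their chain tracked in acfrags`. Note that `optfrag.command` returns an empty string when a rule carries neither `opts` nor `target`, and this loop would then insert an empty entry into the chain table without complaint; if that can never happen it deserves an assertion such as `assert(trule.opts or trule.target)`, otherwise a skip. The body of `insertrules` continues beyond this hunk.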
......
......@@ -61,13 +61,7 @@ function M.ConfigObject:trules() return {} end
function M.ConfigObject:info()
local res = {}
for i, trule in ipairs(self:trules()) do
table.insert(
res,
{
' '..optfrag.location(trule),
(trule.opts and trule.opts..' ' or '')..'-j '..trule.target
}
)
table.insert(res, {' '..optfrag.location(trule), optfrag.command(trule)})
end
return res
end
......
......@@ -43,7 +43,9 @@ local LoggingRule = class(TranslatingRule)
function LoggingRule:init(...)
LoggingRule.super(self):init(...)
if not self.action then self.action = 'accept' end
self.log = loadclass('log').get(self, self.log, self.action ~= 'accept')
if type(self.log) ~= 'table' then
self.log = loadclass('log').get(self, self.log, self.action ~= 'accept')
end
end
function LoggingRule:actiontarget() return 'ACCEPT' end
......@@ -165,6 +167,10 @@ function Filter:trules()
extend(res, Filter.super(self):trules())
if self.action == 'accept' then
if self:position() == 'prepend' then
extrarules(LoggingRule, {log=self.log})
end
local nr = #res
if self.related then
......@@ -238,9 +244,15 @@ function Filter:extraoptfrags()
interval = 1
end
local ofrags, logch, limitofs
local ofrags = {}
local logch, limitofs
local accept = self:position() == 'append'
if count > RECENT_MAX_COUNT then
ofrags, logch = self:logchain(self.log, 'accept', 'ACCEPT')
if accept then
ofrags, logch = self:logchain(self.log, 'accept', 'ACCEPT')
else logch = 'RETURN' end
limitofs = {
{
opts='-m hashlimit --hashlimit-upto '..count..'/second --hashlimit-burst '..count..' --hashlimit-mode srcip --hashlimit-name '..limitchain,
......@@ -249,8 +261,10 @@ function Filter:extraoptfrags()
{target='DROP'}
}
if limitlog then table.insert(limitofs, 2, limitlog:optfrag()) end
else
ofrags, logch = self:logchain(limitlog, 'drop', 'DROP')
limitofs = combinations(
{{opts='-m recent --name '..limitchain}},
{
......@@ -258,10 +272,12 @@ function Filter:extraoptfrags()
opts='--update --hitcount '..count..' --seconds '..interval,
target=logch
},
{opts='--set', target='ACCEPT'}
{opts='--set', target=accept and 'ACCEPT' or nil}
}
)
if self.log then table.insert(limitofs, 2, self.log:optfrag()) end
if accept and self.log then
table.insert(limitofs, 2, self.log:optfrag())
end
end
extend(ofrags, combinations({{chain=limitchain}}, limitofs))
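Review bot: In the hashlimit branch (`if count > RECENT_MAX_COUNT`) the new `else logch = 'RETURN' end` makes `logch` the target for packets *within* the limit, with over-limit traffic still hitting the unchanged `{target='DROP'}`, while in the recent branch `logch` (unchanged `self:logchain(limitlog, 'drop', 'DROP')`) is the target for packets *over* the limit — the same variable now carries opposite meanings depending on the branch, and the one-line `else` hides that. Spell the intent out next to `local accept = self:position() == 'append'`, e.g. `-- appended rules ACCEPT from the limit chain; prepended rules only enforce the limit here (RETURN/-set without target) and leave the ACCEPT to the LoggingRule appended in Filter:trules, so prior drop/reject rules still apply`, and format the else on its own lines like the surrounding code. Since `accept` is derived from equality with `'append'`, any other return value of `self:position()` would silently get the RETURN semantics; if only `'append'`/`'prepend'` are possible, say so in the comment, otherwise compare against `'prepend'` explicitly. I am assuming the appended `extrarules(LoggingRule, {log=self.log})` reproduces the rule's own match criteria, which this page does not show — worth confirming, because if it does not, prepended flow-limited rules would accept more than before. `Filter:extraoptfrags` starts and ends outside these hunks.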
......
......@@ -53,4 +53,9 @@ end
function M.location(of) return of.family..'/'..of.table..'/'..of.chain end
function M.command(of)
return (of.opts and of.opts..' ' or '')..
(of.target and '-j '..of.target or '')
end
return M
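Review bot: `M.command` leaves a trailing space when `opts` is set and `target` is nil (the `of.opts..' '` is unconditional) and yields `''` when both are nil, which from here on shows up in `ConfigObject:info` output and in the rule text handed to iptables; iptables-restore appears to tolerate the whitespace, but the function has no documentation saying the target is optional, so state it: `-- Render an optfrag as an iptables rule fragment; target is optional (match-only rules)`. Joining the present parts avoids both artefacts without changing any non-empty result.
```lua
function M.command(of)
	local parts = {}
	if of.opts then parts[#parts + 1] = of.opts end
	if of.target then parts[#parts + 1] = '-j '..of.target end
	return table.concat(parts, ' ')
end
```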