rules.pl: Make rate limiting rules work for REJECT and DROP targets
authorMichael Tremer <michael.tremer@ipfire.org>
Thu, 11 Sep 2014 14:19:17 +0000 (16:19 +0200)
committerMichael Tremer <michael.tremer@ipfire.org>
Thu, 11 Sep 2014 14:19:17 +0000 (16:19 +0200)
config/firewall/rules.pl

index 7a62bb432171ebc53f91f4ddd479fec653458290..876076396f3591791212cce68a237565b730aa8a 100755 (executable)
@@ -281,7 +281,11 @@ sub buildrules {
                                push(@ratelimit_options, ("--connlimit-mask", "32"));
 
                                # Apply the limit
-                               push(@ratelimit_options, ("--connlimit-upto", $conn_limit));
+                               if ($target eq "ACCEPT") {
+                                       push(@ratelimit_options, ("--connlimit-upto", $conn_limit));
+                               } else {
+                                       push(@ratelimit_options, ("--connlimit-above", $conn_limit));
+                               }
                        }
                }
 
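Review bot: The `else` branch added after `if ($target eq "ACCEPT")` selects `--connlimit-above` for every target that is not ACCEPT, while the commit title names only REJECT and DROP. Which other values `$target` can hold at this point is not visible in the hunk, so it may be worth testing for the blocking targets explicitly or confirming that nothing else reaches this code. The inversion also deserves a comment above the condition, for example `# ACCEPT matches while within the limit; REJECT/DROP must match only once it is exceeded`, because a blocking rule built with `-upto` would block the traffic that stays under the limit and let the excess through. The same branch is repeated for `--hashlimit-upto`/`--hashlimit-above` in the second hunk, so the choice could be computed once, `my $limit_match = ($target eq "ACCEPT") ? "upto" : "above";`, and reused in both places. buildrules starts and ends outside the hunk.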
@@ -294,7 +298,11 @@ sub buildrules {
                                push(@ratelimit_options, ("--hashlimit-name", "rule-$key"));
                                push(@ratelimit_options, ("--hashlimit-mode", "srcip"));
 
-                               push(@ratelimit_options, ("--hashlimit-upto", $rate_limit));
+                               if ($target eq "ACCEPT") {
+                                       push(@ratelimit_options, ("--hashlimit-upto", $rate_limit));
+                               } else {
+                                       push(@ratelimit_options, ("--hashlimit-above", $rate_limit));
+                               }
                        }
                }