From: Michael Tremer
Date: Wed, 10 Sep 2014 15:24:24 +0000 (+0200)
Subject: rules.pl: Add conn/rate limit options
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=947a699c658be99b4d851ddba1ec851151d964fd;p=people%2Fms%2Fipfire-2.x.git

rules.pl: Add conn/rate limit options
---

diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl
index aa8870cdc4..5e602b9bbe 100755
--- a/config/firewall/rules.pl
+++ b/config/firewall/rules.pl
@@ -268,6 +268,33 @@ sub buildrules {
 }
 }
 
+ # Concurrent connection limit
+ my @ratelimit_options = ();
+ if ($$hash{$key}[32] eq 'ON') {
+ my $conn_limit = $$hash{$key}[33];
+
+ if ($conn_limit ge 1) {
+ push(@ratelimit_options, ("-m", "connlimit"));
+
+ # Use the the entire source IP address
+ push(@ratelimit_options, "--connlimit-saddr");
+ push(@ratelimit_options, ("--connlimit-mask", "32"));
+
+ # Apply the limit
+ push(@ratelimit_options, ("--connlimit-upto", $conn_limit));
+ }
+ }
+
+ # Ratelimit
+ if ($$hash{$key}[34] eq 'ON') {
+ my $rate_limit = "$$hash{$key}[35]/$$hash{$key}[36]";
+
+ if ($rate_limit) {
+ push(@ratelimit_options, ("-m", "limit"));
+ push(@ratelimit_options, ("--limit", $rate_limit));
+ }
+ }
+
 # Check which protocols are used in this rule and so that we can
 # later group rules by protocols.
 my @protocols = &get_protocols($hash, $key);
@@ -336,6 +363,9 @@ sub buildrules {
 # Add time constraint options.
 push(@options, @time_options);
 
+ # Add ratelimiting option
+ push(@options, @ratelimit_options);
+
 my $firewall_is_in_source_subnet = 1;
 if ($source) {
 $firewall_is_in_source_subnet = &firewall_is_in_subnet($source);
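Review bot: `if ($conn_limit ge 1)` in the connection-limit branch is a string comparison, so any non-numeric or malformed value in field 33 sorts above `"1"` and is passed straight to `--connlimit-upto`, where iptables rejects it and the whole rule set fails to load; validate and compare numerically instead: `if ($conn_limit =~ /\A\d+\z/ and $conn_limit >= 1) {`. The rate-limit branch has the same gap in a different form: `if ($rate_limit)` can never be false because the string is built as `"$$hash{$key}[35]/$$hash{$key}[36]"` and always contains the `/`, so an empty rate or unit yields `--limit /` rather than the option being skipped; test the two fields before joining them, e.g. `if ($$hash{$key}[35] =~ /\A\d+\z/ and $$hash{$key}[36] =~ /\A\w+\z/) {` (the exact unit vocabulary the UI writes is not visible here). The hard-coded `--connlimit-mask 32` also deserves a comment that it is IPv4-specific, e.g. `# /32 = limit per individual IPv4 source address`. The comment `# Use the the entire source IP address` has a doubled word. buildrules starts and ends outside this hunk.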