From: Alexander Marx
Date: Thu, 11 Sep 2014 12:01:28 +0000 (+0200)
Subject: BUG10615 part3: adapt rules.pl to use connectionlimit and ratelimit
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d2793ea80576ac5200f62c911b9492a5c102a81b;p=people%2Fms%2Fipfire-2.x.git

BUG10615 part3: adapt rules.pl to use connectionlimit and ratelimit
---
diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl
index aa8870cdc4..30d3a3c3db 100755
--- a/config/firewall/rules.pl
+++ b/config/firewall/rules.pl
@@ -268,6 +268,33 @@ sub buildrules {
 }
 }
 
+ # Concurrent connection limit
+ my @ratelimit_options = ();
+ if ($$hash{$key}[32] eq 'ON') {
+ my $conn_limit = $$hash{$key}[33];
+
+ if ($conn_limit ge 1) {
+ push(@ratelimit_options, ("-m", "connlimit"));
+
+ # Use the the entire source IP address
+ push(@ratelimit_options, "--connlimit-saddr");
+ push(@ratelimit_options, ("--connlimit-mask", "32"));
+
+ # Apply the limit
+ push(@ratelimit_options, ("--connlimit-upto", $conn_limit));
+ }
+ }
+
+ # Ratelimit
+ if ($$hash{$key}[34] eq 'ON') {
+ my $rate_limit = "$$hash{$key}[35]/$$hash{$key}[36]";
+
+ if ($rate_limit) {
+ push(@ratelimit_options, ("-m", "limit"));
+ push(@ratelimit_options, ("--limit", $rate_limit));
+ }
+ }
+
 # Check which protocols are used in this rule and so that we can
 # later group rules by protocols.
 my @protocols = &get_protocols($hash, $key);
@@ -336,6 +363,9 @@ sub buildrules {
 # Add time constraint options.
 push(@options, @time_options);
 
+ # Add ratelimiting option
+ push(@options, @ratelimit_options);
+
 my $firewall_is_in_source_subnet = 1;
 if ($source) {
 $firewall_is_in_source_subnet = &firewall_is_in_subnet($source);
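Review bot: The guards on the new limit values do not reject malformed input before it is handed to iptables: `if ($conn_limit ge 1)` is a string comparison, so any non-empty non-numeric value (or "1abc") passes, and `$rate_limit` is built as `"$$hash{$key}[35]/$$hash{$key}[36]"` and so is never false — with both fields empty it is still the string "/". Either way the rule is emitted with an argument iptables will reject, and a rule that fails to load leaves that traffic governed by the surrounding rules and chain policy unless the caller checks the exit status (not visible in this hunk). Validate with numeric, anchored checks instead, e.g. `if ($conn_limit =~ /\A\d+\z/ && $conn_limit >= 1)` and `if ($$hash{$key}[35] =~ /\A\d+\z/ && $$hash{$key}[36] =~ /\A(?:second|minute|hour|day)\z/)` before building `$rate_limit`. Minor: the comment "Use the the entire source IP address" doubles "the". The enclosing buildrules starts and ends outside the hunk.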
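Review bot: Pushing `@ratelimit_options` onto `@options` narrows what the rule matches rather than deciding what happens to excess traffic: packets beyond `--limit` or connections beyond `--connlimit-upto` simply do not match this rule and fall through to the rules and chain policy that follow. For an ACCEPT rule that is the intended throttle; for a DROP or REJECT rule it means the excess is exactly the traffic this rule stops handling, which is unlikely to be what the user configured. That deserves a comment at the push site, e.g. `# Limits only narrow the match: traffic over the limit falls through to later rules`, and presumably a check (here or in the UI, not visible in this diff) that limits are only combined with accepting targets. buildrules continues outside the hunk on both sides.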