From d2793ea80576ac5200f62c911b9492a5c102a81b Mon Sep 17 00:00:00 2001
From: Alexander Marx
Date: Thu, 11 Sep 2014 14:01:28 +0200
Subject: [PATCH] BUG10615 part3: adapt rules.pl to use connectionlimit and ratelimit
---
 config/firewall/rules.pl | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)
diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl
index aa8870cdc4..30d3a3c3db 100755
--- a/config/firewall/rules.pl
+++ b/config/firewall/rules.pl
@@ -268,6 +268,33 @@ sub buildrules {
 }
 }
 
+ # Concurrent connection limit
+ my @ratelimit_options = ();
+ if ($$hash{$key}[32] eq 'ON') {
+ my $conn_limit = $$hash{$key}[33];
+
+ if ($conn_limit ge 1) {
+ push(@ratelimit_options, ("-m", "connlimit"));
+
+ # Use the the entire source IP address
+ push(@ratelimit_options, "--connlimit-saddr");
+ push(@ratelimit_options, ("--connlimit-mask", "32"));
+
+ # Apply the limit
+ push(@ratelimit_options, ("--connlimit-upto", $conn_limit));
+ }
+ }
+
+ # Ratelimit
+ if ($$hash{$key}[34] eq 'ON') {
+ my $rate_limit = "$$hash{$key}[35]/$$hash{$key}[36]";
+
+ if ($rate_limit) {
+ push(@ratelimit_options, ("-m", "limit"));
+ push(@ratelimit_options, ("--limit", $rate_limit));
+ }
+ }
+
 # Check which protocols are used in this rule and so that we can
 # later group rules by protocols.
 my @protocols = &get_protocols($hash, $key);
@@ -336,6 +363,9 @@ sub buildrules {
 # Add time constraint options.
 push(@options, @time_options);
 
+ # Add ratelimiting option
+ push(@options, @ratelimit_options);
+
 my $firewall_is_in_source_subnet = 1;
 if ($source) {
 $firewall_is_in_source_subnet = &firewall_is_in_subnet($source);
-- 
2.39.5
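Review bot: The guard `if ($rate_limit)` in the Ratelimit branch can never be false, because `$rate_limit` is built as `"$$hash{$key}[35]/$$hash{$key}[36]"` and so always contains at least the `/`; with an empty count or unit the rule is emitted as `--limit /`, which iptables rejects and which presumably makes the whole ruleset load fail. Validate the two parts before interpolating, e.g. `if ($$hash{$key}[35] =~ /^\d+$/ && $$hash{$key}[36] =~ /^(second|minute|hour|day)$/) {`, since those are the only units the xt_limit match accepts. The connlimit guard has the same weakness: `ge` is a string comparison, so a non-numeric field such as `abc` compares greater than `1` and still reaches the `--connlimit-upto` argument; use `if ($conn_limit =~ /^\d+$/ && $conn_limit >= 1) {`. Whether the web UI already validates fields 33, 35 and 36 is not visible here, but rules.pl is the last check before these values become iptables arguments, so it should not rely on that. The comment `# Use the the entire source IP address` has a doubled word, and buildrules starts and ends outside this hunk.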