Merge remote-tracking branch 'amarx/beta3' into next

author Michael Tremer <michael.tremer@ipfire.org>

Tue, 4 Mar 2014 13:54:06 +0000 (14:54 +0100)

committer Michael Tremer <michael.tremer@ipfire.org>

Tue, 4 Mar 2014 13:54:06 +0000 (14:54 +0100)
author Michael Tremer <michael.tremer@ipfire.org>
Tue, 4 Mar 2014 13:54:06 +0000 (14:54 +0100)
committer Michael Tremer <michael.tremer@ipfire.org>
Tue, 4 Mar 2014 13:54:06 +0000 (14:54 +0100)
diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf

index d6a2f75048123728f5b44b7a245d200761e67c5f..a91aeb37f16dc82f5b183f45e9f278ad483f4283 100644 (file)
--- a/config/etc/sysctl.conf
+++ b/config/etc/sysctl.conf
@@ -1,7 +1,9 @@
  net.ipv4.ip_forward = 1
  net.ipv4.ip_dynaddr = 1
+
  net.ipv4.icmp_echo_ignore_broadcasts = 1
  net.ipv4.icmp_ignore_bogus_error_responses = 1
+net.ipv4.icmp_ratemask = 88089
  
  net.ipv4.tcp_syncookies = 1
  net.ipv4.tcp_fin_timeout = 30
diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl

index 182c9482aa52f0303756d5896f2f126ac7100650..4bb40a4f9c7b7f65a2b460bdea1d50117fe186ad 100755 (executable)
--- a/config/firewall/rules.pl
+++ b/config/firewall/rules.pl
@@ -70,6 +70,8 @@ my $netsettings               = "${General::swroot}/ethernet/settings";
  &General::readhasharray($configgrp, \%customgrp);
  &General::get_aliases(\%aliases);
  
+my @log_limit_options = &make_log_limit_options();
+
  # MAIN
  &main();
  
@@ -305,7 +307,7 @@ sub buildrules {
                                                         }
  
                                                         if ($LOG) {
-                                                               run("$IPTABLES -t nat -A $CHAIN_NAT_DESTINATION @nat_options -j LOG --log-prefix 'DNAT '");
+                                                               run("$IPTABLES -t nat -A $CHAIN_NAT_DESTINATION @nat_options @log_limit_options -j LOG --log-prefix 'DNAT '");
                                                         }
                                                         run("$IPTABLES -t nat -A $CHAIN_NAT_DESTINATION @nat_options -j DNAT --to-destination $dnat_address");
  
@@ -317,7 +319,7 @@ sub buildrules {
                                                         push(@nat_options, @destination_options);
  
                                                         if ($LOG) {
-                                                               run("$IPTABLES -t nat -A $CHAIN_NAT_SOURCE @nat_options -j LOG --log-prefix 'SNAT '");
+                                                               run("$IPTABLES -t nat -A $CHAIN_NAT_SOURCE @nat_options @log_limit_options -j LOG --log-prefix 'SNAT '");
                                                         }
                                                         run("$IPTABLES -t nat -A $CHAIN_NAT_SOURCE @nat_options -j SNAT --to-source $nat_address");
                                                 }
@@ -328,7 +330,7 @@ sub buildrules {
  
                                         # Insert firewall rule.
                                         if ($LOG && !$NAT) {
-                                               run("$IPTABLES -A $chain @options -j LOG");
+                                               run("$IPTABLES -A $chain @options @log_limit_options -j LOG --log-prefix '$chain '");
                                         }
                                         run("$IPTABLES -A $chain @options -j $target");
                                 }
@@ -764,3 +766,18 @@ sub add_dnat_mangle_rules {
                 run("$IPTABLES -t mangle -A $CHAIN_MANGLE_NAT_DESTINATION_FIX @mangle_options");
         }
  }
+
+sub make_log_limit_options {
+       my @options = ("-m", "limit");
+
+       # Maybe we should get this from the configuration.
+       my $limit = 10;
+
+       # We limit log messages to $limit messages per minute.
+       push(@options, ("--limit", "$limit/min"));
+
+       # And we allow bursts of 2x $limit.
+       push(@options, ("--limit-burst", $limit * 2));
+
+       return @options;
+}
diff --git a/html/cgi-bin/firewall.cgi b/html/cgi-bin/firewall.cgi

index e1573acdb654d53ac858181c4dae8f7d3d246611..52bac58beda889734cf047b6416f8404c53d1449 100644 (file)
--- a/html/cgi-bin/firewall.cgi
+++ b/html/cgi-bin/firewall.cgi
@@ -1286,6 +1286,12 @@ sub getcolor
         my $val=shift;
         my $hash=shift;
         if($optionsfw{'SHOWCOLORS'} eq 'on'){
+               # Don't colourise MAC addresses
+               if (&General::validmac($val)) {
+                       $tdcolor = "";
+                       return;
+               }
+
                 #custom Hosts
                 if ($nettype eq 'cust_host_src' || $nettype eq 'cust_host_tgt'){
                         foreach my $key (sort keys %$hash){
author	Michael Tremer <michael.tremer@ipfire.org>
	Tue, 4 Mar 2014 13:54:06 +0000 (14:54 +0100)
committer	Michael Tremer <michael.tremer@ipfire.org>
	Tue, 4 Mar 2014 13:54:06 +0000 (14:54 +0100)
config/etc/sysctl.conf		patch \| blob \| blame \| history
config/firewall/rules.pl		patch \| blob \| blame \| history
html/cgi-bin/firewall.cgi		patch \| blob \| blame \| history