author | Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi> | 2017-10-07 15:15:55 +0300 |
committer | Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi> | 2017-10-07 15:16:13 +0300 |
commit | cc8135a1825c8efc9b3f0d1189f665d7b1b9405f (patch) | |
tree | fc1c7af3ec443881353213d9bbaed08b689a012f | |
parent | b4d83b0152ca8fd96f2e5922ce9cac9a1c1a2478 (diff) | |
download | awall-cc8135a1825c8efc9b3f0d1189f665d7b1b9405f.tar.bz2 awall-cc8135a1825c8efc9b3f0d1189f665d7b1b9405f.tar.xz |
Filter: fix simple update-limit
-rw-r--r-- | awall/modules/filter.lua | 30 | ||||
-rw-r--r-- | test/mandatory/filter-limit.lua | 2 | ||||
-rw-r--r-- | test/output/dump | 63 | ||||
-rw-r--r-- | test/output/rules-save | 3 | ||||
-rw-r--r-- | test/output/rules6-save | 3 |
5 files changed, 65 insertions, 36 deletions
diff --git a/awall/modules/filter.lua b/awall/modules/filter.lua index fb382a3..d5240f1 100644 --- a/awall/modules/filter.lua +++ b/awall/modules/filter.lua @@ -234,20 +234,25 @@ function Filter:init(...) self[limit].log = loadclass('log').get(self, self[limit].log, true) end - if ul then - if self.action ~= 'pass' then - self:error('Cannot specify action with update-limit') - end + if ul and self.action ~= 'pass' then + self:error('Cannot specify action with update-limit') + end +end +function Filter:updatelimit() + local ul = util.copy(self['update-limit']) + + if type(ul) == 'table' then if not contains({'conn', 'flow'}, setdefault(ul, 'measure', 'conn')) then self:error('Invalid value for measure: '..ul.measure) end + if self['no-track'] and ul.measure == 'conn' then self:error('Tracking required when measuring connection rate') end - - self:create(LimitReference, ul, 'update-limit') end + + return ul and self:create(LimitReference, ul, 'update-limit') end function Filter:extratrules() @@ -351,10 +356,9 @@ function Filter:limit() end function Filter:position() + local ul = self:updatelimit() return not self['no-track'] and ( - self:limit() == 'flow-limit' or ( - self['update-limit'] and self['update-limit'].measure == 'flow' - ) + self:limit() == 'flow-limit' or (ul and ul.measure == 'flow') ) and 'prepend' or 'append' end @@ -372,9 +376,11 @@ end function Filter:mangleoptfrags(ofrags) local limit = self:limit() + local ul = self:updatelimit() + if not limit then - if self['update-limit'] then - ofrags = self:combine(ofrags, self['update-limit']:recentofrags()) + if ul then + ofrags = self:combine(ofrags, ul:recentofrags()) end return Filter.super(self):mangleoptfrags(ofrags) end 
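Review bot: The validation in the new `Filter:updatelimit()` runs only inside `if type(ul) == 'table' then`, so the simple string form this commit enables (`update-limit: "foo"`, Filter 343 in the dump) bypasses both the measure check and the `Tracking required when measuring connection rate` check, even though the dump shows it is rendered exactly like `measure: conn`, meaning a `no-track` filter with a string update-limit is no longer rejected. Normalising the string before the checks closes the gap: `if type(ul) == 'string' then ul = {name = ul} end` placed ahead of the `type(ul) == 'table'` branch (the dump shows `name` as the key the table form carries, so this should yield the same rules — worth confirming against LimitReference). The new test case in test/mandatory/filter-limit.lua adds only the plain string entry; a `['no-track']=true` variant would pin the rejection. Note also that `updatelimit()` is now invoked from `position()` and `mangleoptfrags()` on every call, each time running `util.copy` and `self:create(LimitReference, ...)` afresh; if `create` has side effects beyond constructing the object, caching the result on first call would be safer. Filter:init's body starts before this hunk.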
@@ -383,7 +389,7 @@ function Filter:mangleoptfrags(ofrags) self:error('Limit incompatible with '..item) end - if self['update-limit'] then incompatible('update-limit') end + if ul then incompatible('update-limit') end if self:customtarget() or self:logdefault() then incompatible('action: '..self.action) diff --git a/test/mandatory/filter-limit.lua b/test/mandatory/filter-limit.lua index 3cbca1e..9eb1cfb 100644 --- a/test/mandatory/filter-limit.lua +++ b/test/mandatory/filter-limit.lua @@ -53,6 +53,8 @@ add('conn', {out='B'}) add('flow') add('flow', {['in']='A', out='_fw', ['no-track']=true}) +table.insert(res, {['update-limit']='foo'}) + for _, measure in ipairs{'conn', 'flow'} do for _, addr in ipairs{'src', 'dest'} do table.insert( diff --git a/test/output/dump b/test/output/dump index 57058c9..a8fdcce 100644 --- a/test/output/dump +++ b/test/output/dump @@ -5066,7 +5066,7 @@ Filter 342 {"flow-limit":{"count":30,"log":"none"},"in": inet/filter/OUTPUT -o eth0 -j ACCEPT inet6/filter/OUTPUT -o eth0 -j ACCEPT -Filter 343 {"update-limit":{"addr":"src","measure":"conn","name":"foo"}} +Filter 343 {"update-limit":"foo"} (filter-limit) inet/filter/FORWARD -m recent --name user:foo --rsource --mask 255.255.255.255 --set inet/filter/INPUT -m recent --name user:foo --rsource --mask 255.255.255.255 --set 
@@ -5075,7 +5075,16 @@ Filter 343 {"update-limit":{"addr":"src","measure":"conn inet/filter/OUTPUT -m recent --name user:foo --rsource --mask 255.255.255.255 --set inet6/filter/OUTPUT -m recent --name user:foo --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -Filter 344 {"update-limit":{"addr":"dest","measure":"conn","name":"foo"}} +Filter 344 {"update-limit":{"addr":"src","measure":"conn","name":"foo"}} +(filter-limit) + inet/filter/FORWARD -m recent --name user:foo --rsource --mask 255.255.255.255 --set + inet/filter/INPUT -m recent --name user:foo --rsource --mask 255.255.255.255 --set + inet6/filter/FORWARD -m recent --name user:foo --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set + inet6/filter/INPUT -m recent --name user:foo --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set + inet/filter/OUTPUT -m recent --name user:foo --rsource --mask 255.255.255.255 --set + inet6/filter/OUTPUT -m recent --name user:foo --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set + +Filter 345 {"update-limit":{"addr":"dest","measure":"conn","name":"foo"}} (filter-limit) inet/filter/FORWARD -m recent --name user:foo --rdest --mask 255.255.255.255 --set inet/filter/INPUT -m recent --name user:foo --rdest --mask 255.255.255.255 --set @@ -5084,7 +5093,7 @@ Filter 344 {"update-limit":{"addr":"dest","measure":"con inet/filter/OUTPUT -m recent --name user:foo --rdest --mask 255.255.255.255 --set inet6/filter/OUTPUT -m recent --name user:foo --rdest --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -Filter 345 {"update-limit":{"addr":"src","measure":"flow","name":"foo"}} +Filter 346 {"update-limit":{"addr":"src","measure":"flow","name":"foo"}} (filter-limit) inet/filter/FORWARD -m recent --name user:foo --rsource --mask 255.255.255.255 --set inet/filter/INPUT -m recent --name user:foo --rsource --mask 255.255.255.255 --set 
@@ -5093,7 +5102,7 @@ Filter 345 {"update-limit":{"addr":"src","measure":"flow inet/filter/OUTPUT -m recent --name user:foo --rsource --mask 255.255.255.255 --set inet6/filter/OUTPUT -m recent --name user:foo --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -Filter 346 {"update-limit":{"addr":"dest","measure":"flow","name":"foo"}} +Filter 347 {"update-limit":{"addr":"dest","measure":"flow","name":"foo"}} (filter-limit) inet/filter/FORWARD -m recent --name user:foo --rdest --mask 255.255.255.255 --set inet/filter/INPUT -m recent --name user:foo --rdest --mask 255.255.255.255 --set @@ -5102,7 +5111,7 @@ Filter 346 {"update-limit":{"addr":"dest","measure":"flo inet/filter/OUTPUT -m recent --name user:foo --rdest --mask 255.255.255.255 --set inet6/filter/OUTPUT -m recent --name user:foo --rdest --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -Filter 347 {} +Filter 348 {} (log) inet/filter/FORWARD -j ACCEPT inet6/filter/FORWARD -j ACCEPT @@ -5111,7 +5120,7 @@ Filter 347 {} inet/filter/OUTPUT -j ACCEPT inet6/filter/OUTPUT -j ACCEPT -Filter 348 {"action":"drop"} +Filter 349 {"action":"drop"} (log) inet/filter/FORWARD -j logdrop-109 inet6/filter/FORWARD -j logdrop-109 @@ -5124,7 +5133,7 @@ Filter 348 {"action":"drop"} inet/filter/logdrop-109 -j DROP inet6/filter/logdrop-109 -j DROP -Filter 349 {"action":"pass"} +Filter 350 {"action":"pass"} (log) inet/filter/FORWARD inet6/filter/FORWARD @@ -5133,7 +5142,7 @@ Filter 349 {"action":"pass"} inet/filter/OUTPUT inet6/filter/OUTPUT -Filter 350 {"log":false} +Filter 351 {"log":false} (log) inet/filter/FORWARD -j ACCEPT inet6/filter/FORWARD -j ACCEPT @@ -5142,7 +5151,7 @@ Filter 350 {"log":false} inet/filter/OUTPUT -j ACCEPT inet6/filter/OUTPUT -j ACCEPT -Filter 351 {"action":"drop","log":false} +Filter 352 {"action":"drop","log":false} (log) inet/filter/FORWARD -j DROP inet6/filter/FORWARD -j DROP 
@@ -5151,7 +5160,7 @@ Filter 351 {"action":"drop","log":false} inet/filter/OUTPUT -j DROP inet6/filter/OUTPUT -j DROP -Filter 352 {"action":"pass","log":false} +Filter 353 {"action":"pass","log":false} (log) inet/filter/FORWARD inet6/filter/FORWARD @@ -5160,7 +5169,7 @@ Filter 352 {"action":"pass","log":false} inet/filter/OUTPUT inet6/filter/OUTPUT -Filter 353 {"log":true} +Filter 354 {"log":true} (log) inet/filter/FORWARD -j logaccept-8 inet6/filter/FORWARD -j logaccept-8 @@ -5173,7 +5182,7 @@ Filter 353 {"log":true} inet/filter/logaccept-8 -j ACCEPT inet6/filter/logaccept-8 -j ACCEPT -Filter 354 {"action":"drop","log":true} +Filter 355 {"action":"drop","log":true} (log) inet/filter/FORWARD -j logdrop-110 inet6/filter/FORWARD -j logdrop-110 @@ -5186,7 +5195,7 @@ Filter 354 {"action":"drop","log":true} inet/filter/logdrop-110 -j DROP inet6/filter/logdrop-110 -j DROP -Filter 355 {"action":"pass","log":true} +Filter 356 {"action":"pass","log":true} (log) inet/filter/FORWARD -j logpass-0 inet6/filter/FORWARD -j logpass-0 @@ -5197,7 +5206,7 @@ Filter 355 {"action":"pass","log":true} inet/filter/logpass-0 -m limit --limit 1/second -j LOG inet6/filter/logpass-0 -m limit --limit 1/second -j LOG -Filter 356 {"log":"none"} +Filter 357 {"log":"none"} (log) inet/filter/FORWARD -j ACCEPT inet6/filter/FORWARD -j ACCEPT @@ -5206,7 +5215,7 @@ Filter 356 {"log":"none"} inet/filter/OUTPUT -j ACCEPT inet6/filter/OUTPUT -j ACCEPT -Filter 357 {"action":"drop","log":"none"} +Filter 358 {"action":"drop","log":"none"} (log) inet/filter/FORWARD -j DROP inet6/filter/FORWARD -j DROP @@ -5215,7 +5224,7 @@ Filter 357 {"action":"drop","log":"none"} inet/filter/OUTPUT -j DROP inet6/filter/OUTPUT -j DROP -Filter 358 {"action":"pass","log":"none"} +Filter 359 {"action":"pass","log":"none"} (log) inet/filter/FORWARD inet6/filter/FORWARD 
@@ -5224,7 +5233,7 @@ Filter 358 {"action":"pass","log":"none"} inet/filter/OUTPUT inet6/filter/OUTPUT -Filter 359 {"in":"_fw","no-track":true,"service":"http"} +Filter 360 {"in":"_fw","no-track":true,"service":"http"} (no-track) inet/filter/OUTPUT -p tcp --dport 80 -j ACCEPT inet6/filter/OUTPUT -p tcp --dport 80 -j ACCEPT @@ -5235,7 +5244,7 @@ Filter 359 {"in":"_fw","no-track":true,"service":"http"} inet/filter/INPUT -p tcp --sport 80 -j ACCEPT inet6/filter/INPUT -p tcp --sport 80 -j ACCEPT -Filter 360 {"dest":"172.17.0.0\/16","no-track":true,"service":"radius","src":"172.16.0.0\/16"} +Filter 361 {"dest":"172.17.0.0\/16","no-track":true,"service":"radius","src":"172.16.0.0\/16"} (no-track) inet/filter/FORWARD -p tcp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j ACCEPT inet/filter/INPUT -p tcp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j ACCEPT @@ -5258,7 +5267,7 @@ Filter 360 {"dest":"172.17.0.0\/16","no-track":true,"ser inet/filter/OUTPUT -p tcp --sport 1812 -d 172.16.0.0/16 -s 172.17.0.0/16 -j ACCEPT inet/filter/OUTPUT -p udp --sport 1812 -d 172.16.0.0/16 -s 172.17.0.0/16 -j ACCEPT -Filter 361 {"dest":"172.18.0.0\/16","no-track":true,"service":"ssh"} +Filter 362 {"dest":"172.18.0.0\/16","no-track":true,"service":"ssh"} (no-track) inet/filter/FORWARD -p tcp --dport 22 -d 172.18.0.0/16 -j ACCEPT inet/filter/INPUT -p tcp --dport 22 -d 172.18.0.0/16 -j ACCEPT @@ -5271,7 +5280,7 @@ Filter 361 {"dest":"172.18.0.0\/16","no-track":true,"ser inet/filter/INPUT -p tcp --sport 22 -s 172.18.0.0/16 -j ACCEPT inet/filter/OUTPUT -p tcp --sport 22 -s 172.18.0.0/16 -j ACCEPT -Filter 362 {"no-track":true,"out":"_fw","service":"ipsec"} +Filter 363 {"no-track":true,"out":"_fw","service":"ipsec"} (no-track) inet/filter/INPUT -p esp -j ACCEPT inet6/filter/INPUT -p esp -j ACCEPT 
@@ -5290,7 +5299,7 @@ Filter 362 {"no-track":true,"out":"_fw","service":"ipsec inet/filter/OUTPUT -p udp -m multiport --sports 500,4500 -j ACCEPT inet6/filter/OUTPUT -p udp -m multiport --sports 500,4500 -j ACCEPT -Filter 363 {"in":["_fw","A"]} +Filter 364 {"in":["_fw","A"]} (zone) inet/filter/OUTPUT -j ACCEPT inet6/filter/OUTPUT -j ACCEPT @@ -5299,12 +5308,12 @@ Filter 363 {"in":["_fw","A"]} inet/filter/INPUT -i eth0 -j ACCEPT inet6/filter/INPUT -i eth0 -j ACCEPT -Filter 364 {"in":"B","out":"C"} +Filter 365 {"in":"B","out":"C"} (zone) inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT -Filter 365 {"out":["_fw","B"]} +Filter 366 {"out":["_fw","B"]} (zone) inet/filter/INPUT -j ACCEPT inet6/filter/INPUT -j ACCEPT @@ -5313,7 +5322,7 @@ Filter 365 {"out":["_fw","B"]} inet6/filter/FORWARD -o eth1 -d fc00::/7 -j ACCEPT inet6/filter/OUTPUT -o eth1 -d fc00::/7 -j ACCEPT -Filter 366 {"in":["A","B","C","D","E"],"out":["A","B","C","D","E"]} +Filter 367 {"in":["A","B","C","D","E"],"out":["A","B","C","D","E"]} (zone) inet/filter/FORWARD -i eth0 -o eth1 -d 10.0.0.0/12 -j ACCEPT inet6/filter/FORWARD -i eth0 -o eth1 -d fc00::/7 -j ACCEPT @@ -6390,6 +6399,7 @@ hash:net family inet -A FORWARD -j logaccept-final-19 -A FORWARD -j ACCEPT -A FORWARD -m recent --name user:foo --rsource --mask 255.255.255.255 --set +-A FORWARD -m recent --name user:foo --rsource --mask 255.255.255.255 --set -A FORWARD -m recent --name user:foo --rdest --mask 255.255.255.255 --set -A FORWARD -j ACCEPT -A FORWARD -j logdrop-109 @@ -6754,6 +6764,7 @@ hash:net family inet -A INPUT -i eth0 -j limit-334 -A INPUT -i eth0 -j limit-335 -A INPUT -m recent --name user:foo --rsource --mask 255.255.255.255 --set +-A INPUT -m recent --name user:foo --rsource --mask 255.255.255.255 --set -A INPUT -m recent --name user:foo --rdest --mask 255.255.255.255 --set -A INPUT -j ACCEPT -A INPUT -j logdrop-109 
@@ -7134,6 +7145,7 @@ hash:net family inet -A OUTPUT -o eth0 -j ACCEPT -A OUTPUT -o eth0 -j ACCEPT -A OUTPUT -m recent --name user:foo --rsource --mask 255.255.255.255 --set +-A OUTPUT -m recent --name user:foo --rsource --mask 255.255.255.255 --set -A OUTPUT -m recent --name user:foo --rdest --mask 255.255.255.255 --set -A OUTPUT -j ACCEPT -A OUTPUT -j logdrop-109 @@ -9060,6 +9072,7 @@ COMMIT -A FORWARD -j logaccept-final-19 -A FORWARD -j ACCEPT -A FORWARD -m recent --name user:foo --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set +-A FORWARD -m recent --name user:foo --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -A FORWARD -m recent --name user:foo --rdest --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -A FORWARD -j ACCEPT -A FORWARD -j logdrop-109 @@ -9394,6 +9407,7 @@ COMMIT -A INPUT -i eth0 -j limit-334 -A INPUT -i eth0 -j limit-335 -A INPUT -m recent --name user:foo --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set +-A INPUT -m recent --name user:foo --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -A INPUT -m recent --name user:foo --rdest --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -A INPUT -j ACCEPT -A INPUT -j logdrop-109 @@ -9768,6 +9782,7 @@ COMMIT -A OUTPUT -o eth0 -j ACCEPT -A OUTPUT -o eth0 -j ACCEPT -A OUTPUT -m recent --name user:foo --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set +-A OUTPUT -m recent --name user:foo --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -A OUTPUT -m recent --name user:foo --rdest --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -A OUTPUT -j ACCEPT -A OUTPUT -j logdrop-109 diff --git a/test/output/rules-save b/test/output/rules-save index f812d7f..2f12c1f 100644 --- a/test/output/rules-save +++ b/test/output/rules-save 
@@ -746,6 +746,7 @@ -A FORWARD -j logaccept-final-19 -A FORWARD -j ACCEPT -A FORWARD -m recent --name user:foo --rsource --mask 255.255.255.255 --set +-A FORWARD -m recent --name user:foo --rsource --mask 255.255.255.255 --set -A FORWARD -m recent --name user:foo --rdest --mask 255.255.255.255 --set -A FORWARD -j ACCEPT -A FORWARD -j logdrop-109 @@ -1110,6 +1111,7 @@ -A INPUT -i eth0 -j limit-334 -A INPUT -i eth0 -j limit-335 -A INPUT -m recent --name user:foo --rsource --mask 255.255.255.255 --set +-A INPUT -m recent --name user:foo --rsource --mask 255.255.255.255 --set -A INPUT -m recent --name user:foo --rdest --mask 255.255.255.255 --set -A INPUT -j ACCEPT -A INPUT -j logdrop-109 @@ -1490,6 +1492,7 @@ -A OUTPUT -o eth0 -j ACCEPT -A OUTPUT -o eth0 -j ACCEPT -A OUTPUT -m recent --name user:foo --rsource --mask 255.255.255.255 --set +-A OUTPUT -m recent --name user:foo --rsource --mask 255.255.255.255 --set -A OUTPUT -m recent --name user:foo --rdest --mask 255.255.255.255 --set -A OUTPUT -j ACCEPT -A OUTPUT -j logdrop-109 diff --git a/test/output/rules6-save b/test/output/rules6-save index fa1677a..aff7623 100644 --- a/test/output/rules6-save +++ b/test/output/rules6-save @@ -746,6 +746,7 @@ -A FORWARD -j logaccept-final-19 -A FORWARD -j ACCEPT -A FORWARD -m recent --name user:foo --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set +-A FORWARD -m recent --name user:foo --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -A FORWARD -m recent --name user:foo --rdest --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -A FORWARD -j ACCEPT -A FORWARD -j logdrop-109 
@@ -1080,6 +1081,7 @@ -A INPUT -i eth0 -j limit-334 -A INPUT -i eth0 -j limit-335 -A INPUT -m recent --name user:foo --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set +-A INPUT -m recent --name user:foo --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -A INPUT -m recent --name user:foo --rdest --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -A INPUT -j ACCEPT -A INPUT -j logdrop-109 @@ -1454,6 +1456,7 @@ -A OUTPUT -o eth0 -j ACCEPT -A OUTPUT -o eth0 -j ACCEPT -A OUTPUT -m recent --name user:foo --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set +-A OUTPUT -m recent --name user:foo --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -A OUTPUT -m recent --name user:foo --rdest --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -A OUTPUT -j ACCEPT -A OUTPUT -j logdrop-109 |