-rw-r--r-- | README.md | 22 | ||||
-rw-r--r-- | awall/modules/filter.lua | 15 |
2 files changed, 23 insertions, 14 deletions
@@ -223,16 +223,18 @@ classes](#log), the limit is considered absolute by default. The packet rates contributing to the limit may be summed over multiple [filters](#filter). This can be achieved by setting the optional -**name** attribute to equal values among the related limits. Named -limits may be specific only to fixed-size blocks of either the source -or the destination address, not both. However, the address to be -considered may vary among the rules using the limit and may be -selected by setting an attribute named **addr** to either **src** -(default) or **dest**. By default, all bits of the selected address -are taken into account, but address family–specific prefix -lengths can be set via the top-level **limit** dictionary, where the -keys correspond to limit names and values follow the syntax of -**src-mask** and **dest-mask**. +**name** attribute to equal values among the related limits. If the +**update** attribute is set to **false** (boolean), the rates measured +at this limit are not included in the sum, but the referred sum is +used to make the limiting decision. Named limits may be specific only +to fixed-size blocks of either the source or the destination address, +not both. However, the address to be considered may vary among the +rules using the limit and may be selected by setting an attribute +named **addr** to either **src** (default) or **dest**. By default, +all bits of the selected address are taken into account, but address +family–specific prefix lengths can be set via the top-level +**limit** dictionary, where the keys correspond to limit names and +values follow the syntax of **src-mask** and **dest-mask**. ### <a name="log"></a>Logging Classes diff --git a/awall/modules/filter.lua b/awall/modules/filter.lua index 1941bba..84bbfce 100644 --- a/awall/modules/filter.lua +++ b/awall/modules/filter.lua 
@@ -34,6 +34,9 @@ function FilterLimit:initmask() local limits = self.root.limit self[(self.addr or 'src')..'-mask'] = limits and limits[self.name] or true + + elseif self.update ~= nil then + self:error('Attribute allowed only with named limits: update') end FilterLimit.super(self):initmask() @@ -54,8 +57,9 @@ function FilterLimit:recentofrags(name) if count > RECENT_MAX_COUNT then return end + local update = self.update ~= false local cofs = {} - local sofs = {} + local sofs = update and {} or nil for _, family in ipairs{'inet', 'inet6'} do local attr, len = self:maskmode(family) @@ -95,10 +99,13 @@ function FilterLimit:recentofrags(name) cofs, combinations( rec, - {{match='--update --hitcount '..count..' --seconds '..interval}} + { + {match='--'..(update and 'update' or 'rcheck')..' --hitcount '.. + count..' --seconds '..interval} + } ) ) - extend(sofs, combinations(rec, {{match='--set'}})) + if sofs then extend(sofs, combinations(rec, {{match='--set'}})) end end return cofs, sofs @@ -389,7 +396,7 @@ function Filter:mangleoptfrags(ofrags) if ct then extend(ofs, self:actofrags(self.log)) nxt = target - elseif not pl then nxt = false end + elseif sofs and not pl then nxt = false end extend(ofs, combinations(sofs, self:actofrags(pl, nxt))) else |
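Review bot: The new `elseif` in FilterLimit:initmask rejects **update** on unnamed limits but never checks its type on named ones, while recentofrags later tests `self.update ~= false`, so a non-boolean value such as the string "false" would silently enable updating instead of failing validation. A check in the named-limit branch, e.g. `if self.update ~= nil and type(self.update) ~= 'boolean' then self:error('Invalid value for update') end`, would make the boolean contract the README hunk documents enforceable. The rest of initmask lies outside the hunk, and the diff lines are collapsed on this page, so the exact placement is inferred.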
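Review bot: With **update** false, recentofrags now returns `sofs` as nil (`local sofs = update and {} or nil`) and Filter:mangleoptfrags still passes it straight into `combinations(sofs, self:actofrags(pl, nxt))`; the added `sofs and` guards only the `nxt = false` assignment, so unless combinations tolerates a nil first argument this path will raise. Beyond the nil handling, an `--rcheck` rule only consults a recent list that some other rule with the same name must populate via `--set`/`--update`; if no such rule exists, the limit is inert and traffic passes unlimited without any error. Nothing in the patch verifies that at least one limit sharing the name keeps update enabled, so a validation pass over the named limits, or at least a sentence in the docs hunk stating that an update=false limit needs an updating counterpart, would close that gap. Filter:mangleoptfrags begins and ends outside the hunk.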