author | Mohit Mehta <mohit.mehta@vyatta.com> | 2010-07-15 10:51:53 -0700 |
---|---|---|
committer | Mohit Mehta <mohit.mehta@vyatta.com> | 2010-07-15 10:51:53 -0700 |
commit | 7cf567cb1538070ea204b64e53135de876c12dd3 (patch) | |
tree | 1b37f837ac64be8a9e7237b8d1a9736230546575 | |
parent | 1eb6d30dae07ef661966d05b681a623ee02a7dda (diff) | |
Fix bug 4629 configuration limit of recent count firewall rule is 20
* Raise the recent count limit to 255; add a syntax check to reject invalid values.
6 files changed, 30 insertions, 1 deletions
diff --git a/Makefile.am b/Makefile.am
index 781965f..d76794a 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -2,7 +2,9 @@ cfgdir = $(datadir)/vyatta-cfg/templates
 share_perl5dir = /opt/vyatta/share/perl5/Vyatta/IpTables
 curverdir = $(sysconfdir)/config-migrate/current
 modprobedir = /etc/modprobe.d
-modprobe_DATA = etc/modprobe.d/vyatta_nf_conntrack
+
+modprobe_DATA = etc/modprobe.d/vyatta_nf_conntrack
+modprobe_DATA += etc/modprobe.d/vyatta_xt_recent
 sbin_SCRIPTS =
 share_perl5_DATA =
diff --git a/etc/modprobe.d/vyatta_xt_recent b/etc/modprobe.d/vyatta_xt_recent
new file mode 100644
index 0000000..d517838
--- /dev/null
+++ b/etc/modprobe.d/vyatta_xt_recent
@@ -0,0 +1,22 @@
+#
+# **** License ****
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# This code was originally developed by Vyatta, Inc.
+# Portions created by Vyatta are Copyright (C) 2010 Vyatta, Inc.
+# All Rights Reserved.
+# **** End License ****
+#
+# Author: Mohit Mehta
+# Description: Set number of packets per IP to remember to 255 for recent
+# match condition. Default value was 20 as of July 14, 2010
+#
+
+options xt_recent ip_pkt_list_tot=255
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/recent/count/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/recent/count/node.def
index a07010f..7f72b46 100644
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/recent/count/node.def
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/recent/count/node.def
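Review bot: `options xt_recent ip_pkt_list_tot=255` is only read when xt_recent is (re)loaded after this file is installed; on a running system where the module is already resident with the default of 20, the templates in this commit accept counts up to 255 that the kernel will, as far as I recall, then refuse at rule insertion (xt_recent rejects a hitcount larger than ip_pkt_list_tot), so either the package's upgrade path should reload the module or the header should state that a reload/reboot is needed. The 255 here and the upper bound in the four node.def syntax checks are one number kept in two places; a comment such as `# Must match the upper bound of the recent/count syntax check in templates/firewall/*/node.tag/rule/node.tag/recent/count/node.def` would make the coupling visible to whoever changes either side. A larger ip_pkt_list_tot also enlarges every xt_recent table entry (the per-address timestamp list is sized by it, if I remember the module correctly), so memory per tracked address grows by roughly an order of magnitude and deserves a sentence in the description. Finally, like the existing vyatta_nf_conntrack file this one has no `.conf` suffix; newer module-init-tools/kmod versions skip modprobe.d entries that do not end in .conf, which is worth confirming against the target distribution.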
@@ -1,2 +1,3 @@
 type: u32
 help: Set to N to only match source addresses seen more than N times
+syntax:expression: $VAR(@) >=1 && $VAR(@) <= 255; "recent count value must be between 1 and 255"
diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/recent/count/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/recent/count/node.def
index a07010f..7f72b46 100644
--- a/templates/firewall/ipv6-name/node.tag/rule/node.tag/recent/count/node.def
+++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/recent/count/node.def
@@ -1,2 +1,3 @@
 type: u32
 help: Set to N to only match source addresses seen more than N times
+syntax:expression: $VAR(@) >=1 && $VAR(@) <= 255; "recent count value must be between 1 and 255"
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/recent/count/node.def b/templates/firewall/modify/node.tag/rule/node.tag/recent/count/node.def
index a07010f..767f42c 100644
--- a/templates/firewall/modify/node.tag/rule/node.tag/recent/count/node.def
+++ b/templates/firewall/modify/node.tag/rule/node.tag/recent/count/node.def
@@ -1,2 +1,4 @@
 type: u32
 help: Set to N to only match source addresses seen more than N times
+syntax:expression: $VAR(@) >=1 && $VAR(@) <= 255; "recent count value must be between 1 and 255"
+
diff --git a/templates/firewall/name/node.tag/rule/node.tag/recent/count/node.def b/templates/firewall/name/node.tag/rule/node.tag/recent/count/node.def
index a07010f..7f72b46 100644
--- a/templates/firewall/name/node.tag/rule/node.tag/recent/count/node.def
+++ b/templates/firewall/name/node.tag/rule/node.tag/recent/count/node.def
@@ -1,2 +1,3 @@
 type: u32
 help: Set to N to only match source addresses seen more than N times
+syntax:expression: $VAR(@) >=1 && $VAR(@) <= 255; "recent count value must be between 1 and 255"
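Review bot: The new `syntax:expression:` line accepts any count from 1 to 255 without regard to what the running xt_recent module was actually loaded with; on a box where the module is already resident with the old default of 20, a count of 21–255 passes this check and the failure only surfaces later at iptables rule insertion with a less helpful message. Reading the live value from `/sys/module/xt_recent/parameters/ip_pkt_list_tot` in the check, or at least stating the dependency in the help text (e.g. `help: Set to N to only match source addresses seen more than N times (1-255, requires xt_recent ip_pkt_list_tot=255)`), would close that gap. The identical line is added in the ipv6-name, modify and name templates in this same commit, so the bound 255 now lives in four templates plus the modprobe.d file, and a comment in each pointing at the modprobe.d file would keep them from drifting apart. Minor style: the spacing `>=1` versus `<= 255` is inconsistent; `$VAR(@) >= 1 && $VAR(@) <= 255` reads more evenly.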
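Review bot: The modify template's hunk (`@@ -1,2 +1,4 @@`) appends a trailing empty line after the syntax check that the other three templates do not receive, which is why its blob id is `767f42c` while ipv6-modify, ipv6-name and name all end up as `7f72b46`. Dropping that empty line keeps the four node.def files byte-identical apart from their path, which makes future bulk edits and diffs across them simpler.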