authorBob Gilligan <gilligan@vyatta.com>2009-01-21 17:27:49 -0800
committerBob Gilligan <gilligan@vyatta.com>2009-01-21 17:27:49 -0800
commitab3c02ada2b42a26c1878a24c60e6f0049accd89 (patch)
treeefa6ebc96de13700c6ba8afb1c5a5f8e3922362d
parentc1b35e85eff4bb00ed7e7098fa1aee54d919608a (diff)
parentf3aeea6b352a8467f2aac51ffab8dae4ec3e9cee (diff)
Merge branch 'jenner' of http://git.vyatta.com/vyatta-cfg-firewall into jenner
-rw-r--r--debian/changelog10
-rw-r--r--lib/Vyatta/IpTables/Rule.pm25
-rw-r--r--templates/firewall/modify/node.tag/rule/node.tag/limit/burst/node.def3
-rw-r--r--templates/firewall/modify/node.tag/rule/node.tag/limit/node.def1
-rw-r--r--templates/firewall/modify/node.tag/rule/node.tag/limit/rate/node.def7
-rw-r--r--templates/firewall/modify/node.tag/rule/node.tag/time/monthdays/node.def2
-rw-r--r--templates/firewall/modify/node.tag/rule/node.tag/time/node.def2
-rw-r--r--templates/firewall/modify/node.tag/rule/node.tag/time/startdate/node.def2
-rw-r--r--templates/firewall/modify/node.tag/rule/node.tag/time/starttime/node.def2
-rw-r--r--templates/firewall/modify/node.tag/rule/node.tag/time/stopdate/node.def2
-rw-r--r--templates/firewall/modify/node.tag/rule/node.tag/time/stoptime/node.def2
-rw-r--r--templates/firewall/modify/node.tag/rule/node.tag/time/weekdays/node.def2
-rw-r--r--templates/firewall/name/node.tag/rule/node.tag/limit/burst/node.def3
-rw-r--r--templates/firewall/name/node.tag/rule/node.tag/limit/node.def1
-rw-r--r--templates/firewall/name/node.tag/rule/node.tag/limit/rate/node.def7
-rw-r--r--templates/firewall/name/node.tag/rule/node.tag/time/monthdays/node.def2
-rw-r--r--templates/firewall/name/node.tag/rule/node.tag/time/node.def2
-rw-r--r--templates/firewall/name/node.tag/rule/node.tag/time/startdate/node.def2
-rw-r--r--templates/firewall/name/node.tag/rule/node.tag/time/starttime/node.def2
-rw-r--r--templates/firewall/name/node.tag/rule/node.tag/time/stopdate/node.def2
-rw-r--r--templates/firewall/name/node.tag/rule/node.tag/time/stoptime/node.def2
-rw-r--r--templates/firewall/name/node.tag/rule/node.tag/time/weekdays/node.def2
22 files changed, 71 insertions, 14 deletions
diff --git a/debian/changelog b/debian/changelog
index 8854565..455fc6a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
+vyatta-cfg-firewall (0.13.3) unstable; urgency=low
+
+ * UNRELEASED
+ * - Fix Bug 2223 Add rate rate limiting / burst limiting functions to
+ the Vyatta firewall
+ * Fix Bug 3653 Add the ability to configure time-based firewall rules
+ * Fix Bug 3653 Add the ability to configure time-based firewall rules
+
+ -- Mohit Mehta <mohit.mehta@vyatta.com> Fri, 16 Jan 2009 18:33:11 -0800
+
vyatta-cfg-firewall (0.13.2) unstable; urgency=low
* UNRELEASED
diff --git a/lib/Vyatta/IpTables/Rule.pm b/lib/Vyatta/IpTables/Rule.pm
index a53b167..449b32b 100644
--- a/lib/Vyatta/IpTables/Rule.pm
+++ b/lib/Vyatta/IpTables/Rule.pm
@@ -46,6 +46,10 @@ my %fields = (
_weekdays => undef,
_utc => undef,
},
+ _limit => {
+ _rate => undef,
+ _burst => undef,
+ },
_disable => undef,
);
@@ -88,6 +92,10 @@ my %dummy_rule = (
_weekdays => undef,
_utc => undef,
},
+ _limit => {
+ _rate => undef,
+ _burst => undef,
+ },
_disable => undef,
);
@@ -154,6 +162,9 @@ sub setup {
$self->{_time}->{_weekdays} = $config->returnValue("time weekdays");
$self->{_time}->{_utc} = $config->exists("time utc");
+ $self->{_limit}->{_rate} = $config->returnValue("limit rate");
+ $self->{_limit}->{_burst} = $config->returnValue("limit burst");
+
$self->{_disable} = $config->exists("disable");
# TODO: need $config->exists("$level source") in Vyatta::Config.pm
@@ -209,6 +220,9 @@ sub setupOrig {
$self->{_time}->{_weekdays} = $config->returnOrigValue("time weekdays");
$self->{_time}->{_utc} = $config->existsOrig("time utc");
+ $self->{_limit}->{_rate} = $config->returnOrigValue("limit rate");
+ $self->{_limit}->{_burst} = $config->returnOrigValue("limit burst");
+
$self->{_disable} = $config->existsOrig("disable");
# TODO: need $config->exists("$level source") in Vyatta::Config.pm
@@ -441,6 +455,17 @@ first character capitalized eg. Mon,Thu,Sat For negation, add ! in front eg. !Mo
$rule .= " -m time $time ";
}
+ my $limit = undef;
+ if (defined($self->{_limit}->{_burst})) {
+ return ("Limit rate not defined", ) if (!defined($self->{_limit}->{_rate}));
+ $limit = "--limit $self->{_limit}->{_rate} --limit-burst $self->{_limit}->{_burst}";
+ } elsif (defined($self->{_limit}->{_rate})) {
+ $limit = "--limit $self->{_limit}->{_rate} --limit-burst 1";
+ }
+ if (defined($limit)) {
+ $rule .= " -m limit $limit ";
+ }
+
my $chain = $self->{_name};
my $rule_num = $self->{_rule_number};
my $rule2 = undef;
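Review bot: The new `-m limit` branch interpolates `$self->{_limit}->{_rate}` and `_burst` straight into the iptables argument string with no check in this module, so the only thing standing between a config value and the command line is the `syntax:expression` pattern in the node.def templates; a later template edit, or a config path that bypasses template validation (not visible here), would turn those fields into argument injection. Re-validating both values here with an anchored match costs two lines and makes the module safe on its own, and the same guard rejects a `0/second` rate, which the template currently admits but iptables refuses at apply time. The fallback `--limit-burst 1` also deserves a comment, since iptables' own default for an unspecified burst is 5 and a reader will assume that value is being preserved. The enclosing rule-building sub starts before and ends after this hunk.
```perl
my $limit = undef;
my $rate  = $self->{_limit}->{_rate};
my $burst = $self->{_limit}->{_burst};
if (defined($rate)) {
    # Re-check here rather than trusting the template pattern: these strings land on the iptables command line.
    return ("Invalid limit rate", ) unless $rate =~ m{\A[1-9][0-9]*/(?:second|minute|hour|day)\z};
    $burst = 1 unless defined($burst);    # deliberately 1, not iptables' default of 5
    return ("Invalid limit burst", ) unless $burst =~ /\A[1-9][0-9]*\z/;
    $limit = "--limit $rate --limit-burst $burst";
} elsif (defined($burst)) {
    return ("Limit rate not defined", );
}
# … unchanged: append " -m limit $limit " when defined …
```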
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/limit/burst/node.def b/templates/firewall/modify/node.tag/rule/node.tag/limit/burst/node.def
new file mode 100644
index 0000000..2739faa
--- /dev/null
+++ b/templates/firewall/modify/node.tag/rule/node.tag/limit/burst/node.def
@@ -0,0 +1,3 @@
+type: u32
+help: Set maximum number of packets to allow in excess of rate
+syntax:expression: ($VAR(@) >0) ; "Burst should be a value greater then zero"
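Review bot: The burst check only enforces a lower bound; `u32` lets a user set any value up to 2^32-1, but the iptables limit match rejects `--limit-burst` values above 10000 (per libxt_limit; verify against the iptables build shipped with this release), so such a config passes `set` and then fails at commit when the rule is applied. Bounding it in the template gives the error at the right time: `syntax:expression: ($VAR(@) > 0 && $VAR(@) <= 10000) ; "Burst must be between 1 and 10000"`. The message text also has a typo, "greater then zero" should read "greater than zero".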
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/limit/node.def b/templates/firewall/modify/node.tag/rule/node.tag/limit/node.def
new file mode 100644
index 0000000..42081fe
--- /dev/null
+++ b/templates/firewall/modify/node.tag/rule/node.tag/limit/node.def
@@ -0,0 +1 @@
+help: Set to match rule at a limited rate using a token bucket filter
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/limit/rate/node.def b/templates/firewall/modify/node.tag/rule/node.tag/limit/rate/node.def
new file mode 100644
index 0000000..de22a6f
--- /dev/null
+++ b/templates/firewall/modify/node.tag/rule/node.tag/limit/rate/node.def
@@ -0,0 +1,7 @@
+type: txt
+help: Set maximum average matching rate
+syntax:expression: pattern $VAR(@) "^[[:digit:]]+/(second|minute|hour|day)$" ; \
+"Invalid value for rate. Rate should be specified as an integer followed by
+a forward slash '/' and either of these time units - second, minute, hour or day
+eg. 1/second implies rule to be matched at an average of once per second"
+
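Review bot: The rate pattern `^[[:digit:]]+/(second|minute|hour|day)$` accepts `0/second`, which iptables rejects ("bad rate") when the rule is loaded, so the failure surfaces at commit instead of at `set`; it likewise admits integers far beyond what the limit match can represent. Requiring a non-zero leading digit closes the first case cheaply: `syntax:expression: pattern $VAR(@) "^[1-9][[:digit:]]*/(second|minute|hour|day)$" ; \`. The value is passed to iptables verbatim from Rule.pm, so this pattern is also the injection guard for that code path and should be treated as security-relevant, not just cosmetic.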
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/time/monthdays/node.def b/templates/firewall/modify/node.tag/rule/node.tag/time/monthdays/node.def
index 025a2a9..b5d3285 100644
--- a/templates/firewall/modify/node.tag/rule/node.tag/time/monthdays/node.def
+++ b/templates/firewall/modify/node.tag/rule/node.tag/time/monthdays/node.def
@@ -1,5 +1,5 @@
type: txt
-help: Set monthdays on which to apply rule
+help: Set monthdays on which to match rule
syntax:expression: pattern $VAR(@) "^!?([[:digit:]]\{1,2\}\,)*[[:digit:]]\{1,2\}$" ; \
"Incorrect value for monthdays. Monthdays should be specified as 2,12,21
For negation, add ! in front eg. !2,12,21"
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/time/node.def b/templates/firewall/modify/node.tag/rule/node.tag/time/node.def
index 8061ba6..b7e283b 100644
--- a/templates/firewall/modify/node.tag/rule/node.tag/time/node.def
+++ b/templates/firewall/modify/node.tag/rule/node.tag/time/node.def
@@ -1 +1 @@
-help: Set time during which to apply rule
+help: Set to match rule at a specified time
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/time/startdate/node.def b/templates/firewall/modify/node.tag/rule/node.tag/time/startdate/node.def
index 4d470f4..b54ff51 100644
--- a/templates/firewall/modify/node.tag/rule/node.tag/time/startdate/node.def
+++ b/templates/firewall/modify/node.tag/rule/node.tag/time/startdate/node.def
@@ -1,5 +1,5 @@
type: txt
-help: Set to apply rule starting from specified date
+help: Set to match rule starting from the given date
syntax:expression: pattern $VAR(@) "^[[:digit:]]\{4\}[-][[:digit:]]\{2\}[-][[:digit:]]\{2\}(T[[:digit:]]\{2\}[:][[:digit:]]\{2\}[:][[:digit:]]\{2\})?$" ; \
"Invalid value for startdate. Date should use yyyy-mm-dd format. To specify time
of date with startdate, append 'T' to date followed by time in 24 hour notation
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/time/starttime/node.def b/templates/firewall/modify/node.tag/rule/node.tag/time/starttime/node.def
index 46c68c2..11767c3 100644
--- a/templates/firewall/modify/node.tag/rule/node.tag/time/starttime/node.def
+++ b/templates/firewall/modify/node.tag/rule/node.tag/time/starttime/node.def
@@ -1,5 +1,5 @@
type: txt
-help: Set to apply rule starting from specified time
+help: Set to match rule starting from the given time of day
syntax:expression: pattern $VAR(@) "^[[:digit:]]\{2\}[:][[:digit:]]\{2\}[:][[:digit:]]\{2\}$" ; \
"Incorrect value for starttime. Date should be entered using 24 hour notation - hh:mm:ss"
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/time/stopdate/node.def b/templates/firewall/modify/node.tag/rule/node.tag/time/stopdate/node.def
index 90dd684..1fd9d8e 100644
--- a/templates/firewall/modify/node.tag/rule/node.tag/time/stopdate/node.def
+++ b/templates/firewall/modify/node.tag/rule/node.tag/time/stopdate/node.def
@@ -1,5 +1,5 @@
type: txt
-help: Set to apply rule till specified date
+help: Set to match rule until the given date
syntax:expression: pattern $VAR(@) "^[[:digit:]]\{4\}[-][[:digit:]]\{2\}[-][[:digit:]]\{2\}(T[[:digit:]]\{2\}[:][[:digit:]]\{2\}[:][[:digit:]]\{2\})?$" ; \
"Invalid value for stopdate. Date should use yyyy-mm-dd format. To specify time
of date with stopdate, append 'T' to date followed by time in 24 hour notation
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/time/stoptime/node.def b/templates/firewall/modify/node.tag/rule/node.tag/time/stoptime/node.def
index 0514e8b..fb864d9 100644
--- a/templates/firewall/modify/node.tag/rule/node.tag/time/stoptime/node.def
+++ b/templates/firewall/modify/node.tag/rule/node.tag/time/stoptime/node.def
@@ -1,5 +1,5 @@
type: txt
-help: Set to apply rule till specified time
+help: Set to match rule to the given time of day
syntax:expression: pattern $VAR(@) "^[[:digit:]]\{2\}[:][[:digit:]]\{2\}[:][[:digit:]]\{2\}$" ; \
"Incorrect value for stoptime. Date should be entered using 24 hour notation - hh:mm:ss"
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/time/weekdays/node.def b/templates/firewall/modify/node.tag/rule/node.tag/time/weekdays/node.def
index aea3e22..fe167ac 100644
--- a/templates/firewall/modify/node.tag/rule/node.tag/time/weekdays/node.def
+++ b/templates/firewall/modify/node.tag/rule/node.tag/time/weekdays/node.def
@@ -1,5 +1,5 @@
type: txt
-help: Set weekdays on which to apply rules on
+help: Set weekdays on which to match rules on
syntax:expression: pattern $VAR(@) "^!?([[:upper:]][[:lower:]]\{2\}\,)*[[:upper:]][[:lower:]]\{2\}$" ; \
"Incorrect value for weekdays. Weekdays should be specified using the first
three characters of the day with the first character capitalized eg. Mon,Thu,Sat
diff --git a/templates/firewall/name/node.tag/rule/node.tag/limit/burst/node.def b/templates/firewall/name/node.tag/rule/node.tag/limit/burst/node.def
new file mode 100644
index 0000000..2739faa
--- /dev/null
+++ b/templates/firewall/name/node.tag/rule/node.tag/limit/burst/node.def
@@ -0,0 +1,3 @@
+type: u32
+help: Set maximum number of packets to allow in excess of rate
+syntax:expression: ($VAR(@) >0) ; "Burst should be a value greater then zero"
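Review bot: This file is a byte-for-byte copy of the `firewall/modify` burst template and carries the same gap: no upper bound, although the iptables limit match caps `--limit-burst` at 10000 (verify against the shipped iptables), so out-of-range values fail at commit rather than at `set`. Apply the same bounded check here, `syntax:expression: ($VAR(@) > 0 && $VAR(@) <= 10000) ; "Burst must be between 1 and 10000"`, and keep the two copies in sync, since both feed the same unvalidated interpolation in Rule.pm.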
diff --git a/templates/firewall/name/node.tag/rule/node.tag/limit/node.def b/templates/firewall/name/node.tag/rule/node.tag/limit/node.def
new file mode 100644
index 0000000..42081fe
--- /dev/null
+++ b/templates/firewall/name/node.tag/rule/node.tag/limit/node.def
@@ -0,0 +1 @@
+help: Set to match rule at a limited rate using a token bucket filter
diff --git a/templates/firewall/name/node.tag/rule/node.tag/limit/rate/node.def b/templates/firewall/name/node.tag/rule/node.tag/limit/rate/node.def
new file mode 100644
index 0000000..de22a6f
--- /dev/null
+++ b/templates/firewall/name/node.tag/rule/node.tag/limit/rate/node.def
@@ -0,0 +1,7 @@
+type: txt
+help: Set maximum average matching rate
+syntax:expression: pattern $VAR(@) "^[[:digit:]]+/(second|minute|hour|day)$" ; \
+"Invalid value for rate. Rate should be specified as an integer followed by
+a forward slash '/' and either of these time units - second, minute, hour or day
+eg. 1/second implies rule to be matched at an average of once per second"
+
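Review bot: Same issue as the `firewall/modify` copy of this template: the pattern admits `0/second`, which iptables refuses at apply time, and this regex is the only validation before the value is interpolated into the iptables command line in Rule.pm. Change it to `"^[1-9][[:digit:]]*/(second|minute|hour|day)$"` here as well so the two template trees do not drift.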
diff --git a/templates/firewall/name/node.tag/rule/node.tag/time/monthdays/node.def b/templates/firewall/name/node.tag/rule/node.tag/time/monthdays/node.def
index 025a2a9..b5d3285 100644
--- a/templates/firewall/name/node.tag/rule/node.tag/time/monthdays/node.def
+++ b/templates/firewall/name/node.tag/rule/node.tag/time/monthdays/node.def
@@ -1,5 +1,5 @@
type: txt
-help: Set monthdays on which to apply rule
+help: Set monthdays on which to match rule
syntax:expression: pattern $VAR(@) "^!?([[:digit:]]\{1,2\}\,)*[[:digit:]]\{1,2\}$" ; \
"Incorrect value for monthdays. Monthdays should be specified as 2,12,21
For negation, add ! in front eg. !2,12,21"
diff --git a/templates/firewall/name/node.tag/rule/node.tag/time/node.def b/templates/firewall/name/node.tag/rule/node.tag/time/node.def
index 8061ba6..b7e283b 100644
--- a/templates/firewall/name/node.tag/rule/node.tag/time/node.def
+++ b/templates/firewall/name/node.tag/rule/node.tag/time/node.def
@@ -1 +1 @@
-help: Set time during which to apply rule
+help: Set to match rule at a specified time
diff --git a/templates/firewall/name/node.tag/rule/node.tag/time/startdate/node.def b/templates/firewall/name/node.tag/rule/node.tag/time/startdate/node.def
index a971375..09a2f19 100644
--- a/templates/firewall/name/node.tag/rule/node.tag/time/startdate/node.def
+++ b/templates/firewall/name/node.tag/rule/node.tag/time/startdate/node.def
@@ -1,5 +1,5 @@
type: txt
-help: Set to apply rule starting from specified date
+help: Set to match rule starting from the given date
syntax:expression: pattern $VAR(@) "^[[:digit:]]\{4\}[-][[:digit:]]\{2\}[-][[:digit:]]\{2\}(T[[:digit:]]\{2\}[:][[:digit:]]\{2\}[:][[:digit:]]\{2\})?$" ; \
"Invalid value for startdate. Date should use yyyy-mm-dd format. To specify time
of date with startdate, append 'T' to date followed by time in 24 hour notation
diff --git a/templates/firewall/name/node.tag/rule/node.tag/time/starttime/node.def b/templates/firewall/name/node.tag/rule/node.tag/time/starttime/node.def
index 46c68c2..11767c3 100644
--- a/templates/firewall/name/node.tag/rule/node.tag/time/starttime/node.def
+++ b/templates/firewall/name/node.tag/rule/node.tag/time/starttime/node.def
@@ -1,5 +1,5 @@
type: txt
-help: Set to apply rule starting from specified time
+help: Set to match rule starting from the given time of day
syntax:expression: pattern $VAR(@) "^[[:digit:]]\{2\}[:][[:digit:]]\{2\}[:][[:digit:]]\{2\}$" ; \
"Incorrect value for starttime. Date should be entered using 24 hour notation - hh:mm:ss"
diff --git a/templates/firewall/name/node.tag/rule/node.tag/time/stopdate/node.def b/templates/firewall/name/node.tag/rule/node.tag/time/stopdate/node.def
index c99dd7b..5e58b2a 100644
--- a/templates/firewall/name/node.tag/rule/node.tag/time/stopdate/node.def
+++ b/templates/firewall/name/node.tag/rule/node.tag/time/stopdate/node.def
@@ -1,5 +1,5 @@
type: txt
-help: Set to apply rule till specified date
+help: Set to match rule until the given date
syntax:expression: pattern $VAR(@) "^[[:digit:]]\{4\}[-][[:digit:]]\{2\}[-][[:digit:]]\{2\}(T[[:digit:]]\{2\}[:][[:digit:]]\{2\}[:][[:digit:]]\{2\})?$" ; \
"Invalid value for stopdate. Date should use yyyy-mm-dd format. To specify time
of date with stopdate, append 'T' to date followed by time in 24 hour notation
diff --git a/templates/firewall/name/node.tag/rule/node.tag/time/stoptime/node.def b/templates/firewall/name/node.tag/rule/node.tag/time/stoptime/node.def
index 0514e8b..fb864d9 100644
--- a/templates/firewall/name/node.tag/rule/node.tag/time/stoptime/node.def
+++ b/templates/firewall/name/node.tag/rule/node.tag/time/stoptime/node.def
@@ -1,5 +1,5 @@
type: txt
-help: Set to apply rule till specified time
+help: Set to match rule to the given time of day
syntax:expression: pattern $VAR(@) "^[[:digit:]]\{2\}[:][[:digit:]]\{2\}[:][[:digit:]]\{2\}$" ; \
"Incorrect value for stoptime. Date should be entered using 24 hour notation - hh:mm:ss"
diff --git a/templates/firewall/name/node.tag/rule/node.tag/time/weekdays/node.def b/templates/firewall/name/node.tag/rule/node.tag/time/weekdays/node.def
index aea3e22..fe167ac 100644
--- a/templates/firewall/name/node.tag/rule/node.tag/time/weekdays/node.def
+++ b/templates/firewall/name/node.tag/rule/node.tag/time/weekdays/node.def
@@ -1,5 +1,5 @@
type: txt
-help: Set weekdays on which to apply rules on
+help: Set weekdays on which to match rules on
syntax:expression: pattern $VAR(@) "^!?([[:upper:]][[:lower:]]\{2\}\,)*[[:upper:]][[:lower:]]\{2\}$" ; \
"Incorrect value for weekdays. Weekdays should be specified using the first
three characters of the day with the first character capitalized eg. Mon,Thu,Sat