21 files changed, 61 insertions, 14 deletions
diff --git a/lib/Vyatta/IpTables/Rule.pm b/lib/Vyatta/IpTables/Rule.pm
index 23755a6..fb1574b 100644
--- a/lib/Vyatta/IpTables/Rule.pm
+++ b/lib/Vyatta/IpTables/Rule.pm
@@ -46,6 +46,10 @@ my %fields = (
 _weekdays => undef,
 _utc => undef,
 },
+ _limit => {
+ _rate => undef,
+ _burst => undef,
+ },
 _disable => undef,
 );
@@ -88,6 +92,10 @@ my %dummy_rule = (
 _weekdays => undef,
 _utc => undef,
 },
+ _limit => {
+ _rate => undef,
+ _burst => undef,
+ },
 _disable => undef,
 );
@@ -154,6 +162,9 @@ sub setup {
 $self->{_time}->{_weekdays} = $config->returnValue("time weekdays");
 $self->{_time}->{_utc} = $config->exists("time utc");
+ $self->{_limit}->{_rate} = $config->returnValue("limit rate");
+ $self->{_limit}->{_burst} = $config->returnValue("limit burst");
+
 $self->{_disable} = $config->exists("disable");
 # TODO: need $config->exists("$level source") in Vyatta::Config.pm
@@ -209,6 +220,9 @@ sub setupOrig {
 $self->{_time}->{_weekdays} = $config->returnOrigValue("time weekdays");
 $self->{_time}->{_utc} = $config->existsOrig("time utc");
+ $self->{_limit}->{_rate} = $config->returnOrigValue("limit rate");
+ $self->{_limit}->{_burst} = $config->returnOrigValue("limit burst");
+
 $self->{_disable} = $config->existsOrig("disable");
 # TODO: need $config->exists("$level source") in Vyatta::Config.pm
@@ -441,6 +455,17 @@ first character capitalized eg. Mon,Thu,Sat For negation, add ! in front eg. !Mo
 $rule .= " -m time $time ";
 }
+ my $limit = undef;
+ if (defined($self->{_limit}->{_burst})) {
+ return ("Limit rate not defined", ) if (!defined($self->{_limit}->{_rate}));
+ $limit = "--limit $self->{_limit}->{_rate} --limit-burst $self->{_limit}->{_burst}";
+ } elsif (defined($self->{_limit}->{_rate})) {
+ $limit = "--limit $self->{_limit}->{_rate} --limit-burst 1";
+ }
+ if (defined($limit)) {
+ $rule .= " -m limit $limit ";
+ }
+
 my $chain = $self->{_name};
 my $rule_num = $self->{_rule_number};
 my $rule2 = undef;
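Review bot: In the rule-building hunk, `$self->{_limit}->{_rate}` and `$self->{_limit}->{_burst}` are interpolated into the iptables argument string with no check in this module, so the only thing between a configured value and the command line is the template validation, which lives in a different file and can drift independently of this code. A local guard placed right before each `$limit = ...` assignment keeps the module self-contained: `return ("Invalid limit rate", ) unless $self->{_limit}->{_rate} =~ m{\A\d+/(?:second|minute|hour|day)\z};` and, on the burst branch, `return ("Invalid limit burst", ) unless $self->{_limit}->{_burst} =~ m{\A\d+\z};`. The `--limit-burst 1` fallback also deserves a why-comment, since iptables' own default when the option is omitted is 5: `# burst is forced to 1 so that "rate" alone means exactly that rate; iptables would otherwise default to 5`. The enclosing sub starts and ends outside the hunk, and the list-return error form appears to follow what the rest of it uses, judging from the added `return ("Limit rate not defined", )`.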
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/limit/burst/node.def b/templates/firewall/modify/node.tag/rule/node.tag/limit/burst/node.def
new file mode 100644
index 0000000..2739faa
--- /dev/null
+++ b/templates/firewall/modify/node.tag/rule/node.tag/limit/burst/node.def
@@ -0,0 +1,3 @@
+type: u32
+help: Set maximum number of packets to allow in excess of rate
+syntax:expression: ($VAR(@) >0) ; "Burst should be a value greater then zero"
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/limit/node.def b/templates/firewall/modify/node.tag/rule/node.tag/limit/node.def
new file mode 100644
index 0000000..42081fe
--- /dev/null
+++ b/templates/firewall/modify/node.tag/rule/node.tag/limit/node.def
@@ -0,0 +1 @@
+help: Set to match rule at a limited rate using a token bucket filter
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/limit/rate/node.def b/templates/firewall/modify/node.tag/rule/node.tag/limit/rate/node.def
new file mode 100644
index 0000000..de22a6f
--- /dev/null
+++ b/templates/firewall/modify/node.tag/rule/node.tag/limit/rate/node.def
@@ -0,0 +1,7 @@
+type: txt
+help: Set maximum average matching rate
+syntax:expression: pattern $VAR(@) "^[[:digit:]]+/(second|minute|hour|day)$" ; \
+"Invalid value for rate. Rate should be specified as an integer followed by
+a forward slash '/' and either of these time units - second, minute, hour or day
+eg. 1/second implies rule to be matched at an average of once per second"
+
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/time/monthdays/node.def b/templates/firewall/modify/node.tag/rule/node.tag/time/monthdays/node.def
index 025a2a9..b5d3285 100644
--- a/templates/firewall/modify/node.tag/rule/node.tag/time/monthdays/node.def
+++ b/templates/firewall/modify/node.tag/rule/node.tag/time/monthdays/node.def
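Review bot: The burst expression `($VAR(@) >0)` accepts any positive u32, but the iptables limit match only takes `--limit-burst` values from 1 to 10000, so an oversized burst passes configuration validation and only fails later when the generated rule is handed to iptables; bounding it in the template, `syntax:expression: $VAR(@) > 0 && $VAR(@) <= 10000 ; "Burst must be between 1 and 10000"` (assuming the `&&` form other vyatta templates use), reports the error at the right layer. The rate template in this same line has the mirror problem: its pattern `^[[:digit:]]+/(second|minute|hour|day)$` admits `0/second`, which iptables rejects as a bad rate, so the leading digit should be forced non-zero, e.g. `^[1-9][[:digit:]]*/(second|minute|hour|day)$`. The burst error string also has a typo, "greater then zero" for "greater than zero". The copies of both templates under templates/firewall/name later in this diff need the same fixes.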
@@ -1,5 +1,5 @@ type: txt -help: Set monthdays on which to apply rule +help: Set monthdays on which to match rule syntax:expression: pattern $VAR(@) "^!?([[:digit:]]\{1,2\}\,)*[[:digit:]]\{1,2\}$" ; \ "Incorrect value for monthdays. Monthdays should be specified as 2,12,21 For negation, add ! in front eg. !2,12,21" diff --git a/templates/firewall/modify/node.tag/rule/node.tag/time/node.def b/templates/firewall/modify/node.tag/rule/node.tag/time/node.def index 8061ba6..b7e283b 100644 --- a/templates/firewall/modify/node.tag/rule/node.tag/time/node.def +++ b/templates/firewall/modify/node.tag/rule/node.tag/time/node.def @@ -1 +1 @@ -help: Set time during which to apply rule +help: Set to match rule at a specified time diff --git a/templates/firewall/modify/node.tag/rule/node.tag/time/startdate/node.def b/templates/firewall/modify/node.tag/rule/node.tag/time/startdate/node.def index 4d470f4..b54ff51 100644 --- a/templates/firewall/modify/node.tag/rule/node.tag/time/startdate/node.def +++ b/templates/firewall/modify/node.tag/rule/node.tag/time/startdate/node.def @@ -1,5 +1,5 @@ type: txt -help: Set to apply rule starting from specified date +help: Set to match rule starting from the given date syntax:expression: pattern $VAR(@) "^[[:digit:]]\{4\}[-][[:digit:]]\{2\}[-][[:digit:]]\{2\}(T[[:digit:]]\{2\}[:][[:digit:]]\{2\}[:][[:digit:]]\{2\})?$" ; \ "Invalid value for startdate. Date should use yyyy-mm-dd format. To specify time of date with startdate, append 'T' to date followed by time in 24 hour notation diff --git a/templates/firewall/modify/node.tag/rule/node.tag/time/starttime/node.def b/templates/firewall/modify/node.tag/rule/node.tag/time/starttime/node.def index 46c68c2..11767c3 100644 --- a/templates/firewall/modify/node.tag/rule/node.tag/time/starttime/node.def +++ b/templates/firewall/modify/node.tag/rule/node.tag/time/starttime/node.def 
@@ -1,5 +1,5 @@ type: txt -help: Set to apply rule starting from specified time +help: Set to match rule starting from the given time of day syntax:expression: pattern $VAR(@) "^[[:digit:]]\{2\}[:][[:digit:]]\{2\}[:][[:digit:]]\{2\}$" ; \ "Incorrect value for starttime. Date should be entered using 24 hour notation - hh:mm:ss" diff --git a/templates/firewall/modify/node.tag/rule/node.tag/time/stopdate/node.def b/templates/firewall/modify/node.tag/rule/node.tag/time/stopdate/node.def index 90dd684..1fd9d8e 100644 --- a/templates/firewall/modify/node.tag/rule/node.tag/time/stopdate/node.def +++ b/templates/firewall/modify/node.tag/rule/node.tag/time/stopdate/node.def @@ -1,5 +1,5 @@ type: txt -help: Set to apply rule till specified date +help: Set to match rule until the given date syntax:expression: pattern $VAR(@) "^[[:digit:]]\{4\}[-][[:digit:]]\{2\}[-][[:digit:]]\{2\}(T[[:digit:]]\{2\}[:][[:digit:]]\{2\}[:][[:digit:]]\{2\})?$" ; \ "Invalid value for stopdate. Date should use yyyy-mm-dd format. To specify time of date with stopdate, append 'T' to date followed by time in 24 hour notation diff --git a/templates/firewall/modify/node.tag/rule/node.tag/time/stoptime/node.def b/templates/firewall/modify/node.tag/rule/node.tag/time/stoptime/node.def index 0514e8b..fb864d9 100644 --- a/templates/firewall/modify/node.tag/rule/node.tag/time/stoptime/node.def +++ b/templates/firewall/modify/node.tag/rule/node.tag/time/stoptime/node.def @@ -1,5 +1,5 @@ type: txt -help: Set to apply rule till specified time +help: Set to match rule to the given time of day syntax:expression: pattern $VAR(@) "^[[:digit:]]\{2\}[:][[:digit:]]\{2\}[:][[:digit:]]\{2\}$" ; \ "Incorrect value for stoptime. Date should be entered using 24 hour notation - hh:mm:ss" diff --git a/templates/firewall/modify/node.tag/rule/node.tag/time/weekdays/node.def b/templates/firewall/modify/node.tag/rule/node.tag/time/weekdays/node.def index aea3e22..fe167ac 100644 
--- a/templates/firewall/modify/node.tag/rule/node.tag/time/weekdays/node.def +++ b/templates/firewall/modify/node.tag/rule/node.tag/time/weekdays/node.def @@ -1,5 +1,5 @@ type: txt -help: Set weekdays on which to apply rules on +help: Set weekdays on which to match rules on syntax:expression: pattern $VAR(@) "^!?([[:upper:]][[:lower:]]\{2\}\,)*[[:upper:]][[:lower:]]\{2\}$" ; \ "Incorrect value for weekdays. Weekdays should be specified using the first three characters of the day with the first character capitalized eg. Mon,Thu,Sat diff --git a/templates/firewall/name/node.tag/rule/node.tag/limit/burst/node.def b/templates/firewall/name/node.tag/rule/node.tag/limit/burst/node.def new file mode 100644 index 0000000..2739faa --- /dev/null +++ b/templates/firewall/name/node.tag/rule/node.tag/limit/burst/node.def @@ -0,0 +1,3 @@ +type: u32 +help: Set maximum number of packets to allow in excess of rate +syntax:expression: ($VAR(@) >0) ; "Burst should be a value greater then zero" diff --git a/templates/firewall/name/node.tag/rule/node.tag/limit/node.def b/templates/firewall/name/node.tag/rule/node.tag/limit/node.def new file mode 100644 index 0000000..42081fe --- /dev/null +++ b/templates/firewall/name/node.tag/rule/node.tag/limit/node.def @@ -0,0 +1 @@ +help: Set to match rule at a limited rate using a token bucket filter diff --git a/templates/firewall/name/node.tag/rule/node.tag/limit/rate/node.def b/templates/firewall/name/node.tag/rule/node.tag/limit/rate/node.def new file mode 100644 index 0000000..de22a6f --- /dev/null +++ b/templates/firewall/name/node.tag/rule/node.tag/limit/rate/node.def 
@@ -0,0 +1,7 @@ +type: txt +help: Set maximum average matching rate +syntax:expression: pattern $VAR(@) "^[[:digit:]]+/(second|minute|hour|day)$" ; \ +"Invalid value for rate. Rate should be specified as an integer followed by +a forward slash '/' and either of these time units - second, minute, hour or day +eg. 1/second implies rule to be matched at an average of once per second" + diff --git a/templates/firewall/name/node.tag/rule/node.tag/time/monthdays/node.def b/templates/firewall/name/node.tag/rule/node.tag/time/monthdays/node.def index 025a2a9..b5d3285 100644 --- a/templates/firewall/name/node.tag/rule/node.tag/time/monthdays/node.def +++ b/templates/firewall/name/node.tag/rule/node.tag/time/monthdays/node.def @@ -1,5 +1,5 @@ type: txt -help: Set monthdays on which to apply rule +help: Set monthdays on which to match rule syntax:expression: pattern $VAR(@) "^!?([[:digit:]]\{1,2\}\,)*[[:digit:]]\{1,2\}$" ; \ "Incorrect value for monthdays. Monthdays should be specified as 2,12,21 For negation, add ! in front eg. !2,12,21" diff --git a/templates/firewall/name/node.tag/rule/node.tag/time/node.def b/templates/firewall/name/node.tag/rule/node.tag/time/node.def index 8061ba6..b7e283b 100644 --- a/templates/firewall/name/node.tag/rule/node.tag/time/node.def +++ b/templates/firewall/name/node.tag/rule/node.tag/time/node.def @@ -1 +1 @@ -help: Set time during which to apply rule +help: Set to match rule at a specified time diff --git a/templates/firewall/name/node.tag/rule/node.tag/time/startdate/node.def b/templates/firewall/name/node.tag/rule/node.tag/time/startdate/node.def index a971375..09a2f19 100644 --- a/templates/firewall/name/node.tag/rule/node.tag/time/startdate/node.def +++ b/templates/firewall/name/node.tag/rule/node.tag/time/startdate/node.def 
@@ -1,5 +1,5 @@ type: txt -help: Set to apply rule starting from specified date +help: Set to match rule starting from the given date syntax:expression: pattern $VAR(@) "^[[:digit:]]\{4\}[-][[:digit:]]\{2\}[-][[:digit:]]\{2\}(T[[:digit:]]\{2\}[:][[:digit:]]\{2\}[:][[:digit:]]\{2\})?$" ; \ "Invalid value for startdate. Date should use yyyy-mm-dd format. To specify time of date with startdate, append 'T' to date followed by time in 24 hour notation diff --git a/templates/firewall/name/node.tag/rule/node.tag/time/starttime/node.def b/templates/firewall/name/node.tag/rule/node.tag/time/starttime/node.def index 46c68c2..11767c3 100644 --- a/templates/firewall/name/node.tag/rule/node.tag/time/starttime/node.def +++ b/templates/firewall/name/node.tag/rule/node.tag/time/starttime/node.def @@ -1,5 +1,5 @@ type: txt -help: Set to apply rule starting from specified time +help: Set to match rule starting from the given time of day syntax:expression: pattern $VAR(@) "^[[:digit:]]\{2\}[:][[:digit:]]\{2\}[:][[:digit:]]\{2\}$" ; \ "Incorrect value for starttime. Date should be entered using 24 hour notation - hh:mm:ss" diff --git a/templates/firewall/name/node.tag/rule/node.tag/time/stopdate/node.def b/templates/firewall/name/node.tag/rule/node.tag/time/stopdate/node.def index c99dd7b..5e58b2a 100644 --- a/templates/firewall/name/node.tag/rule/node.tag/time/stopdate/node.def +++ b/templates/firewall/name/node.tag/rule/node.tag/time/stopdate/node.def @@ -1,5 +1,5 @@ type: txt -help: Set to apply rule till specified date +help: Set to match rule until the given date syntax:expression: pattern $VAR(@) "^[[:digit:]]\{4\}[-][[:digit:]]\{2\}[-][[:digit:]]\{2\}(T[[:digit:]]\{2\}[:][[:digit:]]\{2\}[:][[:digit:]]\{2\})?$" ; \ "Invalid value for stopdate. Date should use yyyy-mm-dd format. To specify time of date with stopdate, append 'T' to date followed by time in 24 hour notation 
diff --git a/templates/firewall/name/node.tag/rule/node.tag/time/stoptime/node.def b/templates/firewall/name/node.tag/rule/node.tag/time/stoptime/node.def index 0514e8b..fb864d9 100644 --- a/templates/firewall/name/node.tag/rule/node.tag/time/stoptime/node.def +++ b/templates/firewall/name/node.tag/rule/node.tag/time/stoptime/node.def @@ -1,5 +1,5 @@ type: txt -help: Set to apply rule till specified time +help: Set to match rule to the given time of day syntax:expression: pattern $VAR(@) "^[[:digit:]]\{2\}[:][[:digit:]]\{2\}[:][[:digit:]]\{2\}$" ; \ "Incorrect value for stoptime. Date should be entered using 24 hour notation - hh:mm:ss" diff --git a/templates/firewall/name/node.tag/rule/node.tag/time/weekdays/node.def b/templates/firewall/name/node.tag/rule/node.tag/time/weekdays/node.def index aea3e22..fe167ac 100644 --- a/templates/firewall/name/node.tag/rule/node.tag/time/weekdays/node.def +++ b/templates/firewall/name/node.tag/rule/node.tag/time/weekdays/node.def @@ -1,5 +1,5 @@ type: txt -help: Set weekdays on which to apply rules on +help: Set weekdays on which to match rules on syntax:expression: pattern $VAR(@) "^!?([[:upper:]][[:lower:]]\{2\}\,)*[[:upper:]][[:lower:]]\{2\}$" ; \ "Incorrect value for weekdays. Weekdays should be specified using the first three characters of the day with the first character capitalized eg. Mon,Thu,Sat |