From 7cf567cb1538070ea204b64e53135de876c12dd3 Mon Sep 17 00:00:00 2001
From: Mohit Mehta
Date: Thu, 15 Jul 2010 10:51:53 -0700
Subject: Fix bug 4629 configuration limit of recent count firewall rule is 20
* raise recent count limit to 255. add syntax check to disallow invalid values
---
 Makefile.am | 4 +++-
 etc/modprobe.d/vyatta_xt_recent | 22 ++++++++++++++++++++++
 .../node.tag/rule/node.tag/recent/count/node.def | 1 +
 .../node.tag/rule/node.tag/recent/count/node.def | 1 +
 .../node.tag/rule/node.tag/recent/count/node.def | 2 ++
 .../node.tag/rule/node.tag/recent/count/node.def | 1 +
 6 files changed, 30 insertions(+), 1 deletion(-)
 create mode 100644 etc/modprobe.d/vyatta_xt_recent
diff --git a/Makefile.am b/Makefile.am
index 781965f..d76794a 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -2,7 +2,9 @@ cfgdir = $(datadir)/vyatta-cfg/templates
 share_perl5dir = /opt/vyatta/share/perl5/Vyatta/IpTables
 curverdir = $(sysconfdir)/config-migrate/current
 modprobedir = /etc/modprobe.d
-modprobe_DATA = etc/modprobe.d/vyatta_nf_conntrack
+
+modprobe_DATA = etc/modprobe.d/vyatta_nf_conntrack
+modprobe_DATA += etc/modprobe.d/vyatta_xt_recent
 sbin_SCRIPTS =
 share_perl5_DATA =
diff --git a/etc/modprobe.d/vyatta_xt_recent b/etc/modprobe.d/vyatta_xt_recent
new file mode 100644
index 0000000..d517838
--- /dev/null
+++ b/etc/modprobe.d/vyatta_xt_recent
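Review bot: Deleting and re-adding the unchanged `modprobe_DATA = etc/modprobe.d/vyatta_nf_conntrack` line is avoidable churn in the Makefile.am hunk; it makes the real change harder to see in blame and in later merges. Keeping the existing line and adding only `modprobe_DATA += etc/modprobe.d/vyatta_xt_recent` directly beneath it yields the same Makefile.am with a one-line hunk. Whether a blank line belongs in front of the modprobe_DATA group depends on the file's grouping convention, which is not visible from this hunk.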
@@ -0,0 +1,22 @@
+#
+# **** License ****
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# This code was originally developed by Vyatta, Inc.
+# Portions created by Vyatta are Copyright (C) 2010 Vyatta, Inc.
+# All Rights Reserved.
+# **** End License ****
+#
+# Author: Mohit Mehta
+# Description: Set number of packets per IP to remember to 255 for recent
+# match condition. Default value was 20 as of July 14, 2010
+#
+
+options xt_recent ip_pkt_list_tot=255
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/recent/count/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/recent/count/node.def
index a07010f..7f72b46 100644
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/recent/count/node.def
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/recent/count/node.def
@@ -1,2 +1,3 @@
 type: u32
 help: Set to N to only match source addresses seen more than N times
+syntax:expression: $VAR(@) >=1 && $VAR(@) <= 255; "recent count value must be between 1 and 255"
diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/recent/count/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/recent/count/node.def
index a07010f..7f72b46 100644
--- a/templates/firewall/ipv6-name/node.tag/rule/node.tag/recent/count/node.def
+++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/recent/count/node.def
@@ -1,2 +1,3 @@
 type: u32
 help: Set to N to only match source addresses seen more than N times
+syntax:expression: $VAR(@) >=1 && $VAR(@) <= 255; "recent count value must be between 1 and 255"
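Review bot: `options xt_recent ip_pkt_list_tot=255` is a module load-time parameter, so installing this file changes nothing on a system where xt_recent is already loaded (any box with a live `recent` rule); the limit stays at 20 until the module is unloaded and reloaded or the system reboots, and unloading normally fails while a rule still uses the match. The header comment should say so, because the template check added by this same commit accepts counts up to 255 on the strength of this file; something like `# Load-time parameter: only takes effect when xt_recent is (re)loaded. An already-loaded module keeps the old limit (20) until reboot.` If I recall correctly the parameter is also exposed read-only under /sys/module/xt_recent/parameters, so it cannot be raised on a live module, and 255 is the kernel's own ceiling for it, which is worth recording as the reason both this file and the templates stop there. The cost is that each remembered address now keeps 255 timestamps instead of 20; with the default ip_list_tot that is modest, but it is a per-table memory increase worth one line in the description.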
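Review bot: The 255 ceiling in `syntax:expression: $VAR(@) >=1 && $VAR(@) <= 255` is really the value of ip_pkt_list_tot from etc/modprobe.d/vyatta_xt_recent, and it is now hard-coded in four template files with nothing tying them to that file or to each other, so a later change to one copy will silently desynchronise the rest. A count that passes this check but exceeds what the loaded module actually allows (for example 100 on a box still running the old default of 20) is, as far as I recall, refused by the kernel when the rule is inserted, so the failure would then surface as an iptables error at commit time rather than as this message. At minimum the message should name the coupling for the operator, e.g. `"recent count value must be between 1 and 255 (limited by xt_recent ip_pkt_list_tot)"`, and the four copies should either be generated from one source or reference the modprobe file in a comment if node.def permits one. The `>=1` versus `<= 255` spacing is also inconsistent within the one line; `$VAR(@) >= 1 && $VAR(@) <= 255` reads more evenly.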
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/recent/count/node.def b/templates/firewall/modify/node.tag/rule/node.tag/recent/count/node.def
index a07010f..767f42c 100644
--- a/templates/firewall/modify/node.tag/rule/node.tag/recent/count/node.def
+++ b/templates/firewall/modify/node.tag/rule/node.tag/recent/count/node.def
@@ -1,2 +1,4 @@
 type: u32
 help: Set to N to only match source addresses seen more than N times
+syntax:expression: $VAR(@) >=1 && $VAR(@) <= 255; "recent count value must be between 1 and 255"
+
diff --git a/templates/firewall/name/node.tag/rule/node.tag/recent/count/node.def b/templates/firewall/name/node.tag/rule/node.tag/recent/count/node.def
index a07010f..7f72b46 100644
--- a/templates/firewall/name/node.tag/rule/node.tag/recent/count/node.def
+++ b/templates/firewall/name/node.tag/rule/node.tag/recent/count/node.def
@@ -1,2 +1,3 @@
 type: u32
 help: Set to N to only match source addresses seen more than N times
+syntax:expression: $VAR(@) >=1 && $VAR(@) <= 255; "recent count value must be between 1 and 255"
--
cgit v1.2.3
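Review bot: The modify template alone gains a trailing empty line (the final `+` in its hunk, hence `@@ -1,2 +1,4 @@` where the other three copies are `+1,3`), so after this commit it no longer matches ipv6-modify, ipv6-name and name, which are otherwise byte-identical and even share the post-image blob 7f72b46. Dropping that blank line keeps the four node.def files identical, which matters because they are evidently maintained by copy and any difference between them should be a deliberate one.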