author | Jo-Philipp Wich <jow@openwrt.org> | 2010-08-31 01:54:08 +0000 |
committer | Jo-Philipp Wich <jow@openwrt.org> | 2010-08-31 01:54:08 +0000 |
commit | ee4dd61b1095aa103a20fb97f8dfabecc7a1f8a8 (patch) | |
tree | 81815f5d4963fe004ab4d30f9a0056923168872d /package/firewall/files/lib/core_init.sh | |
parent | 867ac59ff97fc53ff1d205be3a176b6409e358f2 (diff) | |
firewall: - fix processing of rules with an ip family option - append interface rules at the end of internal zone chains, which simplifies injecting user or addon rules - support simple file logging (option log + option log_limit per zone)
SVN-Revision: 22847
Diffstat (limited to 'package/firewall/files/lib/core_init.sh')
-rw-r--r-- | package/firewall/files/lib/core_init.sh | 19 |
1 files changed, 18 insertions, 1 deletions
diff --git a/package/firewall/files/lib/core_init.sh b/package/firewall/files/lib/core_init.sh
index a549bd9..72cef2f 100644
--- a/package/firewall/files/lib/core_init.sh
+++ b/package/firewall/files/lib/core_init.sh
@@ -84,13 +84,16 @@ fw_load_defaults() {
 	[ $defaults_syn_flood == 1 ] && \
 		defaults_synflood_protect=1
 
+	[ "${defaults_synflood_rate%/*}" == "$defaults_synflood_rate" ] && \
+		defaults_synflood_rate="$defaults_synflood_rate/second"
+
 	[ $defaults_synflood_protect == 1 ] && {
 		echo "Loading synflood protection"
 		fw_callback pre synflood
 		fw add i f syn_flood
 		fw add i f syn_flood RETURN { \
 			-p tcp --syn \
-			-m limit --limit "${defaults_synflood_rate}/second" --limit-burst "${defaults_synflood_burst}" \
+			-m limit --limit "${defaults_synflood_rate}" --limit-burst "${defaults_synflood_burst}" \
 		}
 		fw add i f syn_flood DROP
 		fw add i f INPUT syn_flood { -p tcp --syn }
@@ -142,6 +145,8 @@ fw_config_get_zone() {
 		boolean conntrack 0 \
 		boolean mtu_fix 0 \
 		boolean custom_chains "$FW_ADD_CUSTOM_CHAINS" \
+		boolean log 0 \
+		string log_limit 10 \
 		string family "" \
 	} || return
 	[ -n "$zone_name" ] || zone_name=$zone_NAME
@@ -204,6 +209,7 @@ fw_load_zone() {
 	fw add $mode n ${chain}_prerouting
 	fw add $mode r ${chain}_notrack
 
+	[ $zone_masq == 1 ] && \
 	fw add $mode n POSTROUTING ${chain}_nat $
 
 
@@ -224,6 +230,17 @@ fw_load_zone() {
 		fw add $mode n ${chain}_prerouting prerouting_${zone_name} ^
 	}
 
+	[ "$zone_log" == 1 ] && {
+		[ "${zone_log_limit%/*}" == "$zone_log_limit" ] && \
+			zone_log_limit="$zone_log_limit/minute"
+
+		local t
+		for t in REJECT DROP MSSFIX; do
+			fw add $mode f ${chain}_${t} LOG ^ \
+				{ -m limit --limit $zone_log_limit --log-prefix "$t($zone_name): " }
+		done
+	}
+
 	fw_callback post zone
 }
 
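Review bot: In the last hunk the LOG rule passes `$zone_log_limit` unquoted inside `{ -m limit --limit $zone_log_limit ... }`, while the equivalent synflood rule in the first hunk quotes `"${defaults_synflood_rate}"`; a log_limit value carrying whitespace from the config would word-split into extra arguments, so `--limit "$zone_log_limit"` keeps the two rules consistent. The prefix `"$t($zone_name): "` is also subject to the LOG target's prefix length limit (29 characters), so a long zone name makes the whole rule insertion fail rather than merely truncate the prefix; a comment such as `# LOG --log-prefix is limited to 29 chars; long zone names make this rule fail` would record that, or the prefix could be shortened to the zone name alone. The defaults hunk likewise builds `"$defaults_synflood_rate/second"` without checking that the rate is non-empty; if the option has no default set earlier in fw_load_defaults the resulting `--limit /second` is rejected by iptables — the defaults block starts before the hunk, so this may already be covered there. fw_load_zone's body extends beyond the hunks shown.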