[patch] match limit with inverse [!]
Jerome de Vivie
jerome.de-vivie@wanadoo.fr
Wed, 07 Nov 2001 01:25:47 +0100
Il s'agit d'un message multivolet au format MIME.
--------------F42A436AD3B2CB379314518A
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Hi,
inverse flag "!" now works with the match limit.
If we are using LOG, we want to match only a low rate. If we are trying to
protect against DoS, we want to match above the limit, so we should
invert the logic.
With a !, we are able to take a decision in the same rule instead of
going to the next one.
regards,
j.
--------------F42A436AD3B2CB379314518A
Content-Type: text/plain; charset=iso-8859-1;
name="iptables-1.2.4.diff"
Content-Transfer-Encoding: 8bit
Content-Disposition: inline;
filename="iptables-1.2.4.diff"
diff -urN iptables-1.2.4/extensions/libip6t_limit.c iptables-1.2.4-ok/extensions/libip6t_limit.c
--- iptables-1.2.4/extensions/libip6t_limit.c Mon Aug 6 10:53:41 2001
+++ iptables-1.2.4-ok/extensions/libip6t_limit.c Wed Nov 7 00:59:50 2001
@@ -1,6 +1,6 @@
/* Shared library add-on to iptables to add limit support.
*
- * Jérôme de Vivie <devivie@info.enserb.u-bordeaux.fr>
+ * Jérôme de Vivie <jerome.de-vivie@wanadoo.fr>
* Hervé Eychenne <eychenne@info.enserb.u-bordeaux.fr>
*/
#include <stdio.h>
@@ -21,7 +21,7 @@
{
printf(
"limit v%s options:\n"
-"--limit avg max average match rate: default "IP6T_LIMIT_AVG"\n"
+"--limit [!] avg max average match rate: default "IP6T_LIMIT_AVG"\n"
" [Packets per second unless followed by \n"
" /sec /minute /hour /day postfixes]\n"
"--limit-burst number number to match in a burst, default %u\n"
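Review bot: The usage line `--limit [!] avg` puts the `!` after the option, but the parser in this file (the @@ -100 hunk below) still rejects a `!` given as the option's argument via `check_inverse(optarg, &invert)` followed by exit_error, and only a `!` placed before the option reaches the match through the `invert` parameter. The libipt_limit.c help hunk (@@ -21, ending line 93) already writes it the other way round. Change the line to `"[!] --limit avg max average match rate: default "IP6T_LIMIT_AVG"\n"` so the two help texts and the parser agree.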
@@ -100,6 +100,8 @@
struct ip6t_rateinfo *r = (struct ip6t_rateinfo *)(*match)->data;
unsigned int num;
+ r->inv = invert;
+
switch(c) {
case '%':
if (check_inverse(optarg, &invert))
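Review bot: `r->inv = invert;` sits before the `switch`, so it is re-evaluated on every option the parser is called for: with `! --limit 1/s --limit-burst 5` the inversion is recorded on the first call and cleared again when `--limit-burst` is parsed, and `! --limit-burst 5` is silently accepted as an inverted limit. Move the assignment under the limit case, `case '%': r->inv = invert;`, and, if the `--limit-burst` case further down (outside the hunk) does not already refuse it, add `if (invert) exit_error(PARAMETER_PROBLEM, "Unexpected `!' before --limit-burst");` there. The libipt_limit.c parse hunk (@@ -100,11, ending line 107) has the same placement. parse() begins and ends outside this hunk.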
@@ -162,7 +164,10 @@
int numeric)
{
struct ip6t_rateinfo *r = (struct ip6t_rateinfo *)match->data;
- printf("limit: avg "); print_rate(r->avg);
+ printf("limit: avg ");
+ if(r->inv)
+ printf("! ");
+ print_rate(r->avg);
printf("burst %u ", r->burst);
}
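Review bot: The listing output becomes `limit: avg ! 1/s`, which reads as a negated rate rather than a negated match; as far as I recall other iptables matches print the `!` directly in front of the thing being inverted. Consider `printf("limit: "); if (r->inv) printf("! "); printf("avg ");` before the `print_rate(r->avg);` call. The libipt_limit.c print hunk (ending line 118) is identical.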
@@ -171,7 +176,10 @@
{
struct ip6t_rateinfo *r = (struct ip6t_rateinfo *)match->data;
- printf("--limit "); print_rate(r->avg);
+ printf("--limit ");
+ if(r->inv)
+ printf("! ");
+ print_rate(r->avg);
if (r->burst != IP6T_LIMIT_BURST)
printf("--limit-burst %u ", r->burst);
}
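Review bot: save() now emits `--limit ! 1/s`, which will not restore: the parse code in this file still rejects a `!` that follows `--limit` (`check_inverse(optarg, &invert)` followed by exit_error, visible in full in the libipt_limit.c hunk at lines 101-103), and only a `!` before the option reaches the match as `invert`. The three changed lines should read `if (r->inv) printf("! "); printf("--limit "); print_rate(r->avg);` so that iptables-save output round-trips through iptables-restore. The libipt_limit.c save() hunk (ending line 129) has the identical defect.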
diff -urN iptables-1.2.4/extensions/libipt_limit.c iptables-1.2.4-ok/extensions/libipt_limit.c
--- iptables-1.2.4/extensions/libipt_limit.c Tue Oct 16 10:40:04 2001
+++ iptables-1.2.4-ok/extensions/libipt_limit.c Wed Nov 7 01:00:42 2001
@@ -1,6 +1,6 @@
/* Shared library add-on to iptables to add limit support.
*
- * Jérôme de Vivie <devivie@info.enserb.u-bordeaux.fr>
+ * Jérôme de Vivie <jerome.de-vivie@wanadoo.fr>
* Hervé Eychenne <eychenne@info.enserb.u-bordeaux.fr>
*/
#include <stdio.h>
@@ -21,7 +21,7 @@
{
printf(
"limit v%s options:\n"
-"--limit avg max average match rate: default "IPT_LIMIT_AVG"\n"
+"[!] --limit avg max average match rate: default "IPT_LIMIT_AVG"\n"
" [Packets per second unless followed by \n"
" /sec /minute /hour /day postfixes]\n"
"--limit-burst number number to match in a burst, default %u\n"
@@ -100,11 +100,14 @@
struct ipt_rateinfo *r = (struct ipt_rateinfo *)(*match)->data;
unsigned int num;
+ r->inv = invert;
+
switch(c) {
case '%':
if (check_inverse(optarg, &invert))
exit_error(PARAMETER_PROBLEM,
"Unexpected `!' after --limit");
+
if (!parse_rate(optarg, &r->avg))
exit_error(PARAMETER_PROBLEM,
"bad rate `%s'", optarg);
@@ -162,7 +165,10 @@
int numeric)
{
struct ipt_rateinfo *r = (struct ipt_rateinfo *)match->data;
- printf("limit: avg "); print_rate(r->avg);
+ printf("limit: avg ");
+ if(r->inv)
+ printf("! ");
+ print_rate(r->avg);
printf("burst %u ", r->burst);
}
@@ -171,7 +177,10 @@
{
struct ipt_rateinfo *r = (struct ipt_rateinfo *)match->data;
- printf("--limit "); print_rate(r->avg);
+ printf("--limit ");
+ if(r->inv)
+ printf("! ");
+ print_rate(r->avg);
if (r->burst != IPT_LIMIT_BURST)
printf("--limit-burst %u ", r->burst);
}
--------------F42A436AD3B2CB379314518A
Content-Type: text/plain; charset=iso-8859-1;
name="kernel.diff"
Content-Transfer-Encoding: 8bit
Content-Disposition: inline;
filename="kernel.diff"
diff -urN linux/include/linux/netfilter_ipv4/ipt_limit.h linux-ok/include/linux/netfilter_ipv4/ipt_limit.h
--- linux/include/linux/netfilter_ipv4/ipt_limit.h Fri Mar 17 19:56:20 2000
+++ linux-ok/include/linux/netfilter_ipv4/ipt_limit.h Wed Nov 7 00:04:03 2001
@@ -9,6 +9,7 @@
struct ipt_rateinfo {
u_int32_t avg; /* Average secs between packets * scale */
u_int32_t burst; /* Period multiplier for upper limit. */
+ u_int32_t inv; /* Logic to match. */
/* Used internally by the kernel */
unsigned long prev;
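Review bot: Inserting `inv` into struct ipt_rateinfo changes the size of the matchinfo block that userspace hands to the kernel, so an unpatched iptables against a patched kernel (or the reverse) will presumably be refused by the size check in checkentry rather than degrade gracefully; the changelog should say that both sides must be updated together. The comment `/* Logic to match. */` does not say which value means what; suggest `/* Nonzero: invert the sense of the match (! --limit). */`. The ip6t_limit.h hunk (ending line 155) is the same change.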
diff -urN linux/include/linux/netfilter_ipv6/ip6t_limit.h linux-ok/include/linux/netfilter_ipv6/ip6t_limit.h
--- linux/include/linux/netfilter_ipv6/ip6t_limit.h Tue Jun 20 23:32:27 2000
+++ linux-ok/include/linux/netfilter_ipv6/ip6t_limit.h Wed Nov 7 00:03:53 2001
@@ -9,6 +9,7 @@
struct ip6t_rateinfo {
u_int32_t avg; /* Average secs between packets * scale */
u_int32_t burst; /* Period multiplier for upper limit. */
+ u_int32_t inv; /* Logic to match. */
/* Used internally by the kernel */
unsigned long prev;
diff -urN linux/net/ipv4/netfilter/ipt_limit.c linux-ok/net/ipv4/netfilter/ipt_limit.c
--- linux/net/ipv4/netfilter/ipt_limit.c Thu Aug 10 21:35:15 2000
+++ linux-ok/net/ipv4/netfilter/ipt_limit.c Wed Nov 7 00:11:49 2001
@@ -1,6 +1,6 @@
/* Kernel module to control the rate
*
- * Jérôme de Vivie <devivie@info.enserb.u-bordeaux.fr>
+ * Jérôme de Vivie <jerome.de-vivie@wanadoo.fr>
* Hervé Eychenne <eychenne@info.enserb.u-bordeaux.fr>
*
* 2 September 1999: Changed from the target RATE to the match
@@ -63,11 +63,11 @@
/* We're not limited. */
r->credit -= r->cost;
spin_unlock_bh(&limit_lock);
- return 1;
+ return ! r->inv;
}
spin_unlock_bh(&limit_lock);
- return 0;
+ return r->inv;
}
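Review bot: On the limited path `return r->inv;` hands back the raw 32-bit value supplied by userspace as the match result, while the other path returns the normalized `! r->inv`, so the two branches do not yield the same kind of value. Either normalize both, `return !!r->inv;` and `return !r->inv;` (also dropping the stray space), or reject `inv` values other than 0 and 1 in checkentry, which lies outside this hunk. ipt_limit_match starts outside the hunk. The ip6t_limit.c hunk (ending line 200) is identical.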
/* Precision saver. */
diff -urN linux/net/ipv6/netfilter/ip6t_limit.c linux-ok/net/ipv6/netfilter/ip6t_limit.c
--- linux/net/ipv6/netfilter/ip6t_limit.c Mon May 22 18:50:55 2000
+++ linux-ok/net/ipv6/netfilter/ip6t_limit.c Wed Nov 7 00:14:24 2001
@@ -1,6 +1,6 @@
/* Kernel module to control the rate
*
- * Jérôme de Vivie <devivie@info.enserb.u-bordeaux.fr>
+ * Jérôme de Vivie <jerome.de-vivie@wanadoo.fr>
* Hervé Eychenne <eychenne@info.enserb.u-bordeaux.fr>
*
* 2 September 1999: Changed from the target RATE to the match
@@ -63,11 +63,11 @@
/* We're not limited. */
r->credit -= r->cost;
spin_unlock_bh(&limit_lock);
- return 1;
+ return ! r->inv;
}
spin_unlock_bh(&limit_lock);
- return 0;
+ return r->inv;
}
/* Precision saver. */
--------------F42A436AD3B2CB379314518A
Content-Type: text/plain; charset=us-ascii;
name="packet-filtering-HOWTO.linuxdoc.sgml.diff"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
filename="packet-filtering-HOWTO.linuxdoc.sgml.diff"
--- packet-filtering-HOWTO.linuxdoc.sgml Tue Nov 6 22:56:45 2001
+++ packet-filtering-HOWTO.linuxdoc.sgml-ok Wed Nov 7 01:08:43 2001
@@ -744,17 +744,17 @@
<p>Syn-flood protection:
<tscreen><verb>
-# iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
+# iptables -A FORWARD -p tcp --syn -m limit \! --limit 1/s -j DROP
</verb></tscreen>
Furtive port scanner:
<tscreen><verb>
-# iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
+# iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit \! --limit 1/s -j DROP
</verb></tscreen>
Ping of death:
<tscreen><verb>
-# iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
+# iptables -A FORWARD -p icmp --icmp-type echo-request -m limit \! --limit 1/s -j DROP
</verb></tscreen>
This module works like a "hysteresis door", as shown in the graph
--------------F42A436AD3B2CB379314518A--