
added comment to explain the logic behind shadowing detection with iptables limit modules

This commit is contained in:
Vadim Kurland 2010-04-27 16:15:20 +00:00
parent 29456bf2ea
commit ef2d783888
3 changed files with 23 additions and 7 deletions


@ -1 +1 @@
#define BUILD_NUM 2845
#define BUILD_NUM 2847


@ -5146,6 +5146,23 @@ list<string> PolicyCompiler_ipt::getUsedChains()
/*
* see #1417 To policy rules with different module limit settings but
* otherwise identical should not shadow each other.
*
* For all limit modules:
* rule with rate "-1" (i.e. no rate limiting at all) shadows rule with
* rate > 0
* OR
* rule with lower rate shadows rule with greater rate
*
* consider for example two rules: rule 1 that matches 30 pkts/sec and
* rule 2 that matches 50 pkts/sec
*
* In this case neither rule matches when packet flow is at <30
* pkts/sec and rule 1 matches if packet flow is greater than 30
* pkts/sec . Even when packet flow is greater than 50 pkts/sec, it is
* still rule 1 that matches it. So rule 2 will never match at all,
* and rule with lower rate shadows rule with greater rate.
*
* we should return true if candidate_rule_2 shadows candidate_rule_1
*/
bool PolicyCompiler_ipt::checkForShadowingPlatformSpecific(PolicyRule *candidate_r1,
PolicyRule *candidate_r2)
@ -5155,7 +5172,7 @@ bool PolicyCompiler_ipt::checkForShadowingPlatformSpecific(PolicyRule *candidate
if (opt_1->getInt("limit_value")>0 || opt_2->getInt("limit_value")>0)
{
if (opt_1->getStr("limit_value") < opt_2->getStr("limit_value"))
if (opt_1->getInt("limit_value") < opt_2->getInt("limit_value"))
return false;
if (opt_1->getStr("limit_value_not") != opt_2->getStr("limit_value_not"))
return false;
@ -5165,7 +5182,7 @@ bool PolicyCompiler_ipt::checkForShadowingPlatformSpecific(PolicyRule *candidate
if (opt_1->getInt("connlimit_value")>0 || opt_2->getInt("connlimit_value")>0)
{
if (opt_1->getStr("connlimit_value") < opt_2->getStr("connlimit_value"))
if (opt_1->getInt("connlimit_value") < opt_2->getInt("connlimit_value"))
return false;
if (opt_1->getStr("connlimit_value_not") != opt_2->getStr("connlimit_value_not"))
return false;
@ -5175,15 +5192,14 @@ bool PolicyCompiler_ipt::checkForShadowingPlatformSpecific(PolicyRule *candidate
if (opt_1->getInt("hashlimit_value")>0 || opt_2->getInt("hashlimit_value")>0)
{
if (opt_1->getInt("hashlimit_value") < opt_2->getInt("hashlimit_value"))
return false;
if (opt_1->getStr("hashlimit_suffix") != opt_2->getStr("hashlimit_suffix"))
return false;
if (opt_1->getStr("hashlimit_mode") != opt_2->getStr("hashlimit_mode"))
return false;
if (opt_1->getStr("hashlimit_name") != opt_2->getStr("hashlimit_name"))
return false;
if (opt_1->getInt("hashlimit_value") < opt_2->getInt("hashlimit_value"))
return false;
}
return true;
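Review bot: The numeric comparison `if (opt_1->getInt("limit_value") < opt_2->getInt("limit_value"))` (and its connlimit and hashlimit counterparts) orders the two rates as if they were in the same unit, but no check that both rules share the same `limit_suffix` is visible in the limit hunk, while the hashlimit block does compare `hashlimit_suffix`; if that check sits in the part of the limit block below the hunk this is fine, otherwise a 30/minute rule and a 50/second rule would be ordered as though 30 < 50. A caveat for the new explanatory comment: iptables `limit` and `hashlimit` are token-bucket matches that match packets up to the configured rate, so without `limit_value_not` the packets exceeding rule 1's rate fall through to rule 2 instead of being matched by rule 1 as the example describes, and the "lower rate shadows greater rate" model fits `connlimit --connlimit-above` more naturally than `limit`; it may be worth stating in the comment which semantics the detection assumes, e.g. `* NOTE: this ordering assumes the match fires for traffic above the rate; for plain -m limit the excess falls through to the next rule.` The body of checkForShadowingPlatformSpecific continues between and beyond these hunks, so the rest of the limit and connlimit blocks is not visible here.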


@ -49959,7 +49959,7 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
<Option name="verify_interfaces">True</Option>
</FirewallOptions>
</Firewall>
<Firewall id="id54445X20318" host_OS="linux24" inactive="False" lastCompiled="1272299247" lastInstalled="0" lastModified="1272299240" platform="iptables" version="" name="test-shadowing-3" comment="testing shadowing detection&#10;compiler runs with -xt flag&#10;testing shadowing when rules have non-default options" ro="False">
<Firewall id="id54445X20318" host_OS="linux24" inactive="False" lastCompiled="1272384879" lastInstalled="0" lastModified="1272384869" platform="iptables" version="" name="test-shadowing-3" comment="testing shadowing detection&#10;compiler runs with -xt flag&#10;testing shadowing when rules have non-default options" ro="False">
<NAT id="id54554X20318" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/>
</NAT>