|
 |
3d17f4 |
Adapted version of
|
|
|
3d17f4 |
|
|
|
3d17f4 |
commit a45c84008ae27aae36a5a67c5f9b08bca64aaf55
|
|
|
3d17f4 |
Author: Jiri Popelka <jpopelka@redhat.com>
|
|
|
3d17f4 |
Date: Tue Jan 6 18:00:49 2015 +0100
|
|
|
3d17f4 |
|
|
|
3d17f4 |
Iptables doesn't like limit of 1/d (RHBZ#1176813)
|
|
|
3d17f4 |
|
|
|
3d17f4 |
It should eventually be fixed in iptables,
|
|
|
3d17f4 |
this is a workaround for broken versions.
|
|
|
3d17f4 |
|
|
|
3d17f4 |
diff --git a/doc/xml/firewalld.richlanguage.xml b/doc/xml/firewalld.richlanguage.xml
|
|
|
3d17f4 |
index 0556f20..39a9ec7 100644
|
|
|
3d17f4 |
--- a/doc/xml/firewalld.richlanguage.xml
|
|
|
3d17f4 |
+++ b/doc/xml/firewalld.richlanguage.xml
|
|
|
3d17f4 |
@@ -226,7 +226,7 @@ log [prefix="prefix text"] [level="log l
|
|
|
3d17f4 |
Log new connection attempts to the rule with kernel logging for example in syslog. You can define a prefix text that will be added to the log message as a prefix. Log level can be one of "<option>emerg</option>", "<option>alert</option>", "<option>crit</option>", "<option>error</option>", "<option>warning</option>", "<option>notice</option>", "<option>info</option>" or "<option>debug</option>", where default (i.e. if there's no one specified) is "<option>warning</option>". See <citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry> for description of levels.
|
|
|
3d17f4 |
</para>
|
|
|
3d17f4 |
<para>
|
|
|
3d17f4 |
- It is possible to limit logging: The rate is a natural positive number [1, ..], the duration is of "s", "m", "h", "d". "s" means seconds, "m" minutes, "h" hours and "d" days. The maximum limit value is "1/d" which means at maximum one log entry per day.
|
|
|
3d17f4 |
+ It is possible to limit logging: The rate is a natural positive number [1, ..], the duration is of "s", "m", "h", "d". "s" means seconds, "m" minutes, "h" hours and "d" days. The maximum limit value is "2/d" which means at maximum one log entry per day.
|
|
|
3d17f4 |
</para>
|
|
|
3d17f4 |
</refsect2>
|
|
|
3d17f4 |
|
|
|
3d17f4 |
diff --git a/src/firewall/core/rich.py b/src/firewall/core/rich.py
|
|
|
3d17f4 |
index 21dc86a..1c93d4f 100644
|
|
|
3d17f4 |
--- a/src/firewall/core/rich.py
|
|
|
3d17f4 |
+++ b/src/firewall/core/rich.py
|
|
|
3d17f4 |
@@ -183,6 +183,10 @@ class Rich_Limit(object):
|
|
|
3d17f4 |
if 10000 * mult / rate == 0:
|
|
|
3d17f4 |
raise FirewallError(INVALID_LIMIT, "%s too fast" % self.value)
|
|
|
3d17f4 |
|
|
|
3d17f4 |
+ if rate == 1 and duration == "d":
|
|
|
3d17f4 |
+ # iptables (v1.4.21) doesn't accept 1/d
|
|
|
3d17f4 |
+ raise FirewallError(INVALID_LIMIT, "%s too slow" % self.value)
|
|
|
3d17f4 |
+
|
|
|
3d17f4 |
def __str__(self):
|
|
|
3d17f4 |
return 'limit value="%s"' % (self.value)
|
|
|
3d17f4 |
|