Adapted version of commit a45c84008ae27aae36a5a67c5f9b08bca64aaf55 Author: Jiri Popelka Date: Tue Jan 6 18:00:49 2015 +0100 Iptables doesn't like limit of 1/d (RHBZ#1176813) It should eventually be fixed in iptables, this is a workaround for broken versions.
diff --git a/doc/xml/firewalld.richlanguage.xml b/doc/xml/firewalld.richlanguage.xml
index 0556f20..39a9ec7 100644
--- a/doc/xml/firewalld.richlanguage.xml
+++ b/doc/xml/firewalld.richlanguage.xml
@@ -226,7 +226,7 @@ log [prefix="prefix text"] [level="log l
 Log new connection attempts to the rule with kernel logging for example in syslog. You can define a prefix text that will be added to the log message as a prefix. Log level can be one of "", "", "", "", "", "", "" or "", where default (i.e. if there's no one specified) is "". See syslog3 for description of levels.
- It is possible to limit logging: The rate is a natural positive number [1, ..], the duration is of "s", "m", "h", "d". "s" means seconds, "m" minutes, "h" hours and "d" days. The maximum limit value is "1/d" which means at maximum one log entry per day.
+ It is possible to limit logging: The rate is a natural positive number [1, ..], the duration is of "s", "m", "h", "d". "s" means seconds, "m" minutes, "h" hours and "d" days. The maximum limit value is "2/d" which means at maximum one log entry per day.
diff --git a/src/firewall/core/rich.py b/src/firewall/core/rich.py
index 21dc86a..1c93d4f 100644
--- a/src/firewall/core/rich.py
+++ b/src/firewall/core/rich.py
@@ -183,6 +183,10 @@ class Rich_Limit(object):
 if 10000 * mult / rate == 0:
 raise FirewallError(INVALID_LIMIT, "%s too fast" % self.value)
+ if rate == 1 and duration == "d":
+ # iptables (v1.4.21) doesn't accept 1/d
+ raise FirewallError(INVALID_LIMIT, "%s too slow" % self.value)
+
 def __str__(self):
 return 'limit value="%s"' % (self.value)
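Review bot: The added `1/d` guard in the `Rich_Limit` hunk of src/firewall/core/rich.py is a version-pinned workaround, but its comment names only the iptables version and not the bug it tracks or the condition for removing it, so a later maintainer cannot tell whether the rejection is still needed; I would write `# iptables (v1.4.21) rejects a limit of 1/d (RHBZ#1176813); drop this check once a fixed iptables is the minimum supported version`. The enclosing method starts outside the hunk, so I am assuming `rate` and `duration` are the already-parsed components of `self.value` at this point and that the new check deliberately runs after the "too fast" check. Note also that the sibling hunk in doc/xml/firewalld.richlanguage.xml now gives the maximum limit as "2/d" while still describing it as "at maximum one log entry per day"; the prose should say "two log entries per day" and mention that "1/d" is currently rejected, so that users reading the documentation understand why the stricter rate is refused.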