authorKaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>2021-06-19 22:10:38 +0300
committerKaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>2021-06-19 22:13:48 +0300
commit047b26affae68346ef7099e21b6907e78fbd60ba (patch)
tree05e48ba930f3d283fa7946e773bf75353df37783
parent7a97c0a67132ecec496a9f1c161321f0bc519fd1 (diff)
test: dnat: conn-limit (tag: v1.10.0)
-rw-r--r--test/optional/filter-dnat.json6
-rw-r--r--test/output/filter-dnat/dump267
-rw-r--r--test/output/filter-dnat/rules-save9
-rw-r--r--test/output/filter-dnat/rules6-save8
4 files changed, 173 insertions, 117 deletions
diff --git a/test/optional/filter-dnat.json b/test/optional/filter-dnat.json
index caf2d00..a26cee3 100644
--- a/test/optional/filter-dnat.json
+++ b/test/optional/filter-dnat.json
@@ -16,6 +16,12 @@
"in": "A",
"service": "ssh",
"dnat": { "addr": "10.0.0.3", "port": "8022-8033" }
+ },
+ {
+ "in": "A",
+ "service": "https",
+ "dnat": "10.0.0.4",
+ "conn-limit": 2
}
]
}
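Review bot: The new entry exercises only the scalar form of `conn-limit` (`"conn-limit": 2`), so the expected output in test/output/filter-dnat/dump fixes the window at the generator's default (`--seconds 1`) without any input line saying so. If the schema also accepts an object form with an explicit interval, a second entry along the lines of `"conn-limit": { "count": 2, "interval": 10 }` (constructed example; confirm the attribute names against the schema) would additionally pin how `--seconds` is emitted. The enclosing filter array and top-level object begin before this hunk.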
diff --git a/test/output/filter-dnat/dump b/test/output/filter-dnat/dump
index 54b5da8..a146fc5 100644
--- a/test/output/filter-dnat/dump
+++ b/test/output/filter-dnat/dump
@@ -12,123 +12,139 @@ Dnat 2 {"in":"B"}
inet/nat/PREROUTING -i eth1 -s 10.0.0.0/12 -j REDIRECT
-Filter 1 {"dest":"192.168.0.1","dnat":"10.0.0.1","in":"A","service":"smtp"}
-(filter-dnat)
- inet/filter/FORWARD -i eth0 -p tcp --dport 25 -d 10.0.0.1 -m conntrack --ctstate DNAT -j ACCEPT
- inet/filter/INPUT -i eth0 -p tcp --dport 25 -d 10.0.0.1 -m conntrack --ctstate DNAT -j ACCEPT
- inet/nat/PREROUTING -i eth0 -p tcp --dport 25 -d 192.168.0.1 -j DNAT --to-destination 10.0.0.1
-
-Filter 2 {"dest":"192.168.0.2","dnat":{"addr":"10.0.0.2","port":8080},"in":"A","service":"http"}
-(filter-dnat)
- inet/filter/FORWARD -i eth0 -p tcp --dport 8080 -d 10.0.0.2 -m conntrack --ctstate DNAT -j ACCEPT
- inet/filter/INPUT -i eth0 -p tcp --dport 8080 -d 10.0.0.2 -m conntrack --ctstate DNAT -j ACCEPT
- inet/nat/PREROUTING -i eth0 -p tcp --dport 80 -d 192.168.0.2 -j DNAT --to-destination 10.0.0.2:8080
-
-Filter 3 {"dnat":{"addr":"10.0.0.3","port":"8022-8033"},"in":"A","service":"ssh"}
-(filter-dnat)
- inet/filter/FORWARD -i eth0 -p tcp --dport 8022:8033 -d 10.0.0.3 -m conntrack --ctstate DNAT -j ACCEPT
- inet/filter/INPUT -i eth0 -p tcp --dport 8022:8033 -d 10.0.0.3 -m conntrack --ctstate DNAT -j ACCEPT
- inet/nat/PREROUTING -i eth0 -p tcp --dport 22 -j DNAT --to-destination 10.0.0.3:8022-8033
- inet6/filter/FORWARD -i eth0 -p tcp --dport 22 -j ACCEPT
- inet6/filter/INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
-
-Filter 4 {"action":"pass","in":"_fw","log":"ulog"}
-(log)
- inet/filter/OUTPUT -m limit --limit 12/minute -j ULOG
-
-Filter 5 {"in":["_fw","A"]}
-(zone)
- inet/filter/FORWARD -i eth0 -j ACCEPT
- inet/filter/INPUT -i eth0 -j ACCEPT
- inet/filter/OUTPUT -j ACCEPT
- inet6/filter/FORWARD -i eth0 -j ACCEPT
- inet6/filter/INPUT -i eth0 -j ACCEPT
- inet6/filter/OUTPUT -j ACCEPT
-
-Filter 6 {"in":"B","out":"C"}
-(zone)
- inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
-
-Filter 7 {"out":["_fw","B"]}
-(zone)
- inet/filter/FORWARD -o eth1 -d 10.0.0.0/12 -j ACCEPT
- inet/filter/INPUT -j ACCEPT
- inet/filter/OUTPUT -o eth1 -d 10.0.0.0/12 -j ACCEPT
- inet6/filter/FORWARD -o eth1 -d fc00::/7 -j ACCEPT
- inet6/filter/INPUT -j ACCEPT
- inet6/filter/OUTPUT -o eth1 -d fc00::/7 -j ACCEPT
-
-Filter 8 {"in":["A","B","C","D","E"],"out":["A","B","C","D","E"]}
-(zone)
- inet/filter/FORWARD -i eth0 -o eth1 -d 10.0.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth0 -o eth2 -d 10.1.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth0 -o eth3 -d 10.1.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth0 -o eth4 -j ACCEPT
- inet/filter/FORWARD -i eth0 -o eth5 -j ACCEPT
- inet/filter/FORWARD -i eth0 -m policy --dir out --pol ipsec -j ACCEPT
- inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth0 -j ACCEPT
- inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth4 -j ACCEPT
- inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth5 -j ACCEPT
- inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT
- inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth0 -j ACCEPT
- inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth0 -j ACCEPT
- inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth4 -j ACCEPT
- inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth5 -j ACCEPT
- inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth4 -j ACCEPT
- inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth5 -j ACCEPT
- inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT
- inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT
- inet/filter/FORWARD -i eth4 -o eth0 -j ACCEPT
- inet/filter/FORWARD -i eth5 -o eth0 -j ACCEPT
- inet/filter/FORWARD -i eth4 -o eth1 -d 10.0.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth5 -o eth1 -d 10.0.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth4 -o eth2 -d 10.1.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth4 -o eth3 -d 10.1.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth5 -o eth2 -d 10.1.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth5 -o eth3 -d 10.1.0.0/12 -j ACCEPT
- inet/filter/FORWARD -i eth4 -o eth4 -j ACCEPT
- inet/filter/FORWARD -i eth4 -o eth5 -j ACCEPT
- inet/filter/FORWARD -i eth5 -o eth4 -j ACCEPT
- inet/filter/FORWARD -i eth5 -o eth5 -j ACCEPT
- inet/filter/FORWARD -i eth4 -m policy --dir out --pol ipsec -j ACCEPT
- inet/filter/FORWARD -i eth5 -m policy --dir out --pol ipsec -j ACCEPT
- inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth0 -j ACCEPT
- inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth1 -d 10.0.0.0/12 -j ACCEPT
- inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth2 -d 10.1.0.0/12 -j ACCEPT
- inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth3 -d 10.1.0.0/12 -j ACCEPT
- inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth4 -j ACCEPT
- inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT
- inet/filter/FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
- inet6/filter/FORWARD -i eth0 -o eth1 -d fc00::/7 -j ACCEPT
- inet6/filter/FORWARD -i eth0 -o eth4 -j ACCEPT
- inet6/filter/FORWARD -i eth0 -o eth5 -j ACCEPT
- inet6/filter/FORWARD -i eth0 -m policy --dir out --pol ipsec -j ACCEPT
- inet6/filter/FORWARD -i eth1 -s fc00::/7 -o eth0 -j ACCEPT
- inet6/filter/FORWARD -i eth1 -s fc00::/7 -o eth4 -j ACCEPT
- inet6/filter/FORWARD -i eth1 -s fc00::/7 -o eth5 -j ACCEPT
- inet6/filter/FORWARD -i eth1 -s fc00::/7 -m policy --dir out --pol ipsec -j ACCEPT
- inet6/filter/FORWARD -i eth4 -o eth0 -j ACCEPT
- inet6/filter/FORWARD -i eth5 -o eth0 -j ACCEPT
- inet6/filter/FORWARD -i eth4 -o eth1 -d fc00::/7 -j ACCEPT
- inet6/filter/FORWARD -i eth5 -o eth1 -d fc00::/7 -j ACCEPT
- inet6/filter/FORWARD -i eth4 -o eth4 -j ACCEPT
- inet6/filter/FORWARD -i eth4 -o eth5 -j ACCEPT
- inet6/filter/FORWARD -i eth5 -o eth4 -j ACCEPT
- inet6/filter/FORWARD -i eth5 -o eth5 -j ACCEPT
- inet6/filter/FORWARD -i eth4 -m policy --dir out --pol ipsec -j ACCEPT
- inet6/filter/FORWARD -i eth5 -m policy --dir out --pol ipsec -j ACCEPT
- inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth0 -j ACCEPT
- inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth1 -d fc00::/7 -j ACCEPT
- inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth4 -j ACCEPT
- inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT
- inet6/filter/FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
+Filter 1 {"dest":"192.168.0.1","dnat":"10.0.0.1","in":"A","service":"smtp"}
+(filter-dnat)
+ inet/filter/FORWARD -i eth0 -p tcp --dport 25 -d 10.0.0.1 -m conntrack --ctstate DNAT -j ACCEPT
+ inet/filter/INPUT -i eth0 -p tcp --dport 25 -d 10.0.0.1 -m conntrack --ctstate DNAT -j ACCEPT
+ inet/nat/PREROUTING -i eth0 -p tcp --dport 25 -d 192.168.0.1 -j DNAT --to-destination 10.0.0.1
+
+Filter 2 {"dest":"192.168.0.2","dnat":{"addr":"10.0.0.2","port":8080},"in":"A","service":"http"}
+(filter-dnat)
+ inet/filter/FORWARD -i eth0 -p tcp --dport 8080 -d 10.0.0.2 -m conntrack --ctstate DNAT -j ACCEPT
+ inet/filter/INPUT -i eth0 -p tcp --dport 8080 -d 10.0.0.2 -m conntrack --ctstate DNAT -j ACCEPT
+ inet/nat/PREROUTING -i eth0 -p tcp --dport 80 -d 192.168.0.2 -j DNAT --to-destination 10.0.0.2:8080
+
+Filter 3 {"dnat":{"addr":"10.0.0.3","port":"8022-8033"},"in":"A","service":"ssh"}
+(filter-dnat)
+ inet/filter/FORWARD -i eth0 -p tcp --dport 8022:8033 -d 10.0.0.3 -m conntrack --ctstate DNAT -j ACCEPT
+ inet/filter/INPUT -i eth0 -p tcp --dport 8022:8033 -d 10.0.0.3 -m conntrack --ctstate DNAT -j ACCEPT
+ inet/nat/PREROUTING -i eth0 -p tcp --dport 22 -j DNAT --to-destination 10.0.0.3:8022-8033
+ inet6/filter/FORWARD -i eth0 -p tcp --dport 22 -j ACCEPT
+ inet6/filter/INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
+
+Filter 4 {"conn-limit":2,"dnat":"10.0.0.4","in":"A","service":"https"}
+(filter-dnat)
+ inet/filter/FORWARD -i eth0 -p tcp --dport 443 -d 10.0.0.4 -m conntrack --ctstate DNAT -j limit-https-0
+ inet/filter/INPUT -i eth0 -p tcp --dport 443 -d 10.0.0.4 -m conntrack --ctstate DNAT -j limit-https-0
+ inet/filter/limit-https-0 -m recent --name limit-https-0 --rsource --mask 255.255.255.255 --update --hitcount 2 --seconds 1 -j logdrop-https-0
+ inet/filter/limit-https-0 -m recent --name limit-https-0 --rsource --mask 255.255.255.255 --set -j ACCEPT
+ inet/filter/logdrop-https-0 -m limit --limit 1/second -j LOG
+ inet/filter/logdrop-https-0 -j DROP
+ inet/nat/PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to-destination 10.0.0.4
+ inet6/filter/FORWARD -i eth0 -p tcp --dport 443 -j limit-https-0
+ inet6/filter/INPUT -i eth0 -p tcp --dport 443 -j limit-https-0
+ inet6/filter/limit-https-0 -m recent --name limit-https-0 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 2 --seconds 1 -j logdrop-https-0
+ inet6/filter/limit-https-0 -m recent --name limit-https-0 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -j ACCEPT
+ inet6/filter/logdrop-https-0 -m limit --limit 1/second -j LOG
+ inet6/filter/logdrop-https-0 -j DROP
+
+Filter 5 {"action":"pass","in":"_fw","log":"ulog"}
+(log)
+ inet/filter/OUTPUT -m limit --limit 12/minute -j ULOG
+
+Filter 6 {"in":["_fw","A"]}
+(zone)
+ inet/filter/FORWARD -i eth0 -j ACCEPT
+ inet/filter/INPUT -i eth0 -j ACCEPT
+ inet/filter/OUTPUT -j ACCEPT
+ inet6/filter/FORWARD -i eth0 -j ACCEPT
+ inet6/filter/INPUT -i eth0 -j ACCEPT
+ inet6/filter/OUTPUT -j ACCEPT
+
+Filter 7 {"in":"B","out":"C"}
+(zone)
+ inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
+
+Filter 8 {"out":["_fw","B"]}
+(zone)
+ inet/filter/FORWARD -o eth1 -d 10.0.0.0/12 -j ACCEPT
+ inet/filter/INPUT -j ACCEPT
+ inet/filter/OUTPUT -o eth1 -d 10.0.0.0/12 -j ACCEPT
+ inet6/filter/FORWARD -o eth1 -d fc00::/7 -j ACCEPT
+ inet6/filter/INPUT -j ACCEPT
+ inet6/filter/OUTPUT -o eth1 -d fc00::/7 -j ACCEPT
+
+Filter 9 {"in":["A","B","C","D","E"],"out":["A","B","C","D","E"]}
+(zone)
+ inet/filter/FORWARD -i eth0 -o eth1 -d 10.0.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth0 -o eth2 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth0 -o eth3 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth0 -o eth4 -j ACCEPT
+ inet/filter/FORWARD -i eth0 -o eth5 -j ACCEPT
+ inet/filter/FORWARD -i eth0 -m policy --dir out --pol ipsec -j ACCEPT
+ inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth0 -j ACCEPT
+ inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth4 -j ACCEPT
+ inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth5 -j ACCEPT
+ inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT
+ inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth0 -j ACCEPT
+ inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth0 -j ACCEPT
+ inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth4 -j ACCEPT
+ inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth5 -j ACCEPT
+ inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth4 -j ACCEPT
+ inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth5 -j ACCEPT
+ inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT
+ inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT
+ inet/filter/FORWARD -i eth4 -o eth0 -j ACCEPT
+ inet/filter/FORWARD -i eth5 -o eth0 -j ACCEPT
+ inet/filter/FORWARD -i eth4 -o eth1 -d 10.0.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth5 -o eth1 -d 10.0.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth4 -o eth2 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth4 -o eth3 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth5 -o eth2 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth5 -o eth3 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth4 -o eth4 -j ACCEPT
+ inet/filter/FORWARD -i eth4 -o eth5 -j ACCEPT
+ inet/filter/FORWARD -i eth5 -o eth4 -j ACCEPT
+ inet/filter/FORWARD -i eth5 -o eth5 -j ACCEPT
+ inet/filter/FORWARD -i eth4 -m policy --dir out --pol ipsec -j ACCEPT
+ inet/filter/FORWARD -i eth5 -m policy --dir out --pol ipsec -j ACCEPT
+ inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth0 -j ACCEPT
+ inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth1 -d 10.0.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth2 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth3 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth4 -j ACCEPT
+ inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT
+ inet/filter/FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
+ inet6/filter/FORWARD -i eth0 -o eth1 -d fc00::/7 -j ACCEPT
+ inet6/filter/FORWARD -i eth0 -o eth4 -j ACCEPT
+ inet6/filter/FORWARD -i eth0 -o eth5 -j ACCEPT
+ inet6/filter/FORWARD -i eth0 -m policy --dir out --pol ipsec -j ACCEPT
+ inet6/filter/FORWARD -i eth1 -s fc00::/7 -o eth0 -j ACCEPT
+ inet6/filter/FORWARD -i eth1 -s fc00::/7 -o eth4 -j ACCEPT
+ inet6/filter/FORWARD -i eth1 -s fc00::/7 -o eth5 -j ACCEPT
+ inet6/filter/FORWARD -i eth1 -s fc00::/7 -m policy --dir out --pol ipsec -j ACCEPT
+ inet6/filter/FORWARD -i eth4 -o eth0 -j ACCEPT
+ inet6/filter/FORWARD -i eth5 -o eth0 -j ACCEPT
+ inet6/filter/FORWARD -i eth4 -o eth1 -d fc00::/7 -j ACCEPT
+ inet6/filter/FORWARD -i eth5 -o eth1 -d fc00::/7 -j ACCEPT
+ inet6/filter/FORWARD -i eth4 -o eth4 -j ACCEPT
+ inet6/filter/FORWARD -i eth4 -o eth5 -j ACCEPT
+ inet6/filter/FORWARD -i eth5 -o eth4 -j ACCEPT
+ inet6/filter/FORWARD -i eth5 -o eth5 -j ACCEPT
+ inet6/filter/FORWARD -i eth4 -m policy --dir out --pol ipsec -j ACCEPT
+ inet6/filter/FORWARD -i eth5 -m policy --dir out --pol ipsec -j ACCEPT
+ inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth0 -j ACCEPT
+ inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth1 -d fc00::/7 -j ACCEPT
+ inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth4 -j ACCEPT
+ inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT
+ inet6/filter/FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
Ipset awall-masquerade {"family":"inet","type":"hash:net"}
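Review bot: The generated `logdrop-https-0` chain logs with `-m limit --limit 1/second -j LOG` and no `--log-prefix`, so connection-limit drops land in the kernel log indistinguishable from any other LOG rule and cannot be filtered or alerted on by prefix. Whether awall exposes a prefix option for conn-limit is not visible in this commit; if it does, the test input should set it so the expected output covers it, and if it does not, that is a generator gap worth a follow-up rather than an edit to this expected output. The same LOG lines recur in the rules-save and rules6-save hunks of this commit (the `-A logdrop-https-0 ... -j LOG` lines there). Separately, the IPv6 `recent` mask is the full /128 (`--mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff`), so each source address is tracked on its own; it is worth confirming that this, rather than a coarser prefix, is the intended default before it is frozen into the expected output.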
@@ -471,11 +487,14 @@ hash:net family inet
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
:icmp-routing - [0:0]
+:limit-https-0 - [0:0]
+:logdrop-https-0 - [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A FORWARD -p icmp -m conntrack --ctstate RELATED -j icmp-routing
-A FORWARD -i eth0 -p tcp --dport 25 -d 10.0.0.1 -m conntrack --ctstate DNAT -j ACCEPT
-A FORWARD -i eth0 -p tcp --dport 8080 -d 10.0.0.2 -m conntrack --ctstate DNAT -j ACCEPT
-A FORWARD -i eth0 -p tcp --dport 8022:8033 -d 10.0.0.3 -m conntrack --ctstate DNAT -j ACCEPT
+-A FORWARD -i eth0 -p tcp --dport 443 -d 10.0.0.4 -m conntrack --ctstate DNAT -j limit-https-0
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
@@ -537,6 +556,7 @@ hash:net family inet
-A INPUT -i eth0 -p tcp --dport 25 -d 10.0.0.1 -m conntrack --ctstate DNAT -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 8080 -d 10.0.0.2 -m conntrack --ctstate DNAT -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 8022:8033 -d 10.0.0.3 -m conntrack --ctstate DNAT -j ACCEPT
+-A INPUT -i eth0 -p tcp --dport 443 -d 10.0.0.4 -m conntrack --ctstate DNAT -j limit-https-0
-A INPUT -i eth0 -j ACCEPT
-A INPUT -j ACCEPT
-A INPUT -p icmp -j icmp-routing
@@ -550,6 +570,10 @@ hash:net family inet
-A icmp-routing -p icmp --icmp-type 3 -j ACCEPT
-A icmp-routing -p icmp --icmp-type 11 -j ACCEPT
-A icmp-routing -p icmp --icmp-type 12 -j ACCEPT
+-A limit-https-0 -m recent --name limit-https-0 --rsource --mask 255.255.255.255 --update --hitcount 2 --seconds 1 -j logdrop-https-0
+-A limit-https-0 -m recent --name limit-https-0 --rsource --mask 255.255.255.255 --set -j ACCEPT
+-A logdrop-https-0 -m limit --limit 1/second -j LOG
+-A logdrop-https-0 -j DROP
COMMIT
*mangle
:FORWARD ACCEPT [0:0]
@@ -578,6 +602,7 @@ COMMIT
-A PREROUTING -i eth0 -p tcp --dport 25 -d 192.168.0.1 -j DNAT --to-destination 10.0.0.1
-A PREROUTING -i eth0 -p tcp --dport 80 -d 192.168.0.2 -j DNAT --to-destination 10.0.0.2:8080
-A PREROUTING -i eth0 -p tcp --dport 22 -j DNAT --to-destination 10.0.0.3:8022-8033
+-A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to-destination 10.0.0.4
-A PREROUTING -i eth0 -j REDIRECT
-A PREROUTING -i eth1 -s 10.0.0.0/12 -j REDIRECT
-A masquerade -m set ! --match-set awall-masquerade dst -j MASQUERADE
@@ -597,9 +622,12 @@ COMMIT
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
:icmp-routing - [0:0]
+:limit-https-0 - [0:0]
+:logdrop-https-0 - [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A FORWARD -p icmpv6 -m conntrack --ctstate RELATED -j icmp-routing
-A FORWARD -i eth0 -p tcp --dport 22 -j ACCEPT
+-A FORWARD -i eth0 -p tcp --dport 443 -j limit-https-0
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -o eth1 -d fc00::/7 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -d fc00::/7 -j ACCEPT
@@ -633,6 +661,7 @@ COMMIT
-A INPUT -p icmpv6 -m conntrack --ctstate RELATED -j icmp-routing
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
+-A INPUT -i eth0 -p tcp --dport 443 -j limit-https-0
-A INPUT -i eth0 -j ACCEPT
-A INPUT -j ACCEPT
-A INPUT -p icmpv6 -j ACCEPT
@@ -646,6 +675,10 @@ COMMIT
-A icmp-routing -p icmpv6 --icmpv6-type 2 -j ACCEPT
-A icmp-routing -p icmpv6 --icmpv6-type 3 -j ACCEPT
-A icmp-routing -p icmpv6 --icmpv6-type 4 -j ACCEPT
+-A limit-https-0 -m recent --name limit-https-0 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 2 --seconds 1 -j logdrop-https-0
+-A limit-https-0 -m recent --name limit-https-0 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -j ACCEPT
+-A logdrop-https-0 -m limit --limit 1/second -j LOG
+-A logdrop-https-0 -j DROP
COMMIT
*mangle
:INPUT ACCEPT [0:0]
diff --git a/test/output/filter-dnat/rules-save b/test/output/filter-dnat/rules-save
index 3fa869f..89c48d6 100644
--- a/test/output/filter-dnat/rules-save
+++ b/test/output/filter-dnat/rules-save
@@ -4,11 +4,14 @@
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
:icmp-routing - [0:0]
+:limit-https-0 - [0:0]
+:logdrop-https-0 - [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A FORWARD -p icmp -m conntrack --ctstate RELATED -j icmp-routing
-A FORWARD -i eth0 -p tcp --dport 25 -d 10.0.0.1 -m conntrack --ctstate DNAT -j ACCEPT
-A FORWARD -i eth0 -p tcp --dport 8080 -d 10.0.0.2 -m conntrack --ctstate DNAT -j ACCEPT
-A FORWARD -i eth0 -p tcp --dport 8022:8033 -d 10.0.0.3 -m conntrack --ctstate DNAT -j ACCEPT
+-A FORWARD -i eth0 -p tcp --dport 443 -d 10.0.0.4 -m conntrack --ctstate DNAT -j limit-https-0
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
@@ -70,6 +73,7 @@
-A INPUT -i eth0 -p tcp --dport 25 -d 10.0.0.1 -m conntrack --ctstate DNAT -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 8080 -d 10.0.0.2 -m conntrack --ctstate DNAT -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 8022:8033 -d 10.0.0.3 -m conntrack --ctstate DNAT -j ACCEPT
+-A INPUT -i eth0 -p tcp --dport 443 -d 10.0.0.4 -m conntrack --ctstate DNAT -j limit-https-0
-A INPUT -i eth0 -j ACCEPT
-A INPUT -j ACCEPT
-A INPUT -p icmp -j icmp-routing
@@ -83,6 +87,10 @@
-A icmp-routing -p icmp --icmp-type 3 -j ACCEPT
-A icmp-routing -p icmp --icmp-type 11 -j ACCEPT
-A icmp-routing -p icmp --icmp-type 12 -j ACCEPT
+-A limit-https-0 -m recent --name limit-https-0 --rsource --mask 255.255.255.255 --update --hitcount 2 --seconds 1 -j logdrop-https-0
+-A limit-https-0 -m recent --name limit-https-0 --rsource --mask 255.255.255.255 --set -j ACCEPT
+-A logdrop-https-0 -m limit --limit 1/second -j LOG
+-A logdrop-https-0 -j DROP
COMMIT
*mangle
:FORWARD ACCEPT [0:0]
@@ -111,6 +119,7 @@ COMMIT
-A PREROUTING -i eth0 -p tcp --dport 25 -d 192.168.0.1 -j DNAT --to-destination 10.0.0.1
-A PREROUTING -i eth0 -p tcp --dport 80 -d 192.168.0.2 -j DNAT --to-destination 10.0.0.2:8080
-A PREROUTING -i eth0 -p tcp --dport 22 -j DNAT --to-destination 10.0.0.3:8022-8033
+-A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to-destination 10.0.0.4
-A PREROUTING -i eth0 -j REDIRECT
-A PREROUTING -i eth1 -s 10.0.0.0/12 -j REDIRECT
-A masquerade -m set ! --match-set awall-masquerade dst -j MASQUERADE
diff --git a/test/output/filter-dnat/rules6-save b/test/output/filter-dnat/rules6-save
index 9fd959f..e3bde43 100644
--- a/test/output/filter-dnat/rules6-save
+++ b/test/output/filter-dnat/rules6-save
@@ -4,9 +4,12 @@
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
:icmp-routing - [0:0]
+:limit-https-0 - [0:0]
+:logdrop-https-0 - [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A FORWARD -p icmpv6 -m conntrack --ctstate RELATED -j icmp-routing
-A FORWARD -i eth0 -p tcp --dport 22 -j ACCEPT
+-A FORWARD -i eth0 -p tcp --dport 443 -j limit-https-0
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -o eth1 -d fc00::/7 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -d fc00::/7 -j ACCEPT
@@ -40,6 +43,7 @@
-A INPUT -p icmpv6 -m conntrack --ctstate RELATED -j icmp-routing
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
+-A INPUT -i eth0 -p tcp --dport 443 -j limit-https-0
-A INPUT -i eth0 -j ACCEPT
-A INPUT -j ACCEPT
-A INPUT -p icmpv6 -j ACCEPT
@@ -53,6 +57,10 @@
-A icmp-routing -p icmpv6 --icmpv6-type 2 -j ACCEPT
-A icmp-routing -p icmpv6 --icmpv6-type 3 -j ACCEPT
-A icmp-routing -p icmpv6 --icmpv6-type 4 -j ACCEPT
+-A limit-https-0 -m recent --name limit-https-0 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --update --hitcount 2 --seconds 1 -j logdrop-https-0
+-A limit-https-0 -m recent --name limit-https-0 --rsource --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -j ACCEPT
+-A logdrop-https-0 -m limit --limit 1/second -j LOG
+-A logdrop-https-0 -j DROP
COMMIT
*mangle
:INPUT ACCEPT [0:0]