From 62f44939d83a429c1e414a5b950e694e61055a90 Mon Sep 17 00:00:00 2001 From: hygienic-books Date: Sat, 16 Jul 2022 02:21:14 +0200 Subject: [PATCH] docs(xml): Give detailed example on how a hitcount rule manifests in ip(6)tables --- README.md | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/README.md b/README.md index bc7a7e7..ce72150 100644 --- a/README.md +++ b/README.md 
@@ -278,6 +278,21 @@ A custom `[section]` has the following options. We're calling them locals most o Adding a `hitcount` will automatically add 2 `ip(6)tables` rules right before the actual rules. Rules follow the [iptables "recent" extension](https://ipset.netfilter.org/iptables-extensions.man.html#lbBW). The first rule does `--update`, the second one does `--set` followed by the rule you specified. + Given config section: + ``` + [anyone-may-access-mail-services] + ports = 143, 993, 110, 995, 25, 465, 587 + hitcount = 120/60 + ``` + UFS generates rules: + ``` + target prot opt in out source destination + DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 143,993,110,995,25,465,587 recent: UPDATE seconds: 60 hit_count: 120 name: anyone-may-access-mail-services side: source mask: 255.255.255.255 + tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 143,993,110,995,25,465,587 recent: SET name: anyone-may-access-mail-services side: source mask: 255.255.255.255 + ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW multiport dports 143,993,110,995,25,465,587 /* anyone-may-access-mail-services */ + ``` + Where the first `DROP` target will drop packets that have exceeded their hit count; the second `recent: SET` simply marks all matching packets to be added into the hitcount bucket and the third on is the actual `ACCEPT` rule permitting access **_if_** a source's hitcount permits it. + * `do_ipv6`, __*optional*__, defaults to `false`: Decide if you want `firewalld` to generate `ip6tables` rules in addition to `iptables` rules. A default install of Docker Engine will have its IPv6 support disabled in `/etc/docker/daemon.json`. You may still want your machine to handle incoming IPv6 traffic. If your machine truly doesn't use IPv6 feel free to leave this at `false`. Otherwise `update-firewall-source.py` generates unused rules that clutter your rule set. If this is `true` IPv6 addresses found or resolved in `addr` in a `[section]` will be discarded.
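Review bot: The worked example shows the `DROP ... recent: UPDATE` and `recent: SET` rules without a `state NEW` match while the final `ACCEPT` rule carries `state NEW`, so the hitcount bucket counts every TCP packet to those ports, including packets of already-established IMAP/POP/SMTP sessions, not connection attempts; with `hitcount = 120/60` a single legitimate mail client with a busy session can reach 120 packets in 60 seconds on its own and be dropped. The new paragraph should say plainly that hits are counted per packet per source address (`side: source mask: 255.255.255.255`), or the generator should emit the recent rules with the same `state NEW` match as the `ACCEPT` rule so that only new connections are counted. Two wording points in the same paragraph: the recent match fires when the count has reached the threshold (the extension's `--hitcount` matches on greater than or equal), so "packets that have exceeded their hit count" is better as "packets from a source that has reached its hit count", and "the third on is the actual `ACCEPT` rule" has a typo for "the third one". It would also help readers to mention that the empty target column on the second rule is expected, since the `--set` rule only records the source and has no jump target.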