Permit when firewall stopped when using an ipset for dynamic BL

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2025-02-22 04:31:23 +01:00 · 2018-01-02 13:26:32 -08:00 · 2018-01-02 13:26:32 -08:00 · 196a56ea3c
commit 196a56ea3c
parent 2c3f121835
1 changed files with 99 additions and 94 deletions
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
@ -2575,109 +2575,114 @@ hits_command() {
    fi
 }

+#
+# Issue an error message and terminate if the firewall isn't started
+#
+require_started() {
+    if ! product_is_started; then
+	error_message "ERROR: $g_product is not started"
+	exit 2
+    fi
+}
+
 #
 # 'allow' command executor
 #
 allow_command() {

+    local allowed
+    local which
+    which='-s'
+    local range
+    range='--src-range'
+    local dynexists
+
    [ -n "$g_debugging" ] && set -x
    [ $# -eq 1 ] && missing_argument

-    if product_is_started ; then
-	local allowed
-	local which
-	which='-s'
-	local range
-	range='--src-range'
-	local dynexists
-
-	if [ -n "$g_blacklistipset" ]; then
-
-	    case ${IPSET:=ipset} in
-		*/*)
-		    if [ ! -x "$IPSET" ]; then
-			fatal_error "IPSET=$IPSET does not exist or is not executable"
-		    fi
-		    ;;
-		*)
-		    IPSET="$(mywhich $IPSET)"
-		    [ -n "$IPSET" ] || fatal_error "The ipset utility cannot be located"
-		    ;;
-	    esac
-	fi
-
-	if chain_exists dynamic; then
-	    dynexists=Yes
-	elif [ -z "$g_blacklistipset" ]; then
-	    fatal_error "Dynamic blacklisting is not enabled in the current $g_product configuration"
-	fi
-
-	[ -n "$g_nolock" ] || mutex_on
-
-	while [ $# -gt 1 ]; do
-	    shift
-
-	    allowed=''
-
-	    case $1 in
-		from)
-		    which='-s'
-		    range='--src-range'
-		    continue
-		    ;;
-		to)
-		    which='-d'
-		    range='--dst-range'
-		    continue
-		    ;;
-		*-*)
-		    if [ -n "$g_blacklistipset" ]; then
-			if qt $IPSET -D $g_blacklistipset $1; then
-			    allowed=Yes
-			fi
-		    fi
-
-		    if [ -n "$dynexists" ]; then
-			if  qt $g_tool -D dynamic -m iprange $range $1 -j reject    ||\
-			    qt $g_tool -D dynamic -m iprange $range $1 -j DROP      ||\
-			    qt $g_tool -D dynamic -m iprange $range $1 -j logdrop   ||\
-			    qt $g_tool -D dynamic -m iprange $range $1 -j logreject
-			then
-			    allowed=Yes
-			fi
-		    fi
-		    ;;
-		*)
-		    if [ -n "$g_blacklistipset" ]; then
-			if qt $IPSET -D $g_blacklistipset $1; then
-			    allowed=Yes
-			fi
-		    fi
-
-		    if [ -n "$dynexists" ]; then
-			if  qt $g_tool -D dynamic $which $1 -j reject    ||\
-			    qt $g_tool -D dynamic $which $1 -j DROP      ||\
-			    qt $g_tool -D dynamic $which $1 -j logdrop   ||\
-			    qt $g_tool -D dynamic $which $1 -j logreject
-			then
-			    allowed=Yes
-			fi
-		    fi
-		    ;;
-	    esac
-
-	    if [ -n "$allowed" ]; then
-		progress_message2 "$1 Allowed"
-	    else
-		error_message "WARNING: $1 already allowed (not dynamically blacklisted)"
-	    fi
-	done
-
-	[ -n "$g_nolock" ] || mutex_off
-    else
-	error_message "ERROR: $g_product is not started"
-	exit 2
+    if [ -n "$g_blacklistipset" ]; then
+	case ${IPSET:=ipset} in
+	    */*)
+		if [ ! -x "$IPSET" ]; then
+		    fatal_error "IPSET=$IPSET does not exist or is not executable"
+		fi
+		;;
+	    *)
+		IPSET="$(mywhich $IPSET)"
+		[ -n "$IPSET" ] || fatal_error "The ipset utility cannot be located"
+		;;
+	esac
    fi
+
+    if chain_exists dynamic; then
+	dynexists=Yes
+    elif [ -z "$g_blacklistipset" ]; then
+	require_started
+	fatal_error "Dynamic blacklisting is not enabled in the current $g_product configuration"
+    fi
+
+    [ -n "$g_nolock" ] || mutex_on
+
+    while [ $# -gt 1 ]; do
+	shift
+
+	allowed=''
+
+	case $1 in
+	    from)
+		which='-s'
+		range='--src-range'
+		continue
+		;;
+	    to)
+		which='-d'
+		range='--dst-range'
+		continue
+		;;
+	    *-*)
+		if [ -n "$g_blacklistipset" ]; then
+		    if qt $IPSET -D $g_blacklistipset $1; then
+			allowed=Yes
+		    fi
+		fi
+
+		if [ -n "$dynexists" ]; then
+		    if  qt $g_tool -D dynamic -m iprange $range $1 -j reject    ||\
+			qt $g_tool -D dynamic -m iprange $range $1 -j DROP      ||\
+			qt $g_tool -D dynamic -m iprange $range $1 -j logdrop   ||\
+			qt $g_tool -D dynamic -m iprange $range $1 -j logreject
+		    then
+			allowed=Yes
+		    fi
+		fi
+		;;
+	    *)
+		if [ -n "$g_blacklistipset" ]; then
+		    if qt $IPSET -D $g_blacklistipset $1; then
+			allowed=Yes
+		    fi
+		fi
+
+		if [ -n "$dynexists" ]; then
+		    if  qt $g_tool -D dynamic $which $1 -j reject    ||\
+		        qt $g_tool -D dynamic $which $1 -j DROP      ||\
+			qt $g_tool -D dynamic $which $1 -j logdrop   ||\
+			qt $g_tool -D dynamic $which $1 -j logreject
+		    then
+			allowed=Yes
+		    fi
+		fi
+		;;
+	esac
+
+	if [ -n "$allowed" ]; then
+	    progress_message2 "$1 Allowed"
+	else
+	    error_message "WARNING: $1 already allowed (not dynamically blacklisted)"
+	fi
+    done
+
+    [ -n "$g_nolock" ] || mutex_off
 }

 #