From 196a56ea3c975acf38a870a15bc64628a9611923 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Tue, 2 Jan 2018 13:26:32 -0800
Subject: [PATCH] Permit when firewall stopped when using an ipset for dynamic BL
Signed-off-by: Tom Eastep
---
 Shorewall-core/lib.cli | 193 +++++++++++++++++++++-------------------
 1 file changed, 99 insertions(+), 94 deletions(-)
diff --git a/Shorewall-core/lib.cli b/Shorewall-core/lib.cli
index 0fc652328..b1f658ba8 100644
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
@@ -2575,109 +2575,114 @@ hits_command() {
 fi
 }
 
+#
+# Issue an error message and terminate if the firewall isn't started
+#
+require_started() {
+ if ! product_is_started; then
+ error_message "ERROR: $g_product is not started"
+ exit 2
+ fi
+}
+
 #
 # 'allow' command executor
 #
 allow_command() {
+ local allowed
+ local which
+ which='-s'
+ local range
+ range='--src-range'
+ local dynexists
+
 [ -n "$g_debugging" ] && set -x
 [ $# -eq 1 ] && missing_argument
 
- if product_is_started ; then
- local allowed
- local which
- which='-s'
- local range
- range='--src-range'
- local dynexists
-
- if [ -n "$g_blacklistipset" ]; then
-
- case ${IPSET:=ipset} in
- */*)
- if [ ! -x "$IPSET" ]; then
- fatal_error "IPSET=$IPSET does not exist or is not executable"
- fi
- ;;
- *)
- IPSET="$(mywhich $IPSET)"
- [ -n "$IPSET" ] || fatal_error "The ipset utility cannot be located"
- ;;
- esac
- fi
-
- if chain_exists dynamic; then
- dynexists=Yes
- elif [ -z "$g_blacklistipset" ]; then
- fatal_error "Dynamic blacklisting is not enabled in the current $g_product configuration"
- fi
-
- [ -n "$g_nolock" ] || mutex_on
-
- while [ $# -gt 1 ]; do
- shift
-
- allowed=''
-
- case $1 in
- from)
- which='-s'
- range='--src-range'
- continue
- ;;
- to)
- which='-d'
- range='--dst-range'
- continue
- ;;
- *-*)
- if [ -n "$g_blacklistipset" ]; then
- if qt $IPSET -D $g_blacklistipset $1; then
- allowed=Yes
- fi
- fi
-
- if [ -n "$dynexists" ]; then
- if qt $g_tool -D dynamic -m iprange $range $1 -j reject ||\
- qt $g_tool -D dynamic -m iprange $range $1 -j DROP ||\
- qt $g_tool -D dynamic -m iprange $range $1 -j logdrop ||\
- qt $g_tool -D dynamic -m iprange $range $1 -j logreject
- then
- allowed=Yes
- fi
- fi
- ;;
- *)
- if [ -n "$g_blacklistipset" ]; then
- if qt $IPSET -D $g_blacklistipset $1; then
- allowed=Yes
- fi
- fi
-
- if [ -n "$dynexists" ]; then
- if qt $g_tool -D dynamic $which $1 -j reject ||\
- qt $g_tool -D dynamic $which $1 -j DROP ||\
- qt $g_tool -D dynamic $which $1 -j logdrop ||\
- qt $g_tool -D dynamic $which $1 -j logreject
- then
- allowed=Yes
- fi
- fi
- ;;
- esac
-
- if [ -n "$allowed" ]; then
- progress_message2 "$1 Allowed"
- else
- error_message "WARNING: $1 already allowed (not dynamically blacklisted)"
- fi
- done
-
- [ -n "$g_nolock" ] || mutex_off
- else
- error_message "ERROR: $g_product is not started"
- exit 2
+ if [ -n "$g_blacklistipset" ]; then
+ case ${IPSET:=ipset} in
+ */*)
+ if [ ! -x "$IPSET" ]; then
+ fatal_error "IPSET=$IPSET does not exist or is not executable"
+ fi
+ ;;
+ *)
+ IPSET="$(mywhich $IPSET)"
+ [ -n "$IPSET" ] || fatal_error "The ipset utility cannot be located"
+ ;;
+ esac
 fi
+
+ if chain_exists dynamic; then
+ dynexists=Yes
+ elif [ -z "$g_blacklistipset" ]; then
+ require_started
+ fatal_error "Dynamic blacklisting is not enabled in the current $g_product configuration"
+ fi
+
+ [ -n "$g_nolock" ] || mutex_on
+
+ while [ $# -gt 1 ]; do
+ shift
+
+ allowed=''
+
+ case $1 in
+ from)
+ which='-s'
+ range='--src-range'
+ continue
+ ;;
+ to)
+ which='-d'
+ range='--dst-range'
+ continue
+ ;;
+ *-*)
+ if [ -n "$g_blacklistipset" ]; then
+ if qt $IPSET -D $g_blacklistipset $1; then
+ allowed=Yes
+ fi
+ fi
+
+ if [ -n "$dynexists" ]; then
+ if qt $g_tool -D dynamic -m iprange $range $1 -j reject ||\
+ qt $g_tool -D dynamic -m iprange $range $1 -j DROP ||\
+ qt $g_tool -D dynamic -m iprange $range $1 -j logdrop ||\
+ qt $g_tool -D dynamic -m iprange $range $1 -j logreject
+ then
+ allowed=Yes
+ fi
+ fi
+ ;;
+ *)
+ if [ -n "$g_blacklistipset" ]; then
+ if qt $IPSET -D $g_blacklistipset $1; then
+ allowed=Yes
+ fi
+ fi
+
+ if [ -n "$dynexists" ]; then
+ if qt $g_tool -D dynamic $which $1 -j reject ||\
+ qt $g_tool -D dynamic $which $1 -j DROP ||\
+ qt $g_tool -D dynamic $which $1 -j logdrop ||\
+ qt $g_tool -D dynamic $which $1 -j logreject
+ then
+ allowed=Yes
+ fi
+ fi
+ ;;
+ esac
+
+ if [ -n "$allowed" ]; then
+ progress_message2 "$1 Allowed"
+ else
+ error_message "WARNING: $1 already allowed (not dynamically blacklisted)"
+ fi
+ done
+
+ [ -n "$g_nolock" ] || mutex_off
 }
 
 #
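Review bot: Now that allow_command runs while the firewall is stopped, `qt $IPSET -D $g_blacklistipset $1` in both the `*-*)` and `*)` arms folds every ipset failure — set missing (e.g. destroyed on stop), kernel module absent, permission denied — into `WARNING: $1 already allowed (not dynamically blacklisted)`, so the operator is told the address is not blacklisted when it may still be. Consider verifying the set once before the loop, e.g. `[ -z "$g_blacklistipset" ] || qt $IPSET -L $g_blacklistipset || fatal_error "ipset $g_blacklistipset does not exist"`, so a real removal failure is not reported as "already allowed". `require_started` is only reached from the `elif [ -z "$g_blacklistipset" ]` branch, which is presumably the intent; a one-line comment above `if chain_exists dynamic; then` saying that ipset-only removal is permitted while stopped would make that explicit. `$1` is also passed unquoted to `$IPSET` and `$g_tool`; quoting it as `"$1"` keeps a whitespace-containing argument from being split into extra command arguments.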