mirror of
https://gitlab.com/shorewall/code.git
synced 2025-05-31 15:05:39 +02:00
Make ADD and DELETE work with any type of ipset.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
parent
c9423491f2
commit
1de257be19
@ -179,9 +179,27 @@ sub find_macro( $ )
|
|||||||
#
|
#
|
||||||
sub split_action ( $ ) {
|
sub split_action ( $ ) {
|
||||||
my $action = $_[0];
|
my $action = $_[0];
|
||||||
|
|
||||||
|
my $target = '';
|
||||||
|
my $max = 3;
|
||||||
|
#
|
||||||
|
# The following rather grim RE, when matched, breaks the action into two parts:
|
||||||
|
#
|
||||||
|
# basicaction(param)
|
||||||
|
# logging part (may be empty)
|
||||||
|
#
|
||||||
|
# The param may contain one or more ':' characters
|
||||||
|
#
|
||||||
|
if ( $action =~ /^([^(:]+\(.*?\))(:(.*))$/ ) {
|
||||||
|
$target = $1;
|
||||||
|
$action = $2 ? $3 : '';
|
||||||
|
$max = 2;
|
||||||
|
}
|
||||||
|
|
||||||
my @a = split( /:/ , $action, 4 );
|
my @a = split( /:/ , $action, 4 );
|
||||||
fatal_error "Invalid ACTION ($action)" if ( $action =~ /::/ ) || ( @a > 3 );
|
fatal_error "Invalid ACTION ($action)" if ( $action =~ /::/ ) || ( @a > $max );
|
||||||
( shift @a, join ":", @a );
|
$target = shift @a unless $target;
|
||||||
|
( $target, join ":", @a );
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
|
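Review bot: The parenthesised-action branch at `if ( $action =~ /^([^(:]+\(.*?\))(:(.*))$/ )` only matches when a ':' follows the closing parenthesis, so an action such as the manpage's new example `ADD(S:dst,src,dst)` with no logging part falls through to `split( /:/ , $action, 4 )` and is cut inside the parentheses, yielding a target of `ADD(S` and a bogus log level of `dst,src,dst)`. Unless every caller appends a ':' (not visible here), the group should be optional: `if ( $action =~ /^([^(:]+\(.*?\))(:(.*))?$/ ) {`. With that change the `$2 ? $3 : ''` ternary on the next line, which is currently dead because `$2` is never empty once the match succeeds, does the job it was evidently written for. A short comment above `$max = 2;` explaining why the field limit drops once the target has been captured (presumably only level:tag may remain) would also help the next reader.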
@ -1083,14 +1083,13 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
|
|||||||
} elsif ( $actiontype & LOGRULE ) {
|
} elsif ( $actiontype & LOGRULE ) {
|
||||||
fatal_error 'LOG requires a log level' unless defined $loglevel and $loglevel ne '';
|
fatal_error 'LOG requires a log level' unless defined $loglevel and $loglevel ne '';
|
||||||
} elsif ( $actiontype & SET ) {
|
} elsif ( $actiontype & SET ) {
|
||||||
my %xlate1 = ( ADD => 'add-set' , DEL => 'del-set' );
|
my %xlate = ( ADD => 'add-set' , DEL => 'del-set' );
|
||||||
my %xlate2 = ( d => 'dst' , s => 'src' );
|
|
||||||
|
|
||||||
my ( $setname, $direction, $rest ) = split ',', $param;
|
my ( $setname, $flags, $rest ) = split ':', $param, 3;
|
||||||
fatal_error "Invalid ADD/DEL parameter ($param)" if $rest;
|
fatal_error "Invalid ADD/DEL parameter ($param)" if $rest;
|
||||||
fatal_error "Expected ipset name ($setname)" unless $setname =~ s/^\+// && $setname =~ /^[a-zA-Z]\w*$/;
|
fatal_error "Expected ipset name ($setname)" unless $setname =~ s/^\+// && $setname =~ /^[a-zA-Z]\w*$/;
|
||||||
fatal_error "Invalid address designator ($direction)" unless defined $direction && $direction =~ /^[ds]$/;
|
fatal_error "Invalid flags ($flags)" unless defined $flags && $flags =~ /^(dst|src)(,(dst|src)){0,5}$/;
|
||||||
$action = join( ' ', 'SET --' . $xlate1{$basictarget} , $setname , $xlate2{$direction} );
|
$action = join( ' ', 'SET --' . $xlate{$basictarget} , $setname , $flags );
|
||||||
}
|
}
|
||||||
#
|
#
|
||||||
# Isolate and validate source and destination zones
|
# Isolate and validate source and destination zones
|
||||||
|
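Review bot: The checks on `$setname` and `$flags` in the two `fatal_error ... unless` lines anchor with `^`/`$`, and `$` also matches before a trailing newline; since both values are then joined verbatim into `$action`, `\A` and `\z` state the intent exactly: `unless $setname =~ s/^\+// && $setname =~ /\A[a-zA-Z]\w*\z/;` and `unless defined $flags && $flags =~ /\A(?:dst|src)(?:,(?:dst|src)){0,5}\z/;`. Whether an unchomped value can reach this point depends on the caller, which is outside the hunk. The `{0,5}` bound hard-codes a maximum of six flags with no explanation; a comment such as `# at most six src/dst flags, assumed to be one per ipset tuple element` would record the reason, if that is indeed where the limit comes from. The enclosing `process_rule1` begins and ends outside the hunk.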
@ -403,31 +403,44 @@
|
|||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis
|
<term><emphasis
|
||||||
role="bold">ADD(<replaceable>ipset</replaceable>,<replaceable>direction</replaceable>)</emphasis></term>
|
role="bold">ADD(<replaceable>ipset</replaceable>:<replaceable>flags</replaceable>)</emphasis></term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Added in Shorewall 4.4.12. Causes either the SOURCE or
|
<para>Added in Shorewall 4.4.12. Causes addresses and/or port
|
||||||
DESTINATION address of the connection to be added to the named
|
numbers to be added to the named
|
||||||
<replaceable>ipset</replaceable>. If
|
<replaceable>ipset</replaceable>. The
|
||||||
<replaceable>direction</replaceable> is <option>d</option>
|
<replaceable>flags</replaceable> specify the address or tupple
|
||||||
(e.g., ipset,d) then the DESTINATION address is added; if it
|
to be added to the set and must match the type of ipset
|
||||||
is <emphasis role="bold">s</emphasis>, then the SOURCE address
|
involved. For example, for an iphash ipset, either the SOURCE
|
||||||
is added.</para>
|
or DESTINATION address can be added using
|
||||||
|
<replaceable>flags</replaceable> <emphasis
|
||||||
|
role="bold">src</emphasis> or <emphasis
|
||||||
|
role="bold">dst</emphasis> respectively (see the -A command in
|
||||||
|
ipset (8)).</para>
|
||||||
|
|
||||||
|
<para>ADD is non-terminating. Even if a packet matches the
|
||||||
|
rule, it is passed on to the next rule.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis
|
<term><emphasis
|
||||||
role="bold">DEL(<replaceable>ipset</replaceable>,<replaceable>direction</replaceable>)</emphasis></term>
|
role="bold">DEL(<replaceable>ipset</replaceable>:<replaceable>flags</replaceable>)</emphasis></term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Added in Shorewall 4.4.12. Causes either the SOURCE or
|
<para>Added in Shorewall 4.4.12. Causes an entry to be deleted
|
||||||
DESTINATION address of the connection to be deleted from the
|
from the named <replaceable>ipset</replaceable>. The
|
||||||
named <replaceable>ipset</replaceable>. If
|
<replaceable>flags</replaceable> specify the address or tupple
|
||||||
<replaceable>direction</replaceable> is <option>d</option>
|
to be deleted from the set and must match the type of ipset
|
||||||
(e.g., ipset,d) then the DESTINATION address is added; if it
|
involved. For example, for an iphash ipset, either the SOURCE
|
||||||
is <emphasis role="bold">s</emphasis>, then the SOURCE address
|
or DESTINATION address can be deletec using
|
||||||
is deleteded.</para>
|
<replaceable>flags</replaceable> <emphasis
|
||||||
|
role="bold">src</emphasis> or <emphasis
|
||||||
|
role="bold">dst</emphasis> respectively (see the -D command in
|
||||||
|
ipset (8)).</para>
|
||||||
|
|
||||||
|
<para>DEL is non-terminating. Even if a packet matches the
|
||||||
|
rule, it is passed on to the next rule.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
</variablelist>
|
</variablelist>
|
||||||
@ -1296,6 +1309,17 @@
|
|||||||
that traffic.</para>
|
that traffic.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term>Example 10:</term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>Add the tupple (source IP, dest port, dest IP) of an incoming
|
||||||
|
SSH connection to the ipset S:</para>
|
||||||
|
|
||||||
|
<programlisting> ADD(S:dst,src,dst) net fw tcp 22</programlisting>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
</variablelist>
|
</variablelist>
|
||||||
</refsect1>
|
</refsect1>
|
||||||
|
|
||||||
@ -1308,6 +1332,9 @@
|
|||||||
<refsect1>
|
<refsect1>
|
||||||
<title>See ALSO</title>
|
<title>See ALSO</title>
|
||||||
|
|
||||||
|
<para><ulink
|
||||||
|
url="http://www.shorewall.net/ipsets.html">http://www.shorewall.net/ipsets.html</ulink></para>
|
||||||
|
|
||||||
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
|
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
|
||||||
shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
|
shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
|
||||||
shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
|
shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
|
||||||