Clean up V4/V5 ipset enforcement
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
parent
541ecb67b4
commit
216bc715e8
@ -8288,14 +8288,20 @@ sub create_save_ipsets() {
|
|||||||
'' );
|
'' );
|
||||||
|
|
||||||
if ( $family == F_IPV6 || $setting !~ /yes/i ) {
|
if ( $family == F_IPV6 || $setting !~ /yes/i ) {
|
||||||
|
#
|
||||||
|
# Requires V5 or later
|
||||||
|
#
|
||||||
emit( '' ,
|
emit( '' ,
|
||||||
" for set in \$(\$IPSET save | grep '$select' | cut -d' ' -f2); do" ,
|
" for set in \$(\$IPSET save | grep '$select' | cut -d' ' -f2); do" ,
|
||||||
' $IPSET -F $set' ,
|
' $IPSET flush $set' ,
|
||||||
' $IPSET -X $set' ,
|
' $IPSET destroy $set' ,
|
||||||
" done" ,
|
" done" ,
|
||||||
'',
|
'',
|
||||||
);
|
);
|
||||||
} else {
|
} else {
|
||||||
|
#
|
||||||
|
# Restoring all ipsets (IPv4 and IPv6, if any)
|
||||||
|
#
|
||||||
emit ( ' if [ -f ${VARDIR}/ipsets.save ]; then' ,
|
emit ( ' if [ -f ${VARDIR}/ipsets.save ]; then' ,
|
||||||
' $IPSET -F' ,
|
' $IPSET -F' ,
|
||||||
' $IPSET -X' ,
|
' $IPSET -X' ,
|
||||||
@ -8322,6 +8328,9 @@ sub create_save_ipsets() {
|
|||||||
|
|
||||||
if ( $config{SAVE_IPSETS} ) {
|
if ( $config{SAVE_IPSETS} ) {
|
||||||
if ( $family == F_IPV6 || $config{SAVE_IPSETS} eq 'ipv4' ) {
|
if ( $family == F_IPV6 || $config{SAVE_IPSETS} eq 'ipv4' ) {
|
||||||
|
#
|
||||||
|
# Requires V5 or later
|
||||||
|
#
|
||||||
my $select = $family == F_IPV4 ? '^create.*family inet ' : 'create.*family inet6 ';
|
my $select = $family == F_IPV4 ? '^create.*family inet ' : 'create.*family inet6 ';
|
||||||
|
|
||||||
emit( '' ,
|
emit( '' ,
|
||||||
@ -8332,11 +8341,14 @@ sub create_save_ipsets() {
|
|||||||
|
|
||||||
emit( '',
|
emit( '',
|
||||||
" for set in \$(\$IPSET save | grep '$select' | cut -d' ' -f2); do" ,
|
" for set in \$(\$IPSET save | grep '$select' | cut -d' ' -f2); do" ,
|
||||||
" \$IPSET -S \$set >> \$file" ,
|
" \$IPSET save \$set >> \$file" ,
|
||||||
" done" ,
|
" done" ,
|
||||||
'',
|
'',
|
||||||
);
|
);
|
||||||
} else {
|
} else {
|
||||||
|
#
|
||||||
|
# Saving all ipsets (IPv4 and IPv6, if any )
|
||||||
|
#
|
||||||
emit (
|
emit (
|
||||||
'',
|
'',
|
||||||
' if eval $IPSET -S > ${VARDIR}/ipsets.tmp; then' ,
|
' if eval $IPSET -S > ${VARDIR}/ipsets.tmp; then' ,
|
||||||
@ -8347,9 +8359,12 @@ sub create_save_ipsets() {
|
|||||||
emit( " return 0",
|
emit( " return 0",
|
||||||
"}\n" );
|
"}\n" );
|
||||||
} elsif ( @ipsets || $globals{SAVED_IPSETS} ) {
|
} elsif ( @ipsets || $globals{SAVED_IPSETS} ) {
|
||||||
|
#
|
||||||
|
# Requires V5 or later
|
||||||
|
#
|
||||||
my %ipsets;
|
my %ipsets;
|
||||||
#
|
#
|
||||||
# Remove duplicates
|
# Requires V
|
||||||
#
|
#
|
||||||
$ipsets{$_} = 1 for ( @ipsets, @{$globals{SAVED_IPSETS}} );
|
$ipsets{$_} = 1 for ( @ipsets, @{$globals{SAVED_IPSETS}} );
|
||||||
|
|
||||||
@ -8365,8 +8380,8 @@ sub create_save_ipsets() {
|
|||||||
if ( @sets > 1 ) {
|
if ( @sets > 1 ) {
|
||||||
emit( '' ,
|
emit( '' ,
|
||||||
" for set in @sets; do" ,
|
" for set in @sets; do" ,
|
||||||
' if qt $IPSET -L $set; then' ,
|
' if qt $IPSET list $set; then' ,
|
||||||
' $IPSET -S $set >> ${VARDIR}/ipsets.tmp' ,
|
' $IPSET save $set >> ${VARDIR}/ipsets.tmp' ,
|
||||||
' else' ,
|
' else' ,
|
||||||
' error_message "ipset $set not saved (not found)"' ,
|
' error_message "ipset $set not saved (not found)"' ,
|
||||||
' fi' ,
|
' fi' ,
|
||||||
@ -8375,15 +8390,15 @@ sub create_save_ipsets() {
|
|||||||
my $set = $sets[0];
|
my $set = $sets[0];
|
||||||
|
|
||||||
emit( '' ,
|
emit( '' ,
|
||||||
" if qt \$IPSET -L $set; then" ,
|
" if qt \$IPSET list $set; then" ,
|
||||||
" \$IPSET -S $set >> \${VARDIR}/ipsets.tmp" ,
|
" \$IPSET save $set >> \${VARDIR}/ipsets.tmp" ,
|
||||||
' else' ,
|
' else' ,
|
||||||
" error_message 'ipset $set not saved (not found)'" ,
|
" error_message 'ipset $set not saved (not found)'" ,
|
||||||
' fi' );
|
' fi' );
|
||||||
}
|
}
|
||||||
|
|
||||||
emit( '' ,
|
emit( '' ,
|
||||||
" grep -qE -- \"(-N|^create )\" \${VARDIR}/ipsets.tmp && mv -f \${VARDIR}/ipsets.tmp \$file\n" ,
|
" grep -q -- \"^create \" \${VARDIR}/ipsets.tmp && mv -f \${VARDIR}/ipsets.tmp \$file\n" ,
|
||||||
'' ,
|
'' ,
|
||||||
' return 0',
|
' return 0',
|
||||||
'' ,
|
'' ,
|
||||||
|
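Review bot: In the first hunk the restore-side loop now runs `$IPSET flush $set` and `$IPSET destroy $set` for every set matching `$select`, but the exit status of `destroy` is still discarded; a set that is still referenced by a `list:set` or by a loaded rule cannot be destroyed and is silently left behind, and the `-F`/`-X` pair in the `else` branch below has the same gap. If `ipset save` prints a member set before the `list:set` that contains it (the order that makes its output restorable), iterating in that order hits the referenced set first, so a failure here is not an edge case. At minimum report the failure instead of dropping it, e.g. `$IPSET destroy $set || error_message "ipset $set not destroyed"`, and consider destroying in reverse order of the save output. The enclosing `create_save_ipsets()` starts before this section and the code that defines `$select` and `$setting` for this hunk is outside it, so whether a failed destroy is recovered later cannot be confirmed from here.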
@ -346,7 +346,7 @@ our %capdesc = ( NAT_ENABLED => 'NAT',
|
|||||||
=> 'Ipset Match nomatch',
|
=> 'Ipset Match nomatch',
|
||||||
IPSET_MATCH_COUNTERS
|
IPSET_MATCH_COUNTERS
|
||||||
=> 'Ipset Match counters',
|
=> 'Ipset Match counters',
|
||||||
IPSET_V5 => 'Version 5 ipsets',
|
IPSET_V5 => 'Version 5 or later ipset',
|
||||||
CONNMARK => 'CONNMARK Target',
|
CONNMARK => 'CONNMARK Target',
|
||||||
XCONNMARK => 'Extended CONNMARK Target',
|
XCONNMARK => 'Extended CONNMARK Target',
|
||||||
CONNMARK_MATCH => 'Connmark Match',
|
CONNMARK_MATCH => 'Connmark Match',
|
||||||
@ -5863,16 +5863,21 @@ sub get_configuration( $$$$ ) {
|
|||||||
unsupported_yes_no 'BRIDGING';
|
unsupported_yes_no 'BRIDGING';
|
||||||
unsupported_yes_no_warning 'RFC1918_STRICT';
|
unsupported_yes_no_warning 'RFC1918_STRICT';
|
||||||
|
|
||||||
|
$val = $config{SAVE_IPSETS};
|
||||||
|
|
||||||
unless (default_yes_no 'SAVE_IPSETS', '', '*' ) {
|
unless (default_yes_no 'SAVE_IPSETS', '', '*' ) {
|
||||||
$val = $config{SAVE_IPSETS};
|
if ( $val eq 'ipv4' ) {
|
||||||
unless ( $val eq 'ipv4' ) {
|
fatal_error 'SAVE_IPSETS=ipv4 is invalid in shorewall6.conf' if $family == F_IPV6;
|
||||||
|
} else {
|
||||||
my @sets = split_list( $val , 'ipset' );
|
my @sets = split_list( $val , 'ipset' );
|
||||||
$globals{SAVED_IPSETS} = \@sets;
|
$globals{SAVED_IPSETS} = \@sets;
|
||||||
require_capability 'IPSET_V5', 'A saved ipset list', 's';
|
|
||||||
$config{SAVE_IPSETS} = '';
|
$config{SAVE_IPSETS} = '';
|
||||||
}
|
}
|
||||||
|
|
||||||
|
require_capability( 'IPSET_V5', "SAVE_IPSETS=$val", 's' ) if $config{SAVE_IPSETS};
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
default_yes_no 'SAVE_ARPTABLES' , '';
|
default_yes_no 'SAVE_ARPTABLES' , '';
|
||||||
default_yes_no 'STARTUP_ENABLED' , 'Yes';
|
default_yes_no 'STARTUP_ENABLED' , 'Yes';
|
||||||
default_yes_no 'DELAYBLACKLISTLOAD' , '';
|
default_yes_no 'DELAYBLACKLISTLOAD' , '';
|
||||||
|
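Review bot: In the `get_configuration` hunk the list form of SAVE_IPSETS no longer requires IPSET_V5: the `else` branch stores the names in `$globals{SAVED_IPSETS}` and then clears `$config{SAVE_IPSETS}`, so the new guard `require_capability( 'IPSET_V5', "SAVE_IPSETS=$val", 's' ) if $config{SAVE_IPSETS};` is false for exactly that case, whereas the removed line enforced it. The branch of `create_save_ipsets()` that consumes `$globals{SAVED_IPSETS}` is commented `# Requires V5 or later` and emits `$IPSET list`/`$IPSET save` subcommands, so on an older ipset the generated script would presumably fail at run time with a misleading "not saved (not found)" message rather than at compile time. Since both non-yes/no forms need V5, drop the modifier and make the call unconditional inside the `unless`: `require_capability( 'IPSET_V5', "SAVE_IPSETS=$val", 's' );`. The names returned by `split_list` are later interpolated unquoted into the generated shell script, so if `split_list` does not restrict them to valid ipset names this is also the place to validate them; `get_configuration` continues outside the hunk.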
@ -1279,7 +1279,7 @@ sub process_interface( $$ ) {
|
|||||||
fatal_error q("nets=" may not be specified for a multi-zone interface) unless $zone;
|
fatal_error q("nets=" may not be specified for a multi-zone interface) unless $zone;
|
||||||
fatal_error "Duplicate $option option" if $netsref;
|
fatal_error "Duplicate $option option" if $netsref;
|
||||||
if ( $value eq 'dynamic' ) {
|
if ( $value eq 'dynamic' ) {
|
||||||
require_capability( 'IPSET_MATCH', 'Dynamic nets', '');
|
require_capability( 'IPSET_V5', 'Dynamic nets', '');
|
||||||
$hostoptions{dynamic} = 1;
|
$hostoptions{dynamic} = 1;
|
||||||
#
|
#
|
||||||
# Defer remaining processing until we have the final physical interface name
|
# Defer remaining processing until we have the final physical interface name
|
||||||
|
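Review bot: Replacing `IPSET_MATCH` with `IPSET_V5` in the `dynamic` branch of `process_interface` drops the check that the iptables set match itself is available; IPSET_V5 describes the ipset version, and unless its probe is only attempted when IPSET_MATCH is present (not visible here), a host with a V5 ipset binary but no `-m set` support now passes this check and fails when the rules are loaded. If V5 is an additional requirement rather than a replacement, keep both: `require_capability( 'IPSET_MATCH', 'Dynamic nets', '' );` followed by `require_capability( 'IPSET_V5', 'Dynamic nets', '' );`. `process_interface` starts and ends outside this hunk.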