extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2024-12-15 10:51:02 +01:00
Code Issues Packages Projects Releases Wiki Activity

First steps toward zone-based blacklisting

Browse Source
This commit is contained in:
Tom Eastep 2010-09-16 06:55:48 -07:00
parent 1d650b41cd
commit 3c1cff0794
2 changed files with 23 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
Shorewall/Perl/Shorewall/Rules.pm
View File

@ -46,7 +46,7 @@ our @EXPORT = qw( process_tos
compile_stop_firewall compile_stop_firewall
); );
our @EXPORT_OK = qw( process_rule process_rule1 initialize ); our @EXPORT_OK = qw( process_rule process_rule1 initialize );
our $VERSION = '4.4_13'; our $VERSION = '4.4_14';
our $macro_nest_level; our $macro_nest_level;
our $current_param; our $current_param;
@ -1851,6 +1851,8 @@ sub generate_matrix() {
# #
my $frwd_ref = new_standard_chain zone_forward_chain( $zone ); my $frwd_ref = new_standard_chain zone_forward_chain( $zone );
add_jump( $frwd_ref, $filter_table->{blacklst}, 0 ) if $zoneref->{options}{in}{blacklist};
if ( have_ipsec ) { if ( have_ipsec ) {
# #
# Because policy match only matches an 'in' or an 'out' policy (but not both), we have to place the # Because policy match only matches an 'in' or an 'out' policy (but not both), we have to place the

37
Shorewall/Perl/Shorewall/Zones.pm
View File

@ -84,7 +84,7 @@ our @EXPORT = qw( NOTHING
); );
our @EXPORT_OK = qw( initialize ); our @EXPORT_OK = qw( initialize );
our $VERSION = '4.4_13'; our $VERSION = '4.4_14';
# #
# IPSEC Option types # IPSEC Option types
@ -299,6 +299,7 @@ sub initialize( $ ) {
sub parse_zone_option_list($$) sub parse_zone_option_list($$)
{ {
my %validoptions = ( mss => NUMERIC, my %validoptions = ( mss => NUMERIC,
blacklist => NOTHING,
strict => NOTHING, strict => NOTHING,
next => NOTHING, next => NOTHING,
reqid => NUMERIC, reqid => NUMERIC,
@ -311,7 +312,7 @@ sub parse_zone_option_list($$)
# #
# Hash of options that have their own key in the returned hash. # Hash of options that have their own key in the returned hash.
# #
my %key = ( mss => 'mss' ); my %key = ( mss => 1 , blacklist => 'blacklist' );
my ( $list, $zonetype ) = @_; my ( $list, $zonetype ) = @_;
my %h; my %h;
@ -344,7 +345,7 @@ sub parse_zone_option_list($$)
} }
if ( $key{$e} ) { if ( $key{$e} ) {
$h{$e} = $val; $h{$e} = $val || 1;
} else { } else {
fatal_error "The \"$e\" option may only be specified for ipsec zones" unless $zonetype == IPSEC; fatal_error "The \"$e\" option may only be specified for ipsec zones" unless $zonetype == IPSEC;
$options .= $invert; $options .= $invert;
@ -435,20 +436,22 @@ sub process_zone( \$ ) {
} }
} }
$zones{$zone} = { type => $type, my $zoneref = $zones{$zone} = { type => $type,
parents => \@parents, parents => \@parents,
bridge => '', bridge => '',
options => { in_out => parse_zone_option_list( $options || '', $type ) , options => { in_out => parse_zone_option_list( $options || '', $type ) ,
in => parse_zone_option_list( $in_options || '', $type ) , in => parse_zone_option_list( $in_options || '', $type ) ,
out => parse_zone_option_list( $out_options || '', $type ) , out => parse_zone_option_list( $out_options || '', $type ) ,
complex => ( $type == IPSEC || $options ne '-' || $in_options ne '-' || $out_options ne '-' ) , complex => ( $type == IPSEC || $options ne '-' || $in_options ne '-' || $out_options ne '-' ) ,
nested => @parents > 0 , nested => @parents > 0 ,
super => 0 , super => 0 ,
} , } ,
interfaces => {} , interfaces => {} ,
children => [] , children => [] ,
hosts => {} hosts => {}
}; };
$zoneref->{options}{in}{blacklist} = $zoneref->{options}{out}{blacklist} = 1 if $zoneref->{options}{in_out}{blacklist};
return $zone; return $zone;