First steps toward zone-based blacklisting

2024-12-15 19:01:19 +01:00 · 2010-09-16 06:55:48 -07:00 · 2010-09-16 06:55:48 -07:00 · 3c1cff0794
commit 3c1cff0794
parent 1d650b41cd
2 changed files with 23 additions and 18 deletions
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@ -46,7 +46,7 @@ our @EXPORT = qw( process_tos
 		  compile_stop_firewall
 		  );
 our @EXPORT_OK = qw( process_rule process_rule1 initialize );
-our $VERSION = '4.4_13';
+our $VERSION = '4.4_14';

 our $macro_nest_level;
 our $current_param;
@ -1851,6 +1851,8 @@ sub generate_matrix() {
 	#
 	my $frwd_ref = new_standard_chain zone_forward_chain( $zone );

+	add_jump( $frwd_ref, $filter_table->{blacklst}, 0 ) if $zoneref->{options}{in}{blacklist};
+
 	if ( have_ipsec ) {
 	    #
 	    # Because policy match only matches an 'in' or an 'out' policy (but not both), we have to place the
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@ -84,7 +84,7 @@ our @EXPORT = qw( NOTHING
 		 );

 our @EXPORT_OK = qw( initialize );
-our $VERSION = '4.4_13';
+our $VERSION = '4.4_14';

 #
 # IPSEC Option types
@ -299,6 +299,7 @@ sub initialize( $ ) {
 sub parse_zone_option_list($$)
 {
    my %validoptions = ( mss          => NUMERIC,
+			 blacklist    => NOTHING,
 			 strict       => NOTHING,
 			 next         => NOTHING,
 			 reqid        => NUMERIC,
@ -311,7 +312,7 @@ sub parse_zone_option_list($$)
    #
    # Hash of options that have their own key in the returned hash.
    #
-    my %key = ( mss => 'mss' );
+    my %key = ( mss => 1 , blacklist => 'blacklist' );

    my ( $list, $zonetype ) = @_;
    my %h;
@ -344,7 +345,7 @@ sub parse_zone_option_list($$)
 	    }

 	    if ( $key{$e} ) {
-		$h{$e} = $val;
+		$h{$e} = $val || 1;
 	    } else {
 		fatal_error "The \"$e\" option may only be specified for ipsec zones" unless $zonetype == IPSEC;
 		$options .= $invert;
@ -435,20 +436,22 @@ sub process_zone( \$ ) {
 	}
    }

-    $zones{$zone} = { type       => $type,
-		      parents    => \@parents,
-		      bridge     => '',
-		      options    => { in_out  => parse_zone_option_list( $options || '', $type ) ,
-				      in      => parse_zone_option_list( $in_options || '', $type ) ,
-				      out     => parse_zone_option_list( $out_options || '', $type ) ,
-				      complex => ( $type == IPSEC || $options ne '-' || $in_options ne '-' || $out_options ne '-' ) ,
-				      nested  => @parents > 0 ,
-				      super   => 0 ,
-				    } ,
-		      interfaces => {} ,
-		      children   => [] ,
-		      hosts      => {}
-		    };
+    my $zoneref = $zones{$zone} = { type       => $type,
+				    parents    => \@parents,
+				    bridge     => '',
+				    options    => { in_out  => parse_zone_option_list( $options || '', $type ) ,
+						    in      => parse_zone_option_list( $in_options || '', $type ) ,
+						    out     => parse_zone_option_list( $out_options || '', $type ) ,
+						    complex => ( $type == IPSEC || $options ne '-' || $in_options ne '-' || $out_options ne '-' ) ,
+						    nested  => @parents > 0 ,
+						    super   => 0 ,
+						  } ,
+				    interfaces => {} ,
+				    children   => [] ,
+				    hosts      => {}
+				  };
+
+    $zoneref->{options}{in}{blacklist} = $zoneref->{options}{out}{blacklist} = 1 if $zoneref->{options}{in_out}{blacklist};

    return $zone;