mirror of
https://gitlab.com/shorewall/code.git
synced 2024-12-22 14:20:40 +01:00
'allow' now works with ipset-based dynamic blacklisting
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
parent
cd01df4200
commit
4869f61a25
@ -2525,6 +2525,30 @@ allow_command() {
|
|||||||
[ -n "$g_debugging" ] && set -x
|
[ -n "$g_debugging" ] && set -x
|
||||||
[ $# -eq 1 ] && missing_argument
|
[ $# -eq 1 ] && missing_argument
|
||||||
if product_is_started ; then
|
if product_is_started ; then
|
||||||
|
if [ -n "$g_blacklistipset" ]; then
|
||||||
|
|
||||||
|
case ${IPSET:=ipset} in
|
||||||
|
*/*)
|
||||||
|
if [ ! -x "$IPSET" ]; then
|
||||||
|
fatal_error "IPSET=$IPSET does not exist or is not executable"
|
||||||
|
fi
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
IPSET="$(mywhich $IPSET)"
|
||||||
|
[ -n "$IPSET" ] || fatal_error "The ipset utility cannot be located"
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
|
||||||
|
[ -n "$g_nolock" ] || mutex_on
|
||||||
|
|
||||||
|
while [ $# -gt 1 ]; do
|
||||||
|
shift
|
||||||
|
|
||||||
|
qt $IPSET -D $g_blacklistipset $1 && progress_message2 "$1 Allowed" || error_message "WARNING: Address $1 was not currently blacklisted"
|
||||||
|
done
|
||||||
|
|
||||||
|
[ -n "$g_nolock" ] || mutex_off
|
||||||
|
else
|
||||||
local which
|
local which
|
||||||
which='-s'
|
which='-s'
|
||||||
local range
|
local range
|
||||||
@ -2535,6 +2559,7 @@ allow_command() {
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
[ -n "$g_nolock" ] || mutex_on
|
[ -n "$g_nolock" ] || mutex_on
|
||||||
|
|
||||||
while [ $# -gt 1 ]; do
|
while [ $# -gt 1 ]; do
|
||||||
shift
|
shift
|
||||||
case $1 in
|
case $1 in
|
||||||
@ -2572,7 +2597,9 @@ allow_command() {
|
|||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
done
|
done
|
||||||
|
|
||||||
[ -n "$g_nolock" ] || mutex_off
|
[ -n "$g_nolock" ] || mutex_off
|
||||||
|
fi
|
||||||
else
|
else
|
||||||
error_message "ERROR: $g_product is not started"
|
error_message "ERROR: $g_product is not started"
|
||||||
exit 2
|
exit 2
|
||||||
@ -3507,7 +3534,7 @@ blacklist_command() {
|
|||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
$IPSET -A $g_blacklistipset $@ || { error_message "ERROR: Address $1 not blacklisted"; return 1; }
|
$IPSET -A $g_blacklistipset $@ && progress_message2 "$1 Blacklisted" || { error_message "ERROR: Address $1 not blacklisted"; return 1; }
|
||||||
|
|
||||||
return 0
|
return 0
|
||||||
}
|
}
|
||||||
|
@ -702,7 +702,9 @@
|
|||||||
blacklisted by a <emphasis role="bold">drop</emphasis>, <emphasis
|
blacklisted by a <emphasis role="bold">drop</emphasis>, <emphasis
|
||||||
role="bold">logdrop</emphasis>, <emphasis
|
role="bold">logdrop</emphasis>, <emphasis
|
||||||
role="bold">reject</emphasis>, or <emphasis
|
role="bold">reject</emphasis>, or <emphasis
|
||||||
role="bold">logreject</emphasis> command.</para>
|
role="bold">logreject</emphasis> command. Beginning with Shorewall
|
||||||
|
5.0.10, this command can also re-enable addresses blacklisted using
|
||||||
|
the <command>blacklist</command> command.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|
@ -380,7 +380,7 @@ loc eth2 -</programlisting>
|
|||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term>loopback</term>
|
<term><emphasis role="bold">loopback</emphasis></term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Added in Shorewall 4.6.6. Designates the interface as
|
<para>Added in Shorewall 4.6.6. Designates the interface as
|
||||||
@ -451,8 +451,8 @@ loc eth2 -</programlisting>
|
|||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis
|
<term><emphasis role="bold"><emphasis
|
||||||
role="bold">mss</emphasis>=<emphasis>number</emphasis></term>
|
role="bold">mss</emphasis>=</emphasis><emphasis>number</emphasis></term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Added in Shorewall 4.0.3. Causes forwarded TCP SYN
|
<para>Added in Shorewall 4.0.3. Causes forwarded TCP SYN
|
||||||
|
@ -964,7 +964,9 @@
|
|||||||
blacklisted by a <emphasis role="bold">drop</emphasis>, <emphasis
|
blacklisted by a <emphasis role="bold">drop</emphasis>, <emphasis
|
||||||
role="bold">logdrop</emphasis>, <emphasis
|
role="bold">logdrop</emphasis>, <emphasis
|
||||||
role="bold">reject</emphasis>, or <emphasis
|
role="bold">reject</emphasis>, or <emphasis
|
||||||
role="bold">logreject</emphasis> command.</para>
|
role="bold">logreject</emphasis> command. Beginning with Shorewall
|
||||||
|
5.0.10, this command can also re-enable addresses blacklisted using
|
||||||
|
the <command>blacklist</command> command.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|
@ -679,7 +679,9 @@
|
|||||||
<para>Re-enables receipt of packets from hosts previously
|
<para>Re-enables receipt of packets from hosts previously
|
||||||
blacklisted by a <command>drop</command>,
|
blacklisted by a <command>drop</command>,
|
||||||
<command>logdrop</command>, <command>reject</command>, or
|
<command>logdrop</command>, <command>reject</command>, or
|
||||||
<command>logreject</command> command.</para>
|
<command>logreject</command> command. Beginning with Shorewall
|
||||||
|
5.0.10, this command can also re-enable addresses blacklisted using
|
||||||
|
the <command>blacklist</command> command.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|
@ -321,7 +321,7 @@ loc eth2 -</programlisting>
|
|||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term>loopback</term>
|
<term><emphasis role="bold">loopback</emphasis></term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Added in Shorewall 4.6.6. Designates the interface as
|
<para>Added in Shorewall 4.6.6. Designates the interface as
|
||||||
|
@ -932,7 +932,9 @@
|
|||||||
blacklisted by a <emphasis role="bold">drop</emphasis>, <emphasis
|
blacklisted by a <emphasis role="bold">drop</emphasis>, <emphasis
|
||||||
role="bold">logdrop</emphasis>, <emphasis
|
role="bold">logdrop</emphasis>, <emphasis
|
||||||
role="bold">reject</emphasis>, or <emphasis
|
role="bold">reject</emphasis>, or <emphasis
|
||||||
role="bold">logreject</emphasis> command.</para>
|
role="bold">logreject</emphasis> command. Beginning with Shorewall
|
||||||
|
5.0.10, this command can also re-enable addresses blacklisted using
|
||||||
|
the <command>blacklist</command> command.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user