'allow' now works with ipset-based dynamic blacklisting

Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2016-06-09 08:44:25 -07:00
parent cd01df4200
commit 4869f61a25
No known key found for this signature in database
GPG Key ID: 96E6B3F2423A4D10
7 changed files with 86 additions and 51 deletions


@ -2525,6 +2525,30 @@ allow_command() {
[ -n "$g_debugging" ] && set -x [ -n "$g_debugging" ] && set -x
[ $# -eq 1 ] && missing_argument [ $# -eq 1 ] && missing_argument
if product_is_started ; then if product_is_started ; then
if [ -n "$g_blacklistipset" ]; then
case ${IPSET:=ipset} in
*/*)
if [ ! -x "$IPSET" ]; then
fatal_error "IPSET=$IPSET does not exist or is not executable"
fi
;;
*)
IPSET="$(mywhich $IPSET)"
[ -n "$IPSET" ] || fatal_error "The ipset utility cannot be located"
;;
esac
[ -n "$g_nolock" ] || mutex_on
while [ $# -gt 1 ]; do
shift
qt $IPSET -D $g_blacklistipset $1 && progress_message2 "$1 Allowed" || error_message "WARNING: Address $1 was not currently blacklisted"
done
[ -n "$g_nolock" ] || mutex_off
else
local which local which
which='-s' which='-s'
local range local range
@ -2535,6 +2559,7 @@ allow_command() {
fi fi
[ -n "$g_nolock" ] || mutex_on [ -n "$g_nolock" ] || mutex_on
while [ $# -gt 1 ]; do while [ $# -gt 1 ]; do
shift shift
case $1 in case $1 in
@ -2572,7 +2597,9 @@ allow_command() {
;; ;;
esac esac
done done
[ -n "$g_nolock" ] || mutex_off [ -n "$g_nolock" ] || mutex_off
fi
else else
error_message "ERROR: $g_product is not started" error_message "ERROR: $g_product is not started"
exit 2 exit 2
@ -3507,7 +3534,7 @@ blacklist_command() {
;; ;;
esac esac
$IPSET -A $g_blacklistipset $@ || { error_message "ERROR: Address $1 not blacklisted"; return 1; } $IPSET -A $g_blacklistipset $@ && progress_message2 "$1 Blacklisted" || { error_message "ERROR: Address $1 not blacklisted"; return 1; }
return 0 return 0
} }
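Review bot: The new ipset branch hands the user-supplied argument straight to `qt $IPSET -D $g_blacklistipset $1`, skipping the per-argument `case $1 in` dispatch that the non-ipset branch still runs further down, and `$1` is unquoted, so an argument containing whitespace is split into additional ipset arguments instead of being reported as one bad address. Quoting it, `qt $IPSET -D $g_blacklistipset "$1" && progress_message2 "$1 Allowed" || error_message "WARNING: Address $1 was not currently blacklisted"`, keeps the whole string as a single entry and in the message; whether the ipset path should also apply the non-ipset branch's address checks first deserves a short comment either way. The `case ${IPSET:=ipset} in` locate-and-check block appears to duplicate the one blacklist_command ends with (the `esac` immediately before `$IPSET -A` in the last hunk), so it could be lifted into a shared helper used by both commands. allow_command and blacklist_command both extend beyond the hunks shown here.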


@ -702,7 +702,9 @@
blacklisted by a <emphasis role="bold">drop</emphasis>, <emphasis blacklisted by a <emphasis role="bold">drop</emphasis>, <emphasis
role="bold">logdrop</emphasis>, <emphasis role="bold">logdrop</emphasis>, <emphasis
role="bold">reject</emphasis>, or <emphasis role="bold">reject</emphasis>, or <emphasis
role="bold">logreject</emphasis> command.</para> role="bold">logreject</emphasis> command. Beginning with Shorewall
5.0.10, this command can also re-enable addresses blacklisted using
the <command>blacklist</command> command.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>


@ -380,7 +380,7 @@ loc eth2 -</programlisting>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>loopback</term> <term><emphasis role="bold">loopback</emphasis></term>
<listitem> <listitem>
<para>Added in Shorewall 4.6.6. Designates the interface as <para>Added in Shorewall 4.6.6. Designates the interface as
@ -451,8 +451,8 @@ loc eth2 -</programlisting>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis <term><emphasis role="bold"><emphasis
role="bold">mss</emphasis>=<emphasis>number</emphasis></term> role="bold">mss</emphasis>=</emphasis><emphasis>number</emphasis></term>
<listitem> <listitem>
<para>Added in Shorewall 4.0.3. Causes forwarded TCP SYN <para>Added in Shorewall 4.0.3. Causes forwarded TCP SYN


@ -964,7 +964,9 @@
blacklisted by a <emphasis role="bold">drop</emphasis>, <emphasis blacklisted by a <emphasis role="bold">drop</emphasis>, <emphasis
role="bold">logdrop</emphasis>, <emphasis role="bold">logdrop</emphasis>, <emphasis
role="bold">reject</emphasis>, or <emphasis role="bold">reject</emphasis>, or <emphasis
role="bold">logreject</emphasis> command.</para> role="bold">logreject</emphasis> command. Beginning with Shorewall
5.0.10, this command can also re-enable addresses blacklisted using
the <command>blacklist</command> command.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>


@ -679,7 +679,9 @@
<para>Re-enables receipt of packets from hosts previously <para>Re-enables receipt of packets from hosts previously
blacklisted by a <command>drop</command>, blacklisted by a <command>drop</command>,
<command>logdrop</command>, <command>reject</command>, or <command>logdrop</command>, <command>reject</command>, or
<command>logreject</command> command.</para> <command>logreject</command> command. Beginning with Shorewall
5.0.10, this command can also re-enable addresses blacklisted using
the <command>blacklist</command> command.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>


@ -321,7 +321,7 @@ loc eth2 -</programlisting>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>loopback</term> <term><emphasis role="bold">loopback</emphasis></term>
<listitem> <listitem>
<para>Added in Shorewall 4.6.6. Designates the interface as <para>Added in Shorewall 4.6.6. Designates the interface as


@ -932,7 +932,9 @@
blacklisted by a <emphasis role="bold">drop</emphasis>, <emphasis blacklisted by a <emphasis role="bold">drop</emphasis>, <emphasis
role="bold">logdrop</emphasis>, <emphasis role="bold">logdrop</emphasis>, <emphasis
role="bold">reject</emphasis>, or <emphasis role="bold">reject</emphasis>, or <emphasis
role="bold">logreject</emphasis> command.</para> role="bold">logreject</emphasis> command. Beginning with Shorewall
5.0.10, this command can also re-enable addresses blacklisted using
the <command>blacklist</command> command.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>