'allow' now works with ipset-based dynamic blacklisting

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2016-06-09 08:44:25 -07:00
parent cd01df4200
commit 4869f61a25
No known key found for this signature in database
GPG Key ID: 96E6B3F2423A4D10
7 changed files with 86 additions and 51 deletions


@ -2525,54 +2525,81 @@ allow_command() {
[ -n "$g_debugging" ] && set -x [ -n "$g_debugging" ] && set -x
[ $# -eq 1 ] && missing_argument [ $# -eq 1 ] && missing_argument
if product_is_started ; then if product_is_started ; then
local which if [ -n "$g_blacklistipset" ]; then
which='-s'
local range
range='--src-range'
if ! chain_exists dynamic; then case ${IPSET:=ipset} in
fatal_error "Dynamic blacklisting is not enabled in the current $g_product configuration" */*)
fi if [ ! -x "$IPSET" ]; then
fatal_error "IPSET=$IPSET does not exist or is not executable"
[ -n "$g_nolock" ] || mutex_on
while [ $# -gt 1 ]; do
shift
case $1 in
from)
which='-s'
range='--src-range'
continue
;;
to)
which='-d'
range='--dst-range'
continue
;;
*-*)
if qt $g_tool -D dynamic -m iprange $range $1 -j reject ||\
qt $g_tool -D dynamic -m iprange $range $1 -j DROP ||\
qt $g_tool -D dynamic -m iprange $range $1 -j logdrop ||\
qt $g_tool -D dynamic -m iprange $range $1 -j logreject
then
echo "$1 Allowed"
else
echo "$1 Not Dropped or Rejected"
fi fi
;; ;;
*) *)
if qt $g_tool -D dynamic $which $1 -j reject ||\ IPSET="$(mywhich $IPSET)"
qt $g_tool -D dynamic $which $1 -j DROP ||\ [ -n "$IPSET" ] || fatal_error "The ipset utility cannot be located"
qt $g_tool -D dynamic $which $1 -j logdrop ||\
qt $g_tool -D dynamic $which $1 -j logreject
then
echo "$1 Allowed"
else
echo "$1 Not Dropped or Rejected"
fi
;; ;;
esac esac
done
[ -n "$g_nolock" ] || mutex_off [ -n "$g_nolock" ] || mutex_on
while [ $# -gt 1 ]; do
shift
qt $IPSET -D $g_blacklistipset $1 && progress_message2 "$1 Allowed" || error_message "WARNING: Address $1 was not currently blacklisted"
done
[ -n "$g_nolock" ] || mutex_off
else
local which
which='-s'
local range
range='--src-range'
if ! chain_exists dynamic; then
fatal_error "Dynamic blacklisting is not enabled in the current $g_product configuration"
fi
[ -n "$g_nolock" ] || mutex_on
while [ $# -gt 1 ]; do
shift
case $1 in
from)
which='-s'
range='--src-range'
continue
;;
to)
which='-d'
range='--dst-range'
continue
;;
*-*)
if qt $g_tool -D dynamic -m iprange $range $1 -j reject ||\
qt $g_tool -D dynamic -m iprange $range $1 -j DROP ||\
qt $g_tool -D dynamic -m iprange $range $1 -j logdrop ||\
qt $g_tool -D dynamic -m iprange $range $1 -j logreject
then
echo "$1 Allowed"
else
echo "$1 Not Dropped or Rejected"
fi
;;
*)
if qt $g_tool -D dynamic $which $1 -j reject ||\
qt $g_tool -D dynamic $which $1 -j DROP ||\
qt $g_tool -D dynamic $which $1 -j logdrop ||\
qt $g_tool -D dynamic $which $1 -j logreject
then
echo "$1 Allowed"
else
echo "$1 Not Dropped or Rejected"
fi
;;
esac
done
[ -n "$g_nolock" ] || mutex_off
fi
else else
error_message "ERROR: $g_product is not started" error_message "ERROR: $g_product is not started"
exit 2 exit 2
@ -3507,7 +3534,7 @@ blacklist_command() {
;; ;;
esac esac
$IPSET -A $g_blacklistipset $@ || { error_message "ERROR: Address $1 not blacklisted"; return 1; } $IPSET -A $g_blacklistipset $@ && progress_message2 "$1 Blacklisted" || { error_message "ERROR: Address $1 not blacklisted"; return 1; }
return 0 return 0
} }
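Review bot: The new ipset branch's loop (the `while [ $# -gt 1 ]` / `qt $IPSET -D $g_blacklistipset $1` lines) does not recognise the `from` and `to` keywords that the iptables branch below it still accepts, so `allow from <addr>` with ipset-based blacklisting would pass the literal word `from` to ipset and print "WARNING: Address from was not currently blacklisted". Since direction has no meaning for a set of addresses, the loop should at least skip those tokens, e.g. `case $1 in from|to) continue ;; esac` right after the `shift`, or reject them with an explicit message so the two branches behave consistently. The `$1` handed to ipset is unquoted; that matches the rest of the function, but `"$1"` would be the safer form for a user-supplied argument. allow_command's opening line and its lines after `exit 2` are outside the hunk, and the separate blacklist_command hunk in this file is not reviewed here.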


@ -702,7 +702,9 @@
blacklisted by a <emphasis role="bold">drop</emphasis>, <emphasis blacklisted by a <emphasis role="bold">drop</emphasis>, <emphasis
role="bold">logdrop</emphasis>, <emphasis role="bold">logdrop</emphasis>, <emphasis
role="bold">reject</emphasis>, or <emphasis role="bold">reject</emphasis>, or <emphasis
role="bold">logreject</emphasis> command.</para> role="bold">logreject</emphasis> command. Beginning with Shorewall
5.0.10, this command can also re-enable addresses blacklisted using
the <command>blacklist</command> command.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>


@ -380,7 +380,7 @@ loc eth2 -</programlisting>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>loopback</term> <term><emphasis role="bold">loopback</emphasis></term>
<listitem> <listitem>
<para>Added in Shorewall 4.6.6. Designates the interface as <para>Added in Shorewall 4.6.6. Designates the interface as
@ -451,8 +451,8 @@ loc eth2 -</programlisting>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis <term><emphasis role="bold"><emphasis
role="bold">mss</emphasis>=<emphasis>number</emphasis></term> role="bold">mss</emphasis>=</emphasis><emphasis>number</emphasis></term>
<listitem> <listitem>
<para>Added in Shorewall 4.0.3. Causes forwarded TCP SYN <para>Added in Shorewall 4.0.3. Causes forwarded TCP SYN


@ -964,7 +964,9 @@
blacklisted by a <emphasis role="bold">drop</emphasis>, <emphasis blacklisted by a <emphasis role="bold">drop</emphasis>, <emphasis
role="bold">logdrop</emphasis>, <emphasis role="bold">logdrop</emphasis>, <emphasis
role="bold">reject</emphasis>, or <emphasis role="bold">reject</emphasis>, or <emphasis
role="bold">logreject</emphasis> command.</para> role="bold">logreject</emphasis> command. Beginning with Shorewall
5.0.10, this command can also re-enable addresses blacklisted using
the <command>blacklist</command> command.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>


@ -679,7 +679,9 @@
<para>Re-enables receipt of packets from hosts previously <para>Re-enables receipt of packets from hosts previously
blacklisted by a <command>drop</command>, blacklisted by a <command>drop</command>,
<command>logdrop</command>, <command>reject</command>, or <command>logdrop</command>, <command>reject</command>, or
<command>logreject</command> command.</para> <command>logreject</command> command. Beginning with Shorewall
5.0.10, this command can also re-enable addresses blacklisted using
the <command>blacklist</command> command.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>


@ -321,7 +321,7 @@ loc eth2 -</programlisting>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>loopback</term> <term><emphasis role="bold">loopback</emphasis></term>
<listitem> <listitem>
<para>Added in Shorewall 4.6.6. Designates the interface as <para>Added in Shorewall 4.6.6. Designates the interface as


@ -932,7 +932,9 @@
blacklisted by a <emphasis role="bold">drop</emphasis>, <emphasis blacklisted by a <emphasis role="bold">drop</emphasis>, <emphasis
role="bold">logdrop</emphasis>, <emphasis role="bold">logdrop</emphasis>, <emphasis
role="bold">reject</emphasis>, or <emphasis role="bold">reject</emphasis>, or <emphasis
role="bold">logreject</emphasis> command.</para> role="bold">logreject</emphasis> command. Beginning with Shorewall
5.0.10, this command can also re-enable addresses blacklisted using
the <command>blacklist</command> command.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>