From 4ca77b109c556da32f28d9e29827185837285b63 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Sat, 2 Mar 2024 10:40:12 -0800
Subject: [PATCH] Replace bizarre {dbl} encoding (what was I smoking when I wrote that code?)
Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Misc.pm | 14 ++++++--------
 Shorewall/Perl/Shorewall/Zones.pm | 18 +++++++++++++++---
 2 files changed, 21 insertions(+), 11 deletions(-)
diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm
index ede9137f3..61216b0c3 100644
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -953,9 +953,8 @@ sub add_common_rules ( $ ) {
 my @nodbl = @{$interfaceref->{nodbl}};
- if ( $dbl_ipset && ( ( my $setting = get_interface_option( $interface, 'dbl' ) ) ne '0:0' ) ) {
+ if ( $dbl_ipset && ( ( my $setting = get_interface_option( $interface, 'dbl' ) ) ) ) {
- my ( $in, $out ) = split /:/, $setting;
 my ( $src_target, $dst_target ) = ( $dbl_src_target, $dbl_dst_target );
 my ( @src_exclude, @dst_exclude );
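Review bot: With the `ne '0:0'` comparison gone, the doubled parentheses around the assignment on the `+` line are redundant and obscure that the test is now plain truthiness of the stored value; `if ( $dbl_ipset && ( my $setting = get_interface_option( $interface, 'dbl' ) ) ) {` reads more clearly. That truthiness test silently depends on DBL_NONE being 0 and on every stored `dbl` value being one of the new numeric constants, so a comment at the point of reliance would help, e.g. `# $setting is a DBL_* bitmask; DBL_NONE (0) disables dynamic blacklisting on this interface`. add_common_rules begins before this hunk and continues after it.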
@@ -993,20 +992,19 @@ sub add_common_rules ( $ ) {
 }
 }
- if ( $in == 1 ) {
+ if ( $setting & DBL_SRC) {
 #
- # src
+ # src or src-dst
 #
 add_ijump_extended( $filter_table->{input_option_chain($interface)}, j => $src_target, $origin{DYNAMIC_BLACKLIST}, @src_exclude, @state, set => "--match-set $dbl_ipset src" );
 add_ijump_extended( $filter_table->{forward_option_chain($interface)}, j => $src_target, $origin{DYNAMIC_BLACKLIST}, @dst_exclude, @state, set => "--match-set $dbl_ipset src" );
- } elsif ( $in == 2 ) {
- add_ijump_extended( $filter_table->{forward_option_chain($interface)}, j => $dst_target, $origin{DYNAMIC_BLACKLIST}, @dst_exclude, @state, set => "--match-set $dbl_ipset dst" );
 }
- if ( $out == 2 ) {
+ if ( $setting & DBL_DST ) {
 #
- # dst
+ # dst or src-dst
 #
+ add_ijump_extended( $filter_table->{forward_option_chain($interface)}, j => $dst_target, $origin{DYNAMIC_BLACKLIST}, @dst_exclude, @state, set => "--match-set $dbl_ipset dst" );
 add_ijump_extended( $filter_table->{output_option_chain($interface)}, j => $dbl_dst_target, $origin{DYNAMIC_BLACKLIST}, @dst_exclude, @state, set => "--match-set $dbl_ipset dst" );
 }
 }
diff --git a/Shorewall/Perl/Shorewall/Zones.pm b/Shorewall/Perl/Shorewall/Zones.pm
index 5558ff8b7..1856a6b8d 100644
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -49,6 +49,10 @@ our @EXPORT = ( qw( NOTHING
 GROUP
 NO_UPDOWN
 NO_SFILTER
+ DBL_NONE
+ DBL_SRC
+ DBL_DST
+ DBL_SRC_DST
 determine_zones
 zone_report
@@ -214,6 +218,14 @@ use constant { NOTHING => 'NOTHING',
 IPSECMODE => 'tunnel|transport' };
+#
+# Dynamic blacklisting values
+#
+use constant { DBL_NONE => 0,
+ DBL_SRC => 1,
+ DBL_DST => 2,
+ DBL_SRC_DST => 3 };
+
 sub NETWORK() {
 $family == F_IPV4 ? '\d+.\d+.\d+.\d+(\/\d+)?' : '(?:[0-9a-fA-F]{0,4}:){2,7}[0-9a-fA-F]{0,4}(?:\/d+)?';
 }
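Review bot: The new `DBL_DST` branch emits both the FORWARD and the OUTPUT dst rules, whereas the removed code gave `dst` (`2:0`, i.e. `$in == 2`) only the FORWARD rule and `src-dst` (`1:2`) only the OUTPUT rule, so every interface configured with either value now gets one more match-set rule than before. That is presumably the intended meaning of dst/src-dst, but it changes the generated ruleset rather than merely re-encoding the option, and the commit message and changelog should say so. Also, the added FORWARD rule jumps to `$dst_target` while the unchanged OUTPUT rule below it jumps to `$dbl_dst_target`; if the lines elided above this hunk can rebind `$dst_target` as they appear to do for `$src_target`, the two rules can diverge — worth confirming that is deliberate, or using one variable for both. Minor: `if ( $setting & DBL_SRC)` lacks the space before `)` that the sibling `if ( $setting & DBL_DST )` has. add_common_rules begins before this hunk.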
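Review bot: The new constants are consumed as bit flags (Misc.pm tests `$setting & DBL_SRC` and `$setting & DBL_DST`) and DBL_SRC_DST is their union, but the three-line header documents none of that, and a single `use constant { ... }` hash cannot spell `DBL_SRC | DBL_DST` for the fourth entry. I would expand the header to state that the values are bit flags tested with `&`, that DBL_NONE must remain 0 because callers test the stored value for truth, and tag the union explicitly, e.g. `DBL_SRC_DST => 3 }; # DBL_SRC | DBL_DST`. Unrelated to this change, the IPv6 alternative in NETWORK() a few lines below ends in `(?:\/d+)?`, which looks like a typo for `(?:\/\d+)?` and would not accept a numeric prefix length — worth a follow-up.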
@@ -1321,7 +1333,7 @@ sub process_interface( $$ ) {
 my %options;
 $options{port} = 1 if $port;
- $options{dbl} = $config{DYNAMIC_BLACKLIST} =~ /^ipset(-only)?.*,src-dst/ ? '1:2' : $config{DYNAMIC_BLACKLIST} ? '1:0' : '0:0';
+ $options{dbl} = $config{DYNAMIC_BLACKLIST} =~ /^ipset(-only)?.*,src-dst/ ? DBL_SRC_DST : $config{DYNAMIC_BLACKLIST} ? DBL_SRC : DBL_NONE;
 my $hostoptionsref = {};
@@ -1364,7 +1376,7 @@ sub process_interface( $$ ) {
 warning_message "The 'blacklist' option is ignored on multi-zone interfaces";
 }
 } elsif ( $option eq 'nodbl' ) {
- $options{dbl} = '0:0';
+ $options{dbl} = DBL_NONE;
 } else {
 $options{$option} = 1;
 $hostoptions{$option} = 1 if $hostopt;
@@ -1387,7 +1399,7 @@ sub process_interface( $$ ) {
 $options{arp_ignore} = 1;
 }
 } elsif ( $option eq 'dbl' ) {
- my %values = ( none => '0:0', src => '1:0', dst => '2:0', 'src-dst' => '1:2' );
+ my %values = ( none => 0, src => DBL_SRC, dst => DBL_DST, 'src-dst' => DBL_SRC_DST );
 fatal_error q(The 'dbl' option requires a value) unless defined $value;
 fatal_error qq(Invalid setting ($value) for 'dbl') unless defined ( $options{dbl} = $values{$value} );
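Review bot: In the `%values` table of the last hunk, `none => 0` is the only entry written as a bare literal while the other three entries and the `nodbl` hunk above use the DBL_* constants; `my %values = ( none => DBL_NONE, src => DBL_SRC, dst => DBL_DST, 'src-dst' => DBL_SRC_DST );` keeps all three hunks consistent and ties the value to the same constant whose falsity Misc.pm relies on. Note that the validity check on the final line uses `defined`, not truth, which is exactly what lets `none` map to 0 without being reported as an invalid setting — a one-line comment there, e.g. `# defined, not truth: 'none' legitimately maps to DBL_NONE (0)`, would spare the next reader that double-take. process_interface starts before these hunks and continues after them.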