Replace bizarre {dbl} encoding (what was I smoking when I wrote that code?)
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
parent
a96656a509
commit
4ca77b109c
@ -953,9 +953,8 @@ sub add_common_rules ( $ ) {
|
||||
|
||||
my @nodbl = @{$interfaceref->{nodbl}};
|
||||
|
||||
if ( $dbl_ipset && ( ( my $setting = get_interface_option( $interface, 'dbl' ) ) ne '0:0' ) ) {
|
||||
if ( $dbl_ipset && ( ( my $setting = get_interface_option( $interface, 'dbl' ) ) ) ) {
|
||||
|
||||
my ( $in, $out ) = split /:/, $setting;
|
||||
my ( $src_target, $dst_target ) = ( $dbl_src_target, $dbl_dst_target );
|
||||
my ( @src_exclude, @dst_exclude );
|
||||
|
||||
@ -993,20 +992,19 @@ sub add_common_rules ( $ ) {
|
||||
}
|
||||
}
|
||||
|
||||
if ( $in == 1 ) {
|
||||
if ( $setting & DBL_SRC) {
|
||||
#
|
||||
# src
|
||||
# src or src-dst
|
||||
#
|
||||
add_ijump_extended( $filter_table->{input_option_chain($interface)}, j => $src_target, $origin{DYNAMIC_BLACKLIST}, @src_exclude, @state, set => "--match-set $dbl_ipset src" );
|
||||
add_ijump_extended( $filter_table->{forward_option_chain($interface)}, j => $src_target, $origin{DYNAMIC_BLACKLIST}, @dst_exclude, @state, set => "--match-set $dbl_ipset src" );
|
||||
} elsif ( $in == 2 ) {
|
||||
add_ijump_extended( $filter_table->{forward_option_chain($interface)}, j => $dst_target, $origin{DYNAMIC_BLACKLIST}, @dst_exclude, @state, set => "--match-set $dbl_ipset dst" );
|
||||
}
|
||||
|
||||
if ( $out == 2 ) {
|
||||
if ( $setting & DBL_DST ) {
|
||||
#
|
||||
# dst
|
||||
# dst or src-dst
|
||||
#
|
||||
add_ijump_extended( $filter_table->{forward_option_chain($interface)}, j => $dst_target, $origin{DYNAMIC_BLACKLIST}, @dst_exclude, @state, set => "--match-set $dbl_ipset dst" );
|
||||
add_ijump_extended( $filter_table->{output_option_chain($interface)}, j => $dbl_dst_target, $origin{DYNAMIC_BLACKLIST}, @dst_exclude, @state, set => "--match-set $dbl_ipset dst" );
|
||||
}
|
||||
}
|
||||
|
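Review bot: The new `$setting & DBL_DST` block is not behaviour-preserving for an interface configured with `dbl=dst`: the old `$in == 2` branch emitted only the FORWARD `--match-set $dbl_ipset dst` rule, whereas the new block unconditionally adds the OUTPUT-chain rule as well, which previously appeared only for `src-dst` (`$out == 2`). If the extra OUTPUT rule for dst-only interfaces is intended, the commit message should say so rather than presenting this as a pure encoding change; if not, gate that call, e.g. `... if ( $setting & DBL_SRC_DST ) == DBL_SRC_DST;`. Note also that the `&` tests assume every writer of the `dbl` interface option now stores the numeric bitmask; I cannot see other producers from here, but a leftover `'1:2'` string would numify to 1 and silently drop the dst half. The enclosing `add_common_rules` starts and ends outside this hunk.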
@ -49,6 +49,10 @@ our @EXPORT = ( qw( NOTHING
|
||||
GROUP
|
||||
NO_UPDOWN
|
||||
NO_SFILTER
|
||||
DBL_NONE
|
||||
DBL_SRC
|
||||
DBL_DST
|
||||
DBL_SRC_DST
|
||||
|
||||
determine_zones
|
||||
zone_report
|
||||
@ -214,6 +218,14 @@ use constant { NOTHING => 'NOTHING',
|
||||
IPSECMODE => 'tunnel|transport'
|
||||
};
|
||||
|
||||
#
|
||||
# Dynamic blacklisting values
|
||||
#
|
||||
use constant { DBL_NONE => 0,
|
||||
DBL_SRC => 1,
|
||||
DBL_DST => 2,
|
||||
DBL_SRC_DST => 3 };
|
||||
|
||||
sub NETWORK() {
|
||||
$family == F_IPV4 ? '\d+.\d+.\d+.\d+(\/\d+)?' : '(?:[0-9a-fA-F]{0,4}:){2,7}[0-9a-fA-F]{0,4}(?:\/d+)?';
|
||||
}
|
||||
@ -1321,7 +1333,7 @@ sub process_interface( $$ ) {
|
||||
my %options;
|
||||
|
||||
$options{port} = 1 if $port;
|
||||
$options{dbl} = $config{DYNAMIC_BLACKLIST} =~ /^ipset(-only)?.*,src-dst/ ? '1:2' : $config{DYNAMIC_BLACKLIST} ? '1:0' : '0:0';
|
||||
$options{dbl} = $config{DYNAMIC_BLACKLIST} =~ /^ipset(-only)?.*,src-dst/ ? DBL_SRC_DST : $config{DYNAMIC_BLACKLIST} ? DBL_SRC : DBL_NONE;
|
||||
|
||||
my $hostoptionsref = {};
|
||||
|
||||
@ -1364,7 +1376,7 @@ sub process_interface( $$ ) {
|
||||
warning_message "The 'blacklist' option is ignored on multi-zone interfaces";
|
||||
}
|
||||
} elsif ( $option eq 'nodbl' ) {
|
||||
$options{dbl} = '0:0';
|
||||
$options{dbl} = DBL_NONE;
|
||||
} else {
|
||||
$options{$option} = 1;
|
||||
$hostoptions{$option} = 1 if $hostopt;
|
||||
@ -1387,7 +1399,7 @@ sub process_interface( $$ ) {
|
||||
$options{arp_ignore} = 1;
|
||||
}
|
||||
} elsif ( $option eq 'dbl' ) {
|
||||
my %values = ( none => '0:0', src => '1:0', dst => '2:0', 'src-dst' => '1:2' );
|
||||
my %values = ( none => 0, src => DBL_SRC, dst => DBL_DST, 'src-dst' => DBL_SRC_DST );
|
||||
|
||||
fatal_error q(The 'dbl' option requires a value) unless defined $value;
|
||||
fatal_error qq(Invalid setting ($value) for 'dbl') unless defined ( $options{dbl} = $values{$value} );
|
||||
|
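Review bot: The `%values` table in the `dbl` option parser maps `none => 0`, while the `nodbl` branch a few lines earlier assigns `DBL_NONE`; use the constant in both places so the encoding has a single definition: `my %values = ( none => DBL_NONE, src => DBL_SRC, dst => DBL_DST, 'src-dst' => DBL_SRC_DST );`. Since the consumer side tests these values with `&`, the constant block would also benefit from a comment making the bit-flag contract explicit, e.g. `# Bit flags; DBL_SRC_DST must remain DBL_SRC | DBL_DST because callers test with '&'`, so that a later value cannot be added without breaking that assumption. The enclosing `process_interface` starts and ends outside these hunks.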