mirror of
https://gitlab.com/shorewall/code.git
synced 2024-12-15 19:01:19 +01:00
A number of corrections to split blacklisting.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
parent
64544f4ab5
commit
50300a60b7
@ -287,8 +287,8 @@ sub setup_blacklist() {
|
||||
$chainref1 ,
|
||||
NO_RESTRICT ,
|
||||
do_proto( $protocol , $ports, '' ) ,
|
||||
$networks,
|
||||
'',
|
||||
$networks,
|
||||
'' ,
|
||||
$target ,
|
||||
'' ,
|
||||
@ -323,6 +323,7 @@ sub setup_blacklist() {
|
||||
progress_message " Type 1 blacklisting enabled on ${interface}:${network}";
|
||||
}
|
||||
|
||||
if ( @{$chainref1->{rules}} ) {
|
||||
for my $hostref ( @$hosts1 ) {
|
||||
my $interface = $hostref->[0];
|
||||
my $ipsec = $hostref->[1];
|
||||
@ -331,16 +332,13 @@ sub setup_blacklist() {
|
||||
my $source = match_source_net $network;
|
||||
my $target = source_exclusion( $hostref->[3], $chainref1 );
|
||||
|
||||
for my $chain ( first_chains $interface ) {
|
||||
add_jump $filter_table->{$chain} , $target, 0, "${source}${state}${policy}";
|
||||
}
|
||||
add_jump $filter_table->{forward_chain $interface} , $target, 0, "${source}${state}${policy}";
|
||||
|
||||
set_interface_option $interface, 'use_input_chain', 1;
|
||||
set_interface_option $interface, 'use_forward_chain', 1;
|
||||
|
||||
progress_message " Type 2 blacklisting enabled on ${interface}:${network}";
|
||||
}
|
||||
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@ -1875,6 +1873,8 @@ sub generate_matrix() {
|
||||
my $preroutingref = ensure_chain 'nat', 'dnat';
|
||||
my $fw = firewall_zone;
|
||||
my $notrackref = $raw_table->{notrack_chain $fw};
|
||||
my $state = $config{BLACKLISTNEWONLY} ? $globals{UNTRACKED} ? "$globals{STATEMATCH} NEW,INVALID,UNTRACKED " : "$globals{STATEMATCH} NEW,INVALID " : '';
|
||||
my $blackout = @{$filter_table->{blackout}{rules}};
|
||||
my @zones = off_firewall_zones;
|
||||
my @vservers = vserver_zones;
|
||||
my $interface_jumps_added = 0;
|
||||
@ -2010,7 +2010,7 @@ sub generate_matrix() {
|
||||
my $ipsec_in_match = match_ipsec_in $zone , $hostref;
|
||||
my $ipsec_out_match = match_ipsec_out $zone , $hostref;
|
||||
my $exclusions = $hostref->{exclusions};
|
||||
my $blacklist = $hostref->{options}{blacklist} & BL_OUT;
|
||||
my $blacklist = $blackout && $hostref->{options}{blacklist} & BL_IN;
|
||||
|
||||
for my $net ( @{$hostref->{hosts}} ) {
|
||||
my $dest = match_dest_net $net;
|
||||
@ -2291,7 +2291,7 @@ sub generate_matrix() {
|
||||
add_jump $frwd_ref , $last_chain, 1 if $frwd_ref && $last_chain;
|
||||
}
|
||||
|
||||
add_jump( $filter_table->{$_}, $filter_table->{blackout} , 0 , '' , 0 , 0 ) for keys %needs_bl_jump;
|
||||
add_jump( $filter_table->{$_}, $filter_table->{blackout} , 0 , $state , 0 , 0 ) for keys %needs_bl_jump;
|
||||
add_interface_jumps @interfaces unless $interface_jumps_added;
|
||||
|
||||
my %builtins = ( mangle => [ qw/PREROUTING INPUT FORWARD POSTROUTING/ ] ,
|
||||
|
@ -685,7 +685,7 @@ sub add_group_to_zone($$$$$)
|
||||
# Make 'find_hosts_by_option()' work correctly for this zone
|
||||
#
|
||||
for ( qw/blacklist maclist nosmurfs tcpflags/ ) {
|
||||
$options->{$_} = 1 if $interfaceref->{options}{$_};
|
||||
$options->{$_} = $interfaceref->{options}{$_} if $interfaceref->{options}{$_};
|
||||
}
|
||||
|
||||
$allip = 1;
|
||||
@ -977,7 +977,7 @@ sub process_interface( $$ ) {
|
||||
} elsif ( $option eq 'blacklist' ) {
|
||||
$value = BL_IN unless ( defined $value && $value ne '' );
|
||||
fatal_error "Invalid 'blacklist' value ( $value )" unless $value =~ /^[12]$/;
|
||||
$options{blacklist} = $value eq 1 ? BL_IN | BL_OUT : BL_OUT;
|
||||
$options{blacklist} = $value;
|
||||
$hostoptions{blacklist} = $options{blacklist} & BL_IN;
|
||||
} else {
|
||||
assert( 0 );
|
||||
|
Loading…
Reference in New Issue
Block a user