Make the allow command work with both ipset and chain dynamic blacklisting

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2016-06-14 13:42:20 -07:00
parent ea56d4ed19
commit 56b6db1a3d
GPG Key ID: 96E6B3F2423A4D10


@ -2522,9 +2522,18 @@ hits_command() {
# 'allow' command executor # 'allow' command executor
# #
allow_command() { allow_command() {
[ -n "$g_debugging" ] && set -x [ -n "$g_debugging" ] && set -x
[ $# -eq 1 ] && missing_argument [ $# -eq 1 ] && missing_argument
if product_is_started ; then if product_is_started ; then
local allowed
local which
which='-s'
local range
range='--src-range'
local dynexists
if [ -n "$g_blacklistipset" ]; then if [ -n "$g_blacklistipset" ]; then
case ${IPSET:=ipset} in case ${IPSET:=ipset} in
@ -2538,23 +2547,11 @@ allow_command() {
[ -n "$IPSET" ] || fatal_error "The ipset utility cannot be located" [ -n "$IPSET" ] || fatal_error "The ipset utility cannot be located"
;; ;;
esac esac
fi
[ -n "$g_nolock" ] || mutex_on if chain_exists dynamic; then
dynexists=Yes
while [ $# -gt 1 ]; do elif [ -z "$g_blacklistipset" ]; then
shift
qt $IPSET -D $g_blacklistipset $1 && progress_message2 "$1 Allowed" || error_message "WARNING: Address $1 was not currently blacklisted"
done
[ -n "$g_nolock" ] || mutex_off
else
local which
which='-s'
local range
range='--src-range'
if ! chain_exists dynamic; then
fatal_error "Dynamic blacklisting is not enabled in the current $g_product configuration" fatal_error "Dynamic blacklisting is not enabled in the current $g_product configuration"
fi fi
@ -2562,6 +2559,9 @@ allow_command() {
while [ $# -gt 1 ]; do while [ $# -gt 1 ]; do
shift shift
allowed=''
case $1 in case $1 in
from) from)
which='-s' which='-s'
@ -2574,32 +2574,49 @@ allow_command() {
continue continue
;; ;;
*-*) *-*)
if [ -n "$g_blacklistipset" ]; then
if qt $IPSET -D $g_blacklistipset $1; then
allowed=Yes
fi
fi
if [ -n "$dynexists" ]; then
if qt $g_tool -D dynamic -m iprange $range $1 -j reject ||\ if qt $g_tool -D dynamic -m iprange $range $1 -j reject ||\
qt $g_tool -D dynamic -m iprange $range $1 -j DROP ||\ qt $g_tool -D dynamic -m iprange $range $1 -j DROP ||\
qt $g_tool -D dynamic -m iprange $range $1 -j logdrop ||\ qt $g_tool -D dynamic -m iprange $range $1 -j logdrop ||\
qt $g_tool -D dynamic -m iprange $range $1 -j logreject qt $g_tool -D dynamic -m iprange $range $1 -j logreject
then then
echo "$1 Allowed" allowed=Yes
else fi
echo "$1 Not Dropped or Rejected"
fi fi
;; ;;
*) *)
if [ -n "$g_blacklistipset" ]; then
if qt $IPSET -D $g_blacklistipset $1; then
allowed=Yes
fi
fi
if [ -n "$dynexists" ]; then
if qt $g_tool -D dynamic $which $1 -j reject ||\ if qt $g_tool -D dynamic $which $1 -j reject ||\
qt $g_tool -D dynamic $which $1 -j DROP ||\ qt $g_tool -D dynamic $which $1 -j DROP ||\
qt $g_tool -D dynamic $which $1 -j logdrop ||\ qt $g_tool -D dynamic $which $1 -j logdrop ||\
qt $g_tool -D dynamic $which $1 -j logreject qt $g_tool -D dynamic $which $1 -j logreject
then then
echo "$1 Allowed" allowed=Yes
else fi
echo "$1 Not Dropped or Rejected"
fi fi
;; ;;
esac esac
if [ -n "$allowed" ]; then
progress_message2 "$1 Allowed"
else
error_message "WARNING: $1 already allowed (not dynamically blacklisted)"
fi
done done
[ -n "$g_nolock" ] || mutex_off [ -n "$g_nolock" ] || mutex_off
fi
else else
error_message "ERROR: $g_product is not started" error_message "ERROR: $g_product is not started"
exit 2 exit 2
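Review bot: The ipset deletions added in the `*-*)` and `*)` arms pass only `$1` to `$IPSET -D $g_blacklistipset`, so the `which`/`range` direction state that the `dynamic`-chain deletions honour plays no part there; if the elided arm for `to` switches `which` to `-d` the way the visible `from)` arm sets `-s`, then `allow to ADDR` will remove ADDR from the ipset regardless of direction and report `ADDR Allowed`. Unless the set is meant to be direction-agnostic, either guard the call with the direction, e.g. `if [ -n "$g_blacklistipset" -a "$which" = '-s' ]; then`, or put a comment above the first ipset call stating that ipset blacklisting has no direction and `from`/`to` is ignored for it. Note also that `qt` discards the tools' diagnostics, so the new `WARNING: $1 already allowed (not dynamically blacklisted)` is printed for any failure of both deletions — a set that is not loaded, or a rule with a target other than the four tried — not only for an address that was never blacklisted; the old `Not Dropped or Rejected` wording made fewer assumptions and may be worth keeping. allow_command continues outside the hunk.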