Make the allow command work with both ipset and chain dynamic blacklisting

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2016-06-14 13:42:20 -07:00
parent ea56d4ed19
commit 56b6db1a3d


@ -2522,9 +2522,18 @@ hits_command() {
# 'allow' command executor # 'allow' command executor
# #
allow_command() { allow_command() {
[ -n "$g_debugging" ] && set -x [ -n "$g_debugging" ] && set -x
[ $# -eq 1 ] && missing_argument [ $# -eq 1 ] && missing_argument
if product_is_started ; then if product_is_started ; then
local allowed
local which
which='-s'
local range
range='--src-range'
local dynexists
if [ -n "$g_blacklistipset" ]; then if [ -n "$g_blacklistipset" ]; then
case ${IPSET:=ipset} in case ${IPSET:=ipset} in
@ -2538,68 +2547,76 @@ allow_command() {
[ -n "$IPSET" ] || fatal_error "The ipset utility cannot be located" [ -n "$IPSET" ] || fatal_error "The ipset utility cannot be located"
;; ;;
esac esac
fi
[ -n "$g_nolock" ] || mutex_on if chain_exists dynamic; then
dynexists=Yes
elif [ -z "$g_blacklistipset" ]; then
fatal_error "Dynamic blacklisting is not enabled in the current $g_product configuration"
fi
while [ $# -gt 1 ]; do [ -n "$g_nolock" ] || mutex_on
shift
qt $IPSET -D $g_blacklistipset $1 && progress_message2 "$1 Allowed" || error_message "WARNING: Address $1 was not currently blacklisted" while [ $# -gt 1 ]; do
done shift
[ -n "$g_nolock" ] || mutex_off allowed=''
else
local which
which='-s'
local range
range='--src-range'
if ! chain_exists dynamic; then case $1 in
fatal_error "Dynamic blacklisting is not enabled in the current $g_product configuration" from)
fi which='-s'
range='--src-range'
[ -n "$g_nolock" ] || mutex_on continue
;;
while [ $# -gt 1 ]; do to)
shift which='-d'
case $1 in range='--dst-range'
from) continue
which='-s' ;;
range='--src-range' *-*)
continue if [ -n "$g_blacklistipset" ]; then
;; if qt $IPSET -D $g_blacklistipset $1; then
to) allowed=Yes
which='-d'
range='--dst-range'
continue
;;
*-*)
if qt $g_tool -D dynamic -m iprange $range $1 -j reject ||\
qt $g_tool -D dynamic -m iprange $range $1 -j DROP ||\
qt $g_tool -D dynamic -m iprange $range $1 -j logdrop ||\
qt $g_tool -D dynamic -m iprange $range $1 -j logreject
then
echo "$1 Allowed"
else
echo "$1 Not Dropped or Rejected"
fi fi
;; fi
*)
if [ -n "$dynexists" ]; then
if qt $g_tool -D dynamic -m iprange $range $1 -j reject ||\
qt $g_tool -D dynamic -m iprange $range $1 -j DROP ||\
qt $g_tool -D dynamic -m iprange $range $1 -j logdrop ||\
qt $g_tool -D dynamic -m iprange $range $1 -j logreject
then
allowed=Yes
fi
fi
;;
*)
if [ -n "$g_blacklistipset" ]; then
if qt $IPSET -D $g_blacklistipset $1; then
allowed=Yes
fi
fi
if [ -n "$dynexists" ]; then
if qt $g_tool -D dynamic $which $1 -j reject ||\ if qt $g_tool -D dynamic $which $1 -j reject ||\
qt $g_tool -D dynamic $which $1 -j DROP ||\ qt $g_tool -D dynamic $which $1 -j DROP ||\
qt $g_tool -D dynamic $which $1 -j logdrop ||\ qt $g_tool -D dynamic $which $1 -j logdrop ||\
qt $g_tool -D dynamic $which $1 -j logreject qt $g_tool -D dynamic $which $1 -j logreject
then then
echo "$1 Allowed" allowed=Yes
else
echo "$1 Not Dropped or Rejected"
fi fi
;; fi
esac ;;
done esac
[ -n "$g_nolock" ] || mutex_off if [ -n "$allowed" ]; then
fi progress_message2 "$1 Allowed"
else
error_message "WARNING: $1 already allowed (not dynamically blacklisted)"
fi
done
[ -n "$g_nolock" ] || mutex_off
else else
error_message "ERROR: $g_product is not started" error_message "ERROR: $g_product is not started"
exit 2 exit 2
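Review bot: The new per-address report at the end of the loop tells the operator `WARNING: $1 already allowed (not dynamically blacklisted)` whenever neither deletion succeeded, but the deletions run through `qt`, which discards the tool's diagnostics, so a malformed address, a missing set or an insufficient-privilege error is reported exactly like a genuine "entry not present" and nothing visible here raises a non-zero status; the operator is told an address is allowed while it may still be blocked. The message should not assert a state the code has not verified, e.g. `error_message "WARNING: $1 was not removed from the dynamic blacklist (not present, or the deletion failed)"`, or the ipset/iptables stderr should be captured instead of silenced so the two cases can be told apart. The same masking applies to the ipset deletion in the `*-*)` arm. The `fi` and `}` that close allow_command appear to lie past the end of this hunk.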