Merge branch 'master' of ssh://server.shorewall.net/home/teastep/shorewall/code

This commit is contained in:
Tom Eastep 2020-05-31 17:39:38 -07:00
commit 726d7cde65
No known key found for this signature in database
GPG Key ID: 96E6B3F2423A4D10
2 changed files with 29 additions and 7 deletions

View File

@ -3622,6 +3622,7 @@ reject_command() {
blacklist_command() {
local family
local timeout
[ $# -gt 0 ] || fatal_error "Missing address"
@ -3639,7 +3640,9 @@ blacklist_command() {
;;
esac
if $IPSET -A $g_blacklistipset $@ -exist; then
echo "$@" | fgrep -q ' timeout ' || timeout="timeout $g_dbltimeout"
if $IPSET -A $g_blacklistipset $@ $timeout -exist; then
local message
progress_message2 "$1 Blacklisted"
@ -3908,8 +3911,26 @@ setup_dbl() {
case $DYNAMIC_BLACKLIST in
ipset*,timeout*)
#
# This utility doesn't need to know about 'timeout=nnn'
# Capture timeout
#
local ifs
local f
ifs=$IFS
IFS=','
for f in $DYNAMIC_BLACKLIST; do
case $f in
timeout=*)
g_dbltimeout=${f#timeout=}
g_dbltimeout=${g_dbltimeout%%:*}
break
;;
esac
done
IFS=$ifs
DYNAMIC_BLACKLIST=$(echo $DYNAMIC_BLACKLIST | sed -r 's/,timeout=[[:digit:]]+//')
;;
esac
@ -4458,6 +4479,7 @@ shorewall_cli() {
g_disconnect=
g_havemutex=
g_trace=
g_dbltimeout=
VERBOSE=
VERBOSITY=1

View File

@ -4079,7 +4079,7 @@ sub optimize_level8( $$$ ) {
if ( $config{RENAME_COMBINED} && $chainref->{name} !~ /^[~%]/ ) {
#
# For simple use of the BLACKLIST section, we can end up with many identical
# For simple use of the blrules file, we can end up with many identical
# chains. To distinguish them from other renamed chains, we keep track of
# these chains via the 'blacklistsection' member.
#
@ -8890,7 +8890,7 @@ sub ensure_ipsets( @ ) {
my $set;
my $counters = have_capability( 'IPSET_MATCH_COUNTERS' ) ? ' counters' : '';
if ( $globals{DBL_TIMEOUT} ne '' && $_[0] eq $globals{DBL_IPSET} ) {
if ( $_[0] eq $globals{DBL_IPSET} ) {
shift;
emit( qq( if ! qt \$IPSET list $globals{DBL_IPSET}; then));
@ -8901,12 +8901,12 @@ sub ensure_ipsets( @ ) {
emit( q( #),
q( # Set the timeout for the dynamic blacklisting ipset),
q( #),
qq( \$IPSET -exist create $globals{DBL_IPSET} hash:net family inet timeout $globals{DBL_TIMEOUT}${counters}) );
qq( \$IPSET -exist create $globals{DBL_IPSET} hash:net family inet timeout 0${counters}) );
} else {
emit( q( #),
q( # Set the timeout for the dynamic blacklisting ipset),
q( #),
qq( \$IPSET -exist create $globals{DBL_IPSET} hash:net family inet6 timeout $globals{DBL_TIMEOUT}${counters}) );
qq( \$IPSET -exist create $globals{DBL_IPSET} hash:net family inet6 timeout 0${counters}) );
}
pop_indent;
@ -9133,7 +9133,7 @@ sub create_load_ipsets() {
emit( ' #',
' # Update the dynamic blacklisting ipset timeout value',
' #',
qq( awk '/create $set/ { sub( /timeout [0-9]+/, "timeout $globals{DBL_TIMEOUT}" ) }; {print};' \${VARDIR}/ipsets.save > \${VARDIR}/ipsets.temp),
qq( awk '/create $set/ { sub( /timeout [0-9]+/, "timeout 0" ) }; {print};' \${VARDIR}/ipsets.save > \${VARDIR}/ipsets.temp),
' zap_ipsets',
' $IPSET restore < ${VARDIR}/ipsets.temp',
' fi' );