mirror of
https://gitlab.com/shorewall/code.git
synced 2024-12-23 06:38:53 +01:00
Merge branch 'master' of ssh://server.shorewall.net/home/teastep/shorewall/code
This commit is contained in:
commit
726d7cde65
@ -3622,6 +3622,7 @@ reject_command() {
|
||||
|
||||
blacklist_command() {
|
||||
local family
|
||||
local timeout
|
||||
|
||||
[ $# -gt 0 ] || fatal_error "Missing address"
|
||||
|
||||
@ -3639,7 +3640,9 @@ blacklist_command() {
|
||||
;;
|
||||
esac
|
||||
|
||||
if $IPSET -A $g_blacklistipset $@ -exist; then
|
||||
echo "$@" | fgrep -q ' timeout ' || timeout="timeout $g_dbltimeout"
|
||||
|
||||
if $IPSET -A $g_blacklistipset $@ $timeout -exist; then
|
||||
local message
|
||||
|
||||
progress_message2 "$1 Blacklisted"
|
||||
@ -3908,8 +3911,26 @@ setup_dbl() {
|
||||
case $DYNAMIC_BLACKLIST in
|
||||
ipset*,timeout*)
|
||||
#
|
||||
# This utility doesn't need to know about 'timeout=nnn'
|
||||
# Capture timeout
|
||||
#
|
||||
local ifs
|
||||
local f
|
||||
|
||||
ifs=$IFS
|
||||
IFS=','
|
||||
|
||||
for f in $DYNAMIC_BLACKLIST; do
|
||||
case $f in
|
||||
timeout=*)
|
||||
g_dbltimeout=${f#timeout=}
|
||||
g_dbltimeout=${g_dbltimeout%%:*}
|
||||
break
|
||||
;;
|
||||
esac
|
||||
done
|
||||
|
||||
IFS=$ifs
|
||||
|
||||
DYNAMIC_BLACKLIST=$(echo $DYNAMIC_BLACKLIST | sed -r 's/,timeout=[[:digit:]]+//')
|
||||
;;
|
||||
esac
|
||||
@ -4458,6 +4479,7 @@ shorewall_cli() {
|
||||
g_disconnect=
|
||||
g_havemutex=
|
||||
g_trace=
|
||||
g_dbltimeout=
|
||||
|
||||
VERBOSE=
|
||||
VERBOSITY=1
|
||||
|
@ -4079,7 +4079,7 @@ sub optimize_level8( $$$ ) {
|
||||
|
||||
if ( $config{RENAME_COMBINED} && $chainref->{name} !~ /^[~%]/ ) {
|
||||
#
|
||||
# For simple use of the BLACKLIST section, we can end up with many identical
|
||||
# For simple use of the blrules file, we can end up with many identical
|
||||
# chains. To distinguish them from other renamed chains, we keep track of
|
||||
# these chains via the 'blacklistsection' member.
|
||||
#
|
||||
@ -8890,7 +8890,7 @@ sub ensure_ipsets( @ ) {
|
||||
my $set;
|
||||
my $counters = have_capability( 'IPSET_MATCH_COUNTERS' ) ? ' counters' : '';
|
||||
|
||||
if ( $globals{DBL_TIMEOUT} ne '' && $_[0] eq $globals{DBL_IPSET} ) {
|
||||
if ( $_[0] eq $globals{DBL_IPSET} ) {
|
||||
shift;
|
||||
|
||||
emit( qq( if ! qt \$IPSET list $globals{DBL_IPSET}; then));
|
||||
@ -8901,12 +8901,12 @@ sub ensure_ipsets( @ ) {
|
||||
emit( q( #),
|
||||
q( # Set the timeout for the dynamic blacklisting ipset),
|
||||
q( #),
|
||||
qq( \$IPSET -exist create $globals{DBL_IPSET} hash:net family inet timeout $globals{DBL_TIMEOUT}${counters}) );
|
||||
qq( \$IPSET -exist create $globals{DBL_IPSET} hash:net family inet timeout 0${counters}) );
|
||||
} else {
|
||||
emit( q( #),
|
||||
q( # Set the timeout for the dynamic blacklisting ipset),
|
||||
q( #),
|
||||
qq( \$IPSET -exist create $globals{DBL_IPSET} hash:net family inet6 timeout $globals{DBL_TIMEOUT}${counters}) );
|
||||
qq( \$IPSET -exist create $globals{DBL_IPSET} hash:net family inet6 timeout 0${counters}) );
|
||||
}
|
||||
|
||||
pop_indent;
|
||||
@ -9133,7 +9133,7 @@ sub create_load_ipsets() {
|
||||
emit( ' #',
|
||||
' # Update the dynamic blacklisting ipset timeout value',
|
||||
' #',
|
||||
qq( awk '/create $set/ { sub( /timeout [0-9]+/, "timeout $globals{DBL_TIMEOUT}" ) }; {print};' \${VARDIR}/ipsets.save > \${VARDIR}/ipsets.temp),
|
||||
qq( awk '/create $set/ { sub( /timeout [0-9]+/, "timeout 0" ) }; {print};' \${VARDIR}/ipsets.save > \${VARDIR}/ipsets.temp),
|
||||
' zap_ipsets',
|
||||
' $IPSET restore < ${VARDIR}/ipsets.temp',
|
||||
' fi' );
|
||||
|
Loading…
Reference in New Issue
Block a user