mirror of
https://gitlab.com/shorewall/code.git
synced 2025-01-20 12:39:06 +01:00
Break <command> into <command>[<optionlist>]
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
parent
5ba8df81fb
commit
8c27b027fc
@ -54,20 +54,56 @@ if ( supplied $duration ) {
|
|||||||
|
|
||||||
fatal_error "Invalid hit count ($hitcount)" unless $hitcount =~ /^\d+$/;
|
fatal_error "Invalid hit count ($hitcount)" unless $hitcount =~ /^\d+$/;
|
||||||
fatal_error "Invalid Src or Dest ($destination)" unless $destination =~ /^(?:src|dst)$/;
|
fatal_error "Invalid Src or Dest ($destination)" unless $destination =~ /^(?:src|dst)$/;
|
||||||
fatal_error "Invalid reset flag ($command)" unless $command =~ /^(?:reset|update|updatereap|check|checkreap)$/;
|
|
||||||
|
my $srcdst = $destination eq 'src'? '--rsource' : '--rdest';
|
||||||
|
|
||||||
|
our $commands_defined;
|
||||||
|
|
||||||
|
#
|
||||||
|
# Can't 'use constant' here
|
||||||
|
#
|
||||||
|
my ( $UPDATE_CMD, $CHECK_CMD, $RESET_CMD, $REAP_OPT, $TTL_OPT ) = ( 1, 2, 4, 8, 16 );
|
||||||
|
|
||||||
|
my %command = ( check => $CHECK_CMD,
|
||||||
|
update => $UPDATE_CMD,
|
||||||
|
reset => $RESET_CMD
|
||||||
|
);
|
||||||
|
|
||||||
|
my %commandopts = (
|
||||||
|
reap => $REAP_OPT,
|
||||||
|
ttl => $TTL_OPT
|
||||||
|
);
|
||||||
|
|
||||||
|
my @command = split(':', $command);
|
||||||
|
|
||||||
|
$command = $command{shift @command} || 0;
|
||||||
|
|
||||||
|
fatal_error "Command must be 'check', 'update' or 'reset" unless $command & ( $CHECK_CMD | $UPDATE_CMD | $RESET_CMD);
|
||||||
|
|
||||||
|
for ( @command ) {
|
||||||
|
fatal_error "Invalid command option ($_)" unless $commandopts{$_};
|
||||||
|
if ( $command & $commandopts{$_} ) {
|
||||||
|
warning_message "Duplicate command ($_)";
|
||||||
|
} else {
|
||||||
|
$command |= $commandopts{$_};
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
my $duplicate;
|
||||||
|
|
||||||
set_action_disposition( $disposition) if supplied $disposition;
|
set_action_disposition( $disposition) if supplied $disposition;
|
||||||
set_action_name_to_caller;
|
set_action_name_to_caller;
|
||||||
|
|
||||||
require_capability 'RECENT_MATCH', 'Use of events', 's';
|
require_capability 'RECENT_MATCH', 'Use of events', 's';
|
||||||
|
|
||||||
my $reap;
|
if ( $command & $REAP_OPT ) {
|
||||||
|
fatal_error "${command}reap requires a time limit" if ! $duration;
|
||||||
|
$duration .= '--reap ';
|
||||||
|
}
|
||||||
|
|
||||||
fatal_error "${command}reap requires a time limit" if ( $reap = $command =~ s/reap$// ? '--reap ' : '' ) && ! $duration;
|
$duration .= '--rttl ' if $command & $TTL_OPT;
|
||||||
|
|
||||||
$duration .= $reap;
|
if ( $command & $RESET_CMD ) {
|
||||||
|
|
||||||
if ( $command eq 'reset' ) {
|
|
||||||
require_capability 'MARK_ANYWHERE', '"reset"', 's';
|
require_capability 'MARK_ANYWHERE', '"reset"', 's';
|
||||||
|
|
||||||
print "Resetting....\n";
|
print "Resetting....\n";
|
||||||
@ -86,19 +122,15 @@ if ( $command eq 'reset' ) {
|
|||||||
#
|
#
|
||||||
# Mark the packet if event is armed
|
# Mark the packet if event is armed
|
||||||
#
|
#
|
||||||
if ( $destination eq 'dst' ) {
|
perl_action_helper( 'INLINE', "-m recent --rcheck ${duration}--hitcount $hitcount --name $event $srcdst -j MARK --or-mark $mark" );
|
||||||
perl_action_helper( 'INLINE', "-m recent --rcheck ${duration}--hitcount $hitcount --name $event --rdest -j MARK --or-mark $mark" );
|
|
||||||
} else {
|
|
||||||
perl_action_helper( 'INLINE', "-m recent --rcheck ${duration}--hitcount $hitcount --name $event --rsource -j MARK --or-mark $mark" );
|
|
||||||
}
|
|
||||||
#
|
#
|
||||||
# if the event is armed, remove it and perform the action
|
# if the event is armed, remove it and perform the action
|
||||||
#
|
#
|
||||||
perl_action_helper( $action , "-m mark --mark $mark/$mark -m recent --remove --name $event" );
|
perl_action_helper( $action , "-m mark --mark $mark/$mark -m recent --remove --name $event" );
|
||||||
} elsif ( $command eq 'update' ) {
|
} elsif ( $command & $UPDATE_CMD ) {
|
||||||
perl_action_helper( $action, "-m recent --update ${duration}--hitcount $hitcount --name $event" );
|
perl_action_helper( $action, "-m recent --update ${duration}--hitcount $hitcount --name $event $srcdst" );
|
||||||
} else {
|
} else {
|
||||||
perl_action_helper( $action, "-m recent --rcheck ${duration}--hitcount $hitcount --name $event" );
|
perl_action_helper( $action, "-m recent --rcheck ${duration}--hitcount $hitcount --name $event $srcdst" );
|
||||||
}
|
}
|
||||||
|
|
||||||
1;
|
1;
|
||||||
|
@ -272,8 +272,8 @@
|
|||||||
[ <replaceable>duration</replaceable> ], [
|
[ <replaceable>duration</replaceable> ], [
|
||||||
<replaceable>hitcount</replaceable> ], [
|
<replaceable>hitcount</replaceable> ], [
|
||||||
<replaceable>src-dst</replaceable>], [
|
<replaceable>src-dst</replaceable>], [
|
||||||
<replaceable>command</replaceable> ], [
|
<replaceable>command</replaceable>[:<replaceable>option</replaceable>]...,
|
||||||
<replaceable>disposition</replaceable> ] )</para>
|
[ <replaceable>disposition</replaceable> ] )</para>
|
||||||
|
|
||||||
<variablelist>
|
<variablelist>
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
@ -348,8 +348,9 @@
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>Like <emphasis role="bold">check</emphasis>. If the
|
<para>Like <emphasis role="bold">check</emphasis>. If the
|
||||||
test succeeds, the <replaceable>event</replaceable> will be
|
test succeeds, the <replaceable>event</replaceable> will be
|
||||||
reset before the <replaceable>action</replaceable> is
|
reset before the <replaceable>action</replaceable> is taken.
|
||||||
taken.</para>
|
Requires the <firstterm>Mark in filter table</firstterm>
|
||||||
|
capability in your kernel and iptables.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -364,36 +365,35 @@
|
|||||||
<replaceable>event</replaceable>.</para>
|
<replaceable>event</replaceable>.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
|
||||||
<term>checkreap</term>
|
|
||||||
|
|
||||||
<listitem>
|
|
||||||
<para>Requires a <replaceable>duration</replaceable>. Like
|
|
||||||
<emphasis role="bold">check</emphasis> but regardless of
|
|
||||||
whether the test succeeds, entries for the
|
|
||||||
<replaceable>src-dst</replaceable> IP address that are older
|
|
||||||
than <replaceable>duration</replaceable> seconds will be
|
|
||||||
deleted from the <replaceable>event</replaceable>.</para>
|
|
||||||
</listitem>
|
|
||||||
</varlistentry>
|
|
||||||
|
|
||||||
<varlistentry>
|
|
||||||
<term>updatereap</term>
|
|
||||||
|
|
||||||
<listitem>
|
|
||||||
<para>Requires a <replaceable>duration</replaceable>. Like
|
|
||||||
<emphasis role="bold">update</emphasis> but regardless of
|
|
||||||
whether the test succeeds, entries for the
|
|
||||||
<replaceable>src-dst</replaceable> IP address that are older
|
|
||||||
than <replaceable>duration</replaceable> seconds will be
|
|
||||||
deleted from the <replaceable>event</replaceable>.</para>
|
|
||||||
</listitem>
|
|
||||||
</varlistentry>
|
|
||||||
</variablelist>
|
</variablelist>
|
||||||
|
|
||||||
<para>The default is <emphasis
|
<para>The default is <emphasis
|
||||||
role="bold">check</emphasis>.</para>
|
role="bold">check</emphasis>.</para>
|
||||||
|
|
||||||
|
<para><replaceable>option</replaceable> may be one of:</para>
|
||||||
|
|
||||||
|
<variablelist>
|
||||||
|
<varlistentry>
|
||||||
|
<term>reap</term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>Regardless of whether the test succeeds, entries for
|
||||||
|
the <replaceable>src-dst</replaceable> IP address that are
|
||||||
|
older than <replaceable>duration</replaceable> seconds will
|
||||||
|
be deleted from the <replaceable>event</replaceable>.</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term>ttl</term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>Constrains the test to require that the packet TTL
|
||||||
|
match the ttl in the original packet that created the
|
||||||
|
entry.</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
</variablelist>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -521,7 +521,7 @@ IfEvent(SSH_COUNTER,REJECT,300,1)
|
|||||||
#
|
#
|
||||||
# Blacklist if 5 attempts in the last minute
|
# Blacklist if 5 attempts in the last minute
|
||||||
#
|
#
|
||||||
IfEvent(SSH,SSH_BLACKLIST,60,5,src,checkreap)
|
IfEvent(SSH,SSH_BLACKLIST,60,5,src,check:reap)
|
||||||
#
|
#
|
||||||
# Log and reject if the client has tried to connect
|
# Log and reject if the client has tried to connect
|
||||||
# in the last two seconds
|
# in the last two seconds
|
||||||
|
Loading…
Reference in New Issue
Block a user