Implement REAP_OPTION capability
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
parent
8a278a3dd6
commit
8c4bbf0c85
@ -2260,6 +2260,7 @@ determine_capabilities() {
|
|||||||
PHYSDEV_BRIDGE=
|
PHYSDEV_BRIDGE=
|
||||||
IPRANGE_MATCH=
|
IPRANGE_MATCH=
|
||||||
RECENT_MATCH=
|
RECENT_MATCH=
|
||||||
|
REAP_OPTION=
|
||||||
OWNER_MATCH=
|
OWNER_MATCH=
|
||||||
OWNER_NAME_MATCH=
|
OWNER_NAME_MATCH=
|
||||||
IPSET_MATCH=
|
IPSET_MATCH=
|
||||||
@ -2429,7 +2430,11 @@ determine_capabilities() {
|
|||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
qt $g_tool -A $chain -m recent --update -j ACCEPT && RECENT_MATCH=Yes
|
if qt $g_tool -A $chain -m recent --update -j ACCEPT; then
|
||||||
|
RECENT_MATCH=Yes
|
||||||
|
qt $g_tool -A $chain -m recent --rcheck --seconds 10 --reap && REAP_OPTION=Yes
|
||||||
|
fi
|
||||||
|
|
||||||
qt $g_tool -A $chain -m owner --uid-owner 0 -j ACCEPT && OWNER_MATCH=Yes
|
qt $g_tool -A $chain -m owner --uid-owner 0 -j ACCEPT && OWNER_MATCH=Yes
|
||||||
|
|
||||||
local name
|
local name
|
||||||
@ -2676,6 +2681,7 @@ report_capabilities_unsorted() {
|
|||||||
report_capability "Packet length Match (LENGTH_MATCH)" $LENGTH_MATCH
|
report_capability "Packet length Match (LENGTH_MATCH)" $LENGTH_MATCH
|
||||||
report_capability "IP range Match(IPRANGE_MATCH)" $IPRANGE_MATCH
|
report_capability "IP range Match(IPRANGE_MATCH)" $IPRANGE_MATCH
|
||||||
report_capability "Recent Match (RECENT_MATCH)" $RECENT_MATCH
|
report_capability "Recent Match (RECENT_MATCH)" $RECENT_MATCH
|
||||||
|
[ -n "$RECENT_MATCH" ] && report_capability 'Recent Match "--reap" option'
|
||||||
report_capability "Owner Match (OWNER_MATCH)" $OWNER_MATCH
|
report_capability "Owner Match (OWNER_MATCH)" $OWNER_MATCH
|
||||||
report_capability "Owner Name Match (OWNER_NAME_MATCH)" $OWNER_NAME_MATCH
|
report_capability "Owner Name Match (OWNER_NAME_MATCH)" $OWNER_NAME_MATCH
|
||||||
if [ -n "$IPSET_MATCH" ]; then
|
if [ -n "$IPSET_MATCH" ]; then
|
||||||
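Review bot: The new report line near the end of the hunk passes only a description to report_capability, whereas every neighbouring call passes the description with the variable name in parentheses plus the capability's value as a second argument (`report_capability "Recent Match (RECENT_MATCH)" $RECENT_MATCH`), so the detected value of REAP_OPTION never reaches the report and the line presumably prints the same result whether or not --reap was found (report_capability's handling of a missing second argument is outside this hunk). Suggest `[ -n "$RECENT_MATCH" ] && report_capability 'Recent Match "--reap" option (REAP_OPTION)' $REAP_OPTION`, which also keeps the naming pattern the sorted report and the Perl %capdesc entry use. report_capabilities_unsorted begins and ends outside the hunk.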
@ -2797,6 +2803,7 @@ report_capabilities_unsorted1() {
|
|||||||
report_capability1 LENGTH_MATCH
|
report_capability1 LENGTH_MATCH
|
||||||
report_capability1 IPRANGE_MATCH
|
report_capability1 IPRANGE_MATCH
|
||||||
report_capability1 RECENT_MATCH
|
report_capability1 RECENT_MATCH
|
||||||
|
report_capability1 REAP_OPTION
|
||||||
report_capability1 OWNER_MATCH
|
report_capability1 OWNER_MATCH
|
||||||
report_capability1 OWNER_NAME_MATCH
|
report_capability1 OWNER_NAME_MATCH
|
||||||
report_capability1 IPSET_MATCH
|
report_capability1 IPSET_MATCH
|
||||||
|
@ -316,6 +316,7 @@ our %capdesc = ( NAT_ENABLED => 'NAT',
|
|||||||
LENGTH_MATCH => 'Packet length Match',
|
LENGTH_MATCH => 'Packet length Match',
|
||||||
IPRANGE_MATCH => 'IP Range Match',
|
IPRANGE_MATCH => 'IP Range Match',
|
||||||
RECENT_MATCH => 'Recent Match',
|
RECENT_MATCH => 'Recent Match',
|
||||||
|
REAP_OPTION => 'Recent Match "--reap" option',
|
||||||
OWNER_MATCH => 'Owner Match',
|
OWNER_MATCH => 'Owner Match',
|
||||||
OWNER_NAME_MATCH
|
OWNER_NAME_MATCH
|
||||||
=> 'Owner Name Match',
|
=> 'Owner Name Match',
|
||||||
@ -947,6 +948,7 @@ sub initialize( $;$$) {
|
|||||||
MASQUERADE_TGT => undef,
|
MASQUERADE_TGT => undef,
|
||||||
UDPLITEREDIRECT => undef,
|
UDPLITEREDIRECT => undef,
|
||||||
NEW_TOS_MATCH => undef,
|
NEW_TOS_MATCH => undef,
|
||||||
|
REAP_OPTION => undef,
|
||||||
|
|
||||||
AMANDA_HELPER => undef,
|
AMANDA_HELPER => undef,
|
||||||
FTP_HELPER => undef,
|
FTP_HELPER => undef,
|
||||||
@ -3819,6 +3821,11 @@ sub Recent_Match() {
|
|||||||
qt1( "$iptables $iptablesw -A $sillyname -m recent --update -j ACCEPT" );
|
qt1( "$iptables $iptablesw -A $sillyname -m recent --update -j ACCEPT" );
|
||||||
}
|
}
|
||||||
|
|
||||||
|
sub Reap_Option() {
|
||||||
|
( have_capability( 'RECENT_MATCH' ) &&
|
||||||
|
qt1( "$iptables $iptablesw -A $sillyname -m recent --rcheck --seconds 10 --reap" ) );
|
||||||
|
}
|
||||||
|
|
||||||
sub Owner_Match() {
|
sub Owner_Match() {
|
||||||
qt1( "$iptables $iptablesw -A $sillyname -m owner --uid-owner 0 -j ACCEPT" );
|
qt1( "$iptables $iptablesw -A $sillyname -m owner --uid-owner 0 -j ACCEPT" );
|
||||||
}
|
}
|
||||||
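Review bot: Reap_Option is the only detection sub in this hunk whose probe is guarded by a prior have_capability call, and nothing says why; a reader may assume the guard is an optimisation rather than a dependency. Suggest a comment above the return expression: `# --reap is an option of the recent match, so the probe is only meaningful (and only attempted) when RECENT_MATCH itself is available`. Note that unlike the probe in Recent_Match directly above, this rule carries no `-j ACCEPT`; that appears harmless for a capability probe but is worth a word in the same comment so it is not "fixed" later.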
@ -4286,6 +4293,7 @@ our %detect_capability =
|
|||||||
RAW_TABLE => \&Raw_Table,
|
RAW_TABLE => \&Raw_Table,
|
||||||
RAWPOST_TABLE => \&Rawpost_Table,
|
RAWPOST_TABLE => \&Rawpost_Table,
|
||||||
REALM_MATCH => \&Realm_Match,
|
REALM_MATCH => \&Realm_Match,
|
||||||
|
REAP_OPTION => \&Reap_Option,
|
||||||
RECENT_MATCH => \&Recent_Match,
|
RECENT_MATCH => \&Recent_Match,
|
||||||
RPFILTER_MATCH => \&RPFilter_Match,
|
RPFILTER_MATCH => \&RPFilter_Match,
|
||||||
SANE_HELPER => \&SANE_Helper,
|
SANE_HELPER => \&SANE_Helper,
|
||||||
@ -4385,6 +4393,7 @@ sub determine_capabilities() {
|
|||||||
|
|
||||||
$capabilities{IPRANGE_MATCH} = detect_capability( 'IPRANGE_MATCH' );
|
$capabilities{IPRANGE_MATCH} = detect_capability( 'IPRANGE_MATCH' );
|
||||||
$capabilities{RECENT_MATCH} = detect_capability( 'RECENT_MATCH' );
|
$capabilities{RECENT_MATCH} = detect_capability( 'RECENT_MATCH' );
|
||||||
|
$capabilities{REAP_OPTION} = detect_capability( 'REAP_OPTION' );
|
||||||
$capabilities{OWNER_MATCH} = detect_capability( 'OWNER_MATCH' );
|
$capabilities{OWNER_MATCH} = detect_capability( 'OWNER_MATCH' );
|
||||||
$capabilities{OWNER_NAME_MATCH}
|
$capabilities{OWNER_NAME_MATCH}
|
||||||
= detect_capability( 'OWNER_NAME_MATCH' );
|
= detect_capability( 'OWNER_NAME_MATCH' );
|
||||||
|
@ -22,6 +22,9 @@
|
|||||||
DEFAULTS -,60,5,2,300,DROP,info
|
DEFAULTS -,60,5,2,300,DROP,info
|
||||||
|
|
||||||
?begin perl
|
?begin perl
|
||||||
|
|
||||||
|
use Shorewall::Config;
|
||||||
|
|
||||||
my ( $event, $interval, $count, $successive, $bltime, $disposition, $level ) = get_action_params(7);
|
my ( $event, $interval, $count, $successive, $bltime, $disposition, $level ) = get_action_params(7);
|
||||||
|
|
||||||
fatal_error "The event name parameter to AutoBL is required" unless supplied $event;
|
fatal_error "The event name parameter to AutoBL is required" unless supplied $event;
|
||||||
@ -37,11 +40,16 @@ validate_level( $level );
|
|||||||
#
|
#
|
||||||
# Silently reject the client if blacklisted
|
# Silently reject the client if blacklisted
|
||||||
#
|
#
|
||||||
IfEvent(${1}_BL,$6,$5,1,src,check:reap)
|
?if $REAP_OPTION
|
||||||
|
?set check_param 'check:reap'
|
||||||
|
?else
|
||||||
|
?set check_param 'check'
|
||||||
|
?endif
|
||||||
|
IfEvent(${1}_BL,$6,$5,1,src,$check_param)
|
||||||
#
|
#
|
||||||
# Blacklist if M attempts in the last N seconds
|
# Blacklist if M attempts in the last N seconds
|
||||||
#
|
#
|
||||||
IfEvent($1,AutoBLL($1,$6,$7),$2,$3,src,check:reap)
|
IfEvent($1,AutoBLL($1,$6,$7),$2,$3,src,$check_param)
|
||||||
#
|
#
|
||||||
# Log and reject if the client has tried to connect
|
# Log and reject if the client has tried to connect
|
||||||
# in the last N seconds
|
# in the last N seconds
|
||||||
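Review bot: The `?else` branch (`?set check_param 'check'`) quietly changes the blacklist's behaviour on hosts whose iptables lacks --reap, and nothing in the action documents that: the `--seconds` bound still keeps expired entries from matching, but expired entries are no longer pruned from the recent table, and (inferred from the recent match's fixed-size table, not visible here) once that table is full the kernel discards the oldest entries first, so a burst of new offenders could displace a still-valid blacklist entry. Suggest a comment above the `?if $REAP_OPTION` line: `# With --reap the expired entries are pruned from the recent table; without it they linger until the kernel evicts them (oldest first, once the table is full), so under heavy load a live blacklist entry can be pushed out early`. The surrounding action body continues outside the hunk.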
|
@ -97,7 +97,8 @@ set_action_name_to_caller;
|
|||||||
require_capability 'RECENT_MATCH', 'Use of events', 's';
|
require_capability 'RECENT_MATCH', 'Use of events', 's';
|
||||||
|
|
||||||
if ( $command & $REAP_OPT ) {
|
if ( $command & $REAP_OPT ) {
|
||||||
fatal_error "${command}reap requires a time limit" if ! $duration;
|
require_capability( 'REAP_OPTION', q(The 'reap' option), 's' );
|
||||||
|
fatal_error "${command}reap requires a time limit" unless $duration;
|
||||||
$duration .= '--reap ';
|
$duration .= '--reap ';
|
||||||
}
|
}
|
||||||
|
|
||||||
|