Implement REAP_OPTION capability

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2024-11-25 09:03:30 +01:00 · 2013-10-07 07:54:52 -07:00 · 2013-10-07 07:54:52 -07:00 · 8c4bbf0c85
commit 8c4bbf0c85
parent 8a278a3dd6
4 changed files with 29 additions and 4 deletions
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
@ -2260,6 +2260,7 @@ determine_capabilities() {
    PHYSDEV_BRIDGE=
    IPRANGE_MATCH=
    RECENT_MATCH=
+    REAP_OPTION=
    OWNER_MATCH=
    OWNER_NAME_MATCH=
    IPSET_MATCH=
@ -2429,7 +2430,11 @@ determine_capabilities() {
 	fi
    fi

-    qt $g_tool -A $chain -m recent --update -j ACCEPT     && RECENT_MATCH=Yes
+    if qt $g_tool -A $chain -m recent --update -j ACCEPT; then
+	RECENT_MATCH=Yes
+	qt $g_tool -A $chain -m recent --rcheck --seconds 10 --reap && REAP_OPTION=Yes
+    fi
+
    qt $g_tool -A $chain -m owner --uid-owner 0 -j ACCEPT && OWNER_MATCH=Yes

    local name
@ -2676,6 +2681,7 @@ report_capabilities_unsorted() {
    report_capability "Packet length Match (LENGTH_MATCH)" $LENGTH_MATCH
    report_capability "IP range Match(IPRANGE_MATCH)" $IPRANGE_MATCH
    report_capability "Recent Match (RECENT_MATCH)" $RECENT_MATCH
+    [ -n "$RECENT_MATCH" ] && report_capability 'Recent Match "--reap" option'
    report_capability "Owner Match (OWNER_MATCH)" $OWNER_MATCH
    report_capability "Owner Name Match (OWNER_NAME_MATCH)" $OWNER_NAME_MATCH
    if [ -n "$IPSET_MATCH" ]; then
@ -2797,6 +2803,7 @@ report_capabilities_unsorted1() {
    report_capability1 LENGTH_MATCH
    report_capability1 IPRANGE_MATCH
    report_capability1 RECENT_MATCH
+    report_capability1 REAP_OPTION
    report_capability1 OWNER_MATCH
    report_capability1 OWNER_NAME_MATCH
    report_capability1 IPSET_MATCH
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@ -316,6 +316,7 @@ our %capdesc = ( NAT_ENABLED     => 'NAT',
 		 LENGTH_MATCH    => 'Packet length Match',
 		 IPRANGE_MATCH   => 'IP Range Match',
 		 RECENT_MATCH    => 'Recent Match',
+                 REAP_OPTION     => 'Recent Match "--reap" option',
 		 OWNER_MATCH     => 'Owner Match',
 		 OWNER_NAME_MATCH
 		                 => 'Owner Name Match',
@ -947,6 +948,7 @@ sub initialize( $;$$) {
 	       MASQUERADE_TGT => undef,
 	       UDPLITEREDIRECT => undef,
 	       NEW_TOS_MATCH => undef,
+	       REAP_OPTION => undef,

 	       AMANDA_HELPER => undef,
 	       FTP_HELPER => undef,
@ -3819,6 +3821,11 @@ sub Recent_Match() {
    qt1( "$iptables $iptablesw -A $sillyname -m recent --update -j ACCEPT" );
 }

+sub Reap_Option() {
+    ( have_capability( 'RECENT_MATCH' ) &&
+      qt1( "$iptables $iptablesw -A $sillyname -m recent --rcheck --seconds 10 --reap" ) );
+}
+
 sub Owner_Match() {
    qt1( "$iptables $iptablesw -A $sillyname -m owner --uid-owner 0 -j ACCEPT" );
 }
@ -4286,6 +4293,7 @@ our %detect_capability =
      RAW_TABLE => \&Raw_Table,
      RAWPOST_TABLE => \&Rawpost_Table,
      REALM_MATCH => \&Realm_Match,
+      REAP_OPTION => \&Reap_Option,
      RECENT_MATCH => \&Recent_Match,
      RPFILTER_MATCH => \&RPFilter_Match,
      SANE_HELPER => \&SANE_Helper,
@ -4385,6 +4393,7 @@ sub determine_capabilities() {

 	$capabilities{IPRANGE_MATCH}   = detect_capability( 'IPRANGE_MATCH' );
 	$capabilities{RECENT_MATCH}    = detect_capability( 'RECENT_MATCH' );
+	$capabilities{REAP_OPTION}     = detect_capability( 'REAP_OPTION' );
 	$capabilities{OWNER_MATCH}     = detect_capability( 'OWNER_MATCH' );
 	$capabilities{OWNER_NAME_MATCH}
                                       = detect_capability( 'OWNER_NAME_MATCH' );
--- a/Shorewall/action.AutoBL
+++ b/Shorewall/action.AutoBL
@ -22,6 +22,9 @@
 DEFAULTS -,60,5,2,300,DROP,info

 ?begin perl
+
+use Shorewall::Config;
+
 my ( $event, $interval, $count, $successive, $bltime, $disposition, $level ) = get_action_params(7);

 fatal_error "The event name parameter to AutoBL is required"            unless supplied $event;
@ -37,11 +40,16 @@ validate_level( $level );
 #
 # Silently reject the client if blacklisted
 #
-IfEvent(${1}_BL,$6,$5,1,src,check:reap)
+?if $REAP_OPTION
+?set check_param 'check:reap'
+?else
+?set check_param 'check'
+?endif
+IfEvent(${1}_BL,$6,$5,1,src,$check_param)
 #
 # Blacklist if M attempts in the last N seconds
 #
-IfEvent($1,AutoBLL($1,$6,$7),$2,$3,src,check:reap)
+IfEvent($1,AutoBLL($1,$6,$7),$2,$3,src,$check_param)
 #
 # Log and reject if the client has tried to connect
 # in the last N seconds
--- a/Shorewall/action.IfEvent
+++ b/Shorewall/action.IfEvent
@ -97,7 +97,8 @@ set_action_name_to_caller;
 require_capability 'RECENT_MATCH', 'Use of events', 's';

 if ( $command & $REAP_OPT ) {
-    fatal_error "${command}reap requires a time limit" if ! $duration;
+    require_capability( 'REAP_OPTION', q(The 'reap' option), 's' );
+    fatal_error "${command}reap requires a time limit" unless $duration;
    $duration .= '--reap ';
 }