Fix some blacklisting bugs:

- src-dst didn't work
- typo in shorewall.conf(5)

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2024-03-02 13:53:31 -08:00
parent 4ca77b109c
commit 91d5dbb7ba
3 changed files with 25 additions and 6 deletions


@ -1010,7 +1010,7 @@ sub add_common_rules ( $ ) {
}
for ( option_chains( $interface ) ) {
add_ijump_extended( $filter_table->{$_}, j => $dynamicref, $origin{DYNAMIC_BLACKLIST}, @state ) if $dynamicref && ( get_interface_option( $interface, 'dbl' ) ne '0:0' );
add_ijump_extended( $filter_table->{$_}, j => $dynamicref, $origin{DYNAMIC_BLACKLIST}, @state ) if $dynamicref && ( get_interface_option( $interface, 'dbl' ) & DBL_CLASSIC );
add_ijump_extended( $filter_table->{$_}, j => 'ACCEPT', $origin{FASTACCEPT}, state_imatch $faststate )->{comment} = '' if $config{FASTACCEPT};
}
}
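Review bot: The new gate `get_interface_option( $interface, 'dbl' ) & DBL_CLASSIC` on the add_ijump_extended line treats the interface's `dbl` value as a bit mask, but nothing at this site says so, and the meaning of the bit is only visible in the module that defines DBL_CLASSIC; a one-line comment such as `# 'dbl' is a DBL_* bit mask; the jump into the dynamic chain is wanted only when DBL_CLASSIC is set` would save the next reader the lookup. If get_interface_option can return undef for an interface that never received the option, `undef & DBL_CLASSIC` evaluates to 0 under an uninitialized-value warning, whereas the replaced `ne '0:0'` comparison was a plain string test — worth confirming the option is always populated before this runs. add_common_rules starts and ends outside the hunk.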


@ -53,6 +53,7 @@ our @EXPORT = ( qw( NOTHING
DBL_SRC
DBL_DST
DBL_SRC_DST
DBL_CLASSIC
determine_zones
zone_report
@ -224,7 +225,9 @@ use constant { NOTHING => 'NOTHING',
use constant { DBL_NONE => 0,
DBL_SRC => 1,
DBL_DST => 2,
DBL_SRC_DST => 3 };
DBL_SRC_DST => 3,
DBL_CLASSIC => 4,
};
sub NETWORK() {
$family == F_IPV4 ? '\d+.\d+.\d+.\d+(\/\d+)?' : '(?:[0-9a-fA-F]{0,4}:){2,7}[0-9a-fA-F]{0,4}(?:\/d+)?';
@ -1333,7 +1336,18 @@ sub process_interface( $$ ) {
my %options;
$options{port} = 1 if $port;
$options{dbl} = $config{DYNAMIC_BLACKLIST} =~ /^ipset(-only)?.*,src-dst/ ? DBL_SRC_DST : $config{DYNAMIC_BLACKLIST} ? DBL_SRC : DBL_NONE;
my $setting = DBL_NONE;
if ( my $dbl = $config{DYNAMIC_BLACKLIST} ) {
unless ( $dbl =~ /^No/i ) {
$setting |= DBL_SRC;
$setting |= DBL_CLASSIC unless ( $dbl =~ /^ipset-only/ );
$setting |= DBL_DST if ( $dbl =~ /,(src-)?dst[,:]/ );
}
}
$options{dbl} = $setting;
my $hostoptionsref = {};
@ -1399,10 +1413,15 @@ sub process_interface( $$ ) {
$options{arp_ignore} = 1;
}
} elsif ( $option eq 'dbl' ) {
my %values = ( none => 0, src => DBL_SRC, dst => DBL_DST, 'src-dst' => DBL_SRC_DST );
my %values = ( src => DBL_SRC, dst => DBL_DST, 'src-dst' => DBL_SRC_DST );
fatal_error q(The 'dbl' option requires a value) unless defined $value;
fatal_error qq(Invalid setting ($value) for 'dbl') unless defined ( $options{dbl} = $values{$value} );
if ( $value eq 'none' ) {
$options{dbl} = DBL_NONE;
} else {
fatal_error qq(Invalid setting ($value) for 'dbl') unless defined ( $setting = $values{$value} );
$options{dbl} |= $setting;
}
} else {
assert( 0 );
}
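Review bot: In the process_interface hunk, `$setting |= DBL_DST if ( $dbl =~ /,(src-)?dst[,:]/ );` requires a `,` or `:` after the option, so a DYNAMIC_BLACKLIST value whose option list ends with `src-dst` or `dst` and carries no `:setname` suffix (for example `ipset,src-dst`, a constructed value) never sets DBL_DST — close to the case the commit sets out to fix, if such a trailing option list is valid per shorewall.conf(5). The replaced pattern `/^ipset(-only)?.*,src-dst/` had no such requirement, so this looks like a regression rather than an intended tightening; `$setting |= DBL_DST if $dbl =~ /,(?:src-)?dst(?:[,:]|\z)/;` accepts both forms. In the last hunk, `$options{dbl} |= $setting;` means an interface-level `src`, `dst` or `src-dst` can only add bits to the value derived from the global setting and can no longer narrow a global `src-dst` to `src`; if that is intended, the comment `# interface 'dbl' values add to, never narrow, the DYNAMIC_BLACKLIST setting` would make it explicit. process_interface starts and ends outside the hunks shown.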


@ -888,7 +888,7 @@
name is SW_DBL4 and the default IPv6 set name is SW_DBL6. The
default log level is <option>none</option> (no logging). If
<option>ipset-only</option> is given, then chain-based dynamic
blacklisting is disabled just as if DYNAMIC_BLACKLISTING=No had been
blacklisting is disabled just as if DYNAMIC_BLACKLIST=No had been
specified.</para>
<para>Possible <replaceable>option</replaceable>s are:</para>