From 91d5dbb7ba5c597f9fbb3b9b6364c6c369cba212 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Sat, 2 Mar 2024 13:53:31 -0800
Subject: [PATCH] Fix some blacklisting bugs:

- src-dst didn't work
- typo in shorewall.conf(5)

Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Misc.pm | 2 +-
 Shorewall/Perl/Shorewall/Zones.pm | 27 +++++++++++++++++++++++----
 Shorewall/manpages/shorewall.conf.xml | 2 +-
 3 files changed, 25 insertions(+), 6 deletions(-)

diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm
index 61216b0c3..c8c8ecbe0 100644
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -1010,7 +1010,7 @@ sub add_common_rules ( $ ) {
 }
 
 for ( option_chains( $interface ) ) {
- add_ijump_extended( $filter_table->{$_}, j => $dynamicref, $origin{DYNAMIC_BLACKLIST}, @state ) if $dynamicref && ( get_interface_option( $interface, 'dbl' ) ne '0:0' );
+ add_ijump_extended( $filter_table->{$_}, j => $dynamicref, $origin{DYNAMIC_BLACKLIST}, @state ) if $dynamicref && ( get_interface_option( $interface, 'dbl' ) & DBL_CLASSIC );
 add_ijump_extended( $filter_table->{$_}, j => 'ACCEPT', $origin{FASTACCEPT}, state_imatch $faststate )->{comment} = '' if $config{FASTACCEPT};
 }
 }
diff --git a/Shorewall/Perl/Shorewall/Zones.pm b/Shorewall/Perl/Shorewall/Zones.pm
index 1856a6b8d..5bc06acd9 100644
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -53,6 +53,7 @@ our @EXPORT = ( qw( NOTHING
 DBL_SRC
 DBL_DST
 DBL_SRC_DST
+ DBL_CLASSIC
 
 determine_zones
 zone_report
@@ -224,7 +225,9 @@ use constant { NOTHING => 'NOTHING',
 use constant { DBL_NONE => 0,
 DBL_SRC => 1,
 DBL_DST => 2,
- DBL_SRC_DST => 3 };
+ DBL_SRC_DST => 3,
+ DBL_CLASSIC => 4,
+ };
 
 sub NETWORK() {
 $family == F_IPV4 ? '\d+.\d+.\d+.\d+(\/\d+)?' : '(?:[0-9a-fA-F]{0,4}:){2,7}[0-9a-fA-F]{0,4}(?:\/d+)?';
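Review bot: The new `& DBL_CLASSIC` test in add_common_rules calls `get_interface_option( $interface, 'dbl' )` once per option chain although the result does not depend on the loop variable; hoisting it above the `for` keeps the line within width and records the assumption the test now relies on: `my $dbl_bits = get_interface_option( $interface, 'dbl' ); # DBL_* bitmask, set in process_interface` and then `... if $dynamicref && ( $dbl_bits & DBL_CLASSIC );`. The removed `ne '0:0'` comparison suggests this option was once a string, so any other reader of the 'dbl' option that still compares strings would now see an integer bitmask; that cannot be checked from this hunk. add_common_rules starts and ends outside the hunk.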
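Review bot: The `use constant` block in Zones.pm now holds bit flags but nothing says so: DBL_SRC_DST (3) equals DBL_SRC | DBL_DST and DBL_CLASSIC (4) is a separate bit that process_interface ORs in and add_common_rules tests with `&`. A comment on the block would stop a future `DBL_FOO => 5` from silently aliasing DBL_SRC | DBL_CLASSIC: `# Bit flags: DBL_SRC_DST == DBL_SRC | DBL_DST; DBL_CLASSIC marks chain-based (non ipset-only) blacklisting. Keep new values powers of two.` Unrelated to this commit, the IPv6 branch of NETWORK in the context lines ends in `(?:\/d+)?`, which matches a literal 'd' rather than a prefix length; `(?:\/\d+)?` looks intended.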
@@ -1333,7 +1336,18 @@ sub process_interface( $$ ) {
 my %options;
 
 $options{port} = 1 if $port;
- $options{dbl} = $config{DYNAMIC_BLACKLIST} =~ /^ipset(-only)?.*,src-dst/ ? DBL_SRC_DST : $config{DYNAMIC_BLACKLIST} ? DBL_SRC : DBL_NONE;
+
+ my $setting = DBL_NONE;
+
+ if ( my $dbl = $config{DYNAMIC_BLACKLIST} ) {
+ unless ( $dbl =~ /^No/i ) {
+ $setting |= DBL_SRC;
+ $setting |= DBL_CLASSIC unless ( $dbl =~ /^ipset-only/ );
+ $setting |= DBL_DST if ( $dbl =~ /,(src-)?dst[,:]/ );
+ }
+ }
+
+ $options{dbl} = $setting;
 
 my $hostoptionsref = {};
 
@@ -1399,10 +1413,15 @@ sub process_interface( $$ ) {
 $options{arp_ignore} = 1;
 }
 } elsif ( $option eq 'dbl' ) {
- my %values = ( none => 0, src => DBL_SRC, dst => DBL_DST, 'src-dst' => DBL_SRC_DST );
+ my %values = ( src => DBL_SRC, dst => DBL_DST, 'src-dst' => DBL_SRC_DST );
 
 fatal_error q(The 'dbl' option requires a value) unless defined $value;
- fatal_error qq(Invalid setting ($value) for 'dbl') unless defined ( $options{dbl} = $values{$value} );
+ if ( $value eq 'none' ) {
+ $options{dbl} = DBL_NONE;
+ } else {
+ fatal_error qq(Invalid setting ($value) for 'dbl') unless defined ( $setting = $values{$value} );
+ $options{dbl} |= $setting;
+ }
 } else {
 assert( 0 );
 }
diff --git a/Shorewall/manpages/shorewall.conf.xml b/Shorewall/manpages/shorewall.conf.xml
index 5153ed6c7..7a3a2cae7 100644
--- a/Shorewall/manpages/shorewall.conf.xml
+++ b/Shorewall/manpages/shorewall.conf.xml
@@ -888,7 +888,7 @@
 name is SW_DBL4 and the default IPv6 set name is SW_DBL6. The default log level is (no logging). If is given, then chain-based dynamic
- blacklisting is disabled just as if DYNAMIC_BLACKLISTING=No had been
+ blacklisting is disabled just as if DYNAMIC_BLACKLIST=No had been
 specified. Possible options are:
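Review bot: The new DBL_DST test `$dbl =~ /,(src-)?dst[,:]/` requires a ',' or ':' after 'dst', so a value such as `ipset,src-dst` with nothing following it never matches and DBL_DST stays clear, although the regex it replaces (`/^ipset(-only)?.*,src-dst/`) accepted that form and the commit message says src-dst is what is being fixed. Unless the config reader always appends a ':' section, `$setting |= DBL_DST if $dbl =~ /,(?:src-)?dst(?=[,:]|\z)/;` covers the end-of-string case and drops the unused capture group. `/^No/i` is case-insensitive while `/^ipset-only/` is not; if DYNAMIC_BLACKLIST is not lowercased elsewhere, a value spelled `ipset-Only` would silently receive DBL_CLASSIC. process_interface continues outside the hunk, and the `$setting` declared here is reused by the 'dbl' option branch in the next hunk.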
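Review bot: `$options{dbl} |= $setting;` in the 'dbl' option branch can only widen the direction bits inherited from DYNAMIC_BLACKLIST, so `dbl=src` on an interface under `DYNAMIC_BLACKLIST=ipset,src-dst` still ends up as DBL_SRC_DST, whereas the removed assignment let the interface override the direction. If the intent is to keep the chain-type bit while letting the interface pick the direction, `$options{dbl} = ( $options{dbl} & DBL_CLASSIC ) | $setting;` does that; if widen-only is intended, a one-line comment saying so would stop the next reader from "fixing" it. `$setting` here is the variable declared at the top of process_interface in the earlier hunk rather than a fresh `my`, which is easy to miss in a branch this far from the declaration. process_interface continues outside the hunk.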