extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-04-15 14:58:25 +02:00
Code Issues Packages Projects Releases Wiki Activity

Major cleanup of DYNAMIC_BLACKLIST code

Browse Source 
1) Avoid having to parse the setting in the Zones, Misc and rules modules
2) Apply ipset match rule after dealing with exclusions rather than before
3) Correct handling of src-dst

Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2024-03-05 14:45:41 -08:00
parent dfd40ee208
commit a9c2ee3a76
5 changed files with 121 additions and 83 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
Shorewall/Perl/Shorewall/Chains.pm
View File

@ -8919,10 +8919,10 @@ sub ensure_ipsets( @ ) {
my $set; my $set;
my $counters = have_capability( 'IPSET_MATCH_COUNTERS' ) ? ' counters' : ''; my $counters = have_capability( 'IPSET_MATCH_COUNTERS' ) ? ' counters' : '';
if ( $_[0] eq $globals{DBL_IPSET} ) { if ( $_[0] eq $globals{DBL_IPSET_NAME} ) {
shift; shift;
emit( qq( if ! qt \$IPSET list $globals{DBL_IPSET}; then)); emit( qq( if ! qt \$IPSET list $globals{DBL_IPSET_NAME}; then));
push_indent; push_indent;
@ -8930,12 +8930,12 @@ sub ensure_ipsets( @ ) {
emit( q( #), emit( q( #),
q( # Set the timeout for the dynamic blacklisting ipset), q( # Set the timeout for the dynamic blacklisting ipset),
q( #), q( #),
qq( \$IPSET -exist create $globals{DBL_IPSET} hash:net family inet timeout 0${counters}) ); qq( \$IPSET -exist create $globals{DBL_IPSET_NAME} hash:net family inet timeout 0${counters}) );
} else { } else {
emit( q( #), emit( q( #),
q( # Set the timeout for the dynamic blacklisting ipset), q( # Set the timeout for the dynamic blacklisting ipset),
q( #), q( #),
qq( \$IPSET -exist create $globals{DBL_IPSET} hash:net family inet6 timeout 0${counters}) ); qq( \$IPSET -exist create $globals{DBL_IPSET_NAME} hash:net family inet6 timeout 0${counters}) );
} }
pop_indent; pop_indent;
@ -9158,7 +9158,7 @@ sub create_load_ipsets() {
if ( $config{SAVE_IPSETS} || @{$globals{SAVED_IPSETS}} ) { if ( $config{SAVE_IPSETS} || @{$globals{SAVED_IPSETS}} ) {
emit( ' if [ -f ${VARDIR}/ipsets.save ]; then' ); emit( ' if [ -f ${VARDIR}/ipsets.save ]; then' );
if ( my $set = $globals{DBL_IPSET} ) { if ( my $set = $globals{DBL_IPSET_NAME} ) {
emit( ' #', emit( ' #',
' # Update the dynamic blacklisting ipset timeout value', ' # Update the dynamic blacklisting ipset timeout value',
' #', ' #',

69
Shorewall/Perl/Shorewall/Config.pm
View File

@ -313,6 +313,16 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
OPTIMIZE_POLICY_MASK OPTIMIZE_POLICY_MASK
OPTIMIZE_RULESET_MASK OPTIMIZE_RULESET_MASK
OPTIMIZE_ALL OPTIMIZE_ALL
DBL_NONE
DBL_SRC
DBL_DST
DBL_SRC_DST
DBL_IPSET
DBL_CLASSIC
DBL_DISCONNECT
DBL_LOG
DBL_NOUPDATE
) , ] , ) , ] ,
protocols => [ qw ( protocols => [ qw (
TCP TCP
@ -822,6 +832,19 @@ our %filecache;
our $compiletime; our $compiletime;
our $test; our $test;
#
# Dynamic blacklisting values
#
use constant { DBL_NONE => 0,
DBL_SRC => 1,
DBL_DST => 2,
DBL_SRC_DST => 3,
DBL_CLASSIC => 4,
DBL_IPSET => 8,
DBL_DISCONNECT => 16,
DBL_LOG => 32,
DBL_NOUPDATE => 64
};
sub process_shorewallrc($$); sub process_shorewallrc($$);
sub add_variables( \% ); sub add_variables( \% );
@ -894,8 +917,11 @@ sub initialize($;$$$$) {
RPFILTER_LOG_TAG => '', RPFILTER_LOG_TAG => '',
INVALID_LOG_TAG => '', INVALID_LOG_TAG => '',
UNTRACKED_LOG_TAG => '', UNTRACKED_LOG_TAG => '',
DBL_IPSET => '', DBL => DBL_NONE,
DBL_IPSET_NAME => '',
DBL_TIMEOUT => 0, DBL_TIMEOUT => 0,
DBL_TAG => '',
DBL_LEVEL => '',
POSTROUTING => 'POSTROUTING', POSTROUTING => 'POSTROUTING',
); );
# #
@ -5322,7 +5348,7 @@ sub determine_capabilities() {
fatal_error 'Your kernel/iptables do not include state match support. No version of Shorewall will run on this system' fatal_error 'Your kernel/iptables do not include state match support. No version of Shorewall will run on this system'
unless unless
qt1( "$iptables $iptablesw -A $sillyname -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT") || qt1( "$iptables $iptablesw -A $sillyname -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT") ||
qt1( "$iptables $iptablesw -A $sillyname -m state --state ESTABLISHED,RELATED -j ACCEPT");; qt1( "$iptables $iptablesw -A $sillyname -m state --state ESTABLISHED,RELATED -j ACCEPT");
$globals{KLUDGEFREE} = $capabilities{KLUDGEFREE} = detect_capability 'KLUDGEFREE'; $globals{KLUDGEFREE} = $capabilities{KLUDGEFREE} = detect_capability 'KLUDGEFREE';
} }
@ -5742,7 +5768,7 @@ sub process_shorewall_conf( $$ ) {
# Now update the config file if asked # Now update the config file if asked
# #
if ( $update ) { if ( $update ) {
update_config_file( $annotate ); update_config_file( $annotate );
# #
# Config file update requires that the option values not have # Config file update requires that the option values not have
# Shell variables expanded. We do that now. # Shell variables expanded. We do that now.
@ -6712,26 +6738,38 @@ sub get_configuration( $$$ ) {
if ( supplied( $val = $config{DYNAMIC_BLACKLIST} ) ) { if ( supplied( $val = $config{DYNAMIC_BLACKLIST} ) ) {
if ( $val =~ /^ipset/ ) { if ( $val =~ /^ipset/ ) {
my %simple_options = ( 'src-dst' => 1, 'disconnect' => 1, 'log' => 1, 'noupdate' => 1, ); my $setting = DBL_IPSET;
$setting |= DBL_SRC;
$setting |= DBL_CLASSIC unless ( $val =~ /^ipset-only/ );
$setting |= DBL_DST if ( $val =~ /,(src-)?dst[,:]/ );
my %simple_options = ( 'src-dst' => DBL_SRC_DST,
'disconnect' => DBL_DISCONNECT,
'log' => DBL_LOG,
'noupdate' => DBL_NOUPDATE,
);
my ( $key, $set, $level, $tag, $rest ) = split( ':', $val , 5 ); my ( $key, $set, $level, $tag, $rest ) = split( ':', $val , 5 );
( $key , my @options ) = split_list( $key, 'option' ); ( $key , my @options ) = split_list( $key, 'option' );
my $options = '';
for ( @options ) { for ( @options ) {
if ( $simple_options{$_} ) { my $tmp;
$options = join( ',' , $options, $_ );
} elsif ( $_ =~ s/^timeout=(\d+)$// ) { if ( $_ =~ s/^timeout=(\d+)$// ) {
$globals{DBL_TIMEOUT} = $1; $globals{DBL_TIMEOUT} = $1;
} elsif ( $tmp = $simple_options {$_} ) {
$setting |= $tmp;
} else { } else {
fatal_error "Invalid ipset option ($_)"; if ( $_ =~ /^timeout=(.+)/ ) {
fatal_error( "Invalid Timeout ($1)" )
} else {
fatal_error "Invalid ipset option ($_)";
}
} }
} }
$globals{DBL_OPTIONS} = $options;
fatal_error "Invalid DYNAMIC_BLACKLIST setting ( $val )" if $key !~ /^ipset(?:-only)?$/ || defined $rest; fatal_error "Invalid DYNAMIC_BLACKLIST setting ( $val )" if $key !~ /^ipset(?:-only)?$/ || defined $rest;
if ( supplied( $set ) ) { if ( supplied( $set ) ) {
@ -6740,7 +6778,7 @@ sub get_configuration( $$$ ) {
$set = 'SW_DBL' . $family; $set = 'SW_DBL' . $family;
} }
add_ipset( $globals{DBL_IPSET} = $set ); add_ipset( $globals{DBL_IPSET_NAME} = $set );
$level = validate_level( $level ); $level = validate_level( $level );
@ -6753,11 +6791,16 @@ sub get_configuration( $$$ ) {
$variables{SW_DBL_IPSET} = $set; $variables{SW_DBL_IPSET} = $set;
$variables{SW_DBL_TIMEOUT} = $globals{DBL_TIMEOUT}; $variables{SW_DBL_TIMEOUT} = $globals{DBL_TIMEOUT};
$globals{DBL} = $setting;
$globals{DBL_LEVEL} = $level;
$globals{DBL_TAG} = $tag;
} else { } else {
default_yes_no( 'DYNAMIC_BLACKLIST', 'Yes' ); default_yes_no( 'DYNAMIC_BLACKLIST', 'Yes' );
$globals{DBL} = $config{DYNAMIC_BLACKLIST} ? DBL_CLASSIC : DBL_NONE;
} }
} else { } else {
default_yes_no( 'DYNAMIC_BLACKLIST', 'Yes' ); default_yes_no( 'DYNAMIC_BLACKLIST', 'Yes' );
$globals{DBL} = $config{DYNAMIC_BLACKLIST} ? DBL_CLASSIC : DBL_NONE;
} }
add_variables( %variables ); add_variables( %variables );

88
Shorewall/Perl/Shorewall/Misc.pm
View File

@ -710,10 +710,10 @@ sub create_docker_rules() {
sub setup_mss(); sub setup_mss();
sub add_ipset_dbl_jump( $$$@) { sub add_ipset_dbl_ijump( $$$@) {
my ( $chainref, $target, $ipset_dir ) = ( shift, shift, shift ); my ( $chainref, $target, $ipset_dir ) = ( shift, shift, shift );
add_ijump_extended( $chainref, j => $target, $origin{DYNAMIC_BLACKLIST}, @_, "--match-set $ipset_dir" ); add_ijump_extended( $chainref, j => $target, $origin{DYNAMIC_BLACKLIST}, @_, "set --match-set" => $ipset_dir );
} }
# #
@ -739,9 +739,9 @@ sub add_common_rules ( $ ) {
my $dbl_ipset; my $dbl_ipset;
my $dbl_level; my $dbl_level;
my $dbl_tag; my $dbl_tag;
my $dbl_timeout;
my $dbl_src_target; my $dbl_src_target;
my $dbl_dst_target; my $dbl_dst_target;
my $dbl_options;
if ( $config{REJECT_ACTION} ) { if ( $config{REJECT_ACTION} ) {
process_reject_action; process_reject_action;
@ -791,13 +791,8 @@ sub add_common_rules ( $ ) {
# #
create_docker_rules if $config{DOCKER}; create_docker_rules if $config{DOCKER};
if ( my $val = $config{DYNAMIC_BLACKLIST} ) { if ( my $dbl = $globals{DBL} ) {
# if ( $dbl & DBL_CLASSIC ) {
# $config{DYNAMIC_BLACKLIST} was normalized in Shorewall:Config:get_configuration - it is probably not what is specified in the shorewall[6].conf
#
( $dbl_type, $dbl_ipset, $dbl_level, $dbl_tag ) = split( ':', $val );
unless ( $dbl_type =~ /^ipset-only/ ) {
# #
# Classic chain-based backlisting # Classic chain-based backlisting
# #
@ -807,13 +802,14 @@ sub add_common_rules ( $ ) {
add_commands( $dynamicref, '[ -f ${VARDIR}/.dynamic ] && cat ${VARDIR}/.dynamic >&3' ); add_commands( $dynamicref, '[ -f ${VARDIR}/.dynamic ] && cat ${VARDIR}/.dynamic >&3' );
} }
if ( $dbl_ipset ) { if ( $dbl & DBL_IPSET ) {
# #
# ipset-based blacklisting - not mutually exclusive with the classic type # ipset-based blacklisting - not mutually exclusive with the classic type
# #
if ( $val = $globals{DBL_TIMEOUT} ) { ( $dbl_ipset, $dbl_level, $dbl_tag , $dbl_timeout) = ( $globals{DBL_IPSET_NAME}, $globals{DBL_LEVEL}, $globals{DBL_TAG}, $globals{DBL_TIMEOUT} );
$dbl_options = $globals{DBL_OPTIONS};
$dbl_src_target = $dbl_options =~ /src-dst/ ? 'dbl_src' : 'dbl_log'; if ( $dbl_timeout ) {
$dbl_src_target = ( ($dbl & DBL_SRC_DST) == DBL_SRC_DST ) ? 'dbl_src' : 'dbl_log';
my $chainref = new_standard_chain( $dbl_src_target ); my $chainref = new_standard_chain( $dbl_src_target );
@ -826,7 +822,7 @@ sub add_common_rules ( $ ) {
'add', 'add',
'', '',
$origin{DYNAMIC_BLACKLIST} ) if $dbl_level; $origin{DYNAMIC_BLACKLIST} ) if $dbl_level;
add_ijump_extended( $chainref, j => "SET --add-set $dbl_ipset src --exist --timeout $val", $origin{DYNAMIC_BLACKLIST} ) unless $dbl_options =~ /noupdate/; add_ijump_extended( $chainref, j => "SET --add-set $dbl_ipset src --exist --timeout $globals{DBL_TIMEOUT}", $origin{DYNAMIC_BLACKLIST} ) unless $dbl & DBL_NOUPDATE;;
add_ijump_extended( $chainref, j => 'DROP', $origin{DYNAMIC_BLACKLIST} ); add_ijump_extended( $chainref, j => 'DROP', $origin{DYNAMIC_BLACKLIST} );
if ( $dbl_src_target eq 'dbl_src' ) { if ( $dbl_src_target eq 'dbl_src' ) {
@ -841,7 +837,7 @@ sub add_common_rules ( $ ) {
'add', 'add',
'', '',
$origin{DYNAMIC_BLACKLIST} ) if $dbl_level; $origin{DYNAMIC_BLACKLIST} ) if $dbl_level;
add_ijump_extended( $chainref, j => "SET --add-set $dbl_ipset dst --exist --timeout $val", $origin{DYNAMIC_BLACKLIST} ); add_ijump_extended( $chainref, j => "SET --add-set $dbl_ipset dst --exist --timeout $globals{DBL_TIMEOUT}", $origin{DYNAMIC_BLACKLIST} );
add_ijump_extended( $chainref, j => 'DROP', $origin{DYNAMIC_BLACKLIST} ); add_ijump_extended( $chainref, j => 'DROP', $origin{DYNAMIC_BLACKLIST} );
} else { } else {
$dbl_dst_target = $dbl_src_target; $dbl_dst_target = $dbl_src_target;
@ -973,10 +969,22 @@ sub add_common_rules ( $ ) {
# #
# Dynamic Blacklisting # Dynamic Blacklisting
# #
my ( $src_target, $dst_target, $classic_target ) = ( $dbl_src_target, $dbl_dst_target , $dynamicref->{name} ); my ( $input_option_chainref,
$forward_option_chainref,
$output_option_chainref,
$classic_target_chain,
)
=
( $filter_table->{input_option_chain($interface)},
$filter_table->{forward_option_chain($interface)},
$filter_table->{output_option_chain($interface)},
$dynamicref,
);
if ( ( my $setting = get_interface_option( $interface, 'dbl' ) ) != DBL_NONE ) { if ( ( my $setting = get_interface_option( $interface, 'dbl' ) ) != DBL_NONE ) {
my @matches = @state;
my ( @src_exclude, @dst_exclude, @classic_exclude ); my ( @src_exclude, @dst_exclude, @classic_exclude );
my @nodbl = @{$interfaceref->{nodbl}}; my @nodbl = @{$interfaceref->{nodbl}};
@ -990,27 +998,32 @@ sub add_common_rules ( $ ) {
# We need to create an intermediate chain # We need to create an intermediate chain
# #
if ( $dbl_ipset ) { if ( $dbl_ipset ) {
$chainref = new_standard_chain( $src_target = nodbl_src_chain( $interface )); $chainref = new_standard_chain( nodbl_src_chain( $interface ));
for (@nodbl) { for (@nodbl) {
add_ijump( $chainref, j => 'RETURN', s => $_ ); add_ijump( $chainref, j => 'RETURN', s => $_ );
} }
add_ijump( $chainref, j => $dbl_src_target ); add_ijump( $input_option_chainref, j => $chainref->{name} );
add_ijump( $forward_option_chainref, j => $chainref->{name} );
$input_option_chainref = $forward_option_chainref = $chainref;
if ( $dbl_src_target ne $dbl_dst_target ) { if ( $dbl_src_target ne $dbl_dst_target ) {
$chainref = new_standard_chain( $dst_target = nodbl_dst_chain( $interface )); $chainref = new_standard_chain( nodbl_dst_chain( $interface ));
for ( @nodbl ){ for ( @nodbl ){
add_ijump( $chainref, j => 'RETURN', -d => $_ ); add_ijump( $chainref, j => 'RETURN', -d => $_ );
} }
add_ijump( $chainref, j => $dbl_dst_target ); add_ijump( $output_option_chainref, j => $chainref->{name} );
$output_option_chainref = $chainref,
} }
} }
if ( $setting & DBL_CLASSIC ) { if ( $setting & DBL_CLASSIC ) {
$chainref = new_standard_chain( $classic_target = nodbl_classic_chain( $interface )); $chainref = new_standard_chain( nodbl_classic_chain( $interface ));
for (@nodbl) { for (@nodbl) {
add_ijump( $chainref, j => 'RETURN', s => $_ ); add_ijump( $chainref, j => 'RETURN', s => $_ );
@ -1018,13 +1031,15 @@ sub add_common_rules ( $ ) {
} }
add_ijump( $chainref, j => $dynamicref->{name} ); add_ijump( $chainref, j => $dynamicref->{name} );
$classic_target_chain = $chainref;
} }
} else { } else {
# #
# Easy case # Easy case
# #
@src_exclude = ( s => "! $nodbl[0]" ); @matches = ( s => "! $nodbl[0]" , @matches );
@dst_exclude = ( d => "! $nodbl[0]" ); @matches = ( d => "! $nodbl[0]" , @matches );
} }
} }
@ -1033,27 +1048,34 @@ sub add_common_rules ( $ ) {
# #
# src or src-dst # src or src-dst
# #
add_ipset_dbl_ijump( $filter_table->{input_option_chain($interface)}, $src_target, "$dbl_ipset src", @state ); add_ipset_dbl_ijump( $input_option_chainref, $dbl_src_target, "$dbl_ipset src", @matches );
add_ipset_dbl_ijump( $filter_table->{forward_option_chain($interface)}, $src_target, "$dbl_ipset src", @state ); add_ipset_dbl_ijump( $forward_option_chainref, $dbl_src_target, "$dbl_ipset src", @matches );
} }
if ( $setting & DBL_DST ) { if ( $setting & DBL_DST ) {
# #
# src-dst # src-dst
# #
add_ipset_dbl_ijump( $filter_table->{forward_option_chain($interface)}, $dst_target, "$dbl_ipset dst", @state ); add_ipset_dbl_ijump( $forward_option_chainref, $dbl_dst_target, "$dbl_ipset dst", @matches );
add_ipset_dbl_ijump( $filter_table->{output_option_chain($interface)}, $dst_target, "$dbl_ipset dst", @state ); add_ipset_dbl_ijump( $output_option_chainref, $dbl_dst_target, "$dbl_ipset dst", @matches );
} }
} }
if ( $setting & DBL_CLASSIC ) {
add_ijump_extended( $input_option_chainref, j => $classic_target_chain, $origin{DYNAMIC_BLACKLIST}, @state );
add_ijump_extended( $forward_option_chainref, j => $classic_target_chain, $origin{DYNAMIC_BLACKLIST}, @state );
add_ijump_extended( $output_option_chainref, j => $classic_target_chain, $origin{DYNAMIC_BLACKLIST}, @state ) if $setting & DBL_DST;
}
} }
# #
# Finish blacklisting and FASTACCEPT # Finish FASTACCEPT
# #
for ( option_chains( $interface ) ) { if ( $config{FASTACCEPT} ) {
add_ijump_extended( $filter_table->{$_}, j => $classic_target, $origin{DYNAMIC_BLACKLIST}, @state ) if $dynamicref && ( get_interface_option( $interface, 'dbl' ) & DBL_CLASSIC ); for ( option_chains( $interface ) ) {
add_ijump_extended( $filter_table->{$_}, j => 'ACCEPT', $origin{FASTACCEPT}, state_imatch $faststate )->{comment} = '' if $config{FASTACCEPT}; add_ijump_extended( $filter_table->{$_}, j => 'ACCEPT', $origin{FASTACCEPT}, state_imatch $faststate )->{comment} = '';
}
} }
} } #Not loopback interface
} }
# #
# Delete 'sfilter' chains unless there are referenced to them # Delete 'sfilter' chains unless there are referenced to them

8
Shorewall/Perl/Shorewall/Rules.pm
View File

@ -748,7 +748,7 @@ sub process_a_policy1($$$$$$$) {
fatal_error "NONE policy not allowed to/from firewall zone" fatal_error "NONE policy not allowed to/from firewall zone"
if ( zone_type( $client ) == FIREWALL ) || ( zone_type( $server ) == FIREWALL ); if ( zone_type( $client ) == FIREWALL ) || ( zone_type( $server ) == FIREWALL );
} elsif ( $policy eq 'BLACKLIST' ) { } elsif ( $policy eq 'BLACKLIST' ) {
fatal_error 'BLACKLIST policies require ipset-based dynamic blacklisting' unless $config{DYNAMIC_BLACKLIST} =~ /^ipset/; fatal_error 'BLACKLIST policies require ipset-based dynamic blacklisting' unless $globals{DBL} & DBL_IPSET;
} }
unless ( $clientwild || $serverwild ) { unless ( $clientwild || $serverwild ) {
@ -1078,12 +1078,10 @@ sub add_policy_rules( $$$$$ ) {
assert( $target ); assert( $target );
if ( $target eq 'BLACKLIST' ) { if ( $target eq 'BLACKLIST' ) {
my ( $dbl_type, $dbl_ipset, $dbl_level, $dbl_tag ) = split( ':', $config{DYNAMIC_BLACKLIST} );
if ( my $timeout = $globals{DBL_TIMEOUT} ) { if ( my $timeout = $globals{DBL_TIMEOUT} ) {
add_ijump( $chainref, j => "SET --add-set $dbl_ipset src --exist --timeout $timeout" ); add_ijump( $chainref, j => "SET --add-set $globals{DBL_IPSET_NAME} src --exist --timeout $globals{DBL_TIMEOUT}" );
} else { } else {
add_ijump( $chainref, j => "SET --add-set $dbl_ipset src --exist" ); add_ijump( $chainref, j => "SET --add-set $globals{DBL_IPSET_NAME} src --exist" );
} }
$target = 'DROP'; $target = 'DROP';

29
Shorewall/Perl/Shorewall/Zones.pm
View File

@ -49,11 +49,6 @@ our @EXPORT = ( qw( NOTHING
GROUP GROUP
NO_UPDOWN NO_UPDOWN
NO_SFILTER NO_SFILTER
DBL_NONE
DBL_SRC
DBL_DST
DBL_SRC_DST
DBL_CLASSIC
determine_zones determine_zones
zone_report zone_report
@ -219,16 +214,6 @@ use constant { NOTHING => 'NOTHING',
IPSECMODE => 'tunnel|transport' IPSECMODE => 'tunnel|transport'
}; };
#
# Dynamic blacklisting values
#
use constant { DBL_NONE => 0,
DBL_SRC => 1,
DBL_DST => 2,
DBL_SRC_DST => 3,
DBL_CLASSIC => 4,
};
sub NETWORK() { sub NETWORK() {
$family == F_IPV4 ? '\d+.\d+.\d+.\d+(\/\d+)?' : '(?:[0-9a-fA-F]{0,4}:){2,7}[0-9a-fA-F]{0,4}(?:\/d+)?'; $family == F_IPV4 ? '\d+.\d+.\d+.\d+(\/\d+)?' : '(?:[0-9a-fA-F]{0,4}:){2,7}[0-9a-fA-F]{0,4}(?:\/d+)?';
} }
@ -1337,17 +1322,7 @@ sub process_interface( $$ ) {
$options{port} = 1 if $port; $options{port} = 1 if $port;
my $setting = DBL_NONE; $options{dbl} = $globals{DBL};
if ( my $dbl = $config{DYNAMIC_BLACKLIST} ) {
unless ( $dbl =~ /^No/i ) {
$setting |= DBL_SRC;
$setting |= DBL_CLASSIC unless ( $dbl =~ /^ipset-only/ );
$setting |= DBL_DST if ( $dbl =~ /,(src-)?dst[,:]/ );
}
}
$options{dbl} = $setting;
my $hostoptionsref = {}; my $hostoptionsref = {};
@ -1419,7 +1394,7 @@ sub process_interface( $$ ) {
if ( $value eq 'none' ) { if ( $value eq 'none' ) {
$options{dbl} = DBL_NONE; $options{dbl} = DBL_NONE;
} else { } else {
fatal_error qq(Invalid setting ($value) for 'dbl') unless defined ( $setting = $values{$value} ); fatal_error qq(Invalid setting ($value) for 'dbl') unless defined ( my $setting = $values{$value} );
$options{dbl} |= $setting; $options{dbl} |= $setting;
} }
} else { } else {