From aa475546041671dad62634ee66d7c804e973cf1f Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Sat, 6 Jun 2020 10:14:32 -0700
Subject: [PATCH] Add 'noupdate' DYNAMIC_BLACKLIST option

Signed-off-by: Tom Eastep
---
 Shorewall-core/lib.cli | 9 +++++++++
 Shorewall/Perl/Shorewall/Config.pm | 2 +-
 Shorewall/Perl/Shorewall/Misc.pm | 12 +++++++-----
 Shorewall/manpages/shorewall.conf.xml | 15 +++++++++++++++
 4 files changed, 32 insertions(+), 6 deletions(-)

diff --git a/Shorewall-core/lib.cli b/Shorewall-core/lib.cli
index 9af730a82..d705f4f31 100644
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
@@ -3926,6 +3926,15 @@ setup_dbl() {
             ;;
     esac
 
+    case $DYNAMIC_BLACKLIST in
+        ipset*,noupdate*)
+            #
+            # This utility doesn't use this option
+            #
+            DYNAMIC_BLACKLIST=$(echo $DYNAMIC_BLACKLIST | sed 's/,noupdate//')
+            ;;
+    esac
+
     case $DYNAMIC_BLACKLIST in
         ipset*,timeout*)
             #
diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
index b8b064e68..ceac0c6b8 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -6695,7 +6695,7 @@ sub get_configuration( $$$ ) {
 
     if ( supplied( $val = $config{DYNAMIC_BLACKLIST} ) ) {
         if ( $val =~ /^ipset/ ) {
-            my %simple_options = ( 'src-dst' => 1, 'disconnect' => 1, 'log' => 1 );
+            my %simple_options = ( 'src-dst' => 1, 'disconnect' => 1, 'log' => 1, 'noupdate' => 1, );
 
             my ( $key, $set, $level, $tag, $rest ) = split( ':', $val , 5 );
 
diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm
index 87fe7407c..7c40981ac 100644
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -735,6 +735,7 @@ sub add_common_rules ( $ ) {
     my $dbl_tag;
     my $dbl_src_target;
     my $dbl_dst_target;
+    my $dbl_options;
 
     if ( $config{REJECT_ACTION} ) {
         process_reject_action;
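Review bot: The new stripping line `DYNAMIC_BLACKLIST=$(echo $DYNAMIC_BLACKLIST | sed 's/,noupdate//')` expands the variable unquoted inside the command substitution, so a value containing glob characters or runs of whitespace is word-split and globbed by the shell before sed sees it; prefer `DYNAMIC_BLACKLIST=$(printf '%s\n' "$DYNAMIC_BLACKLIST" | sed 's/,noupdate//')`. The value originates in shorewall.conf, which is normally root-owned, so the exposure is small, but the quoted form costs nothing and matches the `case` above it, which already handles the value safely. Note also that the `ipset*,noupdate*` pattern and the sed expression are prefix matches, so a misspelled option such as `,noupdatex` would be silently turned into `,x` here rather than rejected; presumably the compiler's option table catches that first, but worth confirming since this library runs at CLI time. setup_dbl continues outside the hunk.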
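Review bot: Adding `'noupdate' => 1` to `%simple_options` accepts the option unconditionally, yet the manpage hunk in this same patch says it is ignored unless `timeout` is also given, and nothing in this hunk reports that combination, so a user who sets `noupdate` alone gets a silent no-op. A `warning_message` along the lines of `warning_message "DYNAMIC_BLACKLIST option 'noupdate' is ignored without 'timeout'"` where the parsed options are reconciled would close that gap. The option parsing that would host such a check lies past the end of the hunk in the rest of the `if ( $val =~ /^ipset/ )` block, so it may already be handled there; get_configuration starts and ends outside the hunk.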
@@ -796,9 +797,10 @@ sub add_common_rules ( $ ) {
 
     if ( $dbl_ipset ) {
         if ( $val = $globals{DBL_TIMEOUT} ) {
-            $dbl_src_target = $globals{DBL_OPTIONS} =~ /src-dst/ ? 'dbl_src' : 'dbl_log';
+            $dbl_options = $globals{DBL_OPTIONS};
+            $dbl_src_target = $dbl_options =~ /src-dst/ ? 'dbl_src' : 'dbl_log';
 
-            my $chainref = set_optflags( new_standard_chain( $dbl_src_target ) , DONT_OPTIMIZE | DONT_DELETE );
+            my $chainref = new_standard_chain( $dbl_src_target );
 
             log_rule_limit( $dbl_level,
                             $chainref,
@@ -809,11 +811,11 @@ sub add_common_rules ( $ ) {
                             'add',
                             '',
                             $origin{DYNAMIC_BLACKLIST} ) if $dbl_level;
-            add_ijump_extended( $chainref, j => "SET --add-set $dbl_ipset src --exist --timeout $val", $origin{DYNAMIC_BLACKLIST} );
+            add_ijump_extended( $chainref, j => "SET --add-set $dbl_ipset src --exist --timeout $val", $origin{DYNAMIC_BLACKLIST} ) unless $dbl_options =~ /noupdate/;
             add_ijump_extended( $chainref, j => 'DROP', $origin{DYNAMIC_BLACKLIST} );
 
             if ( $dbl_src_target eq 'dbl_src' ) {
-                $chainref = set_optflags( new_standard_chain( $dbl_dst_target = 'dbl_dst' ) , DONT_OPTIMIZE | DONT_DELETE );
+                $chainref = new_standard_chain( $dbl_dst_target = 'dbl_dst' );
 
                 log_rule_limit( $dbl_level,
                                 $chainref,
@@ -830,7 +832,7 @@ sub add_common_rules ( $ ) {
                 $dbl_dst_target = $dbl_src_target;
             }
         } elsif ( $dbl_level ) {
-            my $chainref = set_optflags( new_standard_chain( $dbl_src_target = $dbl_dst_target = 'dbl_log' ) , DONT_OPTIMIZE | DONT_DELETE );
+            my $chainref = new_standard_chain( $dbl_src_target = $dbl_dst_target = 'dbl_log' );
 
             log_rule_limit( $dbl_level,
                             $chainref,
diff --git a/Shorewall/manpages/shorewall.conf.xml b/Shorewall/manpages/shorewall.conf.xml
index d2b893003..8ea9696ef 100644
--- a/Shorewall/manpages/shorewall.conf.xml
+++ b/Shorewall/manpages/shorewall.conf.xml
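Review bot: Replacing `set_optflags( new_standard_chain( $dbl_src_target ) , DONT_OPTIMIZE | DONT_DELETE )` with a bare `new_standard_chain( $dbl_src_target )` is a behaviour change unrelated to the `noupdate` option: the dbl_src chain, and dbl_dst and dbl_log in the following hunks, lose the flags that kept them out of the chain optimizer and protected them from deletion, and neither the subject nor the description mentions it. If the flags are no longer needed because nothing outside the generated ruleset references these chains, a one-line comment at the creation site saying so, `# chains are only reached via the generated jumps; optimizer may fold them`, would record that; otherwise this belongs in its own commit where it can be reviewed on its own terms. The enclosing `if ( $dbl_ipset )` block starts and ends outside the hunk.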
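Review bot: The `unless $dbl_options =~ /noupdate/` guard is applied only to the `SET --add-set $dbl_ipset src` rule in the source-side chain, while the destination chain created by `new_standard_chain( $dbl_dst_target = 'dbl_dst' )` runs past the end of the hunk; if that chain carries the matching `SET --add-set $dbl_ipset dst --exist --timeout $val` rule, it needs the same guard, otherwise traffic towards a blacklisted address would keep refreshing the entry's timeout and `noupdate` would apply in one direction only. As written, `$dbl_options` is assigned only inside the `if ( $val = $globals{DBL_TIMEOUT} )` block, so the guard is reachable only when a timeout is set, which matches the documented semantics, but the intent is not visible at the SET rule; a comment above it, `# noupdate: do not refresh the entry's timeout on every hit from the address`, would make it explicit. The enclosing block starts and ends outside the hunk.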
@@ -951,6 +951,21 @@ system log. + + + noupdate + + + Added in Shorewall 5.2.5. Normally, once an address has + been blacklisted, each time that a packet is received from the + packet, the ipset's entry for the address is updated to reset + the timeout to the value specifyed in the + option above. Setting the + option, inhibits this resetting of + the entry's timeout. This option is ignored when the + option is not specified. + + When ipset-based dynamic blacklisting is enabled, the contents