Issue Warning if blacklist file is non-empty and there are no 'blacklist' interfaces

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5774 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2007-03-31 18:44:48 +00:00
parent 5abdc94ff6
commit b1587a7b1f
4 changed files with 62 additions and 41 deletions


@ -34,6 +34,7 @@ our @EXPORT = qw(
find_file
split_line
open_file
close_file
push_open
pop_open
read_a_line
@ -255,9 +256,7 @@ sub find_file($)
{
my $filename=$_[0];
if ( $filename =~ '/.*' ) {
return $filename;
}
return $filename if $filename =~ '/.*';
my $directory;
@ -325,6 +324,25 @@ sub open_file( $ ) {
}
}
#
# This function is normally called in read_a_line() when EOF is reached. Clients of the
# module may also call the function to close the file before EOF
#
sub close_file() {
if ( $currentfile ) {
close $currentfile;
my $arrayref = pop @openstack;
if ( $arrayref ) {
( $currentfile, $currentfilename, $currentlinenumber ) = @$arrayref;
} else {
$currentfile = undef;
}
}
}
#
# Allow nested opens
#
@ -402,6 +420,7 @@ sub read_a_line {
$currentfile = undef;
open $currentfile, $filename or fatal_error "Unable to open $filename: $!";
$currentfilename = $filename;
$currentlinenumber = 0;
$line = '';
@ -410,15 +429,7 @@ sub read_a_line {
}
}
close $currentfile;
my $arrayref = pop @openstack;
if ( $arrayref ) {
( $currentfile, $currentfilename, $currentlinenumber ) = @$arrayref;
} else {
$currentfile = undef;
}
close_file;
}
}
@ -601,6 +612,9 @@ sub get_configuration( $ ) {
default_yes_no 'HIGH_ROUTE_MARKS' , '';
default_yes_no 'TC_EXPERT' , '';
default_yes_no 'USE_ACTIONS' , 'Yes';
warning_message 'USE_ACTIONS=No is not supported by Shorewall-perl ' . $globals{VERSION} unless $config{USE_ACTIONS};
default_yes_no 'EXPORTPARAMS' , '';
default_yes_no 'MARK_IN_FORWARD_CHAIN' , '';
@ -688,8 +702,7 @@ sub get_configuration( $ ) {
fatal_error "Invalid LOGFORMAT ($val)" if $@;
fatal_error "LOGFORMAT string is longer than 29 characters: \"$val\""
if length $result > 29;
fatal_error "LOGFORMAT string is longer than 29 characters: \"$val\"" if length $result > 29;
$globals{MAXZONENAMELENGTH} = int ( 5 + ( ( 29 - (length $result ) ) / 2) );
} else {
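Review bot: In the new close_file() (hunk `@ -325,6 +324,25 @@`), when @openstack is empty only $currentfile is reset to undef while $currentfilename and $currentlinenumber keep the values of the file just closed, so a later message that reports position may name a file that is no longer open; resetting all three in the else branch, e.g. `( $currentfile, $currentfilename, $currentlinenumber ) = ( undef, undef, 0 );` (adjust if callers rely on the stale name), keeps the state consistent. The handle close_file() closes is opened in read_a_line() (hunk `@ -402,6 +420,7 @@`, a context line) with the two-argument form `open $currentfile, $filename`, which lets a name beginning with a mode character or ending in `|` be interpreted as something other than a path; `open $currentfile, '<', $filename or fatal_error "Unable to open $filename: $!";` fixes the mode. The `'/.*'` pattern kept in find_file() (hunk `@ -255,9 +256,7 @@`) matches any name containing a slash, not only absolute paths; if only absolute names are meant, `m{\A/}` says so. read_a_line()'s body continues outside its hunks.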


@ -50,6 +50,7 @@ our @VERSION = 1.00;
# ...
# }
# zone => <zone name>
# }
# }
#
our @interfaces;
@ -164,10 +165,7 @@ sub validate_interfaces_file()
( $interfaces{$interface}{root} = $interface ) =~ s/\+$// ;
if ( $networks && $networks ne 'detect' )
{
warning_message 'Shorewall no longer uses broadcast addresses in rule generation:' . $networks;
}
warning_message 'Shorewall no longer uses broadcast addresses in rule generation:' . $networks if $networks && $networks ne 'detect';
my $optionsref = {};
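Review bot: The warning in the new postfix line of validate_interfaces_file() joins the value straight onto the colon, `'... rule generation:' . $networks`, so the message prints as `generation:<value>` with no separator; `warning_message 'Shorewall no longer uses broadcast addresses in rule generation: ' . $networks if $networks && $networks ne 'detect';` reads as intended. The rest of validate_interfaces_file() lies outside the hunk.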


@ -256,25 +256,26 @@ sub setup_syn_flood_chains() {
sub setup_blacklist() {
my $hosts = find_hosts_by_option 'blacklist';
my $chainref;
my ( $level, $disposition ) = @config{'BLACKLIST_LOGLEVEL', 'BLACKLIST_DISPOSITION' };
my $target = $disposition eq 'REJECT' ? 'reject' : $disposition;
if ( @$hosts ) {
my ( $level, $disposition ) = @config{'BLACKLIST_LOGLEVEL', 'BLACKLIST_DISPOSITION' };
new_standard_chain 'blacklst';
my $target = $disposition eq 'REJECT' ? 'reject' : $disposition;
$chainref = new_standard_chain 'blacklst';
if ( $level ) {
my $chainref = new_standard_chain 'blacklog';
my $logchainref = new_standard_chain 'blacklog';
log_rule_limit( $level , $chainref , 'blacklst' , $disposition , "$globals{LOGLIMIT}" , '', 'add', '' );
log_rule_limit( $level , $logchainref , 'blacklst' , $disposition , "$globals{LOGLIMIT}" , '', 'add', '' );
add_rule $chainref, "-j $target" ;
add_rule $logchainref, "-j $target" ;
$target = 'blacklog';
}
}
BLACKLIST:
{
if ( my $fn = open_file 'blacklist' ) {
my $first_entry = 1;
@ -284,22 +285,28 @@ sub setup_blacklist() {
my ( $networks, $protocol, $ports ) = split_line 3, 'blacklist file';
if ( $first_entry ) {
unless ( @$hosts ) {
warning_message "The entries in $fn have been ignored because there are no 'blacklist' interfaces";
close_file;
last BLACKLIST;
}
progress_message2 "$doing $fn...";
$first_entry = 0;
}
expand_rule
ensure_filter_chain( 'blacklst' , 0 ) ,
NO_RESTRICT ,
do_proto( $protocol , $ports, '' ) ,
$networks ,
'' ,
'' ,
"-j $target" ,
'' ,
$disposition ,
'';
expand_rule(
$chainref ,
NO_RESTRICT ,
do_proto( $protocol , $ports, '' ) ,
$networks ,
'' ,
'' ,
"-j $target" ,
'' ,
$disposition ,
'' );
progress_message " \"$line\" added to blacklist";
}
}
@ -312,11 +319,11 @@ sub setup_blacklist() {
my $policy = $capabilities{POLICY_MATCH} ? "-m policy --pol $ipsec --dir in " : '';
my $network = $hostref->[2];
my $source = match_source_net $network;
for my $chain ( @{first_chains $interface}) {
add_rule $filter_table->{$chain} , "${source}${state}${policy}-j blacklst";
}
progress_message " Blacklisting enabled on ${interface}:${network}";
}
}
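Review bot: $disposition, now read from %config at the top of setup_blacklist() and interpolated into `"-j $target"` for every blacklist rule, is passed through unchecked: only 'REJECT' is mapped to 'reject', so any other BLACKLIST_DISPOSITION value becomes a literal iptables target. Unless get_configuration() already restricts it (not visible on this page), a guard such as `fatal_error "Invalid BLACKLIST_DISPOSITION ($disposition)" unless $disposition eq 'DROP' || $disposition eq 'REJECT';` placed before `$target` is computed would turn a typo in shorewall.conf into a compile-time error instead of a failure when the generated rules are loaded. The `close_file; last BLACKLIST;` exit in the second hunk leaves $chainref undef on that path, which is only safe because every later use sits behind the `@$hosts` guard; a comment like `# $chainref stays undef when there are no 'blacklist' interfaces; the guard above exits before it is used` would record that dependency. The code between the hunks is not shown here.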


@ -170,6 +170,9 @@ h) Line continuation (lines ending in '\' are concatinated with the next
because it is combined with the preceding line; with the Perl-based
compiler, it is processed normally.
i) USE_ACTIONS=No is not supported. That option is intended to minimize
Shorewall's footprint in embedded applications. As a consequence,
Default Macros are not supported.
Installation
------------