diff --git a/Shorewall-core/lib.cli b/Shorewall-core/lib.cli
index 3de5fb6c0..312ca3336 100644
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
@@ -3813,6 +3813,12 @@ setup_dbl() {
[ -n "$g_disconnect" ] && g_disconnect=src-dst
;;
+ ipset*,timeout*)
+ #
+ # This utility doesn't need to know about 'timeout=nnn'
+ #
+ DYNAMIC_BLACKLIST=$(echo $DYNAMIC_BLACKLIST | sed -r 's/,timeout=[[:digit:]]+//')
+ ;;
esac
case $DYNAMIC_BLACKLIST in
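Review bot: `$DYNAMIC_BLACKLIST` is expanded unquoted inside the command substitution on the new `DYNAMIC_BLACKLIST=$(echo $DYNAMIC_BLACKLIST | sed ...)` line, so the value goes through word splitting and pathname expansion before sed sees it; `DYNAMIC_BLACKLIST=$(printf '%s\n' "$DYNAMIC_BLACKLIST" | sed -r 's/,timeout=[[:digit:]]+//')` keeps the string intact. Because `case` stops at the first matching arm, the new `ipset*,timeout*)` arm only runs for values that fell through the arms above it (outside this hunk), so a setting that also carries an option handled by an earlier arm may keep its `timeout=` suffix into the `case $DYNAMIC_BLACKLIST in` that follows — if the option is meant to be dropped for every combination, strip it once before the first case instead. `sed -r` is the GNU/BusyBox spelling; `-E` is the portable one. setup_dbl starts and ends outside this hunk.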
diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index b51d0783f..ac450956b 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -8266,36 +8266,63 @@ EOF
sub ensure_ipsets( @ ) {
my $set;
- if ( @_ > 1 ) {
+ if ( $globals{DBL_TIMEOUT} ne '' && $_[0] eq $globals{DBL_IPSET} ) {
+ shift;
+
+ emit( qq( if ! qt \$IPSET list $globals{DBL_IPSET}; then));
+
push_indent;
- emit( "for set in @_; do" );
- $set = '$set';
- } else {
- $set = $_[0];
+
+ if ( $family == F_IPV4 ) {
+ emit( q( #),
+ q( # Set the timeout for the dynamic blacklisting ipset),
+ q( #),
+ qq( \$IPSET -exist create $globals{DBL_IPSET} hash:net family inet timeout $globals{DBL_TIMEOUT} counters) );
+ } else {
+ emit( q( #),
+ q( # Set the timeout for the dynamic blacklisting ipset),
+ q( #),
+ qq( \$IPSET -exist create $globals{DBL_IPSET} hash:net family inet6 timeout $globals{DBL_TIMEOUT} counters) );
+ }
+
+ pop_indent;
+
+ emit( qq( fi\n) );
+
}
- if ( $family == F_IPV4 ) {
- if ( have_capability 'IPSET_V5' ) {
- emit ( qq( if ! qt \$IPSET -L $set -n; then) ,
- qq( error_message "WARNING: ipset $set does not exist; creating it as an hash:net set") ,
- qq( \$IPSET -N $set hash:net family inet timeout 0 counters) ,
- qq( fi) );
+ if ( @_ ) {
+ if ( @_ > 1 ) {
+ push_indent;
+ emit( "for set in @_; do" );
+ $set = '$set';
} else {
- emit ( qq( if ! qt \$IPSET -L $set -n; then) ,
- qq( error_message "WARNING: ipset $set does not exist; creating it as an iphash set") ,
- qq( \$IPSET -N $set iphash) ,
+ $set = $_[0];
+ }
+
+ if ( $family == F_IPV4 ) {
+ if ( have_capability 'IPSET_V5' ) {
+ emit ( qq( if ! qt \$IPSET list $set -n; then) ,
+ qq( error_message "WARNING: ipset $set does not exist; creating it as an hash:net set") ,
+ qq( \$IPSET create $set hash:net family inet timeout 0 counters) ,
+ qq( fi) );
+ } else {
+ emit ( qq( if ! qt \$IPSET -L $set -n; then) ,
+ qq( error_message "WARNING: ipset $set does not exist; creating it as an iphash set") ,
+ qq( \$IPSET -N $set iphash) ,
+ qq( fi) );
+ }
+ } else {
+ emit ( qq( if ! qt \$IPSET list $set -n; then) ,
+ qq( error_message "WARNING: ipset $set does not exist; creating it as an hash:net set") ,
+ qq( \$IPSET create $set hash:net family inet6 timeout 0 counters) ,
qq( fi) );
}
- } else {
- emit ( qq( if ! qt \$IPSET -L $set -n; then) ,
- qq( error_message "WARNING: ipset $set does not exist; creating it as an hash:net set") ,
- qq( \$IPSET -N $set hash:net family inet6 timeout 0 counters) ,
- qq( fi) );
- }
- if ( @_ > 1 ) {
- emit 'done';
- pop_indent;
+ if ( @_ > 1 ) {
+ emit 'done';
+ pop_indent;
+ }
}
}
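Review bot: The new dynamic-blacklist branch at the top of ensure_ipsets emits `\$IPSET -exist create ...` with no `have_capability 'IPSET_V5'` test, while the generic IPv4 path below it still falls back to `-N ... iphash` when that capability is absent; and since this commit initialises `DBL_TIMEOUT` to `0` in Config.pm, `$globals{DBL_TIMEOUT} ne ''` is always true, so every dynamic-blacklist ipset now takes the unguarded branch even when no timeout option was configured. Either the condition should carry the same guard, e.g. `if ( $globals{DBL_TIMEOUT} ne '' && $_[0] eq $globals{DBL_IPSET} && ( $family != F_IPV4 || have_capability 'IPSET_V5' ) ) {` (the set then goes through the generic path, which silently drops the configured timeout, so a compile-time fatal_error when timeout= is given without the capability is the better place for the check), or the capability requirement should be documented in a comment above the branch. `-exist create` leaves an existing set's timeout untouched, which is exactly the restart requirement the manpage describes; a one-line comment saying so above the emit would save the next reader the trip to the docs. The IPv4 and IPv6 arms of that branch differ only in `inet`/`inet6`; `my $fam = $family == F_IPV4 ? 'inet' : 'inet6';` would collapse them into one emit.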
@@ -8473,10 +8500,21 @@ sub create_load_ipsets() {
'if [ "$COMMAND" = start ]; then' ); ##################### Start Command ##################
if ( $config{SAVE_IPSETS} || @{$globals{SAVED_IPSETS}} ) {
- emit( ' if [ -f ${VARDIR}/ipsets.save ]; then',
- ' zap_ipsets',
- ' $IPSET -R < ${VARDIR}/ipsets.save',
- ' fi' );
+ emit( ' if [ -f ${VARDIR}/ipsets.save ]; then' );
+
+ if ( my $set = $globals{DBL_IPSET} ) {
+ emit( ' #',
+ ' # Update the dynamic blacklisting ipset timeout value',
+ ' #',
+ qq( awk '/create $set/ { sub( /timeout [0-9]+/, \"timeout $globals{DBL_TIMEOUT}\" ) }; {print};/' \${VARDIR}/ipsets.save > \${VARDIR}/ipsets.temp),
+ ' zap_ipsets',
+ ' $IPSET restore < ${VARDIR}/ipsets.temp',
+ ' fi' );
+ } else {
+ emit( ' zap_ipsets',
+ ' $IPSET -R < ${VARDIR}/ipsets.save',
+ ' fi' );
+ }
}
if ( @ipsets ) {
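Review bot: The awk program emitted on the `qq( awk '/create $set/ ...` line ends in `{print};/` — the trailing `/` opens a regex that is never closed, so awk will almost certainly reject the script at start-up and `ipsets.temp` is empty or missing when `\$IPSET restore < \${VARDIR}/ipsets.temp` runs, leaving the firewall with no saved blacklist. The pattern is also unanchored, so `/create $set/` matches any set whose name merely contains `$set`; `qq( awk '/^create $set / { sub( /timeout [0-9]+/, \"timeout $globals{DBL_TIMEOUT}\" ) } { print }' \${VARDIR}/ipsets.save > \${VARDIR}/ipsets.temp),` fixes both. The new branch restores with `\$IPSET restore` while the else branch keeps `\$IPSET -R` — pick one spelling — and the temp file is left behind after a successful restore. create_load_ipsets starts and ends outside this hunk.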
diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
index be18afb46..df028ab8f 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -754,6 +754,8 @@ sub initialize( $;$$) {
RPFILTER_LOG_TAG => '',
INVALID_LOG_TAG => '',
UNTRACKED_LOG_TAG => '',
+ DBL_IPSET => '',
+ DBL_TIMEOUT => 0,
POSTROUTING => 'POSTROUTING',
);
#
@@ -6253,14 +6255,20 @@ sub get_configuration( $$$$ ) {
if ( supplied( $val = $config{DYNAMIC_BLACKLIST} ) ) {
if ( $val =~ /^ipset/ ) {
- my %valid_options = ( 'src-dst' => 1, 'disconnect' => 1 );
+ my %simple_options = ( 'src-dst' => 1, 'disconnect' => 1 );
my ( $key, $set, $level, $tag, $rest ) = split( ':', $val , 5 );
- ( $key, my @options ) = split_list( $key, 'option' );
+ ( $key , my @options ) = split_list( $key, 'option' );
for ( @options ) {
- fatal_error "Invalid ipset option ($_)" unless $valid_options{$_};
+ unless ( $simple_options{$_} ) {
+ if ( $_ =~ s/^timeout=(\d+)$// ) {
+ $globals{DBL_TIMEOUT} = $1;
+ } else {
+ fatal_error "Invalid ipset option ($_)";
+ }
+ }
}
fatal_error "Invalid DYNAMIC_BLACKLIST setting ( $val )" if $key !~ /^ipset(?:-only)?$/ || defined $rest;
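Review bot: `$_ =~ s/^timeout=(\d+)$//` rewrites the option in place — `$_` aliases the element of `@options` in the `for` loop, so after a match that element is the empty string; a plain match does the job without the side effect: `if ( /^timeout=(\d+)$/ ) {` (use `\z` instead of `$` if a trailing newline must not be accepted). Nothing bounds the captured number: ipset applies its own upper limit to `timeout`, so an out-of-range value is only reported when the generated script runs, whereas `fatal_error "Invalid timeout value ($1)" if $1 > <ipset max timeout>;` here would catch it at compile time. A repeated `timeout=` option silently overwrites the earlier value, which may or may not be intended. The rest of get_configuration is outside the hunk.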
@@ -6271,7 +6279,7 @@ sub get_configuration( $$$$ ) {
$set = 'SW_DBL' . $family;
}
- add_ipset( $set );
+ add_ipset( $globals{DBL_IPSET} = $set );
$level = validate_level( $level );
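Review bot: `add_ipset( $globals{DBL_IPSET} = $set );` hides an assignment to global state inside an argument list, which is easy to read past; `$globals{DBL_IPSET} = $set;` on its own line followed by `add_ipset( $set );` makes the two steps visible and greppable. get_configuration continues outside this hunk.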
diff --git a/Shorewall/Perl/Shorewall/Zones.pm b/Shorewall/Perl/Shorewall/Zones.pm
index 6d5b7f7d3..7709d2abb 100644
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -1193,7 +1193,7 @@ sub process_interface( $$ ) {
my %options;
$options{port} = 1 if $port;
- $options{dbl} = $config{DYNAMIC_BLACKLIST} =~ /^ipset(-only)?,src-dst/ ? '1:2' : $config{DYNAMIC_BLACKLIST} ? '1:0' : '0:0';
+ $options{dbl} = $config{DYNAMIC_BLACKLIST} =~ /^ipset(-only)?.*,src-dst/ ? '1:2' : $config{DYNAMIC_BLACKLIST} ? '1:0' : '0:0';
my $hostoptionsref = {};
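Review bot: The widened regex `/^ipset(-only)?.*,src-dst/` lets `.*` run past the first `:`, so `,src-dst` appearing in the setname, log level or log tag part of DYNAMIC_BLACKLIST would also switch on destination matching, and `(-only)` captures for no reason; `$options{dbl} = $config{DYNAMIC_BLACKLIST} =~ /^ipset(?:-only)?[^:]*,src-dst(?:,|:|$)/ ? '1:2' : $config{DYNAMIC_BLACKLIST} ? '1:0' : '0:0';` confines the search to the option list that get_configuration validates in Config.pm. process_interface starts and ends outside this hunk.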
diff --git a/Shorewall/manpages/shorewall.conf.xml b/Shorewall/manpages/shorewall.conf.xml
index c964c0c0a..18568f24b 100644
--- a/Shorewall/manpages/shorewall.conf.xml
+++ b/Shorewall/manpages/shorewall.conf.xml
@@ -485,7 +485,7 @@
ALL sends all packets through the blacklist chains.Note: The ESTABLISHED state may not be specified if
- FASTACCEPT=Yes is specified.
+ FASTACCEPT=Yes is specified.
@@ -768,9 +768,7 @@
role="bold">Yes|No||ipset[-only][,src-dst][,disconnect][:[setname][:log_level|:log_tag]]]}
+ role="bold">-only][,option[,...]][:[setname][:log_level|:log_tag]]]}
Added in Shorewall 4.4.7. When set to log_level), if any, at which blacklisted
traffic is to be logged may also be specified. The default set name
is SW_DBL4 and the default log level is (no
- logging). if is given, then chain-based
+ logging). If is given, then chain-based
dynamic blacklisting is disabled just as if DYNAMIC_BLACKLISTING=No
- had been specified. Normally, only packets whose source address
- matches an entry in the ipsec are dropped. If
- is included, then packets whose destination
- address matches an entry in the ipset are also dropped.
+ had been specified.
- The option was added in Shorewall
- 5.0.13 and requires that the conntrack utility be installed on the
- firewall system. When an address is blacklisted using the
- blacklist command, all connections originating
- from that address are disconnected. if the
- option was also specified, then all connections to that address are
- also disconnected.
+ Possible options are:
+
+
+
+ src-dst
+
+
+ Normally, only packets whose source address matches an
+ entry in the ipset are dropped. If is
+ included, then packets whose destination address matches an
+ entry in the ipset are also dropped.
+
+
+
+
+
+
+
+ The option was added in
+ Shorewall 5.0.13 and requires that the conntrack utility be
+ installed on the firewall system. When an address is
+ blacklisted using the blacklist command,
+ all connections originating from that address are
+ disconnected. if the option was also
+ specified, then all connections to that address are also
+ disconnected.
+
+
+
+
+ =seconds
+
+
+ Added in Shorewall 5.0.13. Normally, Shorewall creates
+ the dynamic blacklisting ipset with timeout 0 which means that
+ entries are permanent. If you want entries in the set that are
+ not accessed for a period of time to be deleted from the set,
+ you may specify that period using this option. Note that the
+ blacklist command can override the ipset's
+ timeout setting.
+
+
+ Once the dynamic blacklisting ipset has been created,
+ changing this option setting requires a complete restart of
+ the firewall; shorewall restart if
+ RESTART=restart, otherwise shorewall stop
+ && shorewall start
+
+
+
+ When ipset-based dynamic blacklisting is enabled, the contents
of the blacklist will be preserved over
diff --git a/Shorewall/manpages/shorewall.xml b/Shorewall/manpages/shorewall.xml
index 76d5c178b..24c3e2269 100644
--- a/Shorewall/manpages/shorewall.xml
+++ b/Shorewall/manpages/shorewall.xml
@@ -59,7 +59,9 @@
- address
+ addressoption
+ ...
diff --git a/Shorewall6/manpages/shorewall6.conf.xml b/Shorewall6/manpages/shorewall6.conf.xml
index 9a727fd45..45a23308a 100644
--- a/Shorewall6/manpages/shorewall6.conf.xml
+++ b/Shorewall6/manpages/shorewall6.conf.xml
@@ -629,9 +629,7 @@
role="bold">Yes|No||ipset[-only][,src-dst][,disconnect][:[setname][:log_level|:log_tag]]]}
+ role="bold">-only][,option[,...]][:[setname][:log_level|:log_tag]]]}
Added in Shorewall 4.4.7. When set to none (no
logging). if is given, then chain-based
dynamic blacklisting is disabled just as if DYNAMIC_BLACKLISTING=No
- had been specified. Normally, only packets whose source address
- matches an entry in the ipsec are dropped. If
- is included, then packets whose destination
- address matches an entry in the ipset are also dropped.
+ had been specified.
- The option was added in Shorewall
- 5.0.13 and requires that the conntrack utility be installed on the
- firewall system. When an address is blacklisted using the
- blacklist command, all connections originating
- from that address are disconnected. if the
- option was also specified, then all connections to that address are
- also disconnected.
+ Possible options are:
+
+
+
+ src-dst
+
+
+ Normally, only packets whose source address matches an
+ entry in the ipset are dropped. If is
+ included, then packets whose destination address matches an
+ entry in the ipset are also dropped.
+
+
+
+
+
+
+
+ The option was added in
+ Shorewall 5.0.13 and requires that the conntrack utility be
+ installed on the firewall system. When an address is
+ blacklisted using the blacklist command,
+ all connections originating from that address are
+ disconnected. if the option was also
+ specified, then all connections to that address are also
+ disconnected.
+
+
+
+
+ =seconds
+
+
+ Added in Shorewall 5.0.13. Normally, Shorewall creates
+ the dynamic blacklisting ipset with timeout 0 which means that
+ entries are permanent. If you want entries in the set that are
+ not accessed for a period of time to be deleted from the set,
+ you may specify that period using this option. Note that the
+ blacklist command can override the ipset's
+ timeout setting.
+
+
+ Once the dynamic blacklisting ipset has been created,
+ changing this option setting requires a complete restart of
+ the firewall; shorewall6 restart if
+ RESTART=restart, otherwise shorewall6 stop
+ && shorewall6 start
+
+
+
+ When ipset-based dynamic blacklisting is enabled, the contents
of the blacklist will be preserved over
diff --git a/Shorewall6/manpages/shorewall6.xml b/Shorewall6/manpages/shorewall6.xml
index aed4f7b7b..cc1dd2e0e 100644
--- a/Shorewall6/manpages/shorewall6.xml
+++ b/Shorewall6/manpages/shorewall6.xml
@@ -44,8 +44,6 @@
-options
-
- address
@@ -58,7 +56,9 @@
- address
+ addressoption
+ ...