Add a 'timeout' option to DYNAMIC_BLACKLIST
Signed-off-by: Tom Eastep <teastep@shorewall.net>
parent
c19e732e42
commit
ca7ca4bdfe
@ -3813,6 +3813,12 @@ setup_dbl() {
|
|||||||
|
|
||||||
[ -n "$g_disconnect" ] && g_disconnect=src-dst
|
[ -n "$g_disconnect" ] && g_disconnect=src-dst
|
||||||
;;
|
;;
|
||||||
|
ipset*,timeout*)
|
||||||
|
#
|
||||||
|
# This utility doesn't need to know about 'timeout=nnn'
|
||||||
|
#
|
||||||
|
DYNAMIC_BLACKLIST=$(echo $DYNAMIC_BLACKLIST | sed -r 's/,timeout=[[:digit:]]+//')
|
||||||
|
;;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
case $DYNAMIC_BLACKLIST in
|
case $DYNAMIC_BLACKLIST in
|
||||||
|
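Review bot: The new `ipset*,timeout*)` arm strips the option with an unquoted `echo $DYNAMIC_BLACKLIST`, so a value containing whitespace or glob characters is word-split and expanded before sed sees it; quote it as `DYNAMIC_BLACKLIST=$(echo "$DYNAMIC_BLACKLIST" | sed -r 's/,timeout=[[:digit:]]+//')`. Because `case` takes the first matching arm and this arm sits after the arm closed by the `;;` above it, whether a value carrying both `src-dst` and `timeout=` still has the timeout removed depends on the earlier patterns, which are outside the hunk — worth confirming, since the stripped value feeds the following `case $DYNAMIC_BLACKLIST in`. The enclosing `setup_dbl()` starts and ends outside the hunk.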
@ -8266,36 +8266,63 @@ EOF
|
|||||||
sub ensure_ipsets( @ ) {
|
sub ensure_ipsets( @ ) {
|
||||||
my $set;
|
my $set;
|
||||||
|
|
||||||
if ( @_ > 1 ) {
|
if ( $globals{DBL_TIMEOUT} ne '' && $_[0] eq $globals{DBL_IPSET} ) {
|
||||||
|
shift;
|
||||||
|
|
||||||
|
emit( qq( if ! qt \$IPSET list $globals{DBL_IPSET}; then));
|
||||||
|
|
||||||
push_indent;
|
push_indent;
|
||||||
emit( "for set in @_; do" );
|
|
||||||
$set = '$set';
|
if ( $family == F_IPV4 ) {
|
||||||
} else {
|
emit( q( #),
|
||||||
$set = $_[0];
|
q( # Set the timeout for the dynamic blacklisting ipset),
|
||||||
|
q( #),
|
||||||
|
qq( \$IPSET -exist create $globals{DBL_IPSET} hash:net family inet timeout $globals{DBL_TIMEOUT} counters) );
|
||||||
|
} else {
|
||||||
|
emit( q( #),
|
||||||
|
q( # Set the timeout for the dynamic blacklisting ipset),
|
||||||
|
q( #),
|
||||||
|
qq( \$IPSET -exist create $globals{DBL_IPSET} hash:net family inet6 timeout $globals{DBL_TIMEOUT} counters) );
|
||||||
|
}
|
||||||
|
|
||||||
|
pop_indent;
|
||||||
|
|
||||||
|
emit( qq( fi\n) );
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( $family == F_IPV4 ) {
|
if ( @_ ) {
|
||||||
if ( have_capability 'IPSET_V5' ) {
|
if ( @_ > 1 ) {
|
||||||
emit ( qq( if ! qt \$IPSET -L $set -n; then) ,
|
push_indent;
|
||||||
qq( error_message "WARNING: ipset $set does not exist; creating it as an hash:net set") ,
|
emit( "for set in @_; do" );
|
||||||
qq( \$IPSET -N $set hash:net family inet timeout 0 counters) ,
|
$set = '$set';
|
||||||
qq( fi) );
|
|
||||||
} else {
|
} else {
|
||||||
emit ( qq( if ! qt \$IPSET -L $set -n; then) ,
|
$set = $_[0];
|
||||||
qq( error_message "WARNING: ipset $set does not exist; creating it as an iphash set") ,
|
}
|
||||||
qq( \$IPSET -N $set iphash) ,
|
|
||||||
|
if ( $family == F_IPV4 ) {
|
||||||
|
if ( have_capability 'IPSET_V5' ) {
|
||||||
|
emit ( qq( if ! qt \$IPSET list $set -n; then) ,
|
||||||
|
qq( error_message "WARNING: ipset $set does not exist; creating it as an hash:net set") ,
|
||||||
|
qq( \$IPSET create $set hash:net family inet timeout 0 counters) ,
|
||||||
|
qq( fi) );
|
||||||
|
} else {
|
||||||
|
emit ( qq( if ! qt \$IPSET -L $set -n; then) ,
|
||||||
|
qq( error_message "WARNING: ipset $set does not exist; creating it as an iphash set") ,
|
||||||
|
qq( \$IPSET -N $set iphash) ,
|
||||||
|
qq( fi) );
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
emit ( qq( if ! qt \$IPSET list $set -n; then) ,
|
||||||
|
qq( error_message "WARNING: ipset $set does not exist; creating it as an hash:net set") ,
|
||||||
|
qq( \$IPSET create $set hash:net family inet6 timeout 0 counters) ,
|
||||||
qq( fi) );
|
qq( fi) );
|
||||||
}
|
}
|
||||||
} else {
|
|
||||||
emit ( qq( if ! qt \$IPSET -L $set -n; then) ,
|
|
||||||
qq( error_message "WARNING: ipset $set does not exist; creating it as an hash:net set") ,
|
|
||||||
qq( \$IPSET -N $set hash:net family inet6 timeout 0 counters) ,
|
|
||||||
qq( fi) );
|
|
||||||
}
|
|
||||||
|
|
||||||
if ( @_ > 1 ) {
|
if ( @_ > 1 ) {
|
||||||
emit 'done';
|
emit 'done';
|
||||||
pop_indent;
|
pop_indent;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
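Review bot: `$globals{DBL_TIMEOUT} ne ''` in the new first `if` is always true, because the `initialize` hunk below defaults `DBL_TIMEOUT => 0`, so the dynamic-blacklist set is now always created through the new `ipset list`/`create -exist ... timeout` path and never through the `have_capability 'IPSET_V5'` fallback that still guards every other set; `if ( @_ && $globals{DBL_TIMEOUT} && $_[0] eq $globals{DBL_IPSET} ) {` keeps the old path for the default and also stops `$_[0]` being read from an empty argument list. When a timeout is configured the emitted `create ... timeout` form still presumes the V5 syntax, so it would be cleaner for the `get_configuration` hunk to reject `timeout=` at compile time when `have_capability 'IPSET_V5'` is false than to emit a start script that fails. `$globals{DBL_TIMEOUT}` is interpolated into shell text, but it is only ever assigned from a `(\d+)` capture, so that interpolation is safe as written. `ensure_ipsets` appears to lie entirely within the hunk.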
@ -8473,10 +8500,21 @@ sub create_load_ipsets() {
|
|||||||
'if [ "$COMMAND" = start ]; then' ); ##################### Start Command ##################
|
'if [ "$COMMAND" = start ]; then' ); ##################### Start Command ##################
|
||||||
|
|
||||||
if ( $config{SAVE_IPSETS} || @{$globals{SAVED_IPSETS}} ) {
|
if ( $config{SAVE_IPSETS} || @{$globals{SAVED_IPSETS}} ) {
|
||||||
emit( ' if [ -f ${VARDIR}/ipsets.save ]; then',
|
emit( ' if [ -f ${VARDIR}/ipsets.save ]; then' );
|
||||||
' zap_ipsets',
|
|
||||||
' $IPSET -R < ${VARDIR}/ipsets.save',
|
if ( my $set = $globals{DBL_IPSET} ) {
|
||||||
' fi' );
|
emit( ' #',
|
||||||
|
' # Update the dynamic blacklisting ipset timeout value',
|
||||||
|
' #',
|
||||||
|
qq( awk '/create $set/ { sub( /timeout [0-9]+/, \"timeout $globals{DBL_TIMEOUT}\" ) }; {print};/' \${VARDIR}/ipsets.save > \${VARDIR}/ipsets.temp),
|
||||||
|
' zap_ipsets',
|
||||||
|
' $IPSET restore < ${VARDIR}/ipsets.temp',
|
||||||
|
' fi' );
|
||||||
|
} else {
|
||||||
|
emit( ' zap_ipsets',
|
||||||
|
' $IPSET -R < ${VARDIR}/ipsets.save',
|
||||||
|
' fi' );
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( @ipsets ) {
|
if ( @ipsets ) {
|
||||||
|
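Review bot: The awk program in the new `qq( awk '/create $set/ ... {print};/' ...)` line ends with a stray `/` after `{print};`, which awk reads as the start of an unterminated regex, so the command is a syntax error; `ipsets.temp` is then empty and the following `$IPSET restore` reloads nothing, silently discarding the saved blacklist on every start. The line should read `qq( awk '/create $set/ { sub( /timeout [0-9]+/, "timeout $globals{DBL_TIMEOUT}" ) }; {print}' \${VARDIR}/ipsets.save > \${VARDIR}/ipsets.temp),` (the `\"` escapes are unnecessary inside `qq()`). It would also be worth anchoring the pattern as `/^create $set /` so that a set whose name merely begins with the DBL set name is not rewritten, checking awk's exit status before `zap_ipsets` runs, and removing `ipsets.temp` afterwards. `create_load_ipsets` starts and ends outside the hunk.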
@ -754,6 +754,8 @@ sub initialize( $;$$) {
|
|||||||
RPFILTER_LOG_TAG => '',
|
RPFILTER_LOG_TAG => '',
|
||||||
INVALID_LOG_TAG => '',
|
INVALID_LOG_TAG => '',
|
||||||
UNTRACKED_LOG_TAG => '',
|
UNTRACKED_LOG_TAG => '',
|
||||||
|
DBL_IPSET => '',
|
||||||
|
DBL_TIMEOUT => 0,
|
||||||
POSTROUTING => 'POSTROUTING',
|
POSTROUTING => 'POSTROUTING',
|
||||||
);
|
);
|
||||||
#
|
#
|
||||||
@ -6253,14 +6255,20 @@ sub get_configuration( $$$$ ) {
|
|||||||
|
|
||||||
if ( supplied( $val = $config{DYNAMIC_BLACKLIST} ) ) {
|
if ( supplied( $val = $config{DYNAMIC_BLACKLIST} ) ) {
|
||||||
if ( $val =~ /^ipset/ ) {
|
if ( $val =~ /^ipset/ ) {
|
||||||
my %valid_options = ( 'src-dst' => 1, 'disconnect' => 1 );
|
my %simple_options = ( 'src-dst' => 1, 'disconnect' => 1 );
|
||||||
|
|
||||||
my ( $key, $set, $level, $tag, $rest ) = split( ':', $val , 5 );
|
my ( $key, $set, $level, $tag, $rest ) = split( ':', $val , 5 );
|
||||||
|
|
||||||
( $key, my @options ) = split_list( $key, 'option' );
|
( $key , my @options ) = split_list( $key, 'option' );
|
||||||
|
|
||||||
for ( @options ) {
|
for ( @options ) {
|
||||||
fatal_error "Invalid ipset option ($_)" unless $valid_options{$_};
|
unless ( $simple_options{$_} ) {
|
||||||
|
if ( $_ =~ s/^timeout=(\d+)$// ) {
|
||||||
|
$globals{DBL_TIMEOUT} = $1;
|
||||||
|
} else {
|
||||||
|
fatal_error "Invalid ipset option ($_)";
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
fatal_error "Invalid DYNAMIC_BLACKLIST setting ( $val )" if $key !~ /^ipset(?:-only)?$/ || defined $rest;
|
fatal_error "Invalid DYNAMIC_BLACKLIST setting ( $val )" if $key !~ /^ipset(?:-only)?$/ || defined $rest;
|
||||||
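Review bot: `$_ =~ s/^timeout=(\d+)$//` in the new `for ( @options )` loop substitutes where a match would do, so it blanks the aliased `@options` element as a side effect, and `$` also accepts a trailing newline; `if ( /^timeout=(\d+)\z/ ) {` is sufficient. Nothing here bounds the value or checks the ipset capability, so an unsupported timeout only surfaces when the generated script runs `ipset create` at start; a `fatal_error` at compile time (presumably when `have_capability 'IPSET_V5'` is false, though the capability rules for timeout are not visible in this hunk) would report it where the user can act on it. A repeated `timeout=` silently takes the last value, which may be intended. `get_configuration` starts and ends outside the hunk.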
@ -6271,7 +6279,7 @@ sub get_configuration( $$$$ ) {
|
|||||||
$set = 'SW_DBL' . $family;
|
$set = 'SW_DBL' . $family;
|
||||||
}
|
}
|
||||||
|
|
||||||
add_ipset( $set );
|
add_ipset( $globals{DBL_IPSET} = $set );
|
||||||
|
|
||||||
$level = validate_level( $level );
|
$level = validate_level( $level );
|
||||||
|
|
||||||
|
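Review bot: `add_ipset( $globals{DBL_IPSET} = $set );` hides, inside an argument list, the assignment that the `ensure_ipsets` and `create_load_ipsets` changes depend on; `$globals{DBL_IPSET} = $set;` on its own line before `add_ipset( $set );` reads more clearly and matches how `$set` is assigned just above. `get_configuration` starts and ends outside the hunk.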
@ -1193,7 +1193,7 @@ sub process_interface( $$ ) {
|
|||||||
my %options;
|
my %options;
|
||||||
|
|
||||||
$options{port} = 1 if $port;
|
$options{port} = 1 if $port;
|
||||||
$options{dbl} = $config{DYNAMIC_BLACKLIST} =~ /^ipset(-only)?,src-dst/ ? '1:2' : $config{DYNAMIC_BLACKLIST} ? '1:0' : '0:0';
|
$options{dbl} = $config{DYNAMIC_BLACKLIST} =~ /^ipset(-only)?.*,src-dst/ ? '1:2' : $config{DYNAMIC_BLACKLIST} ? '1:0' : '0:0';
|
||||||
|
|
||||||
my $hostoptionsref = {};
|
my $hostoptionsref = {};
|
||||||
|
|
||||||
|
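Review bot: In the new `/^ipset(-only)?.*,src-dst/` the `.*` runs past the `:` separators into the setname, log-level and log-tag fields, so a `,src-dst` appearing anywhere later in the value also selects the `'1:2'` mode; confining the scan to the option list, e.g. `/^ipset(?:-only)?(?:,[^:,]+)*,src-dst(?:[,:]|\z)/`, keeps it to the options that `get_configuration` validates. The `(-only)` capture is unused and can be non-capturing. Whether a log tag may contain a comma is not visible here, so the mismatch may be theoretical. `process_interface` starts and ends outside the hunk.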
@ -485,7 +485,7 @@
|
|||||||
<para>ALL sends all packets through the blacklist chains.</para>
|
<para>ALL sends all packets through the blacklist chains.</para>
|
||||||
|
|
||||||
<para>Note: The ESTABLISHED state may not be specified if
|
<para>Note: The ESTABLISHED state may not be specified if
|
||||||
FASTACCEPT=Yes is specified. </para>
|
FASTACCEPT=Yes is specified.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -768,9 +768,7 @@
|
|||||||
role="bold">Yes</emphasis>|<emphasis
|
role="bold">Yes</emphasis>|<emphasis
|
||||||
role="bold">No</emphasis>||<emphasis
|
role="bold">No</emphasis>||<emphasis
|
||||||
role="bold">ipset</emphasis>[<emphasis
|
role="bold">ipset</emphasis>[<emphasis
|
||||||
role="bold">-only</emphasis>][,<emphasis
|
role="bold">-only</emphasis>][<replaceable>,option</replaceable>[,...]][:[<replaceable>setname</replaceable>][:<replaceable>log_level</replaceable>|:l<replaceable>og_tag</replaceable>]]]}</term>
|
||||||
role="bold">src-dst</emphasis>][,<emphasis
|
|
||||||
role="bold">disconnect</emphasis>][:[<replaceable>setname</replaceable>][:<replaceable>log_level</replaceable>|:l<replaceable>og_tag</replaceable>]]]}</term>
|
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Added in Shorewall 4.4.7. When set to <emphasis
|
<para>Added in Shorewall 4.4.7. When set to <emphasis
|
||||||
@ -786,20 +784,61 @@
|
|||||||
(<replaceable>log_level</replaceable>), if any, at which blacklisted
|
(<replaceable>log_level</replaceable>), if any, at which blacklisted
|
||||||
traffic is to be logged may also be specified. The default set name
|
traffic is to be logged may also be specified. The default set name
|
||||||
is SW_DBL4 and the default log level is <option>none</option> (no
|
is SW_DBL4 and the default log level is <option>none</option> (no
|
||||||
logging). if <option>ipset-only</option> is given, then chain-based
|
logging). If <option>ipset-only</option> is given, then chain-based
|
||||||
dynamic blacklisting is disabled just as if DYNAMIC_BLACKLISTING=No
|
dynamic blacklisting is disabled just as if DYNAMIC_BLACKLISTING=No
|
||||||
had been specified. Normally, only packets whose source address
|
had been specified.</para>
|
||||||
matches an entry in the ipsec are dropped. If
|
|
||||||
<option>src-dst</option> is included, then packets whose destination
|
|
||||||
address matches an entry in the ipset are also dropped.</para>
|
|
||||||
|
|
||||||
<para>The <option>disconnect</option> option was added in Shorewall
|
<para>Possible <replaceable>option</replaceable>s are:</para>
|
||||||
5.0.13 and requires that the conntrack utility be installed on the
|
|
||||||
firewall system. When an address is blacklisted using the
|
<variablelist>
|
||||||
<command>blacklist</command> command, all connections originating
|
<varlistentry>
|
||||||
from that address are disconnected. if the <option>src-dst</option>
|
<term>src-dst</term>
|
||||||
option was also specified, then all connections to that address are
|
|
||||||
also disconnected.</para>
|
<listitem>
|
||||||
|
<para>Normally, only packets whose source address matches an
|
||||||
|
entry in the ipset are dropped. If <option>src-dst</option> is
|
||||||
|
included, then packets whose destination address matches an
|
||||||
|
entry in the ipset are also dropped. </para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term><option>disconnect</option></term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>The <option>disconnect</option> option was added in
|
||||||
|
Shorewall 5.0.13 and requires that the conntrack utility be
|
||||||
|
installed on the firewall system. When an address is
|
||||||
|
blacklisted using the <command>blacklist</command> command,
|
||||||
|
all connections originating from that address are
|
||||||
|
disconnected. if the <option>src-dst</option> option was also
|
||||||
|
specified, then all connections to that address are also
|
||||||
|
disconnected.</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term><option>timeout</option>=<replaceable>seconds</replaceable></term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>Added in Shorewall 5.0.13. Normally, Shorewall creates
|
||||||
|
the dynamic blacklisting ipset with timeout 0 which means that
|
||||||
|
entries are permanent. If you want entries in the set that are
|
||||||
|
not accessed for a period of time to be deleted from the set,
|
||||||
|
you may specify that period using this option. Note that the
|
||||||
|
<command>blacklist</command> command can override the ipset's
|
||||||
|
timeout setting.</para>
|
||||||
|
|
||||||
|
<important>
|
||||||
|
<para>Once the dynamic blacklisting ipset has been created,
|
||||||
|
changing this option setting requires a complete restart of
|
||||||
|
the firewall; <command>shorewall restart</command> if
|
||||||
|
RESTART=restart, otherwise <command>shorewall stop
|
||||||
|
&& shorewall start</command></para>
|
||||||
|
</important>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
</variablelist>
|
||||||
|
|
||||||
<para>When ipset-based dynamic blacklisting is enabled, the contents
|
<para>When ipset-based dynamic blacklisting is enabled, the contents
|
||||||
of the blacklist will be preserved over
|
of the blacklist will be preserved over
|
||||||
|
@ -59,7 +59,9 @@
|
|||||||
|
|
||||||
<arg choice="plain"><option>blacklist</option></arg>
|
<arg choice="plain"><option>blacklist</option></arg>
|
||||||
|
|
||||||
<arg choice="plain"><replaceable>address</replaceable></arg>
|
<arg
|
||||||
|
choice="plain"><replaceable>address</replaceable><arg><replaceable>option</replaceable>
|
||||||
|
...</arg></arg>
|
||||||
</cmdsynopsis>
|
</cmdsynopsis>
|
||||||
|
|
||||||
<cmdsynopsis>
|
<cmdsynopsis>
|
||||||
|
@ -629,9 +629,7 @@
|
|||||||
role="bold">Yes</emphasis>|<emphasis
|
role="bold">Yes</emphasis>|<emphasis
|
||||||
role="bold">No</emphasis>||<emphasis
|
role="bold">No</emphasis>||<emphasis
|
||||||
role="bold">ipset</emphasis>[<emphasis
|
role="bold">ipset</emphasis>[<emphasis
|
||||||
role="bold">-only</emphasis>][,<emphasis
|
role="bold">-only</emphasis>][<replaceable>,option</replaceable>[,...]][:[<replaceable>setname</replaceable>][:<replaceable>log_level</replaceable>|:l<replaceable>og_tag</replaceable>]]]}</term>
|
||||||
role="bold">src-dst</emphasis>][,<emphasis
|
|
||||||
role="bold">disconnect</emphasis>][:[<replaceable>setname</replaceable>][:<replaceable>log_level</replaceable>|:l<replaceable>og_tag</replaceable>]]]}</term>
|
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Added in Shorewall 4.4.7. When set to <emphasis
|
<para>Added in Shorewall 4.4.7. When set to <emphasis
|
||||||
@ -649,18 +647,59 @@
|
|||||||
is SW_DBL6 and the default log level is <option>none</option> (no
|
is SW_DBL6 and the default log level is <option>none</option> (no
|
||||||
logging). if <option>ipset-only</option> is given, then chain-based
|
logging). if <option>ipset-only</option> is given, then chain-based
|
||||||
dynamic blacklisting is disabled just as if DYNAMIC_BLACKLISTING=No
|
dynamic blacklisting is disabled just as if DYNAMIC_BLACKLISTING=No
|
||||||
had been specified. Normally, only packets whose source address
|
had been specified. </para>
|
||||||
matches an entry in the ipsec are dropped. If
|
|
||||||
<option>src-dst</option> is included, then packets whose destination
|
|
||||||
address matches an entry in the ipset are also dropped.</para>
|
|
||||||
|
|
||||||
<para>The <option>disconnect</option> option was added in Shorewall
|
<para>Possible <replaceable>option</replaceable>s are:</para>
|
||||||
5.0.13 and requires that the conntrack utility be installed on the
|
|
||||||
firewall system. When an address is blacklisted using the
|
<variablelist>
|
||||||
<command>blacklist</command> command, all connections originating
|
<varlistentry>
|
||||||
from that address are disconnected. if the <option>src-dst</option>
|
<term>src-dst</term>
|
||||||
option was also specified, then all connections to that address are
|
|
||||||
also disconnected.</para>
|
<listitem>
|
||||||
|
<para>Normally, only packets whose source address matches an
|
||||||
|
entry in the ipset are dropped. If <option>src-dst</option> is
|
||||||
|
included, then packets whose destination address matches an
|
||||||
|
entry in the ipset are also dropped.</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term><option>disconnect</option></term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>The <option>disconnect</option> option was added in
|
||||||
|
Shorewall 5.0.13 and requires that the conntrack utility be
|
||||||
|
installed on the firewall system. When an address is
|
||||||
|
blacklisted using the <command>blacklist</command> command,
|
||||||
|
all connections originating from that address are
|
||||||
|
disconnected. if the <option>src-dst</option> option was also
|
||||||
|
specified, then all connections to that address are also
|
||||||
|
disconnected.</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term><option>timeout</option>=<replaceable>seconds</replaceable></term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>Added in Shorewall 5.0.13. Normally, Shorewall creates
|
||||||
|
the dynamic blacklisting ipset with timeout 0 which means that
|
||||||
|
entries are permanent. If you want entries in the set that are
|
||||||
|
not accessed for a period of time to be deleted from the set,
|
||||||
|
you may specify that period using this option. Note that the
|
||||||
|
<command>blacklist</command> command can override the ipset's
|
||||||
|
timeout setting.</para>
|
||||||
|
|
||||||
|
<important>
|
||||||
|
<para>Once the dynamic blacklisting ipset has been created,
|
||||||
|
changing this option setting requires a complete restart of
|
||||||
|
the firewall; <command>shorewall6 restart</command> if
|
||||||
|
RESTART=restart, otherwise <command>shorewall6 stop
|
||||||
|
&& shorewall6 start</command></para>
|
||||||
|
</important>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
</variablelist>
|
||||||
|
|
||||||
<para>When ipset-based dynamic blacklisting is enabled, the contents
|
<para>When ipset-based dynamic blacklisting is enabled, the contents
|
||||||
of the blacklist will be preserved over
|
of the blacklist will be preserved over
|
||||||
|
@ -44,8 +44,6 @@
|
|||||||
<arg>-<replaceable>options</replaceable></arg>
|
<arg>-<replaceable>options</replaceable></arg>
|
||||||
|
|
||||||
<arg choice="plain"><option>allow</option></arg>
|
<arg choice="plain"><option>allow</option></arg>
|
||||||
|
|
||||||
<arg choice="plain"><replaceable>address</replaceable></arg>
|
|
||||||
</cmdsynopsis>
|
</cmdsynopsis>
|
||||||
|
|
||||||
<cmdsynopsis>
|
<cmdsynopsis>
|
||||||
@ -58,7 +56,9 @@
|
|||||||
|
|
||||||
<arg choice="plain"><option>blacklist</option></arg>
|
<arg choice="plain"><option>blacklist</option></arg>
|
||||||
|
|
||||||
<arg choice="plain"><replaceable>address</replaceable></arg>
|
<arg choice="plain"><replaceable>address</replaceable><arg
|
||||||
|
choice="plain"><arg><replaceable>option
|
||||||
|
...</replaceable></arg></arg></arg>
|
||||||
</cmdsynopsis>
|
</cmdsynopsis>
|
||||||
|
|
||||||
<cmdsynopsis>
|
<cmdsynopsis>
|
||||||
|
Loading…
Reference in New Issue
Block a user