extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-06-18 15:46:55 +02:00
Code Issues Packages Projects Releases Wiki Activity

Renew timeout on matched dbl entries

Browse Source 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2016-10-16 09:42:45 -07:00
parent fad9dce3e6
commit e6f3d429a1
No known key found for this signature in database
GPG Key ID: 96E6B3F2423A4D10
2 changed files with 53 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
Shorewall/Perl/Shorewall/Config.pm
View File

@ -6262,16 +6262,20 @@ sub get_configuration( $$$$ ) {
( $key , my @options ) = split_list( $key, 'option' ); ( $key , my @options ) = split_list( $key, 'option' );
my $options = '';
for ( @options ) { for ( @options ) {
unless ( $simple_options{$_} ) { if ( $simple_options{$_} ) {
if ( $_ =~ s/^timeout=(\d+)$// ) { $options = join( ',' , $options, $_ );
$globals{DBL_TIMEOUT} = $1; } elsif ( $_ =~ s/^timeout=(\d+)$// ) {
} else { $globals{DBL_TIMEOUT} = $1;
fatal_error "Invalid ipset option ($_)"; } else {
} fatal_error "Invalid ipset option ($_)";
} }
} }
$globals{DBL_OPTIONS} = $options;
fatal_error "Invalid DYNAMIC_BLACKLIST setting ( $val )" if $key !~ /^ipset(?:-only)?$/ || defined $rest; fatal_error "Invalid DYNAMIC_BLACKLIST setting ( $val )" if $key !~ /^ipset(?:-only)?$/ || defined $rest;
if ( supplied( $set ) ) { if ( supplied( $set ) ) {

51
Shorewall/Perl/Shorewall/Misc.pm
View File

@ -688,7 +688,8 @@ sub add_common_rules ( $ ) {
my $dbl_ipset; my $dbl_ipset;
my $dbl_level; my $dbl_level;
my $dbl_tag; my $dbl_tag;
my $dbl_target; my $dbl_src_target;
my $dbl_dst_target;
if ( $config{REJECT_ACTION} ) { if ( $config{REJECT_ACTION} ) {
process_reject_action; process_reject_action;
@ -749,8 +750,42 @@ sub add_common_rules ( $ ) {
} }
if ( $dbl_ipset ) { if ( $dbl_ipset ) {
if ( $dbl_level ) { if ( $val = $globals{DBL_TIMEOUT} ) {
my $chainref = set_optflags( new_standard_chain( $dbl_target = 'dbl_log' ) , DONT_OPTIMIZE | DONT_DELETE ); $dbl_src_target = $globals{DBL_OPTIONS} =~ /src-dst/ ? 'dbl_src' : 'dbl_log';
my $chainref = set_optflags( new_standard_chain( $dbl_src_target ) , DONT_OPTIMIZE | DONT_DELETE );
log_rule_limit( $dbl_level,
$chainref,
'dbl_log',
'DROP',
$globals{LOGLIMIT},
$dbl_tag,
'add',
'',
$origin{DYNAMIC_BLACKLIST} ) if $dbl_level;
add_ijump_extended( $chainref, j => "SET --add-set $dbl_ipset src --exist --timeout $val", $origin{DYNAMIC_BLACKLIST} );
add_ijump_extended( $chainref, j => 'DROP', $origin{DYNAMIC_BLACKLIST} );
if ( $dbl_src_target eq 'dbl_src' ) {
$chainref = set_optflags( new_standard_chain( $dbl_dst_target = 'dbl_dst' ) , DONT_OPTIMIZE | DONT_DELETE );
log_rule_limit( $dbl_level,
$chainref,
'dbl_log',
'DROP',
$globals{LOGLIMIT},
$dbl_tag,
'add',
'',
$origin{DYNAMIC_BLACKLIST} ) if $dbl_level;
add_ijump_extended( $chainref, j => "SET --add-set $dbl_ipset dst --exist --timeout $val", $origin{DYNAMIC_BLACKLIST} );
add_ijump_extended( $chainref, j => 'DROP', $origin{DYNAMIC_BLACKLIST} );
} else {
$dbl_dst_target = $dbl_src_target;
}
} elsif ( $dbl_level ) {
my $chainref = set_optflags( new_standard_chain( $dbl_src_target = 'dbl_log' ) , DONT_OPTIMIZE | DONT_DELETE );
log_rule_limit( $dbl_level, log_rule_limit( $dbl_level,
$chainref, $chainref,
@ -763,7 +798,7 @@ sub add_common_rules ( $ ) {
$origin{DYNAMIC_BLACKLIST} ); $origin{DYNAMIC_BLACKLIST} );
add_ijump_extended( $chainref, j => 'DROP', $origin{DYNAMIC_BLACKLIST} ); add_ijump_extended( $chainref, j => 'DROP', $origin{DYNAMIC_BLACKLIST} );
} else { } else {
$dbl_target = 'DROP'; $dbl_src_target = $dbl_dst_target = 'DROP';
} }
} }
} }
@ -877,17 +912,17 @@ sub add_common_rules ( $ ) {
# #
# src # src
# #
add_ijump_extended( $filter_table->{input_option_chain($interface)}, j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset src" ); add_ijump_extended( $filter_table->{input_option_chain($interface)}, j => $dbl_src_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset src" );
add_ijump_extended( $filter_table->{forward_option_chain($interface)}, j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset src" ); add_ijump_extended( $filter_table->{forward_option_chain($interface)}, j => $dbl_src_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset src" );
} elsif ( $in == 2 ) { } elsif ( $in == 2 ) {
add_ijump_extended( $filter_table->{forward_option_chain($interface)}, j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset dst" ); add_ijump_extended( $filter_table->{forward_option_chain($interface)}, j => $dbl_dst_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset dst" );
} }
if ( $out == 2 ) { if ( $out == 2 ) {
# #
# dst # dst
# #
add_ijump_extended( $filter_table->{output_option_chain($interface)}, j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset dst" ); add_ijump_extended( $filter_table->{output_option_chain($interface)}, j => $dbl_dst_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset dst" );
} }
} }