Allow 'nodbl' for classic blacklisting

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2024-03-02 16:16:02 -08:00
parent 337a4bd6ec
commit e8f28fa564
3 changed files with 58 additions and 34 deletions


@ -188,6 +188,7 @@ our %EXPORT_TAGS = (
input_option_chain
nodbl_src_chain
nodbl_dst_chain
nodbl_classic_chain
zone_input_chain
use_interface_chain
output_chain
@ -2456,6 +2457,14 @@ sub nodbl_dst_chain($) {
( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : get_logical( $interface ) ) . '_nodbl';
}
#
# Blacklist Destination Exclusion Chain for an interface
#
sub nodbl_classic_chain($) {
my $interface = shift;
( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : get_logical( $interface ) ) . '_nocbl';
}
#
# Forward Option Chain for an interface
#


@ -951,12 +951,13 @@ sub add_common_rules ( $ ) {
}
}
my @nodbl = @{$interfaceref->{nodbl}};
my ( $src_target, $dst_target, $classic_target ) = ( $dbl_src_target, $dbl_dst_target , $dynamicref->{name} );
if ( $dbl_ipset && ( ( my $setting = get_interface_option( $interface, 'dbl' ) ) ) ) {
if ( ( my $setting = get_interface_option( $interface, 'dbl' ) ) != DBL_NONE ) {
my ( $src_target, $dst_target ) = ( $dbl_src_target, $dbl_dst_target );
my ( @src_exclude, @dst_exclude );
my ( @src_exclude, @dst_exclude, @classic_exclude );
my @nodbl = @{$interfaceref->{nodbl}};
if ( @nodbl ) {
#
@ -966,22 +967,35 @@ sub add_common_rules ( $ ) {
#
# We need to create an intermediate chain
#
$chainref = new_standard_chain( $src_target = nodbl_src_chain( $interface ));
if ( $dbl_ipset ) {
$chainref = new_standard_chain( $src_target = nodbl_src_chain( $interface ));
for (@nodbl) {
add_ijump( $chainref, j => 'RETURN', s => $_ );
}
add_ijump( $chainref, j => $dbl_src_target );
if ( $dbl_src_target ne $dbl_dst_target ) {
$chainref = new_standard_chain( $dst_target = nodbl_dst_chain( $interface ));
for ( @nodbl ){
add_ijump( $chainref, j => 'RETURN', -d => $_ );
for (@nodbl) {
add_ijump( $chainref, j => 'RETURN', s => $_ );
}
add_ijump( $chainref, j => $dbl_dst_target );
add_ijump( $chainref, j => $dbl_src_target );
if ( $dbl_src_target ne $dbl_dst_target ) {
$chainref = new_standard_chain( $dst_target = nodbl_dst_chain( $interface ));
for ( @nodbl ){
add_ijump( $chainref, j => 'RETURN', -d => $_ );
}
add_ijump( $chainref, j => $dbl_dst_target );
}
}
if ( $setting & DBL_CLASSIC ) {
$chainref = new_standard_chain( $classic_target = nodbl_classic_chain( $interface ));
for (@nodbl) {
add_ijump( $chainref, j => 'RETURN', s => $_ );
add_ijump( $chainref, j => 'RETURN', d => $_ );
}
add_ijump( $chainref, j => $dynamicref->{name} );
}
} else {
#
@ -992,26 +1006,28 @@ sub add_common_rules ( $ ) {
}
}
if ( $setting & DBL_SRC) {
#
# src or src-dst
#
add_ijump_extended( $filter_table->{input_option_chain($interface)}, j => $src_target, $origin{DYNAMIC_BLACKLIST}, @src_exclude, @state, set => "--match-set $dbl_ipset src" );
add_ijump_extended( $filter_table->{forward_option_chain($interface)}, j => $src_target, $origin{DYNAMIC_BLACKLIST}, @dst_exclude, @state, set => "--match-set $dbl_ipset src" );
}
if ( $dbl_ipset ) {
if ( $setting & DBL_SRC) {
#
# src or src-dst
#
add_ijump_extended( $filter_table->{input_option_chain($interface)}, j => $src_target, $origin{DYNAMIC_BLACKLIST}, @src_exclude, @state, set => "--match-set $dbl_ipset src" );
add_ijump_extended( $filter_table->{forward_option_chain($interface)}, j => $src_target, $origin{DYNAMIC_BLACKLIST}, @dst_exclude, @state, set => "--match-set $dbl_ipset src" );
}
if ( $setting & DBL_DST ) {
#
# dst or src-dst
#
add_ijump_extended( $filter_table->{forward_option_chain($interface)}, j => $dst_target, $origin{DYNAMIC_BLACKLIST}, @dst_exclude, @state, set => "--match-set $dbl_ipset dst" );
add_ijump_extended( $filter_table->{output_option_chain($interface)}, j => $dbl_dst_target, $origin{DYNAMIC_BLACKLIST}, @dst_exclude, @state, set => "--match-set $dbl_ipset dst" );
if ( $setting & DBL_DST ) {
#
# src-dst
#
add_ijump_extended( $filter_table->{forward_option_chain($interface)}, j => $dst_target, $origin{DYNAMIC_BLACKLIST}, @dst_exclude, @state, set => "--match-set $dbl_ipset dst" );
add_ijump_extended( $filter_table->{output_option_chain($interface)}, j => $dbl_dst_target, $origin{DYNAMIC_BLACKLIST}, @dst_exclude, @state, set => "--match-set $dbl_ipset dst" );
}
}
}
for ( option_chains( $interface ) ) {
add_ijump_extended( $filter_table->{$_}, j => $dynamicref, $origin{DYNAMIC_BLACKLIST}, @state ) if $dynamicref && ( get_interface_option( $interface, 'dbl' ) & DBL_CLASSIC );
add_ijump_extended( $filter_table->{$_}, j => 'ACCEPT', $origin{FASTACCEPT}, state_imatch $faststate )->{comment} = '' if $config{FASTACCEPT};
add_ijump_extended( $filter_table->{$_}, j => $classic_target, $origin{DYNAMIC_BLACKLIST}, @state ) if $dynamicref && ( get_interface_option( $interface, 'dbl' ) & DBL_CLASSIC );
add_ijump_extended( $filter_table->{$_}, j => 'ACCEPT', $origin{FASTACCEPT}, state_imatch $faststate )->{comment} = '' if $config{FASTACCEPT};
}
}
}
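Review bot: In the first hunk, `my ( $src_target, $dst_target, $classic_target ) = ( $dbl_src_target, $dbl_dst_target , $dynamicref->{name} );` dereferences `$dynamicref` unconditionally, while the `if $dynamicref && ...` guard on the option_chains loop in the last hunk implies it can be undef; an rvalue `->{name}` on an undef scalar autovivifies it to `{}`, so after this line that guard would pass and emit a jump to an undefined target whenever the interface's dbl option includes DBL_CLASSIC. Initialise it defensively instead: `my $classic_target = $dynamicref ? $dynamicref->{name} : undef;` (keeping `$src_target`/`$dst_target` as they are). Two smaller points in the same change: `@classic_exclude` is declared in the first hunk but not used anywhere visible, and the new classic chain writes the destination match as `d => $_` where the existing ipset chain above it uses `-d => $_` — worth aligning if add_ijump treats the two spellings differently. add_common_rules starts and ends outside these hunks.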


@ -2264,8 +2264,7 @@ sub process_host( ) {
$options{mss} = $1;
$zoneref->{options}{complex} = 1;
} elsif ( $option eq 'nodbl' ) {
fatal_error "The 'nodbl' option is only allowed when using ipset-based dynamic blacklisting" unless $config{DYNAMIC_BLACKLIST} =~ /^ipset/;
fatal_error "The 'nodbl' option is only allowed in 'ip' zones" unless $type & IP;
fatal_error "The 'nodbl' option is only allowed in 'ip' zones" unless $type & IP;
push @{$interfaceref->{nodbl}}, $hosts;
$options{nodbl} = 1;
} elsif ( $validhostoptions{$option}) {
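Review bot: Removing the ipset-only check means 'nodbl' is now accepted for any value of `$config{DYNAMIC_BLACKLIST}`, including, as far as this hunk shows, configurations with no dynamic blacklisting at all; in that case the hosts are still pushed onto `$interfaceref->{nodbl}` but nothing consumes them, so the option is silently ignored rather than rejected. If `$config{DYNAMIC_BLACKLIST}` is false when blacklisting is disabled, a narrower replacement guard such as `fatal_error "The 'nodbl' option requires dynamic blacklisting" unless $config{DYNAMIC_BLACKLIST};` would keep the error explicit without reintroducing the ipset restriction. process_host starts and ends outside the hunk.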