mirror of
https://gitlab.com/shorewall/code.git
synced 2024-12-22 14:20:40 +01:00
Allow 'nodbl' for classic blacklisting
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
parent
337a4bd6ec
commit
e8f28fa564
@ -188,6 +188,7 @@ our %EXPORT_TAGS = (
|
||||
input_option_chain
|
||||
nodbl_src_chain
|
||||
nodbl_dst_chain
|
||||
nodbl_classic_chain
|
||||
zone_input_chain
|
||||
use_interface_chain
|
||||
output_chain
|
||||
@ -2456,6 +2457,14 @@ sub nodbl_dst_chain($) {
|
||||
( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : get_logical( $interface ) ) . '_nodbl';
|
||||
}
|
||||
|
||||
#
|
||||
# Blacklist Destination Exclusion Chain for an interface
|
||||
#
|
||||
sub nodbl_classic_chain($) {
|
||||
my $interface = shift;
|
||||
( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : get_logical( $interface ) ) . '_nocbl';
|
||||
}
|
||||
|
||||
#
|
||||
# Forward Option Chain for an interface
|
||||
#
|
||||
|
@ -951,12 +951,13 @@ sub add_common_rules ( $ ) {
|
||||
}
|
||||
}
|
||||
|
||||
my @nodbl = @{$interfaceref->{nodbl}};
|
||||
my ( $src_target, $dst_target, $classic_target ) = ( $dbl_src_target, $dbl_dst_target , $dynamicref->{name} );
|
||||
|
||||
if ( $dbl_ipset && ( ( my $setting = get_interface_option( $interface, 'dbl' ) ) ) ) {
|
||||
if ( ( my $setting = get_interface_option( $interface, 'dbl' ) ) != DBL_NONE ) {
|
||||
|
||||
my ( $src_target, $dst_target ) = ( $dbl_src_target, $dbl_dst_target );
|
||||
my ( @src_exclude, @dst_exclude );
|
||||
my ( @src_exclude, @dst_exclude, @classic_exclude );
|
||||
|
||||
my @nodbl = @{$interfaceref->{nodbl}};
|
||||
|
||||
if ( @nodbl ) {
|
||||
#
|
||||
@ -966,22 +967,35 @@ sub add_common_rules ( $ ) {
|
||||
#
|
||||
# We need to create an intermediate chain
|
||||
#
|
||||
$chainref = new_standard_chain( $src_target = nodbl_src_chain( $interface ));
|
||||
if ( $dbl_ipset ) {
|
||||
$chainref = new_standard_chain( $src_target = nodbl_src_chain( $interface ));
|
||||
|
||||
for (@nodbl) {
|
||||
add_ijump( $chainref, j => 'RETURN', s => $_ );
|
||||
}
|
||||
|
||||
add_ijump( $chainref, j => $dbl_src_target );
|
||||
|
||||
if ( $dbl_src_target ne $dbl_dst_target ) {
|
||||
$chainref = new_standard_chain( $dst_target = nodbl_dst_chain( $interface ));
|
||||
|
||||
for ( @nodbl ){
|
||||
add_ijump( $chainref, j => 'RETURN', -d => $_ );
|
||||
for (@nodbl) {
|
||||
add_ijump( $chainref, j => 'RETURN', s => $_ );
|
||||
}
|
||||
|
||||
add_ijump( $chainref, j => $dbl_dst_target );
|
||||
add_ijump( $chainref, j => $dbl_src_target );
|
||||
|
||||
if ( $dbl_src_target ne $dbl_dst_target ) {
|
||||
$chainref = new_standard_chain( $dst_target = nodbl_dst_chain( $interface ));
|
||||
|
||||
for ( @nodbl ){
|
||||
add_ijump( $chainref, j => 'RETURN', -d => $_ );
|
||||
}
|
||||
|
||||
add_ijump( $chainref, j => $dbl_dst_target );
|
||||
}
|
||||
}
|
||||
|
||||
if ( $setting & DBL_CLASSIC ) {
|
||||
$chainref = new_standard_chain( $classic_target = nodbl_classic_chain( $interface ));
|
||||
|
||||
for (@nodbl) {
|
||||
add_ijump( $chainref, j => 'RETURN', s => $_ );
|
||||
add_ijump( $chainref, j => 'RETURN', d => $_ );
|
||||
}
|
||||
|
||||
add_ijump( $chainref, j => $dynamicref->{name} );
|
||||
}
|
||||
} else {
|
||||
#
|
||||
@ -992,26 +1006,28 @@ sub add_common_rules ( $ ) {
|
||||
}
|
||||
}
|
||||
|
||||
if ( $setting & DBL_SRC) {
|
||||
#
|
||||
# src or src-dst
|
||||
#
|
||||
add_ijump_extended( $filter_table->{input_option_chain($interface)}, j => $src_target, $origin{DYNAMIC_BLACKLIST}, @src_exclude, @state, set => "--match-set $dbl_ipset src" );
|
||||
add_ijump_extended( $filter_table->{forward_option_chain($interface)}, j => $src_target, $origin{DYNAMIC_BLACKLIST}, @dst_exclude, @state, set => "--match-set $dbl_ipset src" );
|
||||
}
|
||||
if ( $dbl_ipset ) {
|
||||
if ( $setting & DBL_SRC) {
|
||||
#
|
||||
# src or src-dst
|
||||
#
|
||||
add_ijump_extended( $filter_table->{input_option_chain($interface)}, j => $src_target, $origin{DYNAMIC_BLACKLIST}, @src_exclude, @state, set => "--match-set $dbl_ipset src" );
|
||||
add_ijump_extended( $filter_table->{forward_option_chain($interface)}, j => $src_target, $origin{DYNAMIC_BLACKLIST}, @dst_exclude, @state, set => "--match-set $dbl_ipset src" );
|
||||
}
|
||||
|
||||
if ( $setting & DBL_DST ) {
|
||||
#
|
||||
# dst or src-dst
|
||||
#
|
||||
add_ijump_extended( $filter_table->{forward_option_chain($interface)}, j => $dst_target, $origin{DYNAMIC_BLACKLIST}, @dst_exclude, @state, set => "--match-set $dbl_ipset dst" );
|
||||
add_ijump_extended( $filter_table->{output_option_chain($interface)}, j => $dbl_dst_target, $origin{DYNAMIC_BLACKLIST}, @dst_exclude, @state, set => "--match-set $dbl_ipset dst" );
|
||||
if ( $setting & DBL_DST ) {
|
||||
#
|
||||
# src-dst
|
||||
#
|
||||
add_ijump_extended( $filter_table->{forward_option_chain($interface)}, j => $dst_target, $origin{DYNAMIC_BLACKLIST}, @dst_exclude, @state, set => "--match-set $dbl_ipset dst" );
|
||||
add_ijump_extended( $filter_table->{output_option_chain($interface)}, j => $dbl_dst_target, $origin{DYNAMIC_BLACKLIST}, @dst_exclude, @state, set => "--match-set $dbl_ipset dst" );
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
for ( option_chains( $interface ) ) {
|
||||
add_ijump_extended( $filter_table->{$_}, j => $dynamicref, $origin{DYNAMIC_BLACKLIST}, @state ) if $dynamicref && ( get_interface_option( $interface, 'dbl' ) & DBL_CLASSIC );
|
||||
add_ijump_extended( $filter_table->{$_}, j => 'ACCEPT', $origin{FASTACCEPT}, state_imatch $faststate )->{comment} = '' if $config{FASTACCEPT};
|
||||
add_ijump_extended( $filter_table->{$_}, j => $classic_target, $origin{DYNAMIC_BLACKLIST}, @state ) if $dynamicref && ( get_interface_option( $interface, 'dbl' ) & DBL_CLASSIC );
|
||||
add_ijump_extended( $filter_table->{$_}, j => 'ACCEPT', $origin{FASTACCEPT}, state_imatch $faststate )->{comment} = '' if $config{FASTACCEPT};
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -2264,8 +2264,7 @@ sub process_host( ) {
|
||||
$options{mss} = $1;
|
||||
$zoneref->{options}{complex} = 1;
|
||||
} elsif ( $option eq 'nodbl' ) {
|
||||
fatal_error "The 'nodbl' option is only allowed when using ipset-based dynamic blacklisting" unless $config{DYNAMIC_BLACKLIST} =~ /^ipset/;
|
||||
fatal_error "The 'nodbl' option is only allowed in 'ip' zones" unless $type & IP;
|
||||
fatal_error "The 'nodbl' option is only allowed in 'ip' zones" unless $type & IP;
|
||||
push @{$interfaceref->{nodbl}}, $hosts;
|
||||
$options{nodbl} = 1;
|
||||
} elsif ( $validhostoptions{$option}) {
|
||||
|
Loading…
Reference in New Issue
Block a user