diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index 7ac97c4f5..577262c45 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -188,6 +188,7 @@ our %EXPORT_TAGS = (
 input_option_chain
 nodbl_src_chain
 nodbl_dst_chain
+nodbl_classic_chain
 zone_input_chain
 use_interface_chain
 output_chain
@@ -2456,6 +2457,14 @@ sub nodbl_dst_chain($) {
 ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : get_logical( $interface ) ) . '_nodbl';
 }
+#
+# Blacklist Destination Exclusion Chain for an interface
+#
+sub nodbl_classic_chain($) {
+ my $interface = shift;
+ ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : get_logical( $interface ) ) . '_nocbl';
+}
+
 #
 # Forward Option Chain for an interface
 #
diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm
index c231a78b1..8fbee29c1 100644
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -951,12 +951,13 @@ sub add_common_rules ( $ ) {
 }
 }
- my @nodbl = @{$interfaceref->{nodbl}};
+ my ( $src_target, $dst_target, $classic_target ) = ( $dbl_src_target, $dbl_dst_target , $dynamicref->{name} );
- if ( $dbl_ipset && ( ( my $setting = get_interface_option( $interface, 'dbl' ) ) ) ) {
+ if ( ( my $setting = get_interface_option( $interface, 'dbl' ) ) != DBL_NONE ) {
- my ( $src_target, $dst_target ) = ( $dbl_src_target, $dbl_dst_target );
- my ( @src_exclude, @dst_exclude );
+ my ( @src_exclude, @dst_exclude, @classic_exclude );
+
+ my @nodbl = @{$interfaceref->{nodbl}};
 if ( @nodbl ) {
 #
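Review bot: The header comment on the new nodbl_classic_chain repeats the "Blacklist Destination Exclusion Chain" wording of its sibling, but the chain it names (`_nocbl`) is populated in the Misc.pm hunk of this same commit with RETURN rules for both source and destination and is only jumped to under DBL_CLASSIC, so the comment misdescribes it. Suggest `# Classic (non-ipset) Dynamic Blacklist Exclusion Chain for an interface`. The `($)` prototype and implicit-return style match the adjacent helpers, so nothing to change in the code itself.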
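Review bot: `@classic_exclude` is introduced in the new `my ( @src_exclude, @dst_exclude, @classic_exclude );` but nothing in this commit assigns or reads it — the classic jump added later in the option_chains loop passes only `@state`. Either it is dead and should be dropped, or the classic path was meant to receive exclusions the way `@src_exclude`/`@dst_exclude` are passed to the ipset rules; the code that fills those arrays lies outside the hunks shown, so I cannot tell which was intended. Separately, `$classic_target` is seeded from `$dynamicref->{name}` unconditionally while every consumer guards on `$dynamicref`; if `$dynamicref` can be undef at this point, `$dynamicref ? $dynamicref->{name} : undef` would make that explicit rather than relying on a silent undef. add_common_rules continues on both sides of the hunk.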
@@ -966,22 +967,35 @@ sub add_common_rules ( $ ) {
 #
 # We need to create an intermediate chain
 #
- $chainref = new_standard_chain( $src_target = nodbl_src_chain( $interface ));
+ if ( $dbl_ipset ) {
+ $chainref = new_standard_chain( $src_target = nodbl_src_chain( $interface ));
- for (@nodbl) {
- add_ijump( $chainref, j => 'RETURN', s => $_ );
- }
-
- add_ijump( $chainref, j => $dbl_src_target );
-
- if ( $dbl_src_target ne $dbl_dst_target ) {
- $chainref = new_standard_chain( $dst_target = nodbl_dst_chain( $interface ));
-
- for ( @nodbl ){
- add_ijump( $chainref, j => 'RETURN', -d => $_ );
+ for (@nodbl) {
+ add_ijump( $chainref, j => 'RETURN', s => $_ );
 }
- add_ijump( $chainref, j => $dbl_dst_target );
+ add_ijump( $chainref, j => $dbl_src_target );
+
+ if ( $dbl_src_target ne $dbl_dst_target ) {
+ $chainref = new_standard_chain( $dst_target = nodbl_dst_chain( $interface ));
+
+ for ( @nodbl ){
+ add_ijump( $chainref, j => 'RETURN', -d => $_ );
+ }
+
+ add_ijump( $chainref, j => $dbl_dst_target );
+ }
+ }
+
+ if ( $setting & DBL_CLASSIC ) {
+ $chainref = new_standard_chain( $classic_target = nodbl_classic_chain( $interface ));
+
+ for (@nodbl) {
+ add_ijump( $chainref, j => 'RETURN', s => $_ );
+ add_ijump( $chainref, j => 'RETURN', d => $_ );
+ }
+
+ add_ijump( $chainref, j => $dynamicref->{name} );
 }
 } else {
 #
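Review bot: In the new DBL_CLASSIC branch the destination exclusion is written `add_ijump( $chainref, j => 'RETURN', d => $_ );`, whereas the ipset branch directly above keeps the original `-d => $_` for the same purpose; if the leading dash on the match key is meaningful to add_ijump the two exclusion chains will not be built the same way, and if it is not, the two spellings should be unified so a reader does not assume a difference. The branch also creates the `_nocbl` chain and jumps to `$dynamicref->{name}` guarded only by `$setting & DBL_CLASSIC`, while the jump into `$classic_target` in the later hunk additionally requires `$dynamicref`; if those two conditions can disagree, a chain with an undefined jump target is emitted here, so either the same `$dynamicref &&` guard or a comment stating why it is unnecessary belongs on this `if`. The enclosing `if ( @nodbl )` block and add_common_rules both extend beyond the hunk.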
@@ -992,26 +1006,28 @@ sub add_common_rules ( $ ) { } } - if ( $setting & DBL_SRC) { - # - # src or src-dst - # - add_ijump_extended( $filter_table->{input_option_chain($interface)}, j => $src_target, $origin{DYNAMIC_BLACKLIST}, @src_exclude, @state, set => "--match-set $dbl_ipset src" ); - add_ijump_extended( $filter_table->{forward_option_chain($interface)}, j => $src_target, $origin{DYNAMIC_BLACKLIST}, @dst_exclude, @state, set => "--match-set $dbl_ipset src" ); - } + if ( $dbl_ipset ) { + if ( $setting & DBL_SRC) { + # + # src or src-dst + # + add_ijump_extended( $filter_table->{input_option_chain($interface)}, j => $src_target, $origin{DYNAMIC_BLACKLIST}, @src_exclude, @state, set => "--match-set $dbl_ipset src" ); + add_ijump_extended( $filter_table->{forward_option_chain($interface)}, j => $src_target, $origin{DYNAMIC_BLACKLIST}, @dst_exclude, @state, set => "--match-set $dbl_ipset src" ); + } - if ( $setting & DBL_DST ) { - # - # dst or src-dst - # - add_ijump_extended( $filter_table->{forward_option_chain($interface)}, j => $dst_target, $origin{DYNAMIC_BLACKLIST}, @dst_exclude, @state, set => "--match-set $dbl_ipset dst" ); - add_ijump_extended( $filter_table->{output_option_chain($interface)}, j => $dbl_dst_target, $origin{DYNAMIC_BLACKLIST}, @dst_exclude, @state, set => "--match-set $dbl_ipset dst" ); + if ( $setting & DBL_DST ) { + # + # src-dst + # + add_ijump_extended( $filter_table->{forward_option_chain($interface)}, j => $dst_target, $origin{DYNAMIC_BLACKLIST}, @dst_exclude, @state, set => "--match-set $dbl_ipset dst" ); + add_ijump_extended( $filter_table->{output_option_chain($interface)}, j => $dbl_dst_target, $origin{DYNAMIC_BLACKLIST}, @dst_exclude, @state, set => "--match-set $dbl_ipset dst" ); + } } } for ( option_chains( $interface ) ) { - add_ijump_extended( $filter_table->{$_}, j => $dynamicref, $origin{DYNAMIC_BLACKLIST}, @state ) if $dynamicref && ( get_interface_option( $interface, 'dbl' ) & DBL_CLASSIC ); - add_ijump_extended( 
$filter_table->{$_}, j => 'ACCEPT', $origin{FASTACCEPT}, state_imatch $faststate )->{comment} = '' if $config{FASTACCEPT}; + add_ijump_extended( $filter_table->{$_}, j => $classic_target, $origin{DYNAMIC_BLACKLIST}, @state ) if $dynamicref && ( get_interface_option( $interface, 'dbl' ) & DBL_CLASSIC ); + add_ijump_extended( $filter_table->{$_}, j => 'ACCEPT', $origin{FASTACCEPT}, state_imatch $faststate )->{comment} = '' if $config{FASTACCEPT}; } } } diff --git a/Shorewall/Perl/Shorewall/Zones.pm b/Shorewall/Perl/Shorewall/Zones.pm index 5bc06acd9..1fa9c8954 100644 --- a/Shorewall/Perl/Shorewall/Zones.pm +++ b/Shorewall/Perl/Shorewall/Zones.pm @@ -2264,8 +2264,7 @@ sub process_host( ) { $options{mss} = $1; $zoneref->{options}{complex} = 1; } elsif ( $option eq 'nodbl' ) { - fatal_error "The 'nodbl' option is only allowed when using ipset-based dynamic blacklisting" unless $config{DYNAMIC_BLACKLIST} =~ /^ipset/; - fatal_error "The 'nodbl' option is only allowed in 'ip' zones" unless $type & IP; + fatal_error "The 'nodbl' option is only allowed in 'ip' zones" unless $type & IP; push @{$interfaceref->{nodbl}}, $hosts; $options{nodbl} = 1; } elsif ( $validhostoptions{$option}) {
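Review bot: The classic jump in the `for ( option_chains( $interface ) )` loop re-evaluates `get_interface_option( $interface, 'dbl' ) & DBL_CLASSIC` once per option chain even though the enclosing block just computed that value into `$setting`; since `$setting` is scoped to the `if` condition above, the simplest fix is to hoist the test once before the loop, `my $classic = $dynamicref && ( get_interface_option( $interface, 'dbl' ) & DBL_CLASSIC );`, and write the rule as `... if $classic;`. Separately, the comment under `if ( $setting & DBL_DST )` was changed from "dst or src-dst" to "src-dst"; if DBL_DST can still be set without DBL_SRC, the previous wording was the accurate one and should be restored. The enclosing sub add_common_rules continues past the hunk.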
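Review bot: Removing the `=~ /^ipset/` check means `nodbl` is now accepted on any 'ip' zone host entry regardless of the DYNAMIC_BLACKLIST setting, and the hosts are still pushed to `$interfaceref->{nodbl}`; per the Misc.pm hunks that list is only consumed when the interface's dbl option is not DBL_NONE, so with dynamic blacklisting disabled an exclusion the administrator wrote is presumably ignored without any diagnostic. A narrower guard such as `fatal_error "The 'nodbl' option requires DYNAMIC_BLACKLIST" unless $config{DYNAMIC_BLACKLIST};` would keep the option validated against the feature it depends on; the exact value the disabled setting takes is not visible here, so the test may need adjusting to match it. process_host continues outside the hunk.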