Allow 'nodbl' for classic blacklisting
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
parent
337a4bd6ec
commit
e8f28fa564
@ -188,6 +188,7 @@ our %EXPORT_TAGS = (
|
|||||||
input_option_chain
|
input_option_chain
|
||||||
nodbl_src_chain
|
nodbl_src_chain
|
||||||
nodbl_dst_chain
|
nodbl_dst_chain
|
||||||
|
nodbl_classic_chain
|
||||||
zone_input_chain
|
zone_input_chain
|
||||||
use_interface_chain
|
use_interface_chain
|
||||||
output_chain
|
output_chain
|
||||||
@ -2456,6 +2457,14 @@ sub nodbl_dst_chain($) {
|
|||||||
( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : get_logical( $interface ) ) . '_nodbl';
|
( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : get_logical( $interface ) ) . '_nodbl';
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Blacklist Destination Exclusion Chain for an interface
|
||||||
|
#
|
||||||
|
sub nodbl_classic_chain($) {
|
||||||
|
my $interface = shift;
|
||||||
|
( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : get_logical( $interface ) ) . '_nocbl';
|
||||||
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
# Forward Option Chain for an interface
|
# Forward Option Chain for an interface
|
||||||
#
|
#
|
||||||
|
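Review bot: The header comment on the new `nodbl_classic_chain` sub reads `# Blacklist Destination Exclusion Chain for an interface`, which is the comment of the preceding `nodbl_dst_chain` copied verbatim and does not describe this chain. The chain gets the distinct `_nocbl` suffix and, in the `DBL_CLASSIC` branch of add_common_rules elsewhere in this commit, receives RETURN rules for both the source and the destination of each `nodbl` host, so the comment should say that. Suggested: `# Classic (non-ipset) Dynamic Blacklist Exclusion Chain for an interface (excludes nodbl hosts as src and dst)`.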
@ -951,12 +951,13 @@ sub add_common_rules ( $ ) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
my @nodbl = @{$interfaceref->{nodbl}};
|
my ( $src_target, $dst_target, $classic_target ) = ( $dbl_src_target, $dbl_dst_target , $dynamicref->{name} );
|
||||||
|
|
||||||
if ( $dbl_ipset && ( ( my $setting = get_interface_option( $interface, 'dbl' ) ) ) ) {
|
if ( ( my $setting = get_interface_option( $interface, 'dbl' ) ) != DBL_NONE ) {
|
||||||
|
|
||||||
my ( $src_target, $dst_target ) = ( $dbl_src_target, $dbl_dst_target );
|
my ( @src_exclude, @dst_exclude, @classic_exclude );
|
||||||
my ( @src_exclude, @dst_exclude );
|
|
||||||
|
my @nodbl = @{$interfaceref->{nodbl}};
|
||||||
|
|
||||||
if ( @nodbl ) {
|
if ( @nodbl ) {
|
||||||
#
|
#
|
||||||
@ -966,22 +967,35 @@ sub add_common_rules ( $ ) {
|
|||||||
#
|
#
|
||||||
# We need to create an intermediate chain
|
# We need to create an intermediate chain
|
||||||
#
|
#
|
||||||
$chainref = new_standard_chain( $src_target = nodbl_src_chain( $interface ));
|
if ( $dbl_ipset ) {
|
||||||
|
$chainref = new_standard_chain( $src_target = nodbl_src_chain( $interface ));
|
||||||
|
|
||||||
for (@nodbl) {
|
for (@nodbl) {
|
||||||
add_ijump( $chainref, j => 'RETURN', s => $_ );
|
add_ijump( $chainref, j => 'RETURN', s => $_ );
|
||||||
}
|
|
||||||
|
|
||||||
add_ijump( $chainref, j => $dbl_src_target );
|
|
||||||
|
|
||||||
if ( $dbl_src_target ne $dbl_dst_target ) {
|
|
||||||
$chainref = new_standard_chain( $dst_target = nodbl_dst_chain( $interface ));
|
|
||||||
|
|
||||||
for ( @nodbl ){
|
|
||||||
add_ijump( $chainref, j => 'RETURN', -d => $_ );
|
|
||||||
}
|
}
|
||||||
|
|
||||||
add_ijump( $chainref, j => $dbl_dst_target );
|
add_ijump( $chainref, j => $dbl_src_target );
|
||||||
|
|
||||||
|
if ( $dbl_src_target ne $dbl_dst_target ) {
|
||||||
|
$chainref = new_standard_chain( $dst_target = nodbl_dst_chain( $interface ));
|
||||||
|
|
||||||
|
for ( @nodbl ){
|
||||||
|
add_ijump( $chainref, j => 'RETURN', -d => $_ );
|
||||||
|
}
|
||||||
|
|
||||||
|
add_ijump( $chainref, j => $dbl_dst_target );
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if ( $setting & DBL_CLASSIC ) {
|
||||||
|
$chainref = new_standard_chain( $classic_target = nodbl_classic_chain( $interface ));
|
||||||
|
|
||||||
|
for (@nodbl) {
|
||||||
|
add_ijump( $chainref, j => 'RETURN', s => $_ );
|
||||||
|
add_ijump( $chainref, j => 'RETURN', d => $_ );
|
||||||
|
}
|
||||||
|
|
||||||
|
add_ijump( $chainref, j => $dynamicref->{name} );
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
#
|
#
|
||||||
@ -992,26 +1006,28 @@ sub add_common_rules ( $ ) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( $setting & DBL_SRC) {
|
if ( $dbl_ipset ) {
|
||||||
#
|
if ( $setting & DBL_SRC) {
|
||||||
# src or src-dst
|
#
|
||||||
#
|
# src or src-dst
|
||||||
add_ijump_extended( $filter_table->{input_option_chain($interface)}, j => $src_target, $origin{DYNAMIC_BLACKLIST}, @src_exclude, @state, set => "--match-set $dbl_ipset src" );
|
#
|
||||||
add_ijump_extended( $filter_table->{forward_option_chain($interface)}, j => $src_target, $origin{DYNAMIC_BLACKLIST}, @dst_exclude, @state, set => "--match-set $dbl_ipset src" );
|
add_ijump_extended( $filter_table->{input_option_chain($interface)}, j => $src_target, $origin{DYNAMIC_BLACKLIST}, @src_exclude, @state, set => "--match-set $dbl_ipset src" );
|
||||||
}
|
add_ijump_extended( $filter_table->{forward_option_chain($interface)}, j => $src_target, $origin{DYNAMIC_BLACKLIST}, @dst_exclude, @state, set => "--match-set $dbl_ipset src" );
|
||||||
|
}
|
||||||
|
|
||||||
if ( $setting & DBL_DST ) {
|
if ( $setting & DBL_DST ) {
|
||||||
#
|
#
|
||||||
# dst or src-dst
|
# src-dst
|
||||||
#
|
#
|
||||||
add_ijump_extended( $filter_table->{forward_option_chain($interface)}, j => $dst_target, $origin{DYNAMIC_BLACKLIST}, @dst_exclude, @state, set => "--match-set $dbl_ipset dst" );
|
add_ijump_extended( $filter_table->{forward_option_chain($interface)}, j => $dst_target, $origin{DYNAMIC_BLACKLIST}, @dst_exclude, @state, set => "--match-set $dbl_ipset dst" );
|
||||||
add_ijump_extended( $filter_table->{output_option_chain($interface)}, j => $dbl_dst_target, $origin{DYNAMIC_BLACKLIST}, @dst_exclude, @state, set => "--match-set $dbl_ipset dst" );
|
add_ijump_extended( $filter_table->{output_option_chain($interface)}, j => $dbl_dst_target, $origin{DYNAMIC_BLACKLIST}, @dst_exclude, @state, set => "--match-set $dbl_ipset dst" );
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
for ( option_chains( $interface ) ) {
|
for ( option_chains( $interface ) ) {
|
||||||
add_ijump_extended( $filter_table->{$_}, j => $dynamicref, $origin{DYNAMIC_BLACKLIST}, @state ) if $dynamicref && ( get_interface_option( $interface, 'dbl' ) & DBL_CLASSIC );
|
add_ijump_extended( $filter_table->{$_}, j => $classic_target, $origin{DYNAMIC_BLACKLIST}, @state ) if $dynamicref && ( get_interface_option( $interface, 'dbl' ) & DBL_CLASSIC );
|
||||||
add_ijump_extended( $filter_table->{$_}, j => 'ACCEPT', $origin{FASTACCEPT}, state_imatch $faststate )->{comment} = '' if $config{FASTACCEPT};
|
add_ijump_extended( $filter_table->{$_}, j => 'ACCEPT', $origin{FASTACCEPT}, state_imatch $faststate )->{comment} = '' if $config{FASTACCEPT};
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
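Review bot: `$classic_target` is initialised from `$dynamicref->{name}` unconditionally on the line following `my @nodbl = @{$interfaceref->{nodbl}};`, and if `$dynamicref` can be undef here — the `if $dynamicref && ...` guard on the `option_chains` loop suggests it can — that rvalue dereference autovivifies `$dynamicref` into an empty hash, so the guard then passes and the loop emits a jump to an undefined target. Proposed: `my ( $src_target, $dst_target, $classic_target ) = ( $dbl_src_target, $dbl_dst_target, $dynamicref ? $dynamicref->{name} : undef );`. The `DBL_CLASSIC` branch inside `if ( @nodbl )` likewise dereferences `$dynamicref` for its final jump; if a DBL_CLASSIC interface setting guarantees the chain exists, a comment stating that invariant would help the next reader. `@classic_exclude` is declared in the new code but never used in the visible hunks. add_common_rules starts and ends outside these hunks.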
@ -2264,8 +2264,7 @@ sub process_host( ) {
|
|||||||
$options{mss} = $1;
|
$options{mss} = $1;
|
||||||
$zoneref->{options}{complex} = 1;
|
$zoneref->{options}{complex} = 1;
|
||||||
} elsif ( $option eq 'nodbl' ) {
|
} elsif ( $option eq 'nodbl' ) {
|
||||||
fatal_error "The 'nodbl' option is only allowed when using ipset-based dynamic blacklisting" unless $config{DYNAMIC_BLACKLIST} =~ /^ipset/;
|
fatal_error "The 'nodbl' option is only allowed in 'ip' zones" unless $type & IP;
|
||||||
fatal_error "The 'nodbl' option is only allowed in 'ip' zones" unless $type & IP;
|
|
||||||
push @{$interfaceref->{nodbl}}, $hosts;
|
push @{$interfaceref->{nodbl}}, $hosts;
|
||||||
$options{nodbl} = 1;
|
$options{nodbl} = 1;
|
||||||
} elsif ( $validhostoptions{$option}) {
|
} elsif ( $validhostoptions{$option}) {
|
||||||
|
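Review bot: With the ipset-only check dropped, `nodbl` is now accepted regardless of whether dynamic blacklisting is enabled at all, and a `nodbl` host on an interface whose `dbl` option is `none` is silently inert, since add_common_rules only consults `@nodbl` when the interface setting is not DBL_NONE. Consider keeping a guard such as `fatal_error "The 'nodbl' option requires DYNAMIC_BLACKLIST" unless $config{DYNAMIC_BLACKLIST};` if a disabled setting is represented by a false value here — how DYNAMIC_BLACKLIST is normalised is not visible in this hunk. process_host starts and ends outside the hunk.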