Create DBL ipset with 'timeout 0'

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2020-05-31 12:37:42 -07:00
parent 67b421dc00
commit eb5bc3d8a4
2 changed files with 27 additions and 5 deletions


@ -3622,6 +3622,7 @@ reject_command() {
blacklist_command() { blacklist_command() {
local family local family
local timeout
[ $# -gt 0 ] || fatal_error "Missing address" [ $# -gt 0 ] || fatal_error "Missing address"
@ -3639,7 +3640,9 @@ blacklist_command() {
;; ;;
esac esac
if $IPSET -A $g_blacklistipset $@ -exist; then echo "$@" | fgrep -q ' timeout ' || timeout="timeout $g_dbltimeout"
if $IPSET -A $g_blacklistipset $@ $timeout -exist; then
local message local message
progress_message2 "$1 Blacklisted" progress_message2 "$1 Blacklisted"
@ -3908,8 +3911,26 @@ setup_dbl() {
case $DYNAMIC_BLACKLIST in case $DYNAMIC_BLACKLIST in
ipset*,timeout*) ipset*,timeout*)
# #
# This utility doesn't need to know about 'timeout=nnn' # Capture timeout
# #
local ifs
local f
ifs=$IFS
IFS=','
for f in $DYNAMIC_BLACKLIST; do
case $f in
timeout=*)
g_dbltimeout=${f#timeout=}
g_dbltimeout=${g_dbltimeout%%:*}
break
;;
esac
done
IFS=$ifs
DYNAMIC_BLACKLIST=$(echo $DYNAMIC_BLACKLIST | sed -r 's/,timeout=[[:digit:]]+//') DYNAMIC_BLACKLIST=$(echo $DYNAMIC_BLACKLIST | sed -r 's/,timeout=[[:digit:]]+//')
;; ;;
esac esac
@ -4458,6 +4479,7 @@ shorewall_cli() {
g_disconnect= g_disconnect=
g_havemutex= g_havemutex=
g_trace= g_trace=
g_dbltimeout=
VERBOSE= VERBOSE=
VERBOSITY=1 VERBOSITY=1
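Review bot: The new default-timeout logic in blacklist_command appends `timeout $g_dbltimeout` whenever the caller did not supply one, but g_dbltimeout is only populated by the `ipset*,timeout*)` branch of setup_dbl (and initialised empty in shorewall_cli), so with a DYNAMIC_BLACKLIST that has no `timeout=` field the command becomes `$IPSET -A set addr timeout -exist` and ipset will reject the bare keyword. Guard on the variable as well, e.g. `if [ -n "$g_dbltimeout" ] && ! echo "$@" | grep -qF ' timeout '; then` / `    timeout="timeout $g_dbltimeout"` / `fi`, which also leaves entries permanent (set default 0) when no timeout is configured. The value extracted in setup_dbl is taken up to the first `:` without checking it is numeric, whereas the following sed only strips a digit-only `timeout=` field; if the compiler does not already validate this, a non-numeric value would be passed unquoted to ipset, so consider a `case $g_dbltimeout in *[!0-9]*) fatal_error ...;; esac` check. `fgrep` is deprecated in favour of `grep -F`. blacklist_command begins before the hunk and its body continues past it.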


@ -8890,7 +8890,7 @@ sub ensure_ipsets( @ ) {
my $set; my $set;
my $counters = have_capability( 'IPSET_MATCH_COUNTERS' ) ? ' counters' : ''; my $counters = have_capability( 'IPSET_MATCH_COUNTERS' ) ? ' counters' : '';
if ( $globals{DBL_TIMEOUT} ne '' && $_[0] eq $globals{DBL_IPSET} ) { if ( $_[0] eq $globals{DBL_IPSET} ) {
shift; shift;
emit( qq( if ! qt \$IPSET list $globals{DBL_IPSET}; then)); emit( qq( if ! qt \$IPSET list $globals{DBL_IPSET}; then));
@ -8901,12 +8901,12 @@ sub ensure_ipsets( @ ) {
emit( q( #), emit( q( #),
q( # Set the timeout for the dynamic blacklisting ipset), q( # Set the timeout for the dynamic blacklisting ipset),
q( #), q( #),
qq( \$IPSET -exist create $globals{DBL_IPSET} hash:net family inet timeout $globals{DBL_TIMEOUT}${counters}) ); qq( \$IPSET -exist create $globals{DBL_IPSET} hash:net family inet timeout 0${counters}) );
} else { } else {
emit( q( #), emit( q( #),
q( # Set the timeout for the dynamic blacklisting ipset), q( # Set the timeout for the dynamic blacklisting ipset),
q( #), q( #),
qq( \$IPSET -exist create $globals{DBL_IPSET} hash:net family inet6 timeout $globals{DBL_TIMEOUT}${counters}) ); qq( \$IPSET -exist create $globals{DBL_IPSET} hash:net family inet6 timeout 0${counters}) );
} }
pop_indent; pop_indent;
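Review bot: The create commands now always emit `timeout 0`, but they sit inside `if ! qt $IPSET list $globals{DBL_IPSET}; then`, so a blacklist set that already exists from a firewall started under the previous version (created without any `timeout` option when DBL_TIMEOUT was empty) is left with its old type options; if the CLI then adds entries with an explicit per-entry timeout, ipset will reject them because the set has no timeout support. Consider emitting a check in the existing-set path (for example `$IPSET list` output containing `timeout`) and a clear error or a destroy/recreate when the set lacks it, or at least documenting that the set must be destroyed once after upgrading. The emitted comment `# Set the timeout for the dynamic blacklisting ipset` is now misleading since the timeout is always 0 here; `# Create the dynamic blacklisting ipset with timeout support (0 = entries are permanent unless added with an explicit timeout)` reflects what the line does. ensure_ipsets begins before the hunk and continues past it.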