Handle ipsec correctly in ipset-based dynamic blacklisting
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
parent
cbe2935fce
commit
f1317f919f
@ -1015,6 +1015,11 @@ sub add_common_rules ( $ ) {
|
|||||||
|
|
||||||
my @nodbl = @{$interfaceref->{nodbl}};
|
my @nodbl = @{$interfaceref->{nodbl}};
|
||||||
|
|
||||||
|
my $have_ipsec = have_ipsec;
|
||||||
|
|
||||||
|
my @in_policy = $have_ipsec ? ( policy => "--pol none --dir in" ) : ();
|
||||||
|
my @out_policy = $have_ipsec ? ( policy => "--pol none --dir out" ) : ();
|
||||||
|
|
||||||
if ( @nodbl ) {
|
if ( @nodbl ) {
|
||||||
#
|
#
|
||||||
# We have blacklisting exclusions defined in the hosts file
|
# We have blacklisting exclusions defined in the hosts file
|
||||||
@ -1029,8 +1034,8 @@ sub add_common_rules ( $ ) {
|
|||||||
add_host_exclusion_ijump( $chainref, 'RETURN', $hostref, 1 );
|
add_host_exclusion_ijump( $chainref, 'RETURN', $hostref, 1 );
|
||||||
}
|
}
|
||||||
|
|
||||||
add_ijump( $input_option_chainref, j => $chainref->{name} );
|
add_ijump( $input_option_chainref, j => $chainref->{name} , @in_policy );
|
||||||
add_ijump( $forward_option_chainref, j => $chainref->{name} );
|
add_ijump( $forward_option_chainref, j => $chainref->{name} , @in_policy );
|
||||||
|
|
||||||
$input_option_chainref = $forward_option_chainref = $chainref;
|
$input_option_chainref = $forward_option_chainref = $chainref;
|
||||||
|
|
||||||
@ -1041,11 +1046,14 @@ sub add_common_rules ( $ ) {
|
|||||||
add_host_exclusion_ijump( $chainref, 'RETURN', $hostref, 0 );
|
add_host_exclusion_ijump( $chainref, 'RETURN', $hostref, 0 );
|
||||||
}
|
}
|
||||||
|
|
||||||
add_ijump( $output_option_chainref, j => $chainref->{name} );
|
add_ijump( $forward_option_chainref, j => $chainref->{name} , @out_policy );
|
||||||
|
add_ijump( $output_option_chainref, j => $chainref->{name}, @out_policy );
|
||||||
|
|
||||||
$output_option_chainref = $chainref,
|
$output_option_chainref = $chainref,
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@in_policy = @out_policy = ();
|
||||||
|
|
||||||
} elsif ( $dbl_ipset ) {
|
} elsif ( $dbl_ipset ) {
|
||||||
#
|
#
|
||||||
# Easy case
|
# Easy case
|
||||||
@ -1053,17 +1061,16 @@ sub add_common_rules ( $ ) {
|
|||||||
my $hostref = $nodbl[0];
|
my $hostref = $nodbl[0];
|
||||||
|
|
||||||
if ( $setting & DBL_SRC ) {
|
if ( $setting & DBL_SRC ) {
|
||||||
add_dbl_exclusion_ijump( $input_option_chainref, $dbl_src_target, $hostref, $dbl_ipset, 1, @state );
|
add_dbl_exclusion_ijump( $input_option_chainref, $dbl_src_target, $hostref, $dbl_ipset, 1, @state , @in_policy );
|
||||||
add_dbl_exclusion_ijump( $forward_option_chainref, $dbl_src_target, $hostref, $dbl_ipset, 1, @state );
|
add_dbl_exclusion_ijump( $forward_option_chainref, $dbl_src_target, $hostref, $dbl_ipset, 1, @state , @in_policy );
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( $setting & DBL_DST ) {
|
if ( $setting & DBL_DST ) {
|
||||||
add_dbl_exclusion_ijump( $forward_option_chainref, $dbl_dst_target, $hostref, $dbl_ipset, 0, @state );
|
add_dbl_exclusion_ijump( $forward_option_chainref, $dbl_dst_target, $hostref, $dbl_ipset, 0, @state, @out_policy );
|
||||||
add_dbl_exclusion_ijump( $output_option_chainref, $dbl_dst_target, $hostref, $dbl_ipset, 1, @state );
|
add_dbl_exclusion_ijump( $output_option_chainref, $dbl_dst_target, $hostref, $dbl_ipset, 1, @state, @out_policy );
|
||||||
}
|
}
|
||||||
|
|
||||||
$dbl_ipset = '';
|
$dbl_ipset = ''; # All ipset jumps have been added
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( $setting & DBL_CLASSIC ) {
|
if ( $setting & DBL_CLASSIC ) {
|
||||||
@ -1085,16 +1092,16 @@ sub add_common_rules ( $ ) {
|
|||||||
#
|
#
|
||||||
# src or src-dst
|
# src or src-dst
|
||||||
#
|
#
|
||||||
add_ipset_dbl_ijump( $input_option_chainref, $dbl_src_target, "$dbl_ipset src", @state );
|
add_ipset_dbl_ijump( $input_option_chainref, $dbl_src_target, "$dbl_ipset src", @state, @in_policy );
|
||||||
add_ipset_dbl_ijump( $forward_option_chainref, $dbl_src_target, "$dbl_ipset src", @state );
|
add_ipset_dbl_ijump( $forward_option_chainref, $dbl_src_target, "$dbl_ipset src", @state, @in_policy);
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( $setting & DBL_DST ) {
|
if ( $setting & DBL_DST ) {
|
||||||
#
|
#
|
||||||
# src-dst
|
# src-dst
|
||||||
#
|
#
|
||||||
add_ipset_dbl_ijump( $forward_option_chainref, $dbl_dst_target, "$dbl_ipset dst", @state );
|
add_ipset_dbl_ijump( $forward_option_chainref, $dbl_dst_target, "$dbl_ipset dst", @state, @out_policy );
|
||||||
add_ipset_dbl_ijump( $output_option_chainref, $dbl_dst_target, "$dbl_ipset dst", @state );
|
add_ipset_dbl_ijump( $output_option_chainref, $dbl_dst_target, "$dbl_ipset dst", @state, @out_policy );
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
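Review bot: The new `@in_policy` / `@out_policy` definitions in the first hunk carry no comment saying what the `--pol none` match is for, yet they change which traffic ever reaches the dynamic blacklist chains; I would add above them `# With IPsec in use, match only packets that carry no IPsec policy (--pol none), so IPsec-protected traffic is not subjected to dynamic blacklisting.` The later reset `@in_policy = @out_policy = ();` after the multi-exclusion branch also deserves a why-comment, presumably because the entry jump into the exclusion chain already carries the policy match and the rules placed inside that chain must not repeat it — confirm against the chain layout. As a point of style, the appended arguments are written both as `$chainref->{name} , @in_policy` (space before the comma, also in the `add_dbl_exclusion_ijump` calls with `@state , @in_policy`) and as `$chainref->{name}, @out_policy`, and one `add_ipset_dbl_ijump` call ends in `@state, @in_policy);` with no space before the paren; the file's own spacing is `, @out_policy );`. The enclosing `add_common_rules` starts before the first hunk and ends after the last.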