forked from extern/shorewall_code
Merge branch '5.0.13'
This commit is contained in:
Tom Eastep
commit
2ca86d9abd
@ -6262,16 +6262,20 @@ sub get_configuration( $$$$ ) {
|
||||
|
||||
( $key , my @options ) = split_list( $key, 'option' );
|
||||
|
||||
my $options = '';
|
||||
|
||||
for ( @options ) {
|
||||
unless ( $simple_options{$_} ) {
|
||||
if ( $_ =~ s/^timeout=(\d+)$// ) {
|
||||
$globals{DBL_TIMEOUT} = $1;
|
||||
} else {
|
||||
fatal_error "Invalid ipset option ($_)";
|
||||
}
|
||||
if ( $simple_options{$_} ) {
|
||||
$options = join( ',' , $options, $_ );
|
||||
} elsif ( $_ =~ s/^timeout=(\d+)$// ) {
|
||||
$globals{DBL_TIMEOUT} = $1;
|
||||
} else {
|
||||
fatal_error "Invalid ipset option ($_)";
|
||||
}
|
||||
}
|
||||
|
||||
$globals{DBL_OPTIONS} = $options;
|
||||
|
||||
fatal_error "Invalid DYNAMIC_BLACKLIST setting ( $val )" if $key !~ /^ipset(?:-only)?$/ || defined $rest;
|
||||
|
||||
if ( supplied( $set ) ) {
|
||||
|
||||
@ -432,13 +432,18 @@ sub validate_port( $$ ) {
|
||||
sub validate_portpair( $$ ) {
|
||||
my ($proto, $portpair) = @_;
|
||||
my $what;
|
||||
my $pair = $portpair;
|
||||
#
|
||||
# Accept '-' as a port-range separator
|
||||
#
|
||||
$pair =~ tr/-/:/;
|
||||
|
||||
fatal_error "Invalid port range ($portpair)" if $portpair =~ tr/:/:/ > 1;
|
||||
fatal_error "Invalid port range ($portpair)" if $pair =~ tr/:/:/ > 1;
|
||||
|
||||
$portpair = "0$portpair" if substr( $portpair, 0, 1 ) eq ':';
|
||||
$portpair = "${portpair}65535" if substr( $portpair, -1, 1 ) eq ':';
|
||||
$pair = "0$pair" if substr( $pair, 0, 1 ) eq ':';
|
||||
$pair = "${pair}65535" if substr( $pair, -1, 1 ) eq ':';
|
||||
|
||||
my @ports = split /:/, $portpair, 2;
|
||||
my @ports = split /:/, $pair, 2;
|
||||
|
||||
my $protonum = resolve_proto( $proto ) || 0;
|
||||
|
||||
@ -497,7 +502,7 @@ sub validate_port_list( $$ ) {
|
||||
my ( $proto, $list ) = @_;
|
||||
my @list = split_list( $list, 'port' );
|
||||
|
||||
if ( @list > 1 && $list =~ /:/ ) {
|
||||
if ( @list > 1 && $list =~ /[:-]/ ) {
|
||||
require_capability( 'XMULTIPORT' , 'Port ranges in a port list', '' );
|
||||
}
|
||||
|
||||
|
||||
@ -688,7 +688,8 @@ sub add_common_rules ( $ ) {
|
||||
my $dbl_ipset;
|
||||
my $dbl_level;
|
||||
my $dbl_tag;
|
||||
my $dbl_target;
|
||||
my $dbl_src_target;
|
||||
my $dbl_dst_target;
|
||||
|
||||
if ( $config{REJECT_ACTION} ) {
|
||||
process_reject_action;
|
||||
@ -749,8 +750,42 @@ sub add_common_rules ( $ ) {
|
||||
}
|
||||
|
||||
if ( $dbl_ipset ) {
|
||||
if ( $dbl_level ) {
|
||||
my $chainref = set_optflags( new_standard_chain( $dbl_target = 'dbl_log' ) , DONT_OPTIMIZE | DONT_DELETE );
|
||||
if ( $val = $globals{DBL_TIMEOUT} ) {
|
||||
$dbl_src_target = $globals{DBL_OPTIONS} =~ /src-dst/ ? 'dbl_src' : 'dbl_log';
|
||||
|
||||
my $chainref = set_optflags( new_standard_chain( $dbl_src_target ) , DONT_OPTIMIZE | DONT_DELETE );
|
||||
|
||||
log_rule_limit( $dbl_level,
|
||||
$chainref,
|
||||
'dbl_log',
|
||||
'DROP',
|
||||
$globals{LOGLIMIT},
|
||||
$dbl_tag,
|
||||
'add',
|
||||
'',
|
||||
$origin{DYNAMIC_BLACKLIST} ) if $dbl_level;
|
||||
add_ijump_extended( $chainref, j => "SET --add-set $dbl_ipset src --exist --timeout $val", $origin{DYNAMIC_BLACKLIST} );
|
||||
add_ijump_extended( $chainref, j => 'DROP', $origin{DYNAMIC_BLACKLIST} );
|
||||
|
||||
if ( $dbl_src_target eq 'dbl_src' ) {
|
||||
$chainref = set_optflags( new_standard_chain( $dbl_dst_target = 'dbl_dst' ) , DONT_OPTIMIZE | DONT_DELETE );
|
||||
|
||||
log_rule_limit( $dbl_level,
|
||||
$chainref,
|
||||
'dbl_log',
|
||||
'DROP',
|
||||
$globals{LOGLIMIT},
|
||||
$dbl_tag,
|
||||
'add',
|
||||
'',
|
||||
$origin{DYNAMIC_BLACKLIST} ) if $dbl_level;
|
||||
add_ijump_extended( $chainref, j => "SET --add-set $dbl_ipset dst --exist --timeout $val", $origin{DYNAMIC_BLACKLIST} );
|
||||
add_ijump_extended( $chainref, j => 'DROP', $origin{DYNAMIC_BLACKLIST} );
|
||||
} else {
|
||||
$dbl_dst_target = $dbl_src_target;
|
||||
}
|
||||
} elsif ( $dbl_level ) {
|
||||
my $chainref = set_optflags( new_standard_chain( $dbl_src_target = 'dbl_log' ) , DONT_OPTIMIZE | DONT_DELETE );
|
||||
|
||||
log_rule_limit( $dbl_level,
|
||||
$chainref,
|
||||
@ -763,7 +798,7 @@ sub add_common_rules ( $ ) {
|
||||
$origin{DYNAMIC_BLACKLIST} );
|
||||
add_ijump_extended( $chainref, j => 'DROP', $origin{DYNAMIC_BLACKLIST} );
|
||||
} else {
|
||||
$dbl_target = 'DROP';
|
||||
$dbl_src_target = $dbl_dst_target = 'DROP';
|
||||
}
|
||||
}
|
||||
}
|
||||
@ -877,17 +912,17 @@ sub add_common_rules ( $ ) {
|
||||
#
|
||||
# src
|
||||
#
|
||||
add_ijump_extended( $filter_table->{input_option_chain($interface)}, j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset src" );
|
||||
add_ijump_extended( $filter_table->{forward_option_chain($interface)}, j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset src" );
|
||||
add_ijump_extended( $filter_table->{input_option_chain($interface)}, j => $dbl_src_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset src" );
|
||||
add_ijump_extended( $filter_table->{forward_option_chain($interface)}, j => $dbl_src_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset src" );
|
||||
} elsif ( $in == 2 ) {
|
||||
add_ijump_extended( $filter_table->{forward_option_chain($interface)}, j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset dst" );
|
||||
add_ijump_extended( $filter_table->{forward_option_chain($interface)}, j => $dbl_dst_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset dst" );
|
||||
}
|
||||
|
||||
if ( $out == 2 ) {
|
||||
#
|
||||
# dst
|
||||
#
|
||||
add_ijump_extended( $filter_table->{output_option_chain($interface)}, j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset dst" );
|
||||
add_ijump_extended( $filter_table->{output_option_chain($interface)}, j => $dbl_dst_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset dst" );
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@ -2619,6 +2619,12 @@ DNAT net loc:192.168.1.3 tcp <emphasis role="bold">4000:4100<
|
||||
<para>Also, unless otherwise documented, a port range can be preceded by
|
||||
'!' to specify "All ports except those in this range" (e.g.,
|
||||
"!4000:4100").</para>
|
||||
|
||||
<para>Beginning with Shorewall 5.0.14, a hyphen ("-") may also be used to
|
||||
separate the two port numbers.</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
||||
DNAT net loc:192.168.1.3 tcp <emphasis role="bold">4000-4100</emphasis></programlisting>
|
||||
</section>
|
||||
|
||||
<section id="Portlists">
|
||||
@ -2969,8 +2975,8 @@ redirect => 137</programlisting>
|
||||
then again for another hour from 23:00 onwards. If this is unwanted,
|
||||
e.g. if you would like 'match for two hours from Montay 23:00
|
||||
onwards' you need to also specify the <emphasis
|
||||
role="bold">contiguous</emphasis> option in the example above.
|
||||
</para>
|
||||
role="bold">contiguous</emphasis> option in the example
|
||||
above.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
|
||||
Loading…
Reference in New Issue
Block a user