diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm index b0c6b4211..74d3e5738 100644 --- a/Shorewall/Perl/Shorewall/Config.pm +++ b/Shorewall/Perl/Shorewall/Config.pm @@ -6262,16 +6262,20 @@ sub get_configuration( $$$$ ) { ( $key , my @options ) = split_list( $key, 'option' ); + my $options = ''; + for ( @options ) { - unless ( $simple_options{$_} ) { - if ( $_ =~ s/^timeout=(\d+)$// ) { - $globals{DBL_TIMEOUT} = $1; - } else { - fatal_error "Invalid ipset option ($_)"; - } + if ( $simple_options{$_} ) { + $options = join( ',' , $options, $_ ); + } elsif ( $_ =~ s/^timeout=(\d+)$// ) { + $globals{DBL_TIMEOUT} = $1; + } else { + fatal_error "Invalid ipset option ($_)"; } } + $globals{DBL_OPTIONS} = $options; + fatal_error "Invalid DYNAMIC_BLACKLIST setting ( $val )" if $key !~ /^ipset(?:-only)?$/ || defined $rest; if ( supplied( $set ) ) { diff --git a/Shorewall/Perl/Shorewall/IPAddrs.pm b/Shorewall/Perl/Shorewall/IPAddrs.pm index c9d6abb1b..2d1ae2603 100644 --- a/Shorewall/Perl/Shorewall/IPAddrs.pm +++ b/Shorewall/Perl/Shorewall/IPAddrs.pm @@ -432,13 +432,18 @@ sub validate_port( $$ ) { sub validate_portpair( $$ ) { my ($proto, $portpair) = @_; my $what; + my $pair = $portpair; + # + # Accept '-' as a port-range separator + # + $pair =~ tr/-/:/; - fatal_error "Invalid port range ($portpair)" if $portpair =~ tr/:/:/ > 1; + fatal_error "Invalid port range ($portpair)" if $pair =~ tr/:/:/ > 1; - $portpair = "0$portpair" if substr( $portpair, 0, 1 ) eq ':'; - $portpair = "${portpair}65535" if substr( $portpair, -1, 1 ) eq ':'; + $pair = "0$pair" if substr( $pair, 0, 1 ) eq ':'; + $pair = "${pair}65535" if substr( $pair, -1, 1 ) eq ':'; - my @ports = split /:/, $portpair, 2; + my @ports = split /:/, $pair, 2; my $protonum = resolve_proto( $proto ) || 0; 
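Review bot: `$options = join( ',' , $options, $_ )` starts from the empty string, so the first accepted option produces `,opt` and `$globals{DBL_OPTIONS}` always carries a leading comma; the `/src-dst/` substring match that consumes it in Misc.pm tolerates this, but anything that later splits the value or passes it through as an ipset option list will see an empty first element. Collect the accepted names and join once: `my @simple;` before the loop, `push @simple, $_;` in place of the join, and `$globals{DBL_OPTIONS} = join( ',', @simple );` after it. A one-line comment above the loop saying that `timeout=` is consumed here while the remaining options are recorded verbatim for add_common_rules would also help the next reader. get_configuration continues outside the hunk.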
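Review bot: `$pair =~ tr/-/:/` rewrites every hyphen, so if validate_portpair is ever reached with a service name that contains one (e.g. `netbios-ns`) the name becomes a range and is either rejected by the `tr/:/:/ > 1` test or split by `split /:/, $pair, 2` into two bogus port names; the rest of the function and its callers are outside the hunk, so I cannot confirm that such names are filtered first. Consider treating a hyphen as a separator only between two (possibly empty) numeric halves, e.g. `$pair =~ s/^(\d*)-(\d*)$/$1:$2/;` in place of the `tr`, and make the header comment state the rule: `# Accept '-' between two port numbers as a range separator; service names may themselves contain '-'`. The same substring assumption appears in validate_port_list's `/[:-]/` test in the next hunk.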
@@ -497,7 +502,7 @@ sub validate_port_list( $$ ) { my ( $proto, $list ) = @_; my @list = split_list( $list, 'port' ); - if ( @list > 1 && $list =~ /:/ ) { + if ( @list > 1 && $list =~ /[:-]/ ) { require_capability( 'XMULTIPORT' , 'Port ranges in a port list', '' ); } diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm index 7218abbd7..f3eb03e41 100644 --- a/Shorewall/Perl/Shorewall/Misc.pm +++ b/Shorewall/Perl/Shorewall/Misc.pm @@ -688,7 +688,8 @@ sub add_common_rules ( $ ) { my $dbl_ipset; my $dbl_level; my $dbl_tag; - my $dbl_target; + my $dbl_src_target; + my $dbl_dst_target; if ( $config{REJECT_ACTION} ) { process_reject_action; 
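Review bot: `$list =~ /[:-]/` now demands the XMULTIPORT capability for any multi-entry list that contains a hyphen anywhere, including a list of hyphenated service names with no range in it (e.g. `netbios-ns,netbios-dgm`), which passed without that capability before this change. If hyphens are meant to be range separators only between numbers, mirror that here, e.g. `if ( @list > 1 && ( $list =~ /:/ || $list =~ /\d-\d/ ) ) {`, and say so in a comment above the test: `# A ':' or a digit-hyphen-digit sequence in a multi-entry list denotes a range, which needs XMULTIPORT`. validate_port_list continues outside the hunk.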
@@ -749,8 +750,42 @@ sub add_common_rules ( $ ) { } if ( $dbl_ipset ) { - if ( $dbl_level ) { - my $chainref = set_optflags( new_standard_chain( $dbl_target = 'dbl_log' ) , DONT_OPTIMIZE | DONT_DELETE ); + if ( $val = $globals{DBL_TIMEOUT} ) { + $dbl_src_target = $globals{DBL_OPTIONS} =~ /src-dst/ ? 'dbl_src' : 'dbl_log'; + + my $chainref = set_optflags( new_standard_chain( $dbl_src_target ) , DONT_OPTIMIZE | DONT_DELETE ); + + log_rule_limit( $dbl_level, + $chainref, + 'dbl_log', + 'DROP', + $globals{LOGLIMIT}, + $dbl_tag, + 'add', + '', + $origin{DYNAMIC_BLACKLIST} ) if $dbl_level; + add_ijump_extended( $chainref, j => "SET --add-set $dbl_ipset src --exist --timeout $val", $origin{DYNAMIC_BLACKLIST} ); + add_ijump_extended( $chainref, j => 'DROP', $origin{DYNAMIC_BLACKLIST} ); + + if ( $dbl_src_target eq 'dbl_src' ) { + $chainref = set_optflags( new_standard_chain( $dbl_dst_target = 'dbl_dst' ) , DONT_OPTIMIZE | DONT_DELETE ); + + log_rule_limit( $dbl_level, + $chainref, + 'dbl_log', + 'DROP', + $globals{LOGLIMIT}, + $dbl_tag, + 'add', + '', + $origin{DYNAMIC_BLACKLIST} ) if $dbl_level; + add_ijump_extended( $chainref, j => "SET --add-set $dbl_ipset dst --exist --timeout $val", $origin{DYNAMIC_BLACKLIST} ); + add_ijump_extended( $chainref, j => 'DROP', $origin{DYNAMIC_BLACKLIST} ); + } else { + $dbl_dst_target = $dbl_src_target; + } + } elsif ( $dbl_level ) { + my $chainref = set_optflags( new_standard_chain( $dbl_src_target = 'dbl_log' ) , DONT_OPTIMIZE | DONT_DELETE ); log_rule_limit( $dbl_level, $chainref, @@ -763,7 +798,7 @@ sub add_common_rules ( $ ) { $origin{DYNAMIC_BLACKLIST} ); add_ijump_extended( $chainref, j => 'DROP', $origin{DYNAMIC_BLACKLIST} ); } else { - $dbl_target = 'DROP'; + $dbl_src_target = $dbl_dst_target = 'DROP'; } } } 
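Review bot: `if ( $val = $globals{DBL_TIMEOUT} )` uses the assigned value as the test, so a configured `timeout=0` (accepted by the `\d+` check in Config.pm) falls through to the `elsif ( $dbl_level )` branch and no `SET --add-set` rule is emitted; if a zero timeout is meant to select a non-expiring entry, as it does for ipset, test `defined( $val = $globals{DBL_TIMEOUT} )` instead, and in either case a short comment on why `$val` is being reused here would help, since its declaration is outside the hunk. The src and dst blocks are otherwise identical apart from the chain name and the `src`/`dst` word in the SET target, and the shared chain keeps the name `dbl_log` even when `$dbl_level` is false and it holds no log rule; a small closure removes the duplication, as sketched below. add_common_rules begins and ends outside the hunk.
```perl
	if ( $dbl_ipset ) {
	    if ( $val = $globals{DBL_TIMEOUT} ) {
		#
		# Build a chain that optionally logs, refreshes the matched address in the
		# ipset with the configured timeout, then drops. $which is 'src' or 'dst'.
		#
		my $make_dbl_chain = sub {
		    my ( $name, $which ) = @_;
		    my $chainref = set_optflags( new_standard_chain( $name ) , DONT_OPTIMIZE | DONT_DELETE );

		    log_rule_limit( $dbl_level,
				    $chainref,
				    'dbl_log',
				    'DROP',
				    $globals{LOGLIMIT},
				    $dbl_tag,
				    'add',
				    '',
				    $origin{DYNAMIC_BLACKLIST} ) if $dbl_level;
		    add_ijump_extended( $chainref, j => "SET --add-set $dbl_ipset $which --exist --timeout $val", $origin{DYNAMIC_BLACKLIST} );
		    add_ijump_extended( $chainref, j => 'DROP', $origin{DYNAMIC_BLACKLIST} );
		    return $name;
		};

		if ( $globals{DBL_OPTIONS} =~ /src-dst/ ) {
		    $dbl_src_target = $make_dbl_chain->( 'dbl_src', 'src' );
		    $dbl_dst_target = $make_dbl_chain->( 'dbl_dst', 'dst' );
		} else {
		    $dbl_src_target = $dbl_dst_target = $make_dbl_chain->( 'dbl_log', 'src' );
		}
	    } elsif ( $dbl_level ) {
		# … unchanged: logging-only dbl_log chain …
```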
@@ -877,17 +912,17 @@ sub add_common_rules ( $ ) { # # src # - add_ijump_extended( $filter_table->{input_option_chain($interface)}, j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset src" ); - add_ijump_extended( $filter_table->{forward_option_chain($interface)}, j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset src" ); + add_ijump_extended( $filter_table->{input_option_chain($interface)}, j => $dbl_src_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset src" ); + add_ijump_extended( $filter_table->{forward_option_chain($interface)}, j => $dbl_src_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset src" ); } elsif ( $in == 2 ) { - add_ijump_extended( $filter_table->{forward_option_chain($interface)}, j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset dst" ); + add_ijump_extended( $filter_table->{forward_option_chain($interface)}, j => $dbl_dst_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset dst" ); } if ( $out == 2 ) { # # dst # - add_ijump_extended( $filter_table->{output_option_chain($interface)}, j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset dst" ); + add_ijump_extended( $filter_table->{output_option_chain($interface)}, j => $dbl_dst_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset dst" ); } } diff --git a/docs/configuration_file_basics.xml b/docs/configuration_file_basics.xml index 8c84a48aa..fb4ffb6bd 100644 --- a/docs/configuration_file_basics.xml +++ b/docs/configuration_file_basics.xml 
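Review bot: With `$dbl_dst_target` now driving the `$in == 2` and `$out == 2` jumps, a match on `--match-set $dbl_ipset dst` lands in `dbl_log` whenever DBL_OPTIONS lacks `src-dst`, and that chain (built earlier in add_common_rules, outside this hunk) refreshes the set with `SET --add-set $dbl_ipset src`; unless that is intended, a packet dropped because its destination is blacklisted will add its source address, which in the OUTPUT case is the firewall itself, to the blacklist. If only the src-dst configuration is meant to refresh on dst matches, give the non-src-dst case its own dst chain (log and DROP without the SET rule) instead of aliasing `$dbl_dst_target = $dbl_src_target`, and record the decision above these jumps, e.g. `# NOTE: without 'src-dst', dst matches share the src chain and refresh the packet's source entry -- confirm this is intended`. The enclosing per-interface loop starts and ends outside the hunk.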
@@ -2619,6 +2619,12 @@ DNAT net loc:192.168.1.3 tcp 4000:4100< Also, unless otherwise documented, a port range can be preceded by '!' to specify "All ports except those in this range" (e.g., "!4000:4100"). + + Beginning with Shorewall 5.0.14, a hyphen ("-") may also be used to + separate the two port numbers. + + #ACTION SOURCE DESTINATION PROTO DPORT +DNAT net loc:192.168.1.3 tcp 4000-4100
@@ -2969,8 +2975,8 @@ redirect => 137 then again for another hour from 23:00 onwards. If this is unwanted, e.g. if you would like 'match for two hours from Montay 23:00 onwards' you need to also specify the contiguous option in the example above. - + role="bold">contiguous option in the example + above.