forked from extern/shorewall_code
A number of corrections to split blacklisting.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep
parent
64544f4ab5
commit
50300a60b7
@ -287,8 +287,8 @@ sub setup_blacklist() {
|
|||||||
$chainref1 ,
|
$chainref1 ,
|
||||||
NO_RESTRICT ,
|
NO_RESTRICT ,
|
||||||
do_proto( $protocol , $ports, '' ) ,
|
do_proto( $protocol , $ports, '' ) ,
|
||||||
$networks,
|
|
||||||
'',
|
'',
|
||||||
|
$networks,
|
||||||
'' ,
|
'' ,
|
||||||
$target ,
|
$target ,
|
||||||
'' ,
|
'' ,
|
||||||
@ -323,24 +323,22 @@ sub setup_blacklist() {
|
|||||||
progress_message " Type 1 blacklisting enabled on ${interface}:${network}";
|
progress_message " Type 1 blacklisting enabled on ${interface}:${network}";
|
||||||
}
|
}
|
||||||
|
|
||||||
for my $hostref ( @$hosts1 ) {
|
if ( @{$chainref1->{rules}} ) {
|
||||||
my $interface = $hostref->[0];
|
for my $hostref ( @$hosts1 ) {
|
||||||
my $ipsec = $hostref->[1];
|
my $interface = $hostref->[0];
|
||||||
my $policy = have_ipsec ? "-m policy --pol $ipsec --dir in " : '';
|
my $ipsec = $hostref->[1];
|
||||||
my $network = $hostref->[2];
|
my $policy = have_ipsec ? "-m policy --pol $ipsec --dir in " : '';
|
||||||
my $source = match_source_net $network;
|
my $network = $hostref->[2];
|
||||||
my $target = source_exclusion( $hostref->[3], $chainref1 );
|
my $source = match_source_net $network;
|
||||||
|
my $target = source_exclusion( $hostref->[3], $chainref1 );
|
||||||
for my $chain ( first_chains $interface ) {
|
|
||||||
add_jump $filter_table->{$chain} , $target, 0, "${source}${state}${policy}";
|
add_jump $filter_table->{forward_chain $interface} , $target, 0, "${source}${state}${policy}";
|
||||||
|
|
||||||
|
set_interface_option $interface, 'use_forward_chain', 1;
|
||||||
|
|
||||||
|
progress_message " Type 2 blacklisting enabled on ${interface}:${network}";
|
||||||
}
|
}
|
||||||
|
|
||||||
set_interface_option $interface, 'use_input_chain', 1;
|
|
||||||
set_interface_option $interface, 'use_forward_chain', 1;
|
|
||||||
|
|
||||||
progress_message " Type 2 blacklisting enabled on ${interface}:${network}";
|
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1875,6 +1873,8 @@ sub generate_matrix() {
|
|||||||
my $preroutingref = ensure_chain 'nat', 'dnat';
|
my $preroutingref = ensure_chain 'nat', 'dnat';
|
||||||
my $fw = firewall_zone;
|
my $fw = firewall_zone;
|
||||||
my $notrackref = $raw_table->{notrack_chain $fw};
|
my $notrackref = $raw_table->{notrack_chain $fw};
|
||||||
|
my $state = $config{BLACKLISTNEWONLY} ? $globals{UNTRACKED} ? "$globals{STATEMATCH} NEW,INVALID,UNTRACKED " : "$globals{STATEMATCH} NEW,INVALID " : '';
|
||||||
|
my $blackout = @{$filter_table->{blackout}{rules}};
|
||||||
my @zones = off_firewall_zones;
|
my @zones = off_firewall_zones;
|
||||||
my @vservers = vserver_zones;
|
my @vservers = vserver_zones;
|
||||||
my $interface_jumps_added = 0;
|
my $interface_jumps_added = 0;
|
||||||
@ -2010,7 +2010,7 @@ sub generate_matrix() {
|
|||||||
my $ipsec_in_match = match_ipsec_in $zone , $hostref;
|
my $ipsec_in_match = match_ipsec_in $zone , $hostref;
|
||||||
my $ipsec_out_match = match_ipsec_out $zone , $hostref;
|
my $ipsec_out_match = match_ipsec_out $zone , $hostref;
|
||||||
my $exclusions = $hostref->{exclusions};
|
my $exclusions = $hostref->{exclusions};
|
||||||
my $blacklist = $hostref->{options}{blacklist} & BL_OUT;
|
my $blacklist = $blackout && $hostref->{options}{blacklist} & BL_IN;
|
||||||
|
|
||||||
for my $net ( @{$hostref->{hosts}} ) {
|
for my $net ( @{$hostref->{hosts}} ) {
|
||||||
my $dest = match_dest_net $net;
|
my $dest = match_dest_net $net;
|
||||||
@ -2291,7 +2291,7 @@ sub generate_matrix() {
|
|||||||
add_jump $frwd_ref , $last_chain, 1 if $frwd_ref && $last_chain;
|
add_jump $frwd_ref , $last_chain, 1 if $frwd_ref && $last_chain;
|
||||||
}
|
}
|
||||||
|
|
||||||
add_jump( $filter_table->{$_}, $filter_table->{blackout} , 0 , '' , 0 , 0 ) for keys %needs_bl_jump;
|
add_jump( $filter_table->{$_}, $filter_table->{blackout} , 0 , $state , 0 , 0 ) for keys %needs_bl_jump;
|
||||||
add_interface_jumps @interfaces unless $interface_jumps_added;
|
add_interface_jumps @interfaces unless $interface_jumps_added;
|
||||||
|
|
||||||
my %builtins = ( mangle => [ qw/PREROUTING INPUT FORWARD POSTROUTING/ ] ,
|
my %builtins = ( mangle => [ qw/PREROUTING INPUT FORWARD POSTROUTING/ ] ,
|
||||||
|
|||||||
@ -685,7 +685,7 @@ sub add_group_to_zone($$$$$)
|
|||||||
# Make 'find_hosts_by_option()' work correctly for this zone
|
# Make 'find_hosts_by_option()' work correctly for this zone
|
||||||
#
|
#
|
||||||
for ( qw/blacklist maclist nosmurfs tcpflags/ ) {
|
for ( qw/blacklist maclist nosmurfs tcpflags/ ) {
|
||||||
$options->{$_} = 1 if $interfaceref->{options}{$_};
|
$options->{$_} = $interfaceref->{options}{$_} if $interfaceref->{options}{$_};
|
||||||
}
|
}
|
||||||
|
|
||||||
$allip = 1;
|
$allip = 1;
|
||||||
@ -977,7 +977,7 @@ sub process_interface( $$ ) {
|
|||||||
} elsif ( $option eq 'blacklist' ) {
|
} elsif ( $option eq 'blacklist' ) {
|
||||||
$value = BL_IN unless ( defined $value && $value ne '' );
|
$value = BL_IN unless ( defined $value && $value ne '' );
|
||||||
fatal_error "Invalid 'blacklist' value ( $value )" unless $value =~ /^[12]$/;
|
fatal_error "Invalid 'blacklist' value ( $value )" unless $value =~ /^[12]$/;
|
||||||
$options{blacklist} = $value eq 1 ? BL_IN | BL_OUT : BL_OUT;
|
$options{blacklist} = $value;
|
||||||
$hostoptions{blacklist} = $options{blacklist} & BL_IN;
|
$hostoptions{blacklist} = $options{blacklist} & BL_IN;
|
||||||
} else {
|
} else {
|
||||||
assert( 0 );
|
assert( 0 );
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user