Implement REAP_OPTION capability
Signed-off-by: Tom Eastep <teastep@shorewall.net>
parent
8a278a3dd6
commit
8c4bbf0c85
@ -2260,6 +2260,7 @@ determine_capabilities() {
|
||||
PHYSDEV_BRIDGE=
|
||||
IPRANGE_MATCH=
|
||||
RECENT_MATCH=
|
||||
REAP_OPTION=
|
||||
OWNER_MATCH=
|
||||
OWNER_NAME_MATCH=
|
||||
IPSET_MATCH=
|
||||
@ -2429,7 +2430,11 @@ determine_capabilities() {
|
||||
fi
|
||||
fi
|
||||
|
||||
qt $g_tool -A $chain -m recent --update -j ACCEPT && RECENT_MATCH=Yes
|
||||
if qt $g_tool -A $chain -m recent --update -j ACCEPT; then
|
||||
RECENT_MATCH=Yes
|
||||
qt $g_tool -A $chain -m recent --rcheck --seconds 10 --reap && REAP_OPTION=Yes
|
||||
fi
|
||||
|
||||
qt $g_tool -A $chain -m owner --uid-owner 0 -j ACCEPT && OWNER_MATCH=Yes
|
||||
|
||||
local name
|
||||
@ -2676,6 +2681,7 @@ report_capabilities_unsorted() {
|
||||
report_capability "Packet length Match (LENGTH_MATCH)" $LENGTH_MATCH
|
||||
report_capability "IP range Match(IPRANGE_MATCH)" $IPRANGE_MATCH
|
||||
report_capability "Recent Match (RECENT_MATCH)" $RECENT_MATCH
|
||||
[ -n "$RECENT_MATCH" ] && report_capability 'Recent Match "--reap" option'
|
||||
report_capability "Owner Match (OWNER_MATCH)" $OWNER_MATCH
|
||||
report_capability "Owner Name Match (OWNER_NAME_MATCH)" $OWNER_NAME_MATCH
|
||||
if [ -n "$IPSET_MATCH" ]; then
|
||||
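Review bot: The reap report line `[ -n "$RECENT_MATCH" ] && report_capability 'Recent Match "--reap" option'` is keyed on RECENT_MATCH rather than REAP_OPTION and, unlike every neighbouring call in report_capabilities_unsorted, passes no capability value as the second argument, so report_capability presumably cannot tell whether --reap was actually detected, and the capability name is never shown to the user. report_capabilities_unsorted1 in the next hunk reports REAP_OPTION unconditionally, and the %capdesc entry in Config.pm is labelled the same way, so the shell report should follow the existing pattern: `report_capability "Recent Match \"--reap\" option (REAP_OPTION)" $REAP_OPTION`. report_capability's handling of a missing second argument is defined outside this hunk, so confirm it before relying on the current form.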
@ -2797,6 +2803,7 @@ report_capabilities_unsorted1() {
|
||||
report_capability1 LENGTH_MATCH
|
||||
report_capability1 IPRANGE_MATCH
|
||||
report_capability1 RECENT_MATCH
|
||||
report_capability1 REAP_OPTION
|
||||
report_capability1 OWNER_MATCH
|
||||
report_capability1 OWNER_NAME_MATCH
|
||||
report_capability1 IPSET_MATCH
|
||||
|
@ -316,6 +316,7 @@ our %capdesc = ( NAT_ENABLED => 'NAT',
|
||||
LENGTH_MATCH => 'Packet length Match',
|
||||
IPRANGE_MATCH => 'IP Range Match',
|
||||
RECENT_MATCH => 'Recent Match',
|
||||
REAP_OPTION => 'Recent Match "--reap" option',
|
||||
OWNER_MATCH => 'Owner Match',
|
||||
OWNER_NAME_MATCH
|
||||
=> 'Owner Name Match',
|
||||
@ -947,6 +948,7 @@ sub initialize( $;$$) {
|
||||
MASQUERADE_TGT => undef,
|
||||
UDPLITEREDIRECT => undef,
|
||||
NEW_TOS_MATCH => undef,
|
||||
REAP_OPTION => undef,
|
||||
|
||||
AMANDA_HELPER => undef,
|
||||
FTP_HELPER => undef,
|
||||
@ -3819,6 +3821,11 @@ sub Recent_Match() {
|
||||
qt1( "$iptables $iptablesw -A $sillyname -m recent --update -j ACCEPT" );
|
||||
}
|
||||
|
||||
sub Reap_Option() {
|
||||
( have_capability( 'RECENT_MATCH' ) &&
|
||||
qt1( "$iptables $iptablesw -A $sillyname -m recent --rcheck --seconds 10 --reap" ) );
|
||||
}
|
||||
|
||||
sub Owner_Match() {
|
||||
qt1( "$iptables $iptablesw -A $sillyname -m owner --uid-owner 0 -j ACCEPT" );
|
||||
}
|
||||
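Review bot: Reap_Option has no comment explaining why the probe carries `--rcheck --seconds 10` when only `--reap` is being tested; iptables accepts `--reap` only together with `--seconds`, so a future cleanup that drops `--seconds` would make the capability silently read as unavailable. Suggest a why-comment above the qt1 call, `# --reap is only accepted together with --seconds, so the probe must carry a time limit`, and the same comment on the identical `qt $g_tool -A $chain -m recent --rcheck --seconds 10 --reap` probe in the shell determine_capabilities hunk. The have_capability('RECENT_MATCH') guard is fine for the determine_capabilities path, where RECENT_MATCH is assigned on the preceding line; for the on-demand detect_capability path it relies on RECENT_MATCH having been detected first, which the events code does but other callers may not.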
@ -4286,6 +4293,7 @@ our %detect_capability =
|
||||
RAW_TABLE => \&Raw_Table,
|
||||
RAWPOST_TABLE => \&Rawpost_Table,
|
||||
REALM_MATCH => \&Realm_Match,
|
||||
REAP_OPTION => \&Reap_Option,
|
||||
RECENT_MATCH => \&Recent_Match,
|
||||
RPFILTER_MATCH => \&RPFilter_Match,
|
||||
SANE_HELPER => \&SANE_Helper,
|
||||
@ -4385,6 +4393,7 @@ sub determine_capabilities() {
|
||||
|
||||
$capabilities{IPRANGE_MATCH} = detect_capability( 'IPRANGE_MATCH' );
|
||||
$capabilities{RECENT_MATCH} = detect_capability( 'RECENT_MATCH' );
|
||||
$capabilities{REAP_OPTION} = detect_capability( 'REAP_OPTION' );
|
||||
$capabilities{OWNER_MATCH} = detect_capability( 'OWNER_MATCH' );
|
||||
$capabilities{OWNER_NAME_MATCH}
|
||||
= detect_capability( 'OWNER_NAME_MATCH' );
|
||||
|
@ -22,6 +22,9 @@
|
||||
DEFAULTS -,60,5,2,300,DROP,info
|
||||
|
||||
?begin perl
|
||||
|
||||
use Shorewall::Config;
|
||||
|
||||
my ( $event, $interval, $count, $successive, $bltime, $disposition, $level ) = get_action_params(7);
|
||||
|
||||
fatal_error "The event name parameter to AutoBL is required" unless supplied $event;
|
||||
@ -37,11 +40,16 @@ validate_level( $level );
|
||||
#
|
||||
# Silently reject the client if blacklisted
|
||||
#
|
||||
IfEvent(${1}_BL,$6,$5,1,src,check:reap)
|
||||
?if $REAP_OPTION
|
||||
?set check_param 'check:reap'
|
||||
?else
|
||||
?set check_param 'check'
|
||||
?endif
|
||||
IfEvent(${1}_BL,$6,$5,1,src,$check_param)
|
||||
#
|
||||
# Blacklist if M attempts in the last N seconds
|
||||
#
|
||||
IfEvent($1,AutoBLL($1,$6,$7),$2,$3,src,check:reap)
|
||||
IfEvent($1,AutoBLL($1,$6,$7),$2,$3,src,$check_param)
|
||||
#
|
||||
# Log and reject if the client has tried to connect
|
||||
# in the last N seconds
|
||||
|
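Review bot: The `?else` branch that sets `check_param` to plain `check` degrades silently, and nothing in the action file tells an administrator that on an iptables without REAP_OPTION the expired entries are no longer purged from the recent table. A one-line comment before the `?if $REAP_OPTION` block would make the fallback explicit, e.g. `# Prefer check:reap so expired entries are purged from the recent table; older iptables lacks --reap, so fall back to a plain check`. Whether the plain `check` form still honours the time-limit argument is decided by IfEvent, which is outside this hunk.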
@ -97,7 +97,8 @@ set_action_name_to_caller;
|
||||
require_capability 'RECENT_MATCH', 'Use of events', 's';
|
||||
|
||||
if ( $command & $REAP_OPT ) {
|
||||
fatal_error "${command}reap requires a time limit" if ! $duration;
|
||||
require_capability( 'REAP_OPTION', q(The 'reap' option), 's' );
|
||||
fatal_error "${command}reap requires a time limit" unless $duration;
|
||||
$duration .= '--reap ';
|
||||
}
|
||||
|
||||
|
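Review bot: The rewritten `fatal_error "${command}reap requires a time limit" unless $duration;` interpolates `$command`, but the line above tests it with `$command & $REAP_OPT`, which suggests it is a flag word rather than the command text; if so the message prints a number followed by "reap". The textual command name is set outside this hunk, so confirm which variable holds it and interpolate that one instead. As a point of style, the new `require_capability( 'REAP_OPTION', q(The 'reap' option), 's' );` is parenthesised while the `require_capability 'RECENT_MATCH', 'Use of events', 's';` call two lines up is not; pick one form for the block. The enclosing function starts before this hunk.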