forked from extern/shorewall_code
Add 'disconnect' option to ipset-based dynamic blacklisting
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep
parent
6ad7d47eb6
commit
8d731c81e4
@ -3555,10 +3555,34 @@ blacklist_command() {
|
||||
;;
|
||||
esac
|
||||
|
||||
$IPSET -A $g_blacklistipset $@ && progress_message2 "$1 Blacklisted" || { error_message "ERROR: Address $1 not blacklisted"; return 1; }
|
||||
if $IPSET -A $g_blacklistipset $@ -exist; then
|
||||
local message
|
||||
|
||||
progress_message2 "$1 Blacklisted"
|
||||
|
||||
if [ -n "g_disconnect" ]; then
|
||||
message=$(conntrack -D -s $1 2>&1)
|
||||
if [ -n "$message" ]; then
|
||||
message=$(echo $message | sed 's/^.*: //; s/ / src /')
|
||||
progress_message2 $message
|
||||
fi
|
||||
|
||||
if [ $g_disconnect = src-dst ]; then
|
||||
message=$(conntrack -D -d $1 2>&1)
|
||||
if [ -n "$message" ]; then
|
||||
message=$(echo $message | sed 's/^.*: //; s/ / dst /')
|
||||
progress_message2 $message
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
else
|
||||
error_message "ERROR: Address $1 not blacklisted"
|
||||
return 1
|
||||
fi
|
||||
|
||||
return 0
|
||||
}
|
||||
|
||||
save_command() {
|
||||
local finished
|
||||
finished=0
|
||||
@ -3761,6 +3785,59 @@ verify_firewall_script() {
|
||||
fi
|
||||
}
|
||||
|
||||
setup_dbl() {
|
||||
local original
|
||||
|
||||
original=$DYNAMIC_BLACKLIST
|
||||
|
||||
case $DYNAMIC_BLACKLIST in
|
||||
*:*,)
|
||||
fatal_error "Invalid value ($original) for DYNAMIC_BLACKLIST"
|
||||
;;
|
||||
ipset*,disconnect*)
|
||||
if qt mywhich conntrack; then
|
||||
g_disconnect=src
|
||||
DYNAMIC_BLACKLIST=$(echo $DYNAMIC_BLACKLIST | sed 's/,disconnect//')
|
||||
else
|
||||
fatal_error "The 'disconnect' option requires that the conntrack utility be installed"
|
||||
fi
|
||||
;;
|
||||
esac
|
||||
|
||||
case $DYNAMIC_BLACKLIST in
|
||||
ipset*,src-dst*)
|
||||
#
|
||||
# This utility doesn't need to know about 'src-dst'
|
||||
#
|
||||
DYNAMIC_BLACKLIST=$(echo $DYNAMIC_BLACKLIST | sed 's/,src-dst//')
|
||||
|
||||
[ -n "$g_disconnect" ] && g_disconnect=src-dst
|
||||
;;
|
||||
esac
|
||||
|
||||
case $DYNAMIC_BLACKLIST in
|
||||
[Nn]o)
|
||||
DYNAMIC_BLACKLIST='';
|
||||
;;
|
||||
[Yy]es)
|
||||
;;
|
||||
ipset|ipset::*|ipset-only|ipset-only::*)
|
||||
g_blacklistipset=SW_DBL$g_family
|
||||
;;
|
||||
ipset:[a-zA-Z]*)
|
||||
g_blacklistipset=${DYNAMIC_BLACKLIST#ipset:}
|
||||
g_blacklistipset=${g_blacklistipset%%:*}
|
||||
;;
|
||||
ipset-only:[a-zA-Z]*)
|
||||
g_blacklistipset=${DYNAMIC_BLACKLIST#ipset-only:}
|
||||
g_blacklistipset=${g_blacklistipset%%:*}
|
||||
;;
|
||||
*)
|
||||
fatal_error "Invalid value ($original) for DYNAMIC_BLACKLIST"
|
||||
;;
|
||||
esac
|
||||
}
|
||||
|
||||
################################################################################
|
||||
# The remaining functions are used by the Lite cli - they are overloaded by
|
||||
# the Standard CLI by loading lib.cli-std
|
||||
@ -3920,35 +3997,7 @@ get_config() {
|
||||
fi
|
||||
|
||||
if [ -n "$DYNAMIC_BLACKLIST" ]; then
|
||||
case $DYNAMIC_BLACKLIST in
|
||||
[Nn]o)
|
||||
DYNAMIC_BLACKLIST='';
|
||||
;;
|
||||
[Yy]es)
|
||||
;;
|
||||
ipset|ipset::*|ipset-only|ipset-only::*|ipset,src-dst|ipset-only,src-dst::*)
|
||||
g_blacklistipset=SW_DBL$g_family
|
||||
;;
|
||||
ipset:[a-zA-Z]*)
|
||||
g_blacklistipset=${DYNAMIC_BLACKLIST#ipset:}
|
||||
g_blacklistipset=${g_blacklistipset%%:*}
|
||||
;;
|
||||
ipset,src-dst:[a-zA-Z]*)
|
||||
g_blacklistipset=${DYNAMIC_BLACKLIST#ipset,src-dst:}
|
||||
g_blacklistipset=${g_blacklistipset%%:*}
|
||||
;;
|
||||
ipset-only:[a-zA-Z]*)
|
||||
g_blacklistipset=${DYNAMIC_BLACKLIST#ipset-only:}
|
||||
g_blacklistipset=${g_blacklistipset%%:*}
|
||||
;;
|
||||
ipset-only,src-dst:[a-zA-Z]*)
|
||||
g_blacklistipset=${DYNAMIC_BLACKLIST#ipset-only,src-dst:}
|
||||
g_blacklistipset=${g_blacklistipset%%:*}
|
||||
;;
|
||||
*)
|
||||
fatal_error "Invalid value ($DYNAMIC_BLACKLIST) for DYNAMIC_BLACKLIST"
|
||||
;;
|
||||
esac
|
||||
setup_dbl
|
||||
fi
|
||||
|
||||
lib=$(find_file lib.cli-user)
|
||||
@ -4294,6 +4343,7 @@ shorewall_cli() {
|
||||
g_compiled=
|
||||
g_pager=
|
||||
g_blacklistipset=
|
||||
g_disconnect=
|
||||
|
||||
VERBOSE=
|
||||
VERBOSITY=1
|
||||
|
||||
@ -6253,9 +6253,17 @@ sub get_configuration( $$$$ ) {
|
||||
|
||||
if ( supplied( $val = $config{DYNAMIC_BLACKLIST} ) ) {
|
||||
if ( $val =~ /^ipset/ ) {
|
||||
my %valid_options = ( 'src-dst' => 1, 'disconnect' => 1 );
|
||||
|
||||
my ( $key, $set, $level, $tag, $rest ) = split( ':', $val , 5 );
|
||||
|
||||
fatal_error "Invalid DYNAMIC_BLACKLIST setting ( $val )" if $key !~ /^ipset(?:-only)?(?:,src-dst)?$/ || defined $rest;
|
||||
( $key, my @options ) = split_list( $key, 'option' );
|
||||
|
||||
for ( @options ) {
|
||||
fatal_error "Invalid ipset option ($_)" unless $valid_options{$_};
|
||||
}
|
||||
|
||||
fatal_error "Invalid DYNAMIC_BLACKLIST setting ( $val )" if $key !~ /^ipset(?:-only)?$/ || defined $rest;
|
||||
|
||||
if ( supplied( $set ) ) {
|
||||
fatal_error "Invalid DYNAMIC_BLACKLIST ipset name" unless $set =~ /^[A-Za-z][\w-]*/;
|
||||
|
||||
@ -336,35 +336,7 @@ get_config() {
|
||||
fi
|
||||
|
||||
if [ -n "$DYNAMIC_BLACKLIST" ]; then
|
||||
case $DYNAMIC_BLACKLIST in
|
||||
[Nn]o)
|
||||
DYNAMIC_BLACKLIST='';
|
||||
;;
|
||||
[Yy]es)
|
||||
;;
|
||||
ipset|ipset::*|ipset-only|ipset-only::*|ipset,src-dst|ipset-only,src-dst::*)
|
||||
g_blacklistipset=SW_DBL$g_family
|
||||
;;
|
||||
ipset:[a-zA-Z]*)
|
||||
g_blacklistipset=${DYNAMIC_BLACKLIST#ipset:}
|
||||
g_blacklistipset=${g_blacklistipset%%:*}
|
||||
;;
|
||||
ipset,src-dst:[a-zA-Z]*)
|
||||
g_blacklistipset=${DYNAMIC_BLACKLIST#ipset,src-dst:}
|
||||
g_blacklistipset=${g_blacklistipset%%:*}
|
||||
;;
|
||||
ipset-only:[a-zA-Z]*)
|
||||
g_blacklistipset=${DYNAMIC_BLACKLIST#ipset-only:}
|
||||
g_blacklistipset=${g_blacklistipset%%:*}
|
||||
;;
|
||||
ipset-only,src-dst:[a-zA-Z]*)
|
||||
g_blacklistipset=${DYNAMIC_BLACKLIST#ipset-only,src-dst:}
|
||||
g_blacklistipset=${g_blacklistipset%%:*}
|
||||
;;
|
||||
*)
|
||||
fatal_error "Invalid value ($DYNAMIC_BLACKLIST) for DYNAMIC_BLACKLIST"
|
||||
;;
|
||||
esac
|
||||
setup_dbl
|
||||
fi
|
||||
|
||||
lib=$(find_file lib.cli-user)
|
||||
|
||||
@ -485,7 +485,7 @@
|
||||
<para>ALL sends all packets through the blacklist chains.</para>
|
||||
|
||||
<para>Note: The ESTABLISHED state may not be specified if
|
||||
FASTACCEPT=Yes is specified.</para>
|
||||
FASTACCEPT=Yes is specified. </para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -769,7 +769,8 @@
|
||||
role="bold">No</emphasis>||<emphasis
|
||||
role="bold">ipset</emphasis>[<emphasis
|
||||
role="bold">-only</emphasis>][,<emphasis
|
||||
role="bold">src-dst</emphasis>][:[<replaceable>setname</replaceable>][:<replaceable>log_level</replaceable>|:l<replaceable>og_tag</replaceable>]]]}</term>
|
||||
role="bold">src-dst</emphasis>][,<emphasis
|
||||
role="bold">disconnect</emphasis>][:[<replaceable>setname</replaceable>][:<replaceable>log_level</replaceable>|:l<replaceable>og_tag</replaceable>]]]}</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.4.7. When set to <emphasis
|
||||
@ -792,6 +793,14 @@
|
||||
<option>src-dst</option> is included, then packets whose destination
|
||||
address matches an entry in the ipset are also dropped.</para>
|
||||
|
||||
<para>The <option>disconnect</option> option was added in Shorewall
|
||||
5.0.13 and requires that the conntrack utility be installed on the
|
||||
firewall system. When an address is blacklisted using the
|
||||
<command>blacklist</command> command, all connections originating
|
||||
from that address are disconnected. if the <option>src-dst</option>
|
||||
option was also specified, then all connections to that address are
|
||||
also disconnected.</para>
|
||||
|
||||
<para>When ipset-based dynamic blacklisting is enabled, the contents
|
||||
of the blacklist will be preserved over
|
||||
<command>stop</command>/<command>reboot</command>/<command>start</command>
|
||||
|
||||
@ -630,7 +630,8 @@
|
||||
role="bold">No</emphasis>||<emphasis
|
||||
role="bold">ipset</emphasis>[<emphasis
|
||||
role="bold">-only</emphasis>][,<emphasis
|
||||
role="bold">src-dst</emphasis>][:[<replaceable>setname</replaceable>][:<replaceable>log_level</replaceable>|:l<replaceable>og_tag</replaceable>]]]}</term>
|
||||
role="bold">src-dst</emphasis>][,<emphasis
|
||||
role="bold">disconnect</emphasis>][:[<replaceable>setname</replaceable>][:<replaceable>log_level</replaceable>|:l<replaceable>og_tag</replaceable>]]]}</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.4.7. When set to <emphasis
|
||||
@ -653,6 +654,14 @@
|
||||
<option>src-dst</option> is included, then packets whose destination
|
||||
address matches an entry in the ipset are also dropped.</para>
|
||||
|
||||
<para>The <option>disconnect</option> option was added in Shorewall
|
||||
5.0.13 and requires that the conntrack utility be installed on the
|
||||
firewall system. When an address is blacklisted using the
|
||||
<command>blacklist</command> command, all connections originating
|
||||
from that address are disconnected. if the <option>src-dst</option>
|
||||
option was also specified, then all connections to that address are
|
||||
also disconnected.</para>
|
||||
|
||||
<para>When ipset-based dynamic blacklisting is enabled, the contents
|
||||
of the blacklist will be preserved over
|
||||
<command>stop</command>/<command>reboot</command>/<command>start</command>
|
||||
|
||||
Loading…
Reference in New Issue
Block a user