From b8848a1527b0d60444df9653f3206ceaee7a40bd Mon Sep 17 00:00:00 2001
From: teastep
Date: Fri, 16 Mar 2007 22:19:32 +0000
Subject: [PATCH] Fix blacklist handling
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5557 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 New/Shorewall/Rules.pm | 124 ++++++++++++++++++++++++-----------------
 New/compiler.pl        |  18 +++---
 2 files changed, 80 insertions(+), 62 deletions(-)
diff --git a/New/Shorewall/Rules.pm b/New/Shorewall/Rules.pm
index 8544ca110..7a0c5d64b 100644
--- a/New/Shorewall/Rules.pm
+++ b/New/Shorewall/Rules.pm
@@ -154,55 +154,75 @@ sub setup_syn_flood_chains() {
 sub setup_blacklist() {
-    my ( $level, $disposition ) = @config{'BLACKLIST_LOGLEVEL', 'BLACKLIST_DISPOSITION' };
-
-    progress_message2 " Setting up Blacklist...";
-
-    open BL, "$ENV{TMP_DIR}/blacklist" or fatal_error "Unable to open stripped blacklist file: $!";
-
-    progress_message( " Processing " . find_file 'blacklist' . '...' );
-
-    while ( $line = ) {
-
-        chomp $line;
-        $line =~ s/\s+/ /g;
-
-        my ( $networks, $protocol, $ports , $extra ) = split /\s+/, $line;
-
-        fatal_error "Invalid blacklist entry: \"$line\"" if $extra;
-
-        expand_rule
-            ensure_filter_chain( 'blacklst' , 0 ) ,
-            do_proto( $protocol , $ports, '' ) ,
-            $networks ,
-            '' ,
-            '' ,
-            '-j ' . ($disposition eq 'REJECT' ? 'reject' : $disposition),
-            $level ,
-            $disposition ,
-            '';
-
-        progress_message " \"$line\" added to blacklist";
-    }
-
-    close BL;
-
     my $hosts = find_hosts_by_option 'blacklist';
-    my $state = $config{BLACKLISTNEWONLY} ? '-m state --state NEW,INVALID ' : '';
-
-    for my $hostref ( @$hosts ) {
-        my $interface = $hostref->[0];
-        my $ipsec = $hostref->[1];
-        my $policy = $capabilities{POLICY_MATCH} ? "-m policy --pol $ipsec --dir in " : '';
-        my $network = $hostref->[2];
-        my $source = match_source_net $network;
-
-        for my $chain ( @{first_chains $interface}) {
-            add_rule $filter_table->{$chain} , "${source}${state}${policy}-j blacklst";
+    if ( @$hosts ) {
+
+        my ( $level, $disposition ) = @config{'BLACKLIST_LOGLEVEL', 'BLACKLIST_DISPOSITION' };
+
+        progress_message2 " Setting up Blacklist...";
+
+        new_standard_chain 'blacklst';
+
+        my $target = $disposition eq 'REJECT' ? 'reject' : $disposition;
+
+        if ( $level ) {
+            my $chainref = new_standard_chain 'blacklog';
+
+            log_rule_limit( $level , $chainref , 'blacklst' , $disposition , "$env{LOGLIMIT}" , '', 'add', '' );
+
+            add_rule $chainref, "-j $target" ;
+
+            $target = 'blacklog';
         }
-        progress_message " Blacklisting enabled on ${interface}:${network}";
+        if ( -s "$ENV{TMP_DIR}/blacklist" ) {
+
+            open BL, "$ENV{TMP_DIR}/blacklist" or fatal_error "Unable to open stripped blacklist file: $!";
+
+            progress_message( " Processing " . find_file 'blacklist' . '...' );
+
+            while ( $line = ) {
+
+                chomp $line;
+                $line =~ s/\s+/ /g;
+
+                my ( $networks, $protocol, $ports , $extra ) = split /\s+/, $line;
+
+                fatal_error "Invalid blacklist entry: \"$line\"" if $extra;
+
+                expand_rule
+                    ensure_filter_chain( 'blacklst' , 0 ) ,
+                    do_proto( $protocol , $ports, '' ) ,
+                    $networks ,
+                    '' ,
+                    '' ,
+                    "-j $target" ,
+                    '' ,
+                    $disposition ,
+                    '';
+
+                progress_message " \"$line\" added to blacklist";
+            }
+        }
+
+        close BL;
+
+        my $state = $config{BLACKLISTNEWONLY} ? '-m state --state NEW,INVALID ' : '';
+
+        for my $hostref ( @$hosts ) {
+            my $interface = $hostref->[0];
+            my $ipsec = $hostref->[1];
+            my $policy = $capabilities{POLICY_MATCH} ? "-m policy --pol $ipsec --dir in " : '';
+            my $network = $hostref->[2];
+            my $source = match_source_net $network;
+
+            for my $chain ( @{first_chains $interface}) {
+                add_rule $filter_table->{$chain} , "${source}${state}${policy}-j blacklst";
+            }
+
+            progress_message " Blacklisting enabled on ${interface}:${network}";
+        }
     }
 }
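Review bot: `close BL;` now sits outside the `if ( -s "$ENV{TMP_DIR}/blacklist" )` block that opens the handle, so when the stripped blacklist file is empty or absent the function closes a handle that was never opened and, if the file runs under `use warnings`, emits a "close() on unopened filehandle" warning on every compile; move it inside that block, directly after the `while` loop. While that line is being touched, the `open` should take the three-argument form with an explicit mode, `open BL, '<', "$ENV{TMP_DIR}/blacklist" or fatal_error "Unable to open stripped blacklist file: $!";`, so mode characters in a `TMP_DIR` value cannot change what a two-argument `open` does. As rendered here the `while ( $line = ) {` line has lost its readline expression on the BL handle, which looks like an extraction artefact rather than a change in the commit — worth confirming against the repository. The new `if ( $level )` block deserves a one-line comment, e.g. `# Logging moves to the intermediate blacklog chain, so expand_rule below is given '' as its log level.`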
@@ -363,10 +383,15 @@ sub add_common_rules() {
     my $rejectref = new_standard_chain 'reject';
+    $level = $env{BLACKLIST_LOG_LEVEL} || 'info';
+
+    add_rule_pair new_standard_chain( 'logdrop' ), ' ' , 'DROP' , $level ;
+    add_rule_pair new_standard_chain( 'logreject' ), ' ' , 'REJECT' , $level ;
+
     new_standard_chain 'dynamic';
-    my $state = $config{BLACKLISTNEWONLY} ? '-m state --state NEW,INVALID' : '';
-
+    my $state = $config{BLACKLISTNEWONLY} ? '-m state --state NEW,INVALID ' : '';
+
     for $interface ( @interfaces ) {
         for $chain ( input_chain $interface , forward_chain $interface ) {
             add_rule new_standard_chain( $chain ) , "$state -j dynamic";
@@ -375,11 +400,6 @@ sub add_common_rules() {
         new_standard_chain output_chain( $interface );
     }
-    $level = $env{BLACKLIST_LOG_LEVEL} || 'info';
-
-    add_rule_pair new_standard_chain( 'logdrop' ), ' ' , 'DROP' , $level ;
-    add_rule_pair new_standard_chain( 'logreject' ), ' ' , 'REJECT' , $level ;
-
     setup_blacklist;
     $list = find_hosts_by_option 'nosmurfs';
diff --git a/New/compiler.pl b/New/compiler.pl
index b37e13aab..fb4a8e136 100755
--- a/New/compiler.pl
+++ b/New/compiler.pl
@@ -329,8 +329,8 @@ stop_firewall() {
 emit " for chain in INPUT OUTPUT; do setpolicy \$chain DROP
-    done";
-    emit '';
+    done
+";
 } else {
 emit " for chain in INPUT OUTPUT; do
@@ -339,9 +339,8 @@ stop_firewall() {
 setpolicy FORWARD DROP
-    deleteallchains";
-
-    emit '';
+    deleteallchains
+";
 for my $hosts ( @$criticalhosts ) {
     my ( $interface, $host ) = ( split /,/, $hosts );
@@ -357,9 +356,9 @@ stop_firewall() {
 for chain in INPUT FORWARD; do setcontinue \$chain
-    done";
+    done
+";
 
-    emit '';
 }
 } elsif ( ! $config{ADMINISABSENTMINDED} ) {
 emit "
@@ -380,9 +379,8 @@ stop_firewall() {
 for chain in INPUT FORWARD; do setcontinue \$chain
-    done";
-
-    emit '';
+    done
+";
 }
 push_indent;
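Review bot: The trailing space added to `$state` (`'-m state --state NEW,INVALID '`) duplicates the space already present in the unchanged consumer `"$state -j dynamic"` three lines below, so with BLACKLISTNEWONLY set the emitted rule reads `NEW,INVALID  -j dynamic` and with it unset the rule starts with a stray space; setup_blacklist concatenates its match fragments without separators, which is presumably why the space was added here. Either keep the original string in this function or change the consumer to `"${state}-j dynamic"` so both call sites follow one convention. Shell word splitting swallows the extra whitespace, so this is a consistency point rather than a functional one. The moved `$level = $env{BLACKLIST_LOG_LEVEL} || 'info';` assigns a variable not declared in the hunk; if it is a file-level global rather than a lexical, a `my` here would scope it, though the enclosing function continues outside the hunk and may read it elsewhere.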