Allow bizarre overriding of SOURCE/DEST with ipsets
Signed-off-by: Tom Eastep <teastep@shorewall.net>
parent
1de257be19
commit
d897635af5
@ -2469,7 +2469,7 @@ sub get_set_flags( $$ ) {
$setname = $1;
my $count = $2;
$options .= ",$option" while --$count > 0;
} elsif ( $setname =~ /^(.*)\[(.*)\]$/ ) {
} elsif ( $setname =~ /^(.*)\[(src|dst)(,(src|dst))*\]$/ ) {
$setname = $1;
$options = $2;
}
@ -2498,7 +2498,7 @@ sub match_source_net( $;$ ) {
} elsif ( $net =~ /^!?~/ ) {
fatal_error "MAC address cannot be used in this context" if $restriction >= OUTPUT_RESTRICT;
mac_match $net;
} elsif ( $net =~ /^(!?)\+[a-zA-Z]\w*$/ ) {
} elsif ( $net =~ /^(!?)\+[a-zA-Z]\w*(\[.*\])?/ ) {
require_capability( 'IPSET_MATCH' , 'ipset names in Shorewall configuration files' , '' );
join( '', '-m set ', $1 ? '! ' : '', get_set_flags( $net, 'src' ) );
} elsif ( $net =~ s/^!// ) {
@ -2522,7 +2522,7 @@ sub match_dest_net( $ ) {
$net =~ s/!// if my $invert = $1 ? '! ' : '';
validate_range $addr1, $addr2;
iprange_match . "${invert}--dst-range $net ";
} elsif ( $net =~ /^(!?)\+[a-zA-Z]\w*$/ ) {
} elsif ( $net =~ /^(!?)\+[a-zA-Z]\w*(\[.*\])?$/ ) {
require_capability( 'IPSET_MATCH' , 'ipset names in Shorewall configuration files' , '');
join( '', '-m set ', $1 ? '! ' : '', get_set_flags( $net, 'dst' ) );
} elsif ( $net =~ /^!/ ) {
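Review bot: The new ipset pattern in match_source_net, `/^(!?)\+[a-zA-Z]\w*(\[.*\])?/`, has no trailing `$`, unlike its counterpart in match_dest_net (`(\[.*\])?$`), so a SOURCE such as `+set[src]junk` or `+set.x` matches here and is handed straight to get_set_flags instead of falling through to the later validation branches; anchor it: `} elsif ( $net =~ /^(!?)\+[a-zA-Z]\w*(\[.*\])?$/ ) {`. In get_set_flags, if the tightened `/^(.*)\[(src|dst)(,(src|dst))*\]$/` is the new side, `$options = $2` keeps only the first flag (for `[src,dst]`, $2 is `src` and the `,dst` repetition lands in $3/$4), so the comma-separated list the new ipsets.xml text describes would be silently truncated; capturing the whole list with `/^(.*)\[((?:src|dst)(?:,(?:src|dst))*)\]$/` fixes that without changing the accepted syntax. get_set_flags, match_source_net and match_dest_net all start or end outside these hunks, so any validation done after the matches shown here is not visible.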
@ -120,6 +120,21 @@
<para><filename>/etc/shorewall/rules</filename><programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
ACCEPT net:+sshok $FW tcp 22</programlisting></para>
<para>The name of the ipset can be optionally followed by a
comma-separated list of flags enclosed in square brackets ([...]). Each
flag is either <emphasis role="bold">src</emphasis> or <emphasis
role="bold">dst</emphasis> and specifies whether it is the SOURCE address
or port number or the DESTINATION address or port number that should be
matched. The number of flags must be appropriate for the type of ipset. If
no flags are given, Shorewall assumes that the set takes a single flag and
will select the flag based on the context. For example, in the blacklist
file and when the ipset appears in the SOURCE column of the rules file,
<emphasis role="bold">src</emphasis> is assumed. If the ipset appears in
the DEST column of the rules file, <emphasis role="bold">dst</emphasis> is
assumed. Note that by using <emphasis role="bold">[dst]</emphasis> in the
blacklist file, you can coerce the rule into matching the destination IP
address rather than the source.</para>
<para>Shorewall can save/restore your ipset contents with certain
restrictions:</para>