Allow bizarre overriding of SOURCE/DEST with ipsets

Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2010-07-20 16:03:12 -07:00
parent 1de257be19
commit d897635af5
2 changed files with 18 additions and 3 deletions

View File

@ -2469,7 +2469,7 @@ sub get_set_flags( $$ ) {
$setname = $1; $setname = $1;
my $count = $2; my $count = $2;
$options .= ",$option" while --$count > 0; $options .= ",$option" while --$count > 0;
} elsif ( $setname =~ /^(.*)\[(.*)\]$/ ) { } elsif ( $setname =~ /^(.*)\[(src|dst)(,(src|dst))*\]$/ ) {
$setname = $1; $setname = $1;
$options = $2; $options = $2;
} }
@ -2498,7 +2498,7 @@ sub match_source_net( $;$ ) {
} elsif ( $net =~ /^!?~/ ) { } elsif ( $net =~ /^!?~/ ) {
fatal_error "MAC address cannot be used in this context" if $restriction >= OUTPUT_RESTRICT; fatal_error "MAC address cannot be used in this context" if $restriction >= OUTPUT_RESTRICT;
mac_match $net; mac_match $net;
} elsif ( $net =~ /^(!?)\+[a-zA-Z]\w*$/ ) { } elsif ( $net =~ /^(!?)\+[a-zA-Z]\w*(\[.*\])?/ ) {
require_capability( 'IPSET_MATCH' , 'ipset names in Shorewall configuration files' , '' ); require_capability( 'IPSET_MATCH' , 'ipset names in Shorewall configuration files' , '' );
join( '', '-m set ', $1 ? '! ' : '', get_set_flags( $net, 'src' ) ); join( '', '-m set ', $1 ? '! ' : '', get_set_flags( $net, 'src' ) );
} elsif ( $net =~ s/^!// ) { } elsif ( $net =~ s/^!// ) {
@ -2522,7 +2522,7 @@ sub match_dest_net( $ ) {
$net =~ s/!// if my $invert = $1 ? '! ' : ''; $net =~ s/!// if my $invert = $1 ? '! ' : '';
validate_range $addr1, $addr2; validate_range $addr1, $addr2;
iprange_match . "${invert}--dst-range $net "; iprange_match . "${invert}--dst-range $net ";
} elsif ( $net =~ /^(!?)\+[a-zA-Z]\w*$/ ) { } elsif ( $net =~ /^(!?)\+[a-zA-Z]\w*(\[.*\])?$/ ) {
require_capability( 'IPSET_MATCH' , 'ipset names in Shorewall configuration files' , ''); require_capability( 'IPSET_MATCH' , 'ipset names in Shorewall configuration files' , '');
join( '', '-m set ', $1 ? '! ' : '', get_set_flags( $net, 'dst' ) ); join( '', '-m set ', $1 ? '! ' : '', get_set_flags( $net, 'dst' ) );
} elsif ( $net =~ /^!/ ) { } elsif ( $net =~ /^!/ ) {

View File

@ -120,6 +120,21 @@
<para><filename>/etc/shorewall/rules</filename><programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <para><filename>/etc/shorewall/rules</filename><programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
ACCEPT net:+sshok $FW tcp 22</programlisting></para> ACCEPT net:+sshok $FW tcp 22</programlisting></para>
<para>The name of the ipset can be optionally followed by a
comma-separated list of flags enclosed in square brackets ([...]). Each
flag is either <emphasis role="bold">src</emphasis> or <emphasis
role="bold">dst</emphasis> and specifies whether it is the SOURCE address
or port number or the DESTINATION address or port number that should be
matched. The number of flags must be appropriate for the type of ipset. If
no flags are given, Shorewall assumes that the set takes a single flag and
will select the flag based on the context. For example, in the blacklist
file and when the ipset appears in the SOURCE column of the rules file,
<emphasis role="bold">src</emphasis> is assumed. If the ipset appears in
the DEST column of the rules file, <emphasis role="bold">dst</emphasis> is
assumed. Note that by using <emphasis role="bold">[dst]</emphasis> in the
blacklist file, you can coerce the rule into matching the destination IP
address rather than the source.</para>
<para>Shorewall can save/restore your ipset contents with certain <para>Shorewall can save/restore your ipset contents with certain
restrictions:</para> restrictions:</para>