Make the allow command work with both ipset and chain dynamic blacklisting

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Make ipset-based dynamic blacklisting work in the FORWARD chain
2016-06-14 13:42:20 -07:00 · 2016-06-13 15:02:12 -07:00 · 2016-06-13 12:21:16 -07:00 · 2016-06-09 14:47:44 -07:00 · 2016-06-09 09:00:12 -07:00 · 2016-06-09 08:44:25 -07:00
7 changed files with 76 additions and 24 deletions
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
@@ -2522,21 +2522,46 @@ hits_command() {
 # 'allow' command executor
 #
 allow_command() {
    [ -n "$g_debugging" ] && set -x
    [ $# -eq 1 ] && missing_argument
    if product_is_started ; then
 	local allowed
 	local which
 	which='-s'
 	local range
 	range='--src-range'
 	local dynexists
-	if ! chain_exists dynamic; then
+	if [ -n "$g_blacklistipset" ]; then
 	    case ${IPSET:=ipset} in
 		*/*)
 		    if [ ! -x "$IPSET" ]; then
 			fatal_error "IPSET=$IPSET does not exist or is not executable"
 		    fi
 		    ;;
 		*)
 		    IPSET="$(mywhich $IPSET)"
 		    [ -n "$IPSET" ] || fatal_error "The ipset utility cannot be located"
 		    ;;
 	    esac
 	fi
 	if chain_exists dynamic; then
 	    dynexists=Yes
 	elif [ -z "$g_blacklistipset" ]; then
 	    fatal_error "Dynamic blacklisting is not enabled in the current $g_product configuration"
 	fi
 	[ -n "$g_nolock" ] || mutex_on
 	while [ $# -gt 1 ]; do
 	    shift
 	    allowed=''
 	    case $1 in
 		from)
 		    which='-s'
@@ -2549,29 +2574,48 @@ allow_command() {
 		    continue
 		    ;;
 		*-*)
 		    if [ -n "$g_blacklistipset" ]; then
 			if qt $IPSET -D $g_blacklistipset $1; then
 			    allowed=Yes
 			fi
 		    fi
 		    if [ -n "$dynexists" ]; then
 			if  qt $g_tool -D dynamic -m iprange $range $1 -j reject    ||\
 			    qt $g_tool -D dynamic -m iprange $range $1 -j DROP      ||\
 			    qt $g_tool -D dynamic -m iprange $range $1 -j logdrop   ||\
 			    qt $g_tool -D dynamic -m iprange $range $1 -j logreject
 			then
-			echo "$1 Allowed"
+			    allowed=Yes
-		    else
+			fi
 			echo "$1 Not Dropped or Rejected"
 		    fi
 		    ;;
 		*)
 		    if [ -n "$g_blacklistipset" ]; then
 			if qt $IPSET -D $g_blacklistipset $1; then
 			    allowed=Yes
 			fi
 		    fi
 		    if [ -n "$dynexists" ]; then
 			if  qt $g_tool -D dynamic $which $1 -j reject    ||\
 			    qt $g_tool -D dynamic $which $1 -j DROP      ||\
 			    qt $g_tool -D dynamic $which $1 -j logdrop   ||\
 			    qt $g_tool -D dynamic $which $1 -j logreject
 			then
-			echo "$1 Allowed"
+			    allowed=Yes
-		    else
+			fi
 			echo "$1 Not Dropped or Rejected"
 		    fi
 		    ;;
 	    esac
 	    if [ -n "$allowed" ]; then
 		progress_message2 "$1 Allowed"
 	    else
 		error_message "WARNING: $1 already allowed (not dynamically blacklisted)"
 	    fi
 	done
 	[ -n "$g_nolock" ] || mutex_off
    else
 	error_message "ERROR: $g_product is not started"
@@ -3507,7 +3551,7 @@ blacklist_command() {
 	    ;;
    esac
-    $IPSET -A $g_blacklistipset $@ || { error_message "ERROR: Address $1 not blacklisted"; return 1; }
+    $IPSET -A $g_blacklistipset $@ && progress_message2 "$1 Blacklisted" || { error_message "ERROR: Address $1 not blacklisted"; return 1; }
    return 0
 }
--- a/Shorewall-lite/manpages/shorewall-lite.xml
+++ b/Shorewall-lite/manpages/shorewall-lite.xml
@@ -702,7 +702,9 @@
          blacklisted by a <emphasis role="bold">drop</emphasis>, <emphasis
          role="bold">logdrop</emphasis>, <emphasis
          role="bold">reject</emphasis>, or <emphasis
-          role="bold">logreject</emphasis> command.</para>
+          role="bold">logreject</emphasis> command. Beginning with Shorewall
          5.0.10, this command can also re-enable addresses blacklisted using
          the <command>blacklist</command> command.</para>
        </listitem>
      </varlistentry>
--- a/Shorewall/manpages/shorewall-interfaces.xml
+++ b/Shorewall/manpages/shorewall-interfaces.xml
@@ -380,7 +380,7 @@ loc     eth2            -</programlisting>
            </varlistentry>
            <varlistentry>
-              <term>loopback</term>
+              <term><emphasis role="bold">loopback</emphasis></term>
              <listitem>
                <para>Added in Shorewall 4.6.6. Designates the interface as
@@ -451,8 +451,8 @@ loc     eth2            -</programlisting>
            </varlistentry>
            <varlistentry>
-              <term><emphasis
+              <term><emphasis role="bold"><emphasis
-              role="bold">mss</emphasis>=<emphasis>number</emphasis></term>
+              role="bold">mss</emphasis>=</emphasis><emphasis>number</emphasis></term>
              <listitem>
                <para>Added in Shorewall 4.0.3. Causes forwarded TCP SYN
--- a/Shorewall/manpages/shorewall.xml
+++ b/Shorewall/manpages/shorewall.xml
@@ -964,7 +964,9 @@
          blacklisted by a <emphasis role="bold">drop</emphasis>, <emphasis
          role="bold">logdrop</emphasis>, <emphasis
          role="bold">reject</emphasis>, or <emphasis
-          role="bold">logreject</emphasis> command.</para>
+          role="bold">logreject</emphasis> command. Beginning with Shorewall
          5.0.10, this command can also re-enable addresses blacklisted using
          the <command>blacklist</command> command.</para>
        </listitem>
      </varlistentry>
--- a/Shorewall6-lite/manpages/shorewall6-lite.xml
+++ b/Shorewall6-lite/manpages/shorewall6-lite.xml
@@ -679,7 +679,9 @@
          <para>Re-enables receipt of packets from hosts previously
          blacklisted by a <command>drop</command>,
          <command>logdrop</command>, <command>reject</command>, or
-          <command>logreject</command> command.</para>
+          <command>logreject</command> command. Beginning with Shorewall
          5.0.10, this command can also re-enable addresses blacklisted using
          the <command>blacklist</command> command.</para>
        </listitem>
      </varlistentry>
--- a/Shorewall6/manpages/shorewall6-interfaces.xml
+++ b/Shorewall6/manpages/shorewall6-interfaces.xml
@@ -321,7 +321,7 @@ loc     eth2            -</programlisting>
            </varlistentry>
            <varlistentry>
-              <term>loopback</term>
+              <term><emphasis role="bold">loopback</emphasis></term>
              <listitem>
                <para>Added in Shorewall 4.6.6. Designates the interface as
--- a/Shorewall6/manpages/shorewall6.xml
+++ b/Shorewall6/manpages/shorewall6.xml
@@ -932,7 +932,9 @@
          blacklisted by a <emphasis role="bold">drop</emphasis>, <emphasis
          role="bold">logdrop</emphasis>, <emphasis
          role="bold">reject</emphasis>, or <emphasis
-          role="bold">logreject</emphasis> command.</para>
+          role="bold">logreject</emphasis> command. Beginning with Shorewall
          5.0.10, this command can also re-enable addresses blacklisted using
          the <command>blacklist</command> command.</para>
        </listitem>
      </varlistentry>
Author	SHA1	Message	Date
Tom Eastep	56b6db1a3d	Make the allow command work with both ipset and chain dynamic blacklisting Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-06-14 13:42:20 -07:00
Tom Eastep	ea56d4ed19	Make ipset-based dynamic blacklisting work in the FORWARD chain Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-06-13 15:02:12 -07:00
Tom Eastep	c65721a139	Correct a warning message Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-06-13 12:21:16 -07:00
Tom Eastep	f979ccb16d	Merge branch '5.0.9'	2016-06-09 14:47:44 -07:00
Tom Eastep	cd0837beb5	Avoid run-time Perl diagnostic when validating a null log level Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-06-09 09:00:12 -07:00
Tom Eastep	4869f61a25	'allow' now works with ipset-based dynamic blacklisting Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-06-09 08:44:25 -07:00