webadmin/bpfire
1
0
Fork 0
mirror of https://github.com/vincentmli/bpfire.git synced 2026-04-09 18:45:54 +02:00
Code Issues Packages Projects Releases Wiki Activity

rules.pl: Refactor logic to handle the IP blocklist feature.

Browse Source 
* Fixes that the same chain would be created each time a firewall
reload is performed.

* Also fixes multiple log and drop rules inside the the BLOCKLIST_DROP
  chains after doing a firewall reload.

* Orphaned BLOCKLIST_DROP chains now will be flushed and removed in case
  the blocklist gets disabled or the entire feature will be swithed off.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
This commit is contained in:
Stefan Schantl
2022-04-04 21:43:49 +02:00
parent 960608c8b5
commit aba4e1cd1e
1 changed files with 31 additions and 23 deletions
Download Patch File Download Diff File Expand all files Collapse all files

54
config/firewall/rules.pl
View File

@@ -731,35 +731,43 @@ sub ipblocklist () {
run("$IPTABLES -F BLOCKLISTIN");
run("$IPTABLES -F BLOCKLISTOUT");
# If the blocklist feature is disabled we are finished here.
if($blocklistsettings{'ENABLE'} ne "on") {
# Bye.
return;
}
# Loop through the array of blocklists.
foreach my $blocklist (@blocklists) {
# Skip disabled blocklists.
next unless($blocklistsettings{$blocklist}) && ($blocklistsettings{$blocklist} eq "on"));
# Check if the blocklist feature and the current processed blocklist is enabled.
if(($blocklistsettings{'ENABLE'} eq "on") && ($blocklistsettings{$blocklist}) && ($blocklistsettings{$blocklist} eq "on")) {
# Call function to load the blocklist.
&ipset_restore($blocklist);
# Call function to load the blocklist.
&ipset_restore($blocklist);
# Call function to check if the corresponding iptables drop chain already has been created.
if(&firewall_chain_exists("${blocklist}_DROP")) {
# Create iptables chain.
run("$IPTABLES -N ${blocklist}_DROP");
# Create iptables chain.
run("$IPTABLES -N ${blocklist}_DROP");
# Check if logging is enabled.
if($blocklistsettings{'LOGGING'} eq "on") {
# Create logging rule.
run("$IPTABLES -A ${blocklist}_DROP -j LOG -m limit --limit 10/second --log-prefix \"BLKLST_$blocklist\" ");
}
# Check if logging is enables.
if($blocklistsettings{'LOGGING'} eq "on") {
# Create logging rule.
run("$IPTABLES -A ${blocklist}_DROP -j LOG -m limit --limit 10/second --log-prefix \"BLKLST_$blocklist\" ");
# Create Drop rule.
run("$IPTABLES -A ${blocklist}_DROP -j DROP");
}
# Add the rules to check against the set
run("$IPTABLES -A BLOCKLISTIN -p ALL -i $RED_DEV -m set --match-set $blocklist src -j ${blocklist}_DROP");
run("$IPTABLES -A BLOCKLISTOUT -p ALL -o $RED_DEV -m set --match-set $blocklist dst -j ${blocklist}_DROP");
# IP blocklist or the blocklist is disabled.
} else {
# Check if the blocklist related iptables drop chain exits.
unless(&firewall_chain_exists("${blocklist}_DROP")) {
# Flush the chain.
run("$IPTABLES -F ${blocklist}_DROP");
# Drop the chain.
run("$IPTABLES -X ${blocklist}_DROP");
}
}
# Create Drop rule.
run("$IPTABLES -A ${blocklist}_DROP -j DROP");
# Add the rules to check against the set
run("$IPTABLES -A BLOCKLISTIN -p ALL -i $RED_DEV -m set --match-set $blocklist src -j ${blocklist}_DROP");
run("$IPTABLES -A BLOCKLISTOUT -p ALL -o $RED_DEV -m set --match-set $blocklist dst -j ${blocklist}_DROP");
}
}