On 10/7/2013 6:18 AM, Simon Matter wrote:
> Hi Tom and all,
> 
> I started to play a bit with the AutoBL action on a CentOS 6 box and ran
> into the following problems:
> 
> 1) The action.AutoBL doesn't work for me until I patch it like so:
> 
> --- /usr/share/shorewall/action.AutoBL.orig     2013-10-01
> 00:59:42.000000000 +0200
> +++ /usr/share/shorewall/action.AutoBL  2013-10-07 14:44:31.530841099 +0200
> @@ -22,6 +22,9 @@
>  DEFAULTS -,60,5,2,300,DROP,info
> 
>  ?begin perl
> +
> +use Shorewall::Config;
> +
>  my ( $event, $interval, $count, $successive, $bltime, $disposition,
> $level ) = get_action_params(7);
> 
>  fatal_error "The event name parameter to AutoBL is required"           
> unless supplied $event;
> 
> 
> 2) The iptables package of CentOS 6 doesn't have the "--reap" option. From
> some Google searches it seems that the same applies to a number of
> distributions and iptables versions, even new iptables versions. My
> question is, is there a way to change action.IfEvent to work without the
> "--reap" option?

Hi Simon,

Please try the attached patch. It implements a REAP_OPTION capability
that should allow AutoBL to work without --reap.

Thanks,
-Tom


-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
index 76206ab..2e4f1da 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -316,6 +316,7 @@ our %capdesc = ( NAT_ENABLED     => 'NAT',
 		 LENGTH_MATCH    => 'Packet length Match',
 		 IPRANGE_MATCH   => 'IP Range Match',
 		 RECENT_MATCH    => 'Recent Match',
+                 REAP_OPTION     => 'Recent Match "--reap" option',
 		 OWNER_MATCH     => 'Owner Match',
 		 OWNER_NAME_MATCH
 		                 => 'Owner Name Match',
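Review bot: The added `REAP_OPTION` entry is indented with spaces while the neighbouring `%capdesc` entries (`RECENT_MATCH`, `OWNER_MATCH`) are indented with tabs, so the column alignment of this table now depends on the viewer's tab width. Indent the new line the same way as `RECENT_MATCH` directly above it. The `%capdesc` hash starts before this hunk.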
@@ -947,6 +948,7 @@ sub initialize( $;$$) {
 	       MASQUERADE_TGT => undef,
 	       UDPLITEREDIRECT => undef,
 	       NEW_TOS_MATCH => undef,
+	       REAP_OPTION => undef,
 
 	       AMANDA_HELPER => undef,
 	       FTP_HELPER => undef,
@@ -3819,6 +3821,11 @@ sub Recent_Match() {
     qt1( "$iptables $iptablesw -A $sillyname -m recent --update -j ACCEPT" );
 }
 
+sub Reap_Option() {
+    ( have_capability( 'RECENT_MATCH' ) &&
+      qt1( "$iptables $iptablesw -A $sillyname -m recent --rcheck --seconds 10 --reap" ) );
+}
+
 sub Owner_Match() {
     qt1( "$iptables $iptablesw -A $sillyname -m owner --uid-owner 0 -j ACCEPT" );
 }
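Review bot: `Reap_Option` carries no comment saying what it probes or why it is gated on `have_capability( 'RECENT_MATCH' )`, and unlike `Recent_Match` the reader has to work out that `--seconds 10` is there because `--reap` is only accepted together with `--seconds`. It also relies on `RECENT_MATCH` having been detected before `REAP_OPTION` — the `determine_capabilities` hunk later in this file does order them that way — which is worth stating so a future reordering does not silently break the probe. I would add above the sub: `# --reap is only valid together with --seconds, so the probe supplies both; an iptables/kernel without reap support rejects the rule. Assumes RECENT_MATCH was detected first.`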
@@ -4286,6 +4293,7 @@ our %detect_capability =
       RAW_TABLE => \&Raw_Table,
       RAWPOST_TABLE => \&Rawpost_Table,
       REALM_MATCH => \&Realm_Match,
+      REAP_OPTION => \&Reap_Option,
       RECENT_MATCH => \&Recent_Match,
       RPFILTER_MATCH => \&RPFilter_Match,
       SANE_HELPER => \&SANE_Helper,
@@ -4385,6 +4393,7 @@ sub determine_capabilities() {
 
 	$capabilities{IPRANGE_MATCH}   = detect_capability( 'IPRANGE_MATCH' );
 	$capabilities{RECENT_MATCH}    = detect_capability( 'RECENT_MATCH' );
+	$capabilities{REAP_OPTION}     = detect_capability( 'REAP_OPTION' );
 	$capabilities{OWNER_MATCH}     = detect_capability( 'OWNER_MATCH' );
 	$capabilities{OWNER_NAME_MATCH}
                                        = detect_capability( 'OWNER_NAME_MATCH' );
diff --git a/Shorewall/action.AutoBL b/Shorewall/action.AutoBL
index c33201e..c5e0f77 100644
--- a/Shorewall/action.AutoBL
+++ b/Shorewall/action.AutoBL
@@ -22,6 +22,9 @@
 DEFAULTS -,60,5,2,300,DROP,info
 
 ?begin perl
+
+use Shorewall::Config;
+
 my ( $event, $interval, $count, $successive, $bltime, $disposition, $level ) = get_action_params(7);
 
 fatal_error "The event name parameter to AutoBL is required"            unless supplied $event;
@@ -37,11 +40,16 @@ validate_level( $level );
 #
 # Silently reject the client if blacklisted
 #
-IfEvent(${1}_BL,$6,$5,1,src,check:reap)
+?if $REAP_OPTION
+?set check_param 'check:reap'
+?else
+?set check_param 'check'
+?endif
+IfEvent(${1}_BL,$6,$5,1,src,$check_param)
 #
 # Blacklist if M attempts in the last N seconds
 #
-IfEvent($1,AutoBLL($1,$6,$7),$2,$3,src,check:reap)
+IfEvent($1,AutoBLL($1,$6,$7),$2,$3,src,$check_param)
 #
 # Log and reject if the client has tried to connect
 # in the last N seconds
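Review bot: The `?else` branch drops `reap` without recording what that costs the operator: as far as I understand xt_recent, without `--reap` expired entries in the `${1}_BL` list are no longer pruned on each check and only disappear when the kernel evicts the oldest entry at the list's size limit, so on a system without the option the blacklist table can fill up sooner than with reap. The time window is still honoured by the `--seconds` check, so blacklisting itself should keep working, but the fallback deserves a comment next to `?set check_param 'check'`, e.g. `# No --reap support: expired ${1}_BL entries linger until evicted by the recent list size limit`. The third `IfEvent` in this file ("Log and reject if the client has tried to connect") lies outside the hunk, so I cannot tell from here whether it also needs `$check_param`.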
diff --git a/Shorewall/action.IfEvent b/Shorewall/action.IfEvent
index f2da938..87e208f 100644
--- a/Shorewall/action.IfEvent
+++ b/Shorewall/action.IfEvent
@@ -97,7 +97,8 @@ set_action_name_to_caller;
 require_capability 'RECENT_MATCH', 'Use of events', 's';
 
 if ( $command & $REAP_OPT ) {
-    fatal_error "${command}reap requires a time limit" if ! $duration;
+    require_capability( 'REAP_OPTION', q(The 'reap' option), 's' );
+    fatal_error "${command}reap requires a time limit" unless $duration;
     $duration .= '--reap ';
 }
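Review bot: The new `require_capability( 'REAP_OPTION', q(The 'reap' option), 's' )` uses parentheses while the `require_capability 'RECENT_MATCH', 'Use of events', 's';` four lines above does not; one call style per file reads better, so I would write `require_capability 'REAP_OPTION', q(The 'reap' option), 's';`. Placing the capability check before the `fatal_error` on `$duration` is the right order, since a missing `--reap` is the more fundamental problem.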
 

Attachment: signature.asc
Description: OpenPGP digital signature
