From: Stefan Schantl Date: Mon, 4 Apr 2022 19:43:49 +0000 (+0200) Subject: rules.pl: Refactor logic to handle the IP blocklist feature. X-Git-Tag: v2.27-core170~4^2~149^2~16 X-Git-Url: http://git.ipfire.org/?p=ipfire-2.x.git;a=commitdiff_plain;h=aba4e1cd1ecc4620b3d90b2111167b4d3f523a76 rules.pl: Refactor logic to handle the IP blocklist feature. * Fixes that the same chain would be created each time a firewall reload is performed. * Also fixes multiple log and drop rules inside the the BLOCKLIST_DROP chains after doing a firewall reload. * Orphaned BLOCKLIST_DROP chains now will be flushed and removed in case the blocklist gets disabled or the entire feature will be swithed off. Signed-off-by: Stefan Schantl
---
diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl
index 1bd2920591..9198fec1d5 100644
--- a/config/firewall/rules.pl
+++ b/config/firewall/rules.pl
@@ -731,35 +731,43 @@ sub ipblocklist () {
 run("$IPTABLES -F BLOCKLISTIN");
 run("$IPTABLES -F BLOCKLISTOUT");
- # If the blocklist feature is disabled we are finished here.
- if($blocklistsettings{'ENABLE'} ne "on") {
- # Bye.
- return;
- }
-
 # Loop through the array of blocklists.
 foreach my $blocklist (@blocklists) {
- # Skip disabled blocklists.
- next unless($blocklistsettings{$blocklist}) && ($blocklistsettings{$blocklist} eq "on"));
-
- # Call function to load the blocklist.
- &ipset_restore($blocklist);
+ # Check if the blocklist feature and the current processed blocklist is enabled.
+ if(($blocklistsettings{'ENABLE'} eq "on") && ($blocklistsettings{$blocklist}) && ($blocklistsettings{$blocklist} eq "on")) {
+ # Call function to load the blocklist.
+ &ipset_restore($blocklist);
+
+ # Call function to check if the corresponding iptables drop chain already has been created.
+ if(&firewall_chain_exists("${blocklist}_DROP")) {
+ # Create iptables chain.
+ run("$IPTABLES -N ${blocklist}_DROP");
+
+ # Check if logging is enabled.
+ if($blocklistsettings{'LOGGING'} eq "on") {
+ # Create logging rule.
+ run("$IPTABLES -A ${blocklist}_DROP -j LOG -m limit --limit 10/second --log-prefix \"BLKLST_$blocklist\" ");
+ }
- # Create iptables chain.
- run("$IPTABLES -N ${blocklist}_DROP");
+ # Create Drop rule.
+ run("$IPTABLES -A ${blocklist}_DROP -j DROP");
+ }
- # Check if logging is enables.
- if($blocklistsettings{'LOGGING'} eq "on") {
- # Create logging rule.
- run("$IPTABLES -A ${blocklist}_DROP -j LOG -m limit --limit 10/second --log-prefix \"BLKLST_$blocklist\" ");
- }
+ # Add the rules to check against the set
+ run("$IPTABLES -A BLOCKLISTIN -p ALL -i $RED_DEV -m set --match-set $blocklist src -j ${blocklist}_DROP");
+ run("$IPTABLES -A BLOCKLISTOUT -p ALL -o $RED_DEV -m set --match-set $blocklist dst -j ${blocklist}_DROP");
- # Create Drop rule.
- run("$IPTABLES -A ${blocklist}_DROP -j DROP");
+ # IP blocklist or the blocklist is disabled.
+ } else {
+ # Check if the blocklist related iptables drop chain exits.
+ unless(&firewall_chain_exists("${blocklist}_DROP")) {
+ # Flush the chain.
+ run("$IPTABLES -F ${blocklist}_DROP");
- # Add the rules to check against the set
- run("$IPTABLES -A BLOCKLISTIN -p ALL -i $RED_DEV -m set --match-set $blocklist src -j ${blocklist}_DROP");
- run("$IPTABLES -A BLOCKLISTOUT -p ALL -o $RED_DEV -m set --match-set $blocklist dst -j ${blocklist}_DROP");
+ # Drop the chain.
+ run("$IPTABLES -X ${blocklist}_DROP");
+ }
+ }
 }
 }
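Review bot: An existing `${blocklist}_DROP` chain is never brought back in sync with the settings, because the LOG and DROP rules are appended only inside the branch that creates the chain with `-N`; once the chain exists, changing LOGGING has no effect on reload until the blocklist is disabled once so the else branch removes the chain. Ensuring the chain exists, then flushing it with `run("$IPTABLES -F ${blocklist}_DROP");` and re-adding the LOG/DROP rules unconditionally keeps the chain deterministic per reload while still avoiding the duplicate rules this commit fixes; the rewritten part is below. Separately, `if(&firewall_chain_exists(...))` guards the `-N` and `unless(&firewall_chain_exists(...))` guards the `-F`/`-X`, which reads inverted for a helper with that name; presumably it returns the iptables exit status (0 when the chain is present), but that convention is not visible in this hunk, so a comment such as `# firewall_chain_exists() is true when the chain does NOT exist (iptables exit code).` at both call sites would stop the next reader from "fixing" it, and the comment `# Check if the blocklist related iptables drop chain exits.` should read `exists`. The enclosing sub ipblocklist() starts before this hunk.
```perl
			# Create the drop chain if it is not present yet (same helper sense as before).
			if(&firewall_chain_exists("${blocklist}_DROP")) {
				run("$IPTABLES -N ${blocklist}_DROP");
			}

			# Flush and rebuild the chain so a changed LOGGING setting takes effect on reload.
			run("$IPTABLES -F ${blocklist}_DROP");

			if($blocklistsettings{'LOGGING'} eq "on") {
				run("$IPTABLES -A ${blocklist}_DROP -j LOG -m limit --limit 10/second --log-prefix \"BLKLST_$blocklist\" ");
			}
			run("$IPTABLES -A ${blocklist}_DROP -j DROP");

			# … unchanged: BLOCKLISTIN/BLOCKLISTOUT jump rules and the else branch …
```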