From e7690506ec02e63eb36be02e3275578b607f802a Mon Sep 17 00:00:00 2001
From: Stefan Schantl
Date: Mon, 2 May 2022 20:52:42 +0200
Subject: [PATCH] rules.pl: Flush ipblocklist DROP chains.

Flush the DROP chains of the blocklist chains while reloading the firewall. Otherwise the log rules will stay even if logging has been disabled in the meantime.

Signed-off-by: Stefan Schantl
---
 config/firewall/rules.pl | 19 +++++++++++--------
 1 file changed, 11 insertions(+), 8 deletions(-)

diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl
index 799b2667d8..62fae8c025 100644
--- a/config/firewall/rules.pl
+++ b/config/firewall/rules.pl
@@ -742,17 +742,20 @@ sub ipblocklist () {
 if(&firewall_chain_exists("${blocklist}_DROP")) {
 # Create iptables chain.
 run("$IPTABLES -N ${blocklist}_DROP");
+ } else {
+ # Flush the chain.
+ run("$IPTABLES -F ${blocklist}_DROP");
+ }

- # Check if logging is enabled.
- if($blocklistsettings{'LOGGING'} eq "on") {
- # Create logging rule.
- run("$IPTABLES -A ${blocklist}_DROP -j LOG -m limit --limit 10/second --log-prefix \"BLKLST_$blocklist\" ");
- }
-
- # Create Drop rule.
- run("$IPTABLES -A ${blocklist}_DROP -j DROP");
+ # Check if logging is enabled.
+ if($blocklistsettings{'LOGGING'} eq "on") {
+ # Create logging rule.
+ run("$IPTABLES -A ${blocklist}_DROP -j LOG -m limit --limit 10/second --log-prefix \"BLKLST_$blocklist\" ");
 }

+ # Create Drop rule.
+ run("$IPTABLES -A ${blocklist}_DROP -j DROP");
+
 # Add the rules to check against the set
 run("$IPTABLES -A BLOCKLISTIN -p ALL -i $RED_DEV -m set --match-set $blocklist src -j ${blocklist}_DROP");
 run("$IPTABLES -A BLOCKLISTOUT -p ALL -o $RED_DEV -m set --match-set $blocklist dst -j ${blocklist}_DROP");
-- 
2.39.5
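Review bot: The new `else` branch makes the condition read backwards: `if(&firewall_chain_exists("${blocklist}_DROP"))` guards the `-N` (create) call and the newly added `-F` (flush) sits in the branch where the chain supposedly does not exist. That is only correct if `firewall_chain_exists()` returns the iptables exit status, i.e. a true value means the chain is missing; the helper is outside the hunk, so please confirm and record it where the test is made, e.g. `# firewall_chain_exists() returns the iptables exit status: true means the chain is absent.` Note also that between the `-F` and the re-appended `-j DROP` rule the `${blocklist}_DROP` chain is empty, so any jump rule still pointing at it from a previous load falls through to the parent chain during that window; if BLOCKLISTIN/BLOCKLISTOUT are flushed earlier in the reload this gap already exists there, otherwise deleting only the LOG rule (`-D`) or rebuilding the chain under a temporary name and swapping it in would close it. `sub ipblocklist` starts and ends outside the hunk.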