Allow to configure the firewall action which will be performed.

This commit adds the posibility to configure which action will be
passed to the firewall engine when blocking an IP address.

To prevent from any missconfiguration, the requested action will be
validated by the responsible firewall engine module before it get
executed.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

diff --git a/modules/Events.pm b/modules/Events.pm
index 7e0b687db55ed5cc7c104fc0c03dc280d21e6861..2f4b561a15d5bfd914620ddb8dcdcf63b015f868 100644 (file)
--- a/modules/Events.pm
+++ b/modules/Events.pm
@@ -194,9 +194,8 @@ sub CallBlock ($@) {
        # not been blocked yet, call the responisible
        # function to do this now.
        unless (exists($blockhash{$address})) {
        # not been blocked yet, call the responisible
        # function to do this now.
        unless (exists($blockhash{$address})) {

-               # XXX
-               # Add posibility to use a configure-able action.
-               my $action;
+               # Obtain the configured FirewallAction.
+               my $action = $self->{FirewallAction};

 
                # Block the given address.
                my $error = &DoBlock($address, $action);
 
                # Block the given address.
                my $error = &DoBlock($address, $action);

diff --git a/modules/IPtables.pm b/modules/IPtables.pm
index e3c3d1beb92b56c08fb41511d31c249a3f761cff..7395d3e32c23855868764a9983cb2343ed17c4a4 100644 (file)
--- a/modules/IPtables.pm
+++ b/modules/IPtables.pm
@@ -6,6 +6,9 @@ use Exporter qw(import);
 
 our @EXPORT = qw(DoBlock DoUnblock DoFlush);
 
 
 our @EXPORT = qw(DoBlock DoUnblock DoFlush);
 

+# Array of supported block actions.
+my @supported_actions = ("DROP", "REJECT");
+

 # The path to the iptables executeable.
 my $iptables = "/usr/sbin/iptables";
 
 # The path to the iptables executeable.
 my $iptables = "/usr/sbin/iptables";
 


@@ -30,6 +33,14 @@ sub DoBlock (@) {
                $action = "DROP";
        }
 
                $action = "DROP";
        }
 

+       # Check if the given action is supported.
+       my $error = &_check_action($action);
+
+       # Abort and return the recieved error.
+       if ($error) {
+               return $error;
+       }
+

        # Call iptables to block the given address.
        system("$iptables --wait -A $chain -s $address -j $action");
 }
        # Call iptables to block the given address.
        system("$iptables --wait -A $chain -s $address -j $action");
 }


@@ -114,4 +125,26 @@ sub _get_rules_positions_by_address ($) {
        return @reversed_rules;
 }
 
        return @reversed_rules;
 }
 

+#
+## The _check_action function.
+#
+## This private function is used to check if the given action is supported by
+## the firewall engine.
+#
+sub _check_action ($) {
+       my $action = $_[0];
+
+       # Check if the recieved action is part of the supported_actions array.
+       foreach my $item (@supported_actions) {
+               # Exit the loop and return "nothing" if we found a match.
+               if($item eq $action) {
+                       return;
+               }
+       }
+
+       # If we got here, the given action is not part of the array of supported
+       # actions. Return an error message.
+       return "Unsupported action: $action";
+}
+

 1;
 1;