diff mbox series

firewall: Load ipset list before creating rules for DROP_HOSTILE.

Message ID 20220218050351.9708-1-stefan.schantl@ipfire.org
State Accepted
Commit 83085ae97c0576b1d038c1c5d52ec7707b543b99
Headers
Series firewall: Load ipset list before creating rules for DROP_HOSTILE. |

Commit Message

Stefan Schantl Feb. 18, 2022, 5:03 a.m. UTC 
  Otherwise there is no ipset list use-able and the feature will not work.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
---
 src/initscripts/system/firewall | 5 +++++
 1 file changed, 5 insertions(+)

Comments

Michael Tremer Feb. 18, 2022, 8:26 a.m. UTC | #1 
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>

> On 18 Feb 2022, at 05:03, Stefan Schantl <stefan.schantl@ipfire.org> wrote:
> 
> Otherwise there is no ipset list use-able and the feature will not work.
> 
> Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
> ---
> src/initscripts/system/firewall | 5 +++++
> 1 file changed, 5 insertions(+)
> 
> diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
> index adb2240bb..2ae6157aa 100644
> --- a/src/initscripts/system/firewall
> +++ b/src/initscripts/system/firewall
> @@ -22,6 +22,8 @@ IPS_REPEAT_MASK="0x80000000"
> IPS_BYPASS_MARK="0x40000000"
> IPS_BYPASS_MASK="0x40000000"
> 
> +IPSET_DB_DIR="/var/lib/location/ipset"
> +
> function iptables() {
> 	/sbin/iptables --wait "$@"
> }
> @@ -146,6 +148,9 @@ iptables_init() {
> 	# a technical threat to our users (i. e. listed at Spamhaus DROP et al.)
> 	iptables -N HOSTILE
> 	if [ "$DROPHOSTILE" == "on" ]; then
> +		# Call ipset and load the list which contains the hostile networks.
> +		ipset restore < $IPSET_DB_DIR/CC_XD.ipset4
> +
> 		iptables -A HOSTILE -m limit --limit 10/second -j LOG  --log-prefix "DROP_HOSTILE "
> 		iptables -A INPUT   -i $IFACE -m set --match-set CC_XD src -j HOSTILE
> 		iptables -A FORWARD -i $IFACE -m set --match-set CC_XD src -j HOSTILE
> -- 
> 2.30.2
>
diff mbox series

Patch

diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index adb2240bb..2ae6157aa 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -22,6 +22,8 @@  IPS_REPEAT_MASK="0x80000000"
 IPS_BYPASS_MARK="0x40000000"
 IPS_BYPASS_MASK="0x40000000"
 
+IPSET_DB_DIR="/var/lib/location/ipset"
+
 function iptables() {
 	/sbin/iptables --wait "$@"
 }
@@ -146,6 +148,9 @@  iptables_init() {
 	# a technical threat to our users (i. e. listed at Spamhaus DROP et al.)
 	iptables -N HOSTILE
 	if [ "$DROPHOSTILE" == "on" ]; then
+		# Call ipset and load the list which contains the hostile networks.
+		ipset restore < $IPSET_DB_DIR/CC_XD.ipset4
+
 		iptables -A HOSTILE -m limit --limit 10/second -j LOG  --log-prefix "DROP_HOSTILE "
 		iptables -A INPUT   -i $IFACE -m set --match-set CC_XD src -j HOSTILE
 		iptables -A FORWARD -i $IFACE -m set --match-set CC_XD src -j HOSTILE