From 22d4c450e5189737e8df42c6a0d126b1c3c746ad Mon Sep 17 00:00:00 2001
From: "bbruns@gmail.com"
Date: Tue, 1 Apr 2014 00:46:35 +0000
Subject: [PATCH]
---
 bin/srfirewall | 2 +-
 etc/ipv4/easyblock.conf | 2 +-
 etc/ipv6/easyblock.conf | 2 +-
 lib/iptables.inc | 16 +++++++++-------
 4 files changed, 12 insertions(+), 10 deletions(-)
diff --git a/bin/srfirewall b/bin/srfirewall
index 1ef6136..98c38bb 100755
--- a/bin/srfirewall
+++ b/bin/srfirewall
@@ -169,6 +169,6 @@ if [ "${EnableIPv6}" == "yes" ]; then
 [ "${Enablev6MSSClamp}" == "yes" ] && enable_mss_clamp ipv6
 [ "${DNSClientUsev6ResolvConf}" == "yes" ] && allow_resolvconf_servers ipv6
 [ "${DNSClientManualv6Servers}" ] && allow_dnsclient_manual ipv6 "${DNSClientManualv6Servers}"
- [ "${Enablev6EasyBlock" == "yes" ] && enable_easyblock ipv6
+ [ "${Enablev6EasyBlock}" == "yes" ] && enable_easyblock ipv6
 fi
diff --git a/etc/ipv4/easyblock.conf b/etc/ipv4/easyblock.conf
index 04d0b31..f8c4aee 100644
--- a/etc/ipv4/easyblock.conf
+++ b/etc/ipv4/easyblock.conf
@@ -1,7 +1,7 @@
 # Easy Block List
 # Use this file to set up quick and easy blocking of traffic
 # Use tabs or single space to separate
-
+#
 #
 #
 # Direction: Required ( IN | OUT )
diff --git a/etc/ipv6/easyblock.conf b/etc/ipv6/easyblock.conf
index 7375481..da7146b 100644
--- a/etc/ipv6/easyblock.conf
+++ b/etc/ipv6/easyblock.conf
@@ -1,7 +1,7 @@
 # Easy Block List
 # Use this file to set up quick and easy blocking of traffic
 # Use tabs or single space to separate
-
+#
 #
 #
 # Direction: Required ( IN | OUT )
diff --git a/lib/iptables.inc b/lib/iptables.inc
index 1dc6680..2f501d7 100644
--- a/lib/iptables.inc
+++ b/lib/iptables.inc
@@ -167,6 +167,7 @@ function enable_mss_clamp {
 ${debug} ${DebugColor} "${FUNCNAME}: read ${FWCONFIGDIR}/ipv${IPVER}/mss-clamp.conf successful"
 while read -r interface mss type; do
 [[ ${interface} = \#* ]] && continue
+ [[ ${interface} = "" ]] && continue
 [[ ${mss} == "-" ]] && mss="1400:1536"
 [[ ${type} == "-" ]] && type="${OutFilter}"
 [[ ${type} == "out" ]] && type="${OutFilter}"
@@ -198,6 +199,7 @@ function allow_resolvconf_servers {
 ${debug} ${DebugColor} "${FUNCNAME}: Using ${ResolvConfFile} as resolv.conf"
 while read -r type server; do
 [[ ${type} != "nameserver" ]] && continue
+ [[ ${type} = "" ]] && continue
 # If we see a : in the server variable, we are most likely dealing with an ipv6 address
 ([[ ${server} =~ ":" ]] && [[ ${IP_VERSION} = "ipv4" ]]) && continue
 ([[ ! ${server} =~ ":" ]] && [[ ${IP_VERSION} = "ipv6" ]]) && continue
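Review bot: The new `[[ ${interface} = "" ]] && continue` in enable_mss_clamp skips only fully blank lines; a line carrying just an interface name still passes it with `mss` and `type` empty, neither `"-"` default on the following lines fires, and the rest of the loop (outside the hunk) presumably runs with an empty MSS value. The idiomatic empty test is `[[ -z ${interface} ]] && continue`, and if short lines are not meant to be accepted, `[[ -z ${interface} || -z ${mss} || -z ${type} ]] && continue` rejects them in the same place. enable_mss_clamp starts and ends outside the hunk.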
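Review bot: The added `[[ ${type} = "" ]] && continue` in allow_resolvconf_servers is unreachable, because the line just above it, `[[ ${type} != "nameserver" ]] && continue`, already skips every line whose first field is empty. Drop the new line, or place it above the nameserver test if a separate blank-line check is wanted for readability; the same guard is live in enable_mss_clamp and enable_easyblock because those loops only have the `\#*` comment test before it. allow_resolvconf_servers starts and ends outside the hunk.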
@@ -243,13 +245,14 @@ function enable_easyblock {
 ${debug} ${DebugColor} "${FUNCNAME}: read ${FWCONFIGDIR}/ipv${IPVER}/easyblock.conf successful"
 while read -r direction interface address port protocol; do
 [[ ${direction} = \#* ]] && continue
+ [[ ${direction} = "" ]] && continue
 # Do some creative work with variables to make building the iptables rules fairly painless
 [[ ${port} != "-" ]] && port="--dport ${port}"
- ([[ ${address} != "-" ]] && [[ ${direction} == "IN" ]] && address="-s ${address}"
- ([[ ${address} != "-" ]] && [[ ${direction} == "OUT" ]] && address="-d ${address}"
- ([[ ${interface} != "-" ]] && [[ ${direction} == "IN" ]] && interface="-i ${interface}"
- ([[ ${interface} != "-" ]] && [[ ${direction} == "OUT" ]] && interface="-o ${interface}"
+ ([[ ${address} != "-" ]] && [[ ${direction} == "IN" ]]) && address="-s ${address}"
+ ([[ ${address} != "-" ]] && [[ ${direction} == "OUT" ]]) && address="-d ${address}"
+ ([[ ${interface} != "-" ]] && [[ ${direction} == "IN" ]]) && interface="-i ${interface}"
+ ([[ ${interface} != "-" ]] && [[ ${direction} == "OUT" ]]) && interface="-o ${interface}"
 [[ ${direction} == "OUT" ]] && chain="${OutEasyBlock}"
 [[ ${direction} == "IN" ]] && chain="${InEasyBlock}"
 [[ ${protocol} != "-" ]] && protocol="-p ${protocol}"
@@ -262,10 +265,9 @@ function enable_easyblock {
 [[ ${address} == "-" ]] && address=""
 [[ ${protocol} == "-" ]] && protocol=""
- ${VER_IPTABLES} -A ${chain} ${interface} ${address} ${protocol} ${port}
+
 done < "${FWCONFIGDIR}/ipv${IPVER}/easyblock.conf"
- ${debug} ${DebugColor} "${FUNCNAME}: done"
-
 fi
 }
\ No newline at end of file
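Review bot: With the missing `)` restored, the four `( [[ … ]] && [[ … ]] ) && var=…` lines in enable_easyblock parse, but each still forks a subshell for a test that `[[ … && … ]]` performs in the current shell, and the grouping buys nothing since the assignment already sits outside the parentheses. A line whose first field is neither `IN` nor `OUT` also passes both new guards and falls through to the `chain=` lines, where neither branch matches, so `chain` keeps whatever the previous line set (or is unset on the first line, unless it is reset somewhere outside the hunk) and the `${VER_IPTABLES} -A ${chain}` call in the next hunk appends the rule to the wrong chain; checking `direction` right after the blank-line guard closes that. The rewritten loop head is below; enable_easyblock starts and ends outside the hunk.
```bash
	while read -r direction interface address port protocol; do
		[[ ${direction} = \#* ]] && continue
		[[ -z ${direction} ]] && continue
		# Anything but IN/OUT would leave ${chain} stale below, so reject it here
		if [[ ${direction} != "IN" && ${direction} != "OUT" ]]; then
			${debug} ${DebugColor} "${FUNCNAME}: skipping line with unknown direction '${direction}'"
			continue
		fi
		# … unchanged: port handling …
		[[ ${address} != "-" && ${direction} == "IN" ]] && address="-s ${address}"
		[[ ${address} != "-" && ${direction} == "OUT" ]] && address="-d ${address}"
		[[ ${interface} != "-" && ${direction} == "IN" ]] && interface="-i ${interface}"
		[[ ${interface} != "-" && ${direction} == "OUT" ]] && interface="-o ${interface}"
		# … unchanged: chain and protocol selection …
```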