From mboxrd@z Thu Jan 1 00:00:00 1970 From: Michael Tremer To: development@lists.ipfire.org Subject: Re: [PATCH] firewall: Load ipset list before creating rules for DROP_HOSTILE. Date: Fri, 18 Feb 2022 08:26:59 +0000 Message-ID: In-Reply-To: <20220218050351.9708-1-stefan.schantl@ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============4293591103732898904==" List-Id: --===============4293591103732898904== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Reviewed-by: Michael Tremer > On 18 Feb 2022, at 05:03, Stefan Schantl wrot= e: >=20 > Otherwise there is no ipset list use-able and the feature will not work. >=20 > Signed-off-by: Stefan Schantl > --- > src/initscripts/system/firewall | 5 +++++ > 1 file changed, 5 insertions(+) >=20 > diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firew= all > index adb2240bb..2ae6157aa 100644 > --- a/src/initscripts/system/firewall > +++ b/src/initscripts/system/firewall > @@ -22,6 +22,8 @@ IPS_REPEAT_MASK=3D"0x80000000" > IPS_BYPASS_MARK=3D"0x40000000" > IPS_BYPASS_MASK=3D"0x40000000" >=20 > +IPSET_DB_DIR=3D"/var/lib/location/ipset" > + > function iptables() { > /sbin/iptables --wait "$@" > } > @@ -146,6 +148,9 @@ iptables_init() { > # a technical threat to our users (i. e. listed at Spamhaus DROP et al.) > iptables -N HOSTILE > if [ "$DROPHOSTILE" =3D=3D "on" ]; then > + # Call ipset and load the list which contains the hostile networks. > + ipset restore < $IPSET_DB_DIR/CC_XD.ipset4 > + > iptables -A HOSTILE -m limit --limit 10/second -j LOG --log-prefix "DROP= _HOSTILE " > iptables -A INPUT -i $IFACE -m set --match-set CC_XD src -j HOSTILE > iptables -A FORWARD -i $IFACE -m set --match-set CC_XD src -j HOSTILE > --=20 > 2.30.2 >=20 --===============4293591103732898904==--
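Review bot: In the first hunk, `IPSET_DB_DIR="/var/lib/location/ipset"` is introduced without a comment saying which component is expected to populate that directory or what file naming it uses; since the second hunk depends on `$IPSET_DB_DIR/CC_XD.ipset4` existing, a one-line comment above the variable stating where the `.ipset4` files come from (and that the firewall only consumes them) would make the dependency obvious to whoever next touches the initscript.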
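Review bot: In the second hunk, `ipset restore < $IPSET_DB_DIR/CC_XD.ipset4` has no check that the file exists and no handling of a failed restore; if the file is missing the redirection fails, and the following `iptables -A INPUT ... -m set --match-set CC_XD src -j HOSTILE` and `FORWARD` rules then fail as well because the set does not exist, so DROP_HOSTILE ends up enabled in the configuration while no traffic is actually dropped, with only an error on the console to show for it. Two further points on the same line: `ipset restore` without the `-exist` (`-!`) option refuses to recreate a set that already exists, which is the normal situation on a firewall restart where `iptables_init` runs again but the sets were never destroyed, and the path should be quoted. Suggest wrapping it as `if [ -r "${IPSET_DB_DIR}/CC_XD.ipset4" ]; then ipset -exist restore < "${IPSET_DB_DIR}/CC_XD.ipset4"; fi`, and logging (or falling back to not adding the `--match-set` rules) when the file is absent so the failure is visible rather than silent.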