[Firewall] Extend fw cli script to accept ipset names

Lupul · Lupul · commit 6cb207db7bee · 2020-05-21T06:04:54.000+03:00
diff --git a/bin/v-add-firewall-rule b/bin/v-add-firewall-rule
@@ -47,14 +47,21 @@ sort_fw_rules() {
 #----------------------------------------------------------#
 
 check_args '3' "$#" 'ACTION IP PORT [PROTOCOL] [COMMENT] [RULE]'
-is_format_valid 'action' 'protocol' 'port_ext' 'ip'
+is_format_valid 'action' 'protocol' 'port_ext'
 is_system_enabled "$FIREWALL_SYSTEM" 'FIREWALL_SYSTEM'
 get_next_fw_rule
 is_format_valid 'rule'
 is_object_new '../../data/firewall/rules' 'RULE' "$rule"
 if [ ! -z "$comment" ]; then
     is_format_valid 'comment'
 fi
+if [[ "$ip" =~ ^ipset: ]]; then
+    ipset_name="${ip#ipset:}"
+    v-list-firewall-ipset plain | grep "^$ipset_name\s" >/dev/null
+    check_result $? 'ipset object not found' $E_NOTEXIST
+else
+    is_format_valid 'ip'
+fi
 
 # Perform verification if read-only mode is enabled
 check_hestia_demo_mode
diff --git a/bin/v-change-firewall-rule b/bin/v-change-firewall-rule
@@ -40,13 +40,21 @@ sort_fw_rules() {
 #----------------------------------------------------------#
 
 check_args '5' "$#" 'RULE ACTION IP  PORT [PROTOCOL] [COMMENT]'
-is_format_valid 'rule' 'action' 'protocol' 'port_ext' 'ip'
+is_format_valid 'rule' 'action' 'protocol' 'port_ext'
 if [ ! -z "$comment" ]; then
     is_format_valid 'comment'
 fi
 is_system_enabled "$FIREWALL_SYSTEM" 'FIREWALL_SYSTEM'
 is_object_valid '../../data/firewall/rules' 'RULE' "$rule"
 
+if [[ "$ip" =~ ^ipset: ]]; then
+    ipset_name="${ip#ipset:}"
+    v-list-firewall-ipset plain | grep "^$ipset_name\s" >/dev/null
+    check_result $? 'ipset object not found' $E_NOTEXIST
+else
+    is_format_valid 'ip'
+fi
+
 # Perform verification if read-only mode is enabled
 check_hestia_demo_mode
 
diff --git a/bin/v-update-firewall b/bin/v-update-firewall
@@ -56,6 +56,9 @@ if [[ "$sshport" =~ ^[0-9]+$ ]] && [ "$sshport" -ne "22"  ]; then
     sed -i "s/PORT='22'/PORT=\'$sshport\'/" $rules
 fi
 
+# Load ipset lists before adding Hestia iptables rules
+$BIN/v-update-firewall-ipset
+
 # Creating temporary file
 tmp=$(mktemp)
 
@@ -83,10 +86,17 @@ for line in $(sort -r -n -k 2 -t \' $rules); do
     if [ "$SUSPENDED" = 'no' ]; then
         proto="-p $PROTOCOL"
         port="--dport $PORT"
-        ip="-s $IP"
         state=""
         action="-j $ACTION"
 
+        if [[ "$IP" =~ ^ipset: ]]; then
+            ipset_name="${IP#ipset:}"
+            $(v-list-firewall-ipset plain | grep "^$ipset_name\s" >/dev/null) || log_event $E_NOTEXIST "ipset object ($ipset_name) not found"
+            ip="-m set --match-set '${ipset_name}' src"
+        else
+            ip="-s $IP"
+        fi
+
         # Adding multiport module
         if [[ "$PORT" =~ ,|-|: ]] ; then
             port="-m multiport --dports ${PORT//-/:}"
