Drop support for the 'blacklist' zone option
Signed-off-by: Tom Eastep <teastep@shorewall.net>
parent
d8d1e96e0d
commit
0f61bd34e6
@ -253,7 +253,6 @@ use constant { NO_UPDOWN => 1,
|
||||
our %validinterfaceoptions;
|
||||
|
||||
our %prohibitunmanaged = (
|
||||
blacklist => 1,
|
||||
bridge => 1,
|
||||
destonly => 1,
|
||||
detectnets => 1,
|
||||
@ -279,7 +278,6 @@ our %validhostoptions;
|
||||
|
||||
our %validzoneoptions = ( mss => NUMERIC,
|
||||
nomark => NOTHING,
|
||||
blacklist => NOTHING,
|
||||
dynamic_shared => NOTHING,
|
||||
strict => NOTHING,
|
||||
next => NOTHING,
|
||||
@ -296,7 +294,6 @@ use constant { UNRESTRICTED => 1, NOFW => 2 , COMPLEX => 8, IN_OUT_ONLY => 16 };
|
||||
# Hash of options that have their own key in the returned hash.
|
||||
#
|
||||
our %zonekey = ( mss => UNRESTRICTED | COMPLEX ,
|
||||
blacklist => NOFW,
|
||||
nomark => NOFW | IN_OUT_ONLY,
|
||||
dynamic_shared => IN_OUT_ONLY );
|
||||
|
||||
@ -336,7 +333,6 @@ sub initialize( $$ ) {
|
||||
if ( $family == F_IPV4 ) {
|
||||
%validinterfaceoptions = (arp_filter => BINARY_IF_OPTION,
|
||||
arp_ignore => ENUM_IF_OPTION,
|
||||
blacklist => SIMPLE_IF_OPTION + IF_OPTION_HOST,
|
||||
bridge => SIMPLE_IF_OPTION,
|
||||
destonly => SIMPLE_IF_OPTION + IF_OPTION_HOST,
|
||||
detectnets => OBSOLETE_IF_OPTION,
|
||||
@ -365,7 +361,6 @@ sub initialize( $$ ) {
|
||||
wait => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
|
||||
);
|
||||
%validhostoptions = (
|
||||
blacklist => 1,
|
||||
maclist => 1,
|
||||
nosmurfs => 1,
|
||||
routeback => 1,
|
||||
@ -385,7 +380,6 @@ sub initialize( $$ ) {
|
||||
64 => 'local' );
|
||||
} else {
|
||||
%validinterfaceoptions = ( accept_ra => NUMERIC_IF_OPTION,
|
||||
blacklist => SIMPLE_IF_OPTION + IF_OPTION_HOST,
|
||||
bridge => SIMPLE_IF_OPTION,
|
||||
destonly => SIMPLE_IF_OPTION + IF_OPTION_HOST,
|
||||
dhcp => SIMPLE_IF_OPTION,
|
||||
@ -410,7 +404,6 @@ sub initialize( $$ ) {
|
||||
wait => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
|
||||
);
|
||||
%validhostoptions = (
|
||||
blacklist => 1,
|
||||
maclist => 1,
|
||||
routeback => 1,
|
||||
tcpflags => 1,
|
||||
@ -617,21 +610,6 @@ sub process_zone( \$ ) {
|
||||
}
|
||||
}
|
||||
|
||||
if ( $zoneref->{options}{in_out}{blacklist} ) {
|
||||
warning_message q(The 'blacklist' option is deprecated);
|
||||
for ( qw/in out/ ) {
|
||||
unless ( $zoneref->{options}{$_}{blacklist} ) {
|
||||
$zoneref->{options}{$_}{blacklist} = 1;
|
||||
} else {
|
||||
warning_message( "Redundant 'blacklist' in " . uc( $_ ) . '_OPTIONS' );
|
||||
}
|
||||
}
|
||||
} else {
|
||||
for ( qw/in out/ ) {
|
||||
warning_message q(The 'blacklist' option is deprecated), last if $zoneref->{options}{$_}{blacklist};
|
||||
}
|
||||
}
|
||||
|
||||
return $zone;
|
||||
|
||||
}
|
||||
@ -829,7 +807,7 @@ sub add_group_to_zone($$$$$$)
|
||||
#
|
||||
# Make 'find_hosts_by_option()' work correctly for this zone
|
||||
#
|
||||
for ( qw/blacklist maclist nosmurfs tcpflags/ ) {
|
||||
for ( qw/maclist nosmurfs tcpflags/ ) {
|
||||
$options->{$_} = $interfaceref->{options}{$_} if $interfaceref->{options}{$_} && ! exists $options->{$_};
|
||||
}
|
||||
}
|
||||
@ -1222,16 +1200,8 @@ sub process_interface( $$ ) {
|
||||
|
||||
if ( $type == SIMPLE_IF_OPTION ) {
|
||||
fatal_error "Option $option does not take a value" if defined $value;
|
||||
if ( $option eq 'blacklist' ) {
|
||||
if ( $zone ) {
|
||||
$zoneref->{options}{in}{blacklist} = 1;
|
||||
} else {
|
||||
warning_message "The 'blacklist' option is ignored on multi-zone interfaces";
|
||||
}
|
||||
} else {
|
||||
$options{$option} = 1;
|
||||
$hostoptions{$option} = 1 if $hostopt;
|
||||
}
|
||||
$options{$option} = 1;
|
||||
$hostoptions{$option} = 1 if $hostopt;
|
||||
} elsif ( $type == BINARY_IF_OPTION ) {
|
||||
$value = 1 unless defined $value;
|
||||
fatal_error "Option value for '$option' must be 0 or 1" unless ( $value eq '0' || $value eq '1' );
|
||||
@ -1402,7 +1372,6 @@ sub process_interface( $$ ) {
|
||||
|
||||
for ( qw/arp_filter
|
||||
arp_ignore
|
||||
blacklist
|
||||
bridge
|
||||
detectnets
|
||||
dhcp
|
||||
@ -2069,9 +2038,6 @@ sub process_host( ) {
|
||||
$ipsec = $interfaceref->{ipsec} = 1;
|
||||
} elsif ( $option eq 'norfc1918' ) {
|
||||
warning_message "The 'norfc1918' host option is no longer supported"
|
||||
} elsif ( $option eq 'blacklist' ) {
|
||||
warning_message "The 'blacklist' option is deprecated";
|
||||
$zoneref->{options}{in}{blacklist} = 1;
|
||||
} elsif ( $option =~ /^mss=(\d+)$/ ) {
|
||||
fatal_error "Invalid mss ($1)" unless $1 >= 500;
|
||||
require_capability 'TCPMSS_TARGET', $option, 's';
|
||||
|
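Review bot: A configuration that still sets `blacklist` loses its dedicated handling everywhere in this file, and nothing visible in these hunks replaces it with a diagnostic: the key is deleted from `%validzoneoptions`, from both `%validinterfaceoptions` tables and from both `%validhostoptions` tables, and the `blacklist` branch in `process_host` is removed while the adjacent `norfc1918` branch keeps its "no longer supported" message and `detectnets` stays mapped to `OBSOLETE_IF_OPTION`. Because the option controlled whether a zone's traffic was checked against the blacklist, the upgrade should fail closed rather than depend on the generic unknown-option path, which lies outside these hunks and should be confirmed to raise `fatal_error`. I would keep an explicit branch in `process_host`, `} elsif ( $option eq 'blacklist' ) {` followed by `fatal_error "The 'blacklist' option is no longer supported";`, and give the interface and zone tables an equivalent explicit rejection. `process_host`, `process_interface` and `process_zone` all begin and end outside the hunks shown.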
@ -282,30 +282,6 @@ c:a,b ipv4</programlisting>
|
||||
only apply to TYPE <option>ipsec</option> zones.</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">blacklist</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.4.13. May not be specified for
|
||||
<emphasis role="bold">firewall</emphasis> or <emphasis
|
||||
role="bold">vserver</emphasis> zones.</para>
|
||||
|
||||
<para>When specified in the IN_OPTIONS column, causes all
|
||||
traffic from this zone to be passed against the <emphasis
|
||||
role="bold">src</emphasis> entries in <ulink
|
||||
url="/manpages/shorewall-blacklist.html">shorewall-blacklist</ulink>(5).</para>
|
||||
|
||||
<para>When specified in the OUT_OPTIONS column, causes all
|
||||
traffic to this zone to be passed against the <emphasis
|
||||
role="bold">dst</emphasis> entries in s<ulink
|
||||
url="/manpages/shorewall-blacklist.html">horewall-blacklist</ulink>(5).</para>
|
||||
|
||||
<para>Specifying this option in the OPTIONS column is
|
||||
equivalent to entering it in both of the IN_OPTIONS and
|
||||
OUT_OPTIONS column.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">dynamic_shared</emphasis></term>
|
||||
|
||||
|