More blacklisting wrapup
- Deprecate 'blacklist' in the hosts file - Base blacklisting on interfaces alone Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
parent
4d0e8d129b
commit
373fc87165
@ -894,6 +894,10 @@ sub use_output_chain($$) {
|
||||
#
|
||||
return 1 if $nets > 1;
|
||||
#
|
||||
# Must also use the interface's chain if there is type-1 blacklisting on the interface
|
||||
#
|
||||
return 1 if $interfaceref->{options}{blacklist} & BL_IN;
|
||||
#
|
||||
# Don't need it if it isn't associated with any zone
|
||||
#
|
||||
return 0 unless $nets;
|
||||
|
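Review bot: The new `return 1 if $interfaceref->{options}{blacklist} & BL_IN;` treats the option as a bitmask, but the process_interface hunk in this commit only assigns `$options{blacklist}` inside the branch that handles the option, so for interfaces that never set it the `&` operates on undef and emits an uninitialized-value warning under `use warnings` for every such interface. A defaulted read keeps the logic and silences that: `return 1 if ( $interfaceref->{options}{blacklist} || 0 ) & BL_IN;`. If the options hash is pre-populated with a zero default elsewhere the point is moot, but that cannot be confirmed from the hunk. use_output_chain's body begins before the hunk and may continue past it.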
@ -2034,7 +2034,7 @@ sub generate_matrix() {
|
||||
my $interfacematch = '';
|
||||
my $use_output = 0;
|
||||
|
||||
if ( @vservers || use_output_chain( $interface, $interfacechainref ) || $blacklist || ( @{$interfacechainref->{rules}} && ! $chain1ref ) ) {
|
||||
if ( @vservers || use_output_chain( $interface, $interfacechainref ) || ( @{$interfacechainref->{rules}} && ! $chain1ref ) ) {
|
||||
$outputref = $interfacechainref;
|
||||
add_jump $filter_table->{OUTPUT}, $outputref, 0, match_dest_dev( $interface ) unless $output_jump_added{$interface}++;
|
||||
$use_output = 1;
|
||||
|
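Review bot: `$blacklist` is dropped from the `if` condition on the new line, yet the variable is declared and computed outside the hunk; if this was its only consumer in generate_matrix it is now dead state and its computation should be removed with it, otherwise a reader is left wondering why blacklisting no longer influences the OUTPUT jump here. A one-line comment above the `if` would make the relocation explicit: `# type-1 blacklisting now forces the interface chain via use_output_chain()`. generate_matrix continues outside the hunk in both directions, so the fate of `$blacklist` cannot be confirmed from here.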
@ -979,7 +979,6 @@ sub process_interface( $$ ) {
|
||||
$value = BL_IN unless ( defined $value && $value ne '' );
|
||||
fatal_error "Invalid 'blacklist' value ( $value )" unless $value =~ /^[12]$/;
|
||||
$options{blacklist} = $value;
|
||||
$hostoptions{blacklist} = $options{blacklist} & BL_IN;
|
||||
} else {
|
||||
assert( 0 );
|
||||
}
|
||||
@ -1697,7 +1696,13 @@ sub process_host( ) {
|
||||
warning_message "The 'norfc1918' option is no longer supported"
|
||||
} elsif ( $validhostoptions{$option}) {
|
||||
fatal_error qq(The "$option" option is not allowed with Vserver zones) if $type == VSERVER && ! ( $validhostoptions{$option} & IF_OPTION_VSERVER );
|
||||
$options{$option} = 1;
|
||||
|
||||
if ( $option eq 'blacklist' ) {
|
||||
warning_message qq(The "blacklist" host option is deprecated and will be removed);
|
||||
$interfaces{$interface}{options}{blacklist} |= BL_IN;
|
||||
} else {
|
||||
$options{$option} = 1;
|
||||
}
|
||||
} else {
|
||||
fatal_error "Invalid option ($option)";
|
||||
}
|
||||
|
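Review bot: `$interfaces{$interface}{options}{blacklist} |= BL_IN;` autovivifies `$interfaces{$interface}` if the interface named in the hosts entry has not already been validated against `%interfaces` earlier in process_host; an unknown interface would then silently acquire an entry instead of producing a fatal error. If that validation happens above the hunk this is fine, but the line deserves a comment saying so, e.g. `# $interface was validated above; fold the deprecated host option into the interface's bitmask`. The deprecation warning would also be more actionable if it named the replacement, e.g. `qq(The "blacklist" host option is deprecated and will be removed; use blacklist=1 in the interfaces file instead)`, consistent with the release notes in this commit. process_host's enclosing loop starts and ends outside the hunk.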
@ -205,6 +205,10 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
|
||||
As part of this change, the OPTIONS may now be a comma-separated
|
||||
list of 'to' and 'from'.
|
||||
|
||||
Additionally, the 'blacklist' option in /etc/shorewall/hosts is now
|
||||
deprecated and is treated as if 'blacklist=1' had been specified in
|
||||
the corresponding entry in /etc/shorewall/interfaces.
|
||||
|
||||
5) There is now an OUT-BANDWIDTH column in
|
||||
/etc/shorewall/tcinterfaces.
|
||||
|
||||
@ -440,6 +444,14 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
|
||||
where 'iface' is a capitalized interface name (e.g., ETH0) and
|
||||
'provider' is the capitalized name of a provider.
|
||||
|
||||
15) The 'blacklist' option in /etc/shorewall/hosts
|
||||
(/etc/shorewall6/hosts) is now deprecated. It was originally
|
||||
implemented to handle post kernel-2.6.21 bridges which are now
|
||||
handled completely in the interfaces file.
|
||||
|
||||
Setting 'blacklist' in the hosts file is now equivalent to setting
|
||||
blacklist=1 in the associated entry in the interfaces file.
|
||||
|
||||
----------------------------------------------------------------------------
|
||||
V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
|
||||
I N P R I O R R E L E A S E S
|
||||
|
@ -139,8 +139,11 @@
|
||||
<term><emphasis role="bold">blacklist</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>This option only makes sense for ports on a
|
||||
bridge.</para>
|
||||
<para>This option only makes sense for ports on a bridge. As
|
||||
of Shoreawall 4.4.13, its use is deprecated and the effect of
|
||||
the option is the same as specifying
|
||||
<option>blacklist=1</option> on the associated entry in <ulink
|
||||
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5).</para>
|
||||
|
||||
<para>Check packets arriving on this port against the <ulink
|
||||
url="shorewall-blacklist.html">shorewall-blacklist</ulink>(5)
|
||||
@ -260,8 +263,9 @@ vpn ppp+:192.168.3.0/24</programlisting></para>
|
||||
shorewall-masq(5), shorewall-nat(5), shorewall-nesting(5),
|
||||
shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
|
||||
shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
|
||||
shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
|
||||
shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
|
||||
shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
|
||||
shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
|
||||
shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
|
||||
shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
|
||||
shorewall-zones(5)</para>
|
||||
</refsect1>
|
||||
</refentry>
|
||||
|
@ -83,7 +83,8 @@
|
||||
<listitem>
|
||||
<para>An IP address range of the form
|
||||
<emphasis>low.address</emphasis>-<emphasis>high.address</emphasis>.
|
||||
Your kernel and ip6tables must have iprange match support.</para>
|
||||
Your kernel and ip6tables must have iprange match
|
||||
support.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
@ -126,8 +127,12 @@
|
||||
<term><emphasis role="bold">blacklist</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>This option only makes sense for ports on a
|
||||
bridge.</para>
|
||||
<para>This option only makes sense for ports on a bridge. As
|
||||
of Shorewall 4.4.13, its use is deprecated and is equivalent
|
||||
to specifying <option>blacklist=1</option> on the associated
|
||||
entry in <ulink
|
||||
url="shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5).
|
||||
</para>
|
||||
|
||||
<para>Check packets arriving on this port against the <ulink
|
||||
url="shorewall-blacklist.html">shorewall6-blacklist</ulink>(5)
|
||||
@ -178,8 +183,8 @@
|
||||
shorewall6-blacklist(5), shorewall6-interfaces(5), shorewall6-maclist(5),
|
||||
shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5),
|
||||
shorewall6-route_rules(5), shorewall6-routestopped(5),
|
||||
shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5), shorewall6-tcclasses(5),
|
||||
shorewall6-tcdevices(5), shorewall6-tcrules(5), shorewall6-tos(5),
|
||||
shorewall6-tunnels(5), shorewall-zones(5)</para>
|
||||
shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5),
|
||||
shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5),
|
||||
shorewall6-tos(5), shorewall6-tunnels(5), shorewall-zones(5)</para>
|
||||
</refsect1>
|
||||
</refentry>
|
||||
|