More blacklisting wrapup

- Deprecate 'blacklist' in the hosts file
- Base blacklisting on interfaces alone

Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2010-09-15 07:38:20 -07:00
parent 4d0e8d129b
commit 373fc87165
6 changed files with 44 additions and 14 deletions

View File

@ -894,6 +894,10 @@ sub use_output_chain($$) {
#
return 1 if $nets > 1;
#
# Must also use the interface's chain if there is type-1 blacklisting on the interface
#
return 1 if $interfaceref->{options}{blacklist} & BL_IN;
#
# Don't need it if it isn't associated with any zone
#
return 0 unless $nets;

View File

@ -2034,7 +2034,7 @@ sub generate_matrix() {
my $interfacematch = '';
my $use_output = 0;
if ( @vservers || use_output_chain( $interface, $interfacechainref ) || $blacklist || ( @{$interfacechainref->{rules}} && ! $chain1ref ) ) {
if ( @vservers || use_output_chain( $interface, $interfacechainref ) || ( @{$interfacechainref->{rules}} && ! $chain1ref ) ) {
$outputref = $interfacechainref;
add_jump $filter_table->{OUTPUT}, $outputref, 0, match_dest_dev( $interface ) unless $output_jump_added{$interface}++;
$use_output = 1;

View File

@ -979,7 +979,6 @@ sub process_interface( $$ ) {
$value = BL_IN unless ( defined $value && $value ne '' );
fatal_error "Invalid 'blacklist' value ( $value )" unless $value =~ /^[12]$/;
$options{blacklist} = $value;
$hostoptions{blacklist} = $options{blacklist} & BL_IN;
} else {
assert( 0 );
}
@ -1697,7 +1696,13 @@ sub process_host( ) {
warning_message "The 'norfc1918' option is no longer supported"
} elsif ( $validhostoptions{$option}) {
fatal_error qq(The "$option" option is not allowed with Vserver zones) if $type == VSERVER && ! ( $validhostoptions{$option} & IF_OPTION_VSERVER );
$options{$option} = 1;
if ( $option eq 'blacklist' ) {
warning_message qq(The "blacklist" host option is deprecated and will be removed);
$interfaces{$interface}{options}{blacklist} |= BL_IN;
} else {
$options{$option} = 1;
}
} else {
fatal_error "Invalid option ($option)";
}

View File

@ -205,6 +205,10 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
As part of this change, the OPTIONS may now be a comma-separated
list of 'to' and 'from'.
Additionally, the 'blacklist' option in /etc/shorewall/hosts is now
deprecated and is treated as if 'blacklist=1' had been specified in
the corresponding entry in /etc/shorewall/interfaces.
5) There is now an OUT-BANDWIDTH column in
/etc/shorewall/tcinterfaces.
@ -440,6 +444,14 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
where 'iface' is a capitalized interface name (e.g., ETH0) and
'provider' is the capitalized name of a provider.
15) The 'blacklist' option in /etc/shorewall/hosts
(/etc/shorewall6/hosts) is now deprecated. It was originally
implemented to handle post kernel-2.6.21 bridges which are now
handled completely in the interfaces file.
Setting 'blacklist' in the hosts file is now equivalent to setting
blacklist=1 in the associated entry in the interfaces file.
----------------------------------------------------------------------------
V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
I N P R I O R R E L E A S E S

View File

@ -139,8 +139,11 @@
<term><emphasis role="bold">blacklist</emphasis></term>
<listitem>
<para>This option only makes sense for ports on a
bridge.</para>
<para>This option only makes sense for ports on a bridge. As
of Shoreawall 4.4.13, its use is deprecated and the effect of
the option is the same as specifying
<option>blacklist=1</option> on the associated entry in <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5).</para>
<para>Check packets arriving on this port against the <ulink
url="shorewall-blacklist.html">shorewall-blacklist</ulink>(5)
@ -260,8 +263,9 @@ vpn ppp+:192.168.3.0/24</programlisting></para>
shorewall-masq(5), shorewall-nat(5), shorewall-nesting(5),
shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
shorewall-zones(5)</para>
</refsect1>
</refentry>

View File

@ -83,7 +83,8 @@
<listitem>
<para>An IP address range of the form
<emphasis>low.address</emphasis>-<emphasis>high.address</emphasis>.
Your kernel and ip6tables must have iprange match support.</para>
Your kernel and ip6tables must have iprange match
support.</para>
</listitem>
<listitem>
@ -126,8 +127,12 @@
<term><emphasis role="bold">blacklist</emphasis></term>
<listitem>
<para>This option only makes sense for ports on a
bridge.</para>
<para>This option only makes sense for ports on a bridge. As
of Shorewall 4.4.13, its use is deprecated and is equivalent
to specifying <option>blacklist=1</option> on the associated
entry in <ulink
url="shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5).
</para>
<para>Check packets arriving on this port against the <ulink
url="shorewall-blacklist.html">shorewall6-blacklist</ulink>(5)
@ -178,8 +183,8 @@
shorewall6-blacklist(5), shorewall6-interfaces(5), shorewall6-maclist(5),
shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5),
shorewall6-route_rules(5), shorewall6-routestopped(5),
shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5), shorewall6-tcclasses(5),
shorewall6-tcdevices(5), shorewall6-tcrules(5), shorewall6-tos(5),
shorewall6-tunnels(5), shorewall-zones(5)</para>
shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5),
shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5),
shorewall6-tos(5), shorewall6-tunnels(5), shorewall-zones(5)</para>
</refsect1>
</refentry>