More blacklisting wrapup

- Deprecate 'blacklist' in the hosts file - Base blacklisting on interfaces alone Signed-off-by: Tom Eastep <teastep@shorewall.net>
2025-06-24 11:41:26 +02:00 · 2010-09-15 07:38:20 -07:00 · 2010-09-15 07:38:20 -07:00 · 373fc87165
commit 373fc87165
parent 4d0e8d129b
6 changed files with 44 additions and 14 deletions
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@ -894,6 +894,10 @@ sub use_output_chain($$) {
    #
    return 1 if $nets > 1;
    #
+    # Must also use the interface's chain if there is type-1 blacklisting on the interface
+    #
+    return 1 if $interfaceref->{options}{blacklist} & BL_IN;
+    #
    # Don't need it if it isn't associated with any zone
    #
    return 0 unless $nets;
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@ -2034,7 +2034,7 @@ sub generate_matrix() {
 			    my $interfacematch = '';
 			    my $use_output = 0;

-			    if ( @vservers || use_output_chain( $interface, $interfacechainref ) || $blacklist || ( @{$interfacechainref->{rules}} && ! $chain1ref ) ) {
+			    if ( @vservers || use_output_chain( $interface, $interfacechainref ) || ( @{$interfacechainref->{rules}} && ! $chain1ref ) ) {
 				$outputref = $interfacechainref;
 				add_jump $filter_table->{OUTPUT}, $outputref, 0, match_dest_dev( $interface ) unless $output_jump_added{$interface}++;
 				$use_output = 1;
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@ -979,7 +979,6 @@ sub process_interface( $$ ) {
 		    $value = BL_IN unless ( defined $value && $value ne '' );
 		    fatal_error "Invalid 'blacklist' value ( $value )" unless $value =~ /^[12]$/;
 		    $options{blacklist} = $value;
-		    $hostoptions{blacklist} = $options{blacklist} & BL_IN;
 		} else {
 		    assert( 0 );
 		}
@ -1697,7 +1696,13 @@ sub process_host( ) {
 		warning_message "The 'norfc1918' option is no longer supported"
 	    } elsif ( $validhostoptions{$option}) {
 		fatal_error qq(The "$option" option is not allowed with Vserver zones) if $type == VSERVER && ! ( $validhostoptions{$option} & IF_OPTION_VSERVER );
-		$options{$option} = 1;
+
+		if ( $option eq 'blacklist' ) {
+		    warning_message qq(The "blacklist" host option is deprecated and will be removed);
+		    $interfaces{$interface}{options}{blacklist} |= BL_IN;
+		} else {
+		    $options{$option} = 1;
+		}
 	    } else {
 		fatal_error "Invalid option ($option)";
 	    }
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@ -205,6 +205,10 @@ VI.   PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
    As part of this change, the OPTIONS may now be a comma-separated
    list of 'to' and 'from'.

+    Additionally, the 'blacklist' option in /etc/shorewall/hosts is now
+    deprecated and is treated as if 'blacklist=1' had been specified in
+    the corresponding entry in /etc/shorewall/interfaces.
+
 5)  There is now an OUT-BANDWIDTH column in
    /etc/shorewall/tcinterfaces.

@ -440,6 +444,14 @@ VI.   PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
    where 'iface' is a capitalized interface name (e.g., ETH0) and
    'provider' is the capitalized name of a provider.

+15) The 'blacklist' option in /etc/shorewall/hosts
+    (/etc/shorewall6/hosts) is now deprecated. It was originally
+    implemented to handle post kernel-2.6.21 bridges which are now
+    handled completely in the interfaces file.
+
+    Setting 'blacklist' in the hosts file is now equivalent to setting
+    blacklist=1 in the associated entry in the interfaces file.
+
 ----------------------------------------------------------------------------
 V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
      I N   P R I O R  R E L E A S E S
--- a/manpages/shorewall-hosts.xml
+++ b/manpages/shorewall-hosts.xml
@ -139,8 +139,11 @@
              <term><emphasis role="bold">blacklist</emphasis></term>

              <listitem>
-                <para>This option only makes sense for ports on a
-                bridge.</para>
+                <para>This option only makes sense for ports on a bridge. As
+                of Shoreawall 4.4.13, its use is deprecated and the effect of
+                the option is the same as specifying
+                <option>blacklist=1</option> on the associated entry in <ulink
+                url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5).</para>

                <para>Check packets arriving on this port against the <ulink
                url="shorewall-blacklist.html">shorewall-blacklist</ulink>(5)
@ -260,8 +263,9 @@ vpn         ppp+:192.168.3.0/24</programlisting></para>
    shorewall-masq(5), shorewall-nat(5), shorewall-nesting(5),
    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
    shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
-    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
-    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
-    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
+    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
+    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
+    shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
+    shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/manpages6/shorewall6-hosts.xml
+++ b/manpages6/shorewall6-hosts.xml
@ -83,7 +83,8 @@
            <listitem>
              <para>An IP address range of the form
              <emphasis>low.address</emphasis>-<emphasis>high.address</emphasis>.
-              Your kernel and ip6tables must have iprange match support.</para>
+              Your kernel and ip6tables must have iprange match
+              support.</para>
            </listitem>

            <listitem>
@ -126,8 +127,12 @@
              <term><emphasis role="bold">blacklist</emphasis></term>

              <listitem>
-                <para>This option only makes sense for ports on a
-                bridge.</para>
+                <para>This option only makes sense for ports on a bridge. As
+                of Shorewall 4.4.13, its use is deprecated and is equivalent
+                to specifying <option>blacklist=1</option> on the associated
+                entry in <ulink
+                url="shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5).
+                </para>

                <para>Check packets arriving on this port against the <ulink
                url="shorewall-blacklist.html">shorewall6-blacklist</ulink>(5)
@ -178,8 +183,8 @@
    shorewall6-blacklist(5), shorewall6-interfaces(5), shorewall6-maclist(5),
    shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5),
    shorewall6-route_rules(5), shorewall6-routestopped(5),
-    shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5), shorewall6-tcclasses(5),
-    shorewall6-tcdevices(5), shorewall6-tcrules(5), shorewall6-tos(5),
-    shorewall6-tunnels(5), shorewall-zones(5)</para>
+    shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5),
+    shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5),
+    shorewall6-tos(5), shorewall6-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
 </refentry>