From 373fc87165e0ef0f176799c0def98d1ae74d0d69 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Wed, 15 Sep 2010 07:38:20 -0700
Subject: [PATCH] More blacklisting wrapup
- Deprecate 'blacklist' in the hosts file
- Base blacklisting on interfaces alone
Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Chains.pm | 4 ++++
 Shorewall/Perl/Shorewall/Rules.pm | 2 +-
 Shorewall/Perl/Shorewall/Zones.pm | 9 +++++++--
 Shorewall/releasenotes.txt | 12 ++++++++++++
 manpages/shorewall-hosts.xml | 14 +++++++++-----
 manpages6/shorewall6-hosts.xml | 17 +++++++++++------
 6 files changed, 44 insertions(+), 14 deletions(-)
diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index baa10ee9e..2c3426bbd 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -894,6 +894,10 @@ sub use_output_chain($$) {
 #
 return 1 if $nets > 1;
 #
+ # Must also use the interface's chain if there is type-1 blacklisting on the interface #
+ return 1 if $interfaceref->{options}{blacklist} & BL_IN;
+ #
 # Don't need it if it isn't associated with any zone
 #
 return 0 unless $nets;
diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index 0b6259bb3..d7a8e42ad 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -2034,7 +2034,7 @@ sub generate_matrix() {
 my $interfacematch = '';
 my $use_output = 0;
- if ( @vservers || use_output_chain( $interface, $interfacechainref ) || $blacklist || ( @{$interfacechainref->{rules}} && ! $chain1ref ) ) {
+ if ( @vservers || use_output_chain( $interface, $interfacechainref ) || ( @{$interfacechainref->{rules}} && ! $chain1ref ) ) {
 $outputref = $interfacechainref;
 add_jump $filter_table->{OUTPUT}, $outputref, 0, match_dest_dev( $interface ) unless $output_jump_added{$interface}++;
 $use_output = 1;
diff --git a/Shorewall/Perl/Shorewall/Zones.pm b/Shorewall/Perl/Shorewall/Zones.pm
index c9a18a3d9..87abfaf63 100644
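Review bot: `return 1 if $interfaceref->{options}{blacklist} & BL_IN;` applies `&` to `$interfaceref->{options}{blacklist}` unguarded, and the Zones.pm hunk in this same patch shows `$options{blacklist}` being assigned only when the option is present on the interface, so for an interface without it the operand is presumably undef and `use warnings` will report an uninitialized value in bitwise and for every such interface. If the key is not initialized somewhere outside this hunk, guard it: `return 1 if ( $interfaceref->{options}{blacklist} || 0 ) & BL_IN;`. The new comment speaks of "type-1 blacklisting" while the code tests `BL_IN`; naming both, `# Must also use the interface's chain if there is type-1 (BL_IN) blacklisting on the interface`, ties the prose to the constant. use_output_chain begins and ends outside this hunk.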
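Review bot: Dropping `$blacklist` from the condition leaves the `$blacklist` local that generate_matrix computes earlier with, as far as this hunk shows, no remaining reader at this point; if nothing else in the sub uses it, remove its computation as well so the change does not leave a dead variable behind. The test it replaced now lives in use_output_chain() via the interface's BL_IN bit (the Chains.pm hunk), which deserves a one-line comment on this branch, e.g. `# type-1 blacklisting is accounted for inside use_output_chain()`, since a reader of this line alone cannot see why the interface chain is still selected for blacklisted interfaces. generate_matrix continues outside the hunk.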
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -979,7 +979,6 @@ sub process_interface( $$ ) {
 $value = BL_IN unless ( defined $value && $value ne '' );
 fatal_error "Invalid 'blacklist' value ( $value )" unless $value =~ /^[12]$/;
 $options{blacklist} = $value;
- $hostoptions{blacklist} = $options{blacklist} & BL_IN;
 } else {
 assert( 0 );
 }
@@ -1697,7 +1696,13 @@ sub process_host( ) {
 warning_message "The 'norfc1918' option is no longer supported"
 } elsif ( $validhostoptions{$option}) {
 fatal_error qq(The "$option" option is not allowed with Vserver zones) if $type == VSERVER && ! ( $validhostoptions{$option} & IF_OPTION_VSERVER );
- $options{$option} = 1;
+
+ if ( $option eq 'blacklist' ) {
+ warning_message qq(The "blacklist" host option is deprecated and will be removed);
+ $interfaces{$interface}{options}{blacklist} |= BL_IN;
+ } else {
+ $options{$option} = 1;
+ }
 } else {
 fatal_error "Invalid option ($option)";
 }
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index 3aa4df27c..501184518 100644
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@@ -205,6 +205,10 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
 As part of this change, the OPTIONS may now be a comma-separated list of 'to' and 'from'.
+ Additionally, the 'blacklist' option in /etc/shorewall/hosts is now
+ deprecated and is treated as if 'blacklist=1' had been specified in
+ the corresponding entry in /etc/shorewall/interfaces.
+
 5) There is now an OUT-BANDWIDTH column in /etc/shorewall/tcinterfaces. 
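Review bot: `$interfaces{$interface}{options}{blacklist} |= BL_IN;` autovivifies `$interfaces{$interface}` when the named interface is not in the table, so unless process_host has already validated `$interface` (outside this hunk), a hosts entry with a mistyped interface would silently create a phantom entry and the intended blacklisting would never take effect; if that validation is absent, add `fatal_error "Unknown interface ($interface)" unless $interfaces{$interface};` before the assignment. The deprecation warning says only that the option will be removed; stating the replacement the release notes describe, `warning_message qq(The "blacklist" host option is deprecated and will be removed; specify 'blacklist=1' on the interface in the interfaces file instead);`, saves the user a trip to the documentation. Because this mutation happens while the hosts file is being processed, presumably after the interfaces file, any decision already taken from the interface's blacklist bit before process_host ran would not see it, which is worth confirming. process_host starts and ends outside the hunk.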
@@ -440,6 +444,14 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
 where 'iface' is a capitalized interface name (e.g., ETH0) and 'provider' is the capitalized name of a provider.
+15) The 'blacklist' option in /etc/shorewall/hosts
+ (/etc/shorewall6/hosts) is now deprecated. It was originally
+ implemented to handle post kernel-2.6.21 bridges which are now
+ handled completely in the interfaces file.
+
+ Setting 'blacklist' in the hosts file is now equivalent to setting
+ blacklist=1 in the associated entry in the interfaces file.
+
 ----------------------------------------------------------------------------
 V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S I N P R I O R R E L E A S E S
diff --git a/manpages/shorewall-hosts.xml b/manpages/shorewall-hosts.xml
index ff9733a50..ab0d0d80f 100644
--- a/manpages/shorewall-hosts.xml
+++ b/manpages/shorewall-hosts.xml
@@ -139,8 +139,11 @@ blacklist
- This option only makes sense for ports on a
- bridge.
+ This option only makes sense for ports on a bridge. As
+ of Shoreawall 4.4.13, its use is deprecated and the effect of
+ the option is the same as specifying
+ on the associated entry in shorewall-interfaces(5).
 Check packets arriving on this port against the shorewall-blacklist(5)
@@ -260,8 +263,9 @@ vpn ppp+:192.168.3.0/24
 shorewall-masq(5), shorewall-nat(5), shorewall-nesting(5), shorewall-netmap(5), shorewall-params(5), shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
- shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
- shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
- shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)
+ shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
+ shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
+ shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
+ shorewall-zones(5) 
diff --git a/manpages6/shorewall6-hosts.xml b/manpages6/shorewall6-hosts.xml
index 234d21cf7..e1cd314e6 100644
--- a/manpages6/shorewall6-hosts.xml
+++ b/manpages6/shorewall6-hosts.xml
@@ -83,7 +83,8 @@ An IP address range of the form low.address-high.address.
- Your kernel and ip6tables must have iprange match support.
+ Your kernel and ip6tables must have iprange match
+ support.
@@ -126,8 +127,12 @@ blacklist
- This option only makes sense for ports on a
- bridge.
+ This option only makes sense for ports on a bridge. As
+ of Shorewall 4.4.13, its use is deprecated and is equivalent
+ to specifying on the associated
+ entry in shorewall6-interfaces(5).
+ Check packets arriving on this port against the shorewall6-blacklist(5)
@@ -178,8 +183,8 @@ shorewall6-blacklist(5), shorewall6-interfaces(5), shorewall6-maclist(5), shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5), shorewall6-route_rules(5), shorewall6-routestopped(5),
- shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5), shorewall6-tcclasses(5),
- shorewall6-tcdevices(5), shorewall6-tcrules(5), shorewall6-tos(5),
- shorewall6-tunnels(5), shorewall-zones(5)
+ shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5),
+ shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5),
+ shorewall6-tos(5), shorewall6-tunnels(5), shorewall-zones(5)