Decommit per-interface dynamic blacklisting; warnings on 'unclean' dependencies

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@726 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2003-08-24 01:24:23 +00:00
parent 3b0705c223
commit 41de5afd06
5 changed files with 50 additions and 198 deletions


@ -634,9 +634,11 @@ validate_interfaces_file() {
for option in $options; do for option in $options; do
case $option in case $option in
dhcp|norfc1918|tcpflags|newnotsyn|arp_filter) dhcp|norfc1918|tcpflags|newnotsyn|arp_filter|routefilter|blacklist|proxyarp|maclist|-)
;; ;;
routefilter|dropunclean|logunclean|blacklist|proxyarp|maclist|-) dropunclean|logunclean)
error_message \
"Warning: The 'dropunclean' and 'logunclean' options will be removed in a future release"
;; ;;
routeback) routeback)
[ -n "$z" ] || startup_error "The routeback option may not be specified on a multi-zone interface" [ -n "$z" ] || startup_error "The routeback option may not be specified on a multi-zone interface"
@ -3854,33 +3856,9 @@ initialize_netfilter () {
[ -f $usersets_file ] && setup_usersets $usersets_file [ -f $usersets_file ] && setup_usersets $usersets_file
for interface in $all_interfaces; do if [ -f /var/lib/shorewall/save ]; then
chain=`dynamic_chain $interface`
createchain $chain no
iptables -A $chain -j dynamic
done
echo $all_interfaces > $STATEDIR/interfaces
if [ -f /var/lib/shorewall/save -o -f /var/lib/shorewall/savedyn ]; then
echo "Restoring dynamic rules..." echo "Restoring dynamic rules..."
if [ -f /var/lib/shorewall/savedyn ]; then
while read target ignore1 ignore2 address rest; do
case $target in
DROP|reject)
chains=`dynamic_chains_by_address $address`
for chain in ${chains:-dynamic}; do
run_iptables2 -I $chain -s $address -j $target
done
;;
*)
;;
esac
done < /var/lib/shorewall/savedyn
fi
if [ -f /var/lib/shorewall/save ]; then if [ -f /var/lib/shorewall/save ]; then
while read target ignore1 ignore2 address rest; do while read target ignore1 ignore2 address rest; do
case $target in case $target in
@ -3898,9 +3876,7 @@ initialize_netfilter () {
for interface in $all_interfaces; do for interface in $all_interfaces; do
createchain `forward_chain $interface` no createchain `forward_chain $interface` no
run_iptables -A `forward_chain $interface` -j `dynamic_chain $interface`
createchain `input_chain $interface` no createchain `input_chain $interface` no
run_iptables -A `input_chain $interface` -j `dynamic_chain $interface`
done done
} }
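Review bot: The restore branch in initialize_netfilter (second hunk) now reads only /var/lib/shorewall/save, so a /var/lib/shorewall/savedyn left behind by an earlier snapshot's `save` is silently ignored and any addresses blacklisted per-interface are no longer restored after this upgrade. That is the intended removal, but the file should not linger unnoticed; a one-line notice next to the new `if [ -f /var/lib/shorewall/save ]; then` would make the loss visible, e.g. `[ -f /var/lib/shorewall/savedyn ] && echo "Warning: ignoring obsolete /var/lib/shorewall/savedyn -- per-interface dynamic rules are not restored"`. Whether such a file exists on a given system depends on the previous snapshot having been used, so this is presumably only an upgrade-path concern. The body of initialize_netfilter continues past the end of that hunk.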


@ -401,14 +401,6 @@ chain_base() #$1 = interface
done done
} }
#
# Dynamic Blacklisting Chain to an interface
#
dynamic_chain() # $1 = interface
{
echo `chain_base $1`_dyn
}
# #
# Remove trailing digits from a name # Remove trailing digits from a name
# #
@ -492,20 +484,3 @@ find_interface_by_address() {
[ -n "$dev" ] && echo $dev [ -n "$dev" ] && echo $dev
} }
#
# Expands to a list of dynamic chains for the passed address
#
dynamic_chains_by_address()
{
local interface iface
interface=`find_interface_by_address $1`
[ -z "$interface" ] && echo dynamic && return
for iface in $all_interfaces; do
if_match $iface $interface && echo `dynamic_chain $iface`
done
}


@ -52,10 +52,9 @@ address|host)
allow) allow)
echo "allow: allow <address> ... echo "allow: allow <address> ...
Re-enables receipt of packets from hosts previously blacklisted Re-enables receipt of packets from hosts previously blacklisted
by a drop, dropall, reject or rejectall command. by a drop or reject command.
Shorewall allow, drop, dropall, reject, rejectall, and save implement Shorewall allow, drop, rejct and save implement dynamic blacklisting.
dynamic blacklisting.
See also \"help address\"" See also \"help address\""
;; ;;
@ -106,16 +105,11 @@ delete)
See also \"help host\"" See also \"help host\""
;; ;;
drop|dropall) drop)
echo "$1: $1 <address> ... echo "$1: $1 <address> ...
Causes packets from the specified <address> to be ignored Causes packets from the specified <address> to be ignored
Shorewall allow, drop, dropall, reject, rejectall, and save implement Shorewall allow, drop, rejct and save implement dynamic blacklisting.
dynamic blacklisting.
'dropall' causes all interfaces to be monitored for packets from the
given address while 'drop' causes only those interfaces with a route
to the address to be monitored.
See also \"help address\"" See also \"help address\""
;; ;;
@ -162,16 +156,11 @@ refresh)
to reflect any changes made. Existing connections are untouched" to reflect any changes made. Existing connections are untouched"
;; ;;
reject|rejectall) reject)
echo "$1: $1 <address> ... echo "$1: $1 <address> ...
Causes packets from the specified <address> to be rejected Causes packets from the specified <address> to be rejected
Shorewall allow, drop, dropall, reject, rejectall, and save implement Shorewall allow, drop, rejct and save implement dynamic blacklisting.
dynamic blacklisting.
'rejectall' causes all interfaces to be monitored for packets from the
given address while 'reject' causes only those interfaces with a route
to the address to be monitored.
See also \"help address\"" See also \"help address\""
;; ;;
@ -190,8 +179,7 @@ restart)
save) save)
echo "save: save echo "save: save
The dynamic data is stored in /var/lib/shorewall/save The dynamic data is stored in /var/lib/shorewall/save
Shorewall allow, drop, dropall, reject, rejectall, and save implement Shorewall allow, drop, rejct and save implement dynamic blacklisting."
dynamic blacklisting."
;; ;;
show) show)
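Review bot: The new help text misspells "reject" as "rejct" in the allow arm, and the same line is repeated with the same typo in the drop, reject and save arms of this file. Since these strings are what `shorewall help <command>` prints to the user, the corrected line should read `Shorewall allow, drop, reject and save implement dynamic blacklisting.` in all four places. The rest of the rewording (dropping dropall/rejectall) matches the commands removed elsewhere in the commit.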


@ -30,30 +30,25 @@ Problems Corrected since version 1.4.6:
Migration Issues: Migration Issues:
1) Once you have installed this version of Shorewall, you must 1) IP Traffic Accounting is changed from Snapshot 20030813.
restart Shorewall before you may use the 'drop', 'reject', 'allow'
or 'save' commands.
2) To maintain strict compatibility with previous versions, current 2) The Uset Set capability introduced in SnapShot 20030821 has
uses of "shorewall drop" and "shorewall reject" should be replaced
with "shorewall dropall" and "shorewall rejectall".
3) IP Traffic Accounting is changed from Snapshot 20030813.
4) The Uset Set capability introduced in SnapShot 20030821 has
changed -- see the User Set page for details. changed -- see the User Set page for details.
3) The per-interface dynamic blacklisting facility from previous 1.4.6
Snapshots has been removed. The implications of the facility for
users with dial-up internet connections were too complicated to
document adaquately. My apologies for unleashing this half-baked
idea on the user base.
New Features: New Features:
1) Shorewall now creates a dynamic blacklisting chain for each interface 1) The 2.6 series of Linux kernels will not support the 'unclean'
defined in /etc/shorewall/interfaces. The 'drop' and 'reject' match extension except in Patch-O-Matic. In keeping with the
commands use the routing table to determine which of these chains is Shorewall policy of not supporting netfilter extensions that are
to be used for blacklisting the specified IP address(es). only available in Patch-O-Matic, the 'dropunclean' and
'logunclean' interface options will be removed in a future
Two new commands ('dropall' and 'rejectall') have been introduced release. In the 1.4.7 release, they are flagged with a warning.
that do what 'drop' and 'reject' used to do; namely, when an address
is blacklisted using these new commands, it will be blacklisted on
all of your firewall's interfaces.
2) Thanks to Steve Herber, the help command can now give 2) Thanks to Steve Herber, the help command can now give
command-specific help. command-specific help.
@ -273,3 +268,4 @@ New Features:
11) Output rules (those with $FW as the SOURCE) may now be limited to 11) Output rules (those with $FW as the SOURCE) may now be limited to
a set of local users and/or groups. See a set of local users and/or groups. See
http://shorewall.net/UserSets.html for details. http://shorewall.net/UserSets.html for details.


@ -252,10 +252,9 @@ display_chains()
echo "$banner `date`" echo "$banner `date`"
echo echo
firstchain=Yes firstchain=Yes
echo "Dynamic Chains" echo "Dynamic Chain"
echo echo
showchain dynamic showchain dynamic
showchain '.*_dyn'
timed_read timed_read
qt rm -f /tmp/chains-$$ qt rm -f /tmp/chains-$$
@ -518,45 +517,6 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
done done
} }
#
# Load list of interfaces into the 'all_interfaces' variable
#
load_all_interfaces() {
if [ ! -f $STATEDIR/interfaces ] ; then
echo "ERROR: $STATEDIR/interfaces does not exist" >&2
mutex_off
exit 2
fi
read all_interfaces < $STATEDIR/interfaces
}
#
# Save Dynamic Blacklist
#
save_dynamic_blacklist() {
[ -d /var/lib/shorewall ] || mkdir -p /var/lib/shorewall
load_all_interfaces
> /var/lib/shorewall/savedyn
for interface in $all_interfaces; do
if ! iptables -L `dynamic_chain $interface` >> /var/lib/shorewall/savedyn; then
echo "Error Saving the Dynamic Rules"
return
fi
done
if iptables -L dynamic -n >> /var/lib/shorewall/save; then
echo "Dynamic Rules Saved"
else
echo "Error Saving the Dynamic Rules"
fi
}
# #
# Help information # Help information
# #
@ -578,7 +538,7 @@ usage() # $1 = exit status
echo " check" echo " check"
echo " clear" echo " clear"
echo " delete <interface>[:<host>] <zone>" echo " delete <interface>[:<host>] <zone>"
echo " drop|dropall <address> ..." echo " drop <address> ..."
echo " help [ <command > | host | address ]" echo " help [ <command > | host | address ]"
echo " hits" echo " hits"
echo " ipcalc [ <address>/<vlsm> | <address> <netmask> ]" echo " ipcalc [ <address>/<vlsm> | <address> <netmask> ]"
@ -586,7 +546,7 @@ usage() # $1 = exit status
echo " logwatch [<refresh interval>]" echo " logwatch [<refresh interval>]"
echo " monitor [<refresh interval>]" echo " monitor [<refresh interval>]"
echo " refresh" echo " refresh"
echo " reject|rejectall <address> ..." echo " reject <address> ..."
echo " reset" echo " reset"
echo " restart" echo " restart"
echo " save" echo " save"
@ -899,18 +859,6 @@ case "$1" in
drop) drop)
[ $# -eq 1 ] && usage 1 [ $# -eq 1 ] && usage 1
mutex_on mutex_on
load_all_interfaces
while [ $# -gt 1 ]; do
shift
chains=`dynamic_chains_by_address $1`
for chain in $chains; do
iptables -A $chain -s $1 -j DROP || break 1
echo "$1 Rejected in Chain $chain"
done
done
while [ $# -gt 1 ]; do while [ $# -gt 1 ]; do
shift shift
iptables -A dynamic -s $1 -j DROP || break 1 iptables -A dynamic -s $1 -j DROP || break 1
@ -921,74 +869,43 @@ case "$1" in
reject) reject)
[ $# -eq 1 ] && usage 1 [ $# -eq 1 ] && usage 1
mutex_on mutex_on
load_all_interfaces
while [ $# -gt 1 ]; do while [ $# -gt 1 ]; do
shift shift
chains=`dynamic_chains_by_address $1` iptables -A dynamic -s $1 -j reject || break 1
echo "$1 Rejected"
for chain in $chains; do
iptables -A $chain -s $1 -j reject || break 1
echo "$1 Rejected in Chain $chain"
done done
done
mutex_off mutex_off
;; ;;
allow) allow)
[ $# -eq 1 ] && usage 1 [ $# -eq 1 ] && usage 1
mutex_on mutex_on
load_all_interfaces
while [ $# -gt 1 ]; do while [ $# -gt 1 ]; do
shift shift
if qt iptables -D dynamic -s $1 -j reject; then
chains=`dynamic_chains_by_address $1`
for chain in $chains; do
if qt iptables -D $chain -s $1 -j reject; then
# #
# Address was rejected -- silently remove any drop as well # Address was rejected -- silently remove any drop as well
# #
qt iptables -D $chain -s $1 -j DROP qt iptables -D dynamic -s $1 -j DROP
echo "$1 Allowed in Chain $chain" echo "$1 Allowed"
elif qt iptables -D $chain -s $1 -j DROP; then elif qt iptables -D dynamic -s $1 -j DROP; then
echo "$1 Allowed in Chain $chain" echo "$1 Allowed"
else else
echo "$1 Not Dropped or Rejected in Chain $chain" echo "$1 Not Dropped or Rejected"
fi fi
done done
done
mutex_off
;;
dropall)
[ $# -eq 1 ] && usage 1
mutex_on
while [ $# -gt 1 ]; do
shift
iptables -A dynamic -s $1 -j DROP || break 1
echo "$1 Dropped in Chain dynamic"
done
mutex_off
;;
rejectall)
[ $# -eq 1 ] && usage 1
mutex_on
while [ $# -gt 1 ]; do
shift
iptables -A dynamic -s $1 -j reject || break 1
echo "$1 Rejected in Chain dynamic"
done
mutex_off mutex_off
;; ;;
save) save)
[ $# -ne 1 ] && usage 1 [ $# -ne 1 ] && usage 1
mutex_on mutex_on
if qt iptables -L shorewall -n; then if qt iptables -L shorewall -n; then
save_dynamic_blacklist [ -d /var/lib/shorewall ] || mkdir /var/lib/shorewall
if iptables -L dynamic -n > /var/lib/shorewall/save; then
echo "Dynamic Rules Saved"
else
echo "Error Saving the Dynamic Rules"
fi
else else
echo "Shorewall isn't started" echo "Shorewall isn't started"
fi fi