Decommit per-interface dynamic blacklisting; warnings on 'unclean' dependencies

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@726 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall/firewall

@@ -634,9 +634,11 @@ validate_interfaces_file() {
 
 	for option in $options; do
 	    case $option in
-		dhcp|norfc1918|tcpflags|newnotsyn|arp_filter)
+		dhcp|norfc1918|tcpflags|newnotsyn|arp_filter|routefilter|blacklist|proxyarp|maclist|-)
 		    ;;
-		routefilter|dropunclean|logunclean|blacklist|proxyarp|maclist|-)
+		dropunclean|logunclean)
+		    error_message \
+			"Warning: The 'dropunclean' and 'logunclean' options will be removed in a future release"
 		    ;;
 		routeback)
 		    [ -n "$z" ] || startup_error "The routeback option may not be specified on a multi-zone interface"
@@ -3854,33 +3856,9 @@ initialize_netfilter () {
 
     [ -f $usersets_file ] && setup_usersets $usersets_file
 
-    for interface in $all_interfaces; do
-	chain=`dynamic_chain $interface`
-	createchain $chain no
-	iptables -A $chain -j dynamic
-    done
-
-    echo $all_interfaces > $STATEDIR/interfaces
-
-    if [ -f /var/lib/shorewall/save -o -f /var/lib/shorewall/savedyn ]; then
+    if [ -f /var/lib/shorewall/save ]; then
 	echo "Restoring dynamic rules..."
 	
-	if [ -f /var/lib/shorewall/savedyn ]; then
-	    while read target ignore1 ignore2 address rest; do
-		case $target in
-		    DROP|reject)
-			chains=`dynamic_chains_by_address $address`
-		    
-			for chain in ${chains:-dynamic}; do
-			    run_iptables2 -I $chain -s $address -j $target
-			done
-			;;
-		    *)
-			;;
-		esac
-	    done < /var/lib/shorewall/savedyn
-	fi
-
 	if [ -f /var/lib/shorewall/save ]; then
 	    while read target ignore1 ignore2 address rest; do
 		case $target in
@@ -3898,9 +3876,7 @@ initialize_netfilter () {
 
     for interface in $all_interfaces; do
 	createchain `forward_chain $interface` no
-	run_iptables -A `forward_chain $interface` -j `dynamic_chain $interface`
 	createchain `input_chain $interface`   no
-	run_iptables -A `input_chain $interface`   -j `dynamic_chain $interface`
     done
 }
 

Shorewall/functions

@@ -401,14 +401,6 @@ chain_base() #$1 = interface
     done
 }
 
-#
-# Dynamic Blacklisting Chain to an interface
-#
-dynamic_chain() # $1 = interface
-{
-   echo `chain_base $1`_dyn
-}
-
 #
 # Remove trailing digits from a name
 #
@@ -492,20 +484,3 @@ find_interface_by_address() {
     [ -n "$dev" ] && echo $dev
 }
 
-#
-# Expands to a list of dynamic chains for the passed address 
-#
-
-dynamic_chains_by_address()
-{
-    local interface iface
-
-    interface=`find_interface_by_address $1`
-
-    [ -z "$interface" ] && echo dynamic && return
-
-    for iface in $all_interfaces; do
-	if_match $iface $interface && echo `dynamic_chain $iface`
-    done
-}
-

Shorewall/help

@@ -52,10 +52,9 @@ address|host)
 allow)
 	echo "allow: allow <address> ...
     Re-enables receipt of packets from hosts previously blacklisted
-    by a drop, dropall, reject or rejectall command.
+    by a drop or reject command.
 
-    Shorewall allow, drop, dropall, reject, rejectall, and save implement
-    dynamic blacklisting.
+    Shorewall allow, drop, rejct and save implement dynamic blacklisting.
 
     See also \"help address\""
 	;;
@@ -106,16 +105,11 @@ delete)
     See also \"help host\""
 	;;
 
-drop|dropall)
+drop)
 	echo "$1: $1 <address> ...
     Causes packets from the specified <address> to be ignored
 
-    Shorewall allow, drop, dropall, reject, rejectall, and save implement
-    dynamic blacklisting.
-
-    'dropall' causes all interfaces to be monitored for packets from the
-    given address while 'drop' causes only those interfaces with a route
-    to the address to be monitored.
+    Shorewall allow, drop, rejct and save implement dynamic blacklisting.
 
     See also \"help address\""
 	;;
@@ -162,16 +156,11 @@ refresh)
     to reflect any changes made.  Existing connections are untouched"
 	;;
 
-reject|rejectall)
+reject)
 	echo "$1: $1 <address> ...
     Causes packets from the specified <address> to be rejected
 
-    Shorewall allow, drop, dropall, reject, rejectall, and save implement
-    dynamic blacklisting.
-
-    'rejectall' causes all interfaces to be monitored for packets from the
-    given address while 'reject' causes only those interfaces with a route
-    to the address to be monitored.
+    Shorewall allow, drop, rejct and save implement dynamic blacklisting.
 
     See also \"help address\""
 	;;
@@ -190,8 +179,7 @@ restart)
 save)
 	echo "save: save
     The dynamic data is stored in /var/lib/shorewall/save
-    Shorewall allow, drop, dropall, reject, rejectall, and save implement
-    dynamic blacklisting."
+    Shorewall allow, drop, rejct and save implement dynamic blacklisting."
 	;;
 
 show)

Shorewall/releasenotes.txt

@@ -30,30 +30,25 @@ Problems Corrected since version 1.4.6:
 
 Migration Issues:
 
-1) Once you have installed this version of Shorewall, you must 
-   restart Shorewall before you may use the 'drop', 'reject', 'allow'
-   or 'save' commands.
+1) IP Traffic Accounting is changed from Snapshot 20030813. 
 
-2) To maintain strict compatibility with previous versions, current
-   uses of "shorewall drop" and "shorewall reject" should be replaced
-   with "shorewall dropall" and "shorewall rejectall".
-
-3) IP Traffic Accounting is changed from Snapshot 20030813. 
-
-4) The Uset Set capability introduced in SnapShot 20030821 has
+2) The Uset Set capability introduced in SnapShot 20030821 has
    changed -- see the User Set page for details.
 
+3) The per-interface dynamic blacklisting facility from previous 1.4.6
+   Snapshots has been removed. The implications of the facility for 
+   users with dial-up internet connections were too complicated to
+   document adaquately. My apologies for unleashing this half-baked
+   idea on the user base.
+
 New Features:
 
-1) Shorewall now creates a dynamic blacklisting chain for each interface
-   defined in /etc/shorewall/interfaces. The 'drop' and 'reject'
-   commands use the routing table to determine which of these chains is
-   to be used for blacklisting the specified IP address(es).
-
-   Two new commands ('dropall' and 'rejectall') have been introduced
-   that do what 'drop' and 'reject' used to do; namely, when an address
-   is blacklisted using these new commands, it will be blacklisted on
-   all of your firewall's interfaces.
+1) The 2.6 series of Linux kernels will not support the 'unclean'
+   match extension except in Patch-O-Matic. In keeping with the
+   Shorewall policy of not supporting netfilter extensions that are
+   only available in Patch-O-Matic, the 'dropunclean' and
+   'logunclean' interface options will be removed in a future
+   release. In the 1.4.7 release, they are flagged with a warning.
 
 2) Thanks to Steve Herber, the help command can now give
    command-specific help.
@@ -273,3 +268,4 @@ New Features:
 11) Output rules (those with $FW as the SOURCE) may now be limited to
     a set of local users and/or groups. See
     http://shorewall.net/UserSets.html for details.
+

Shorewall/shorewall

@@ -252,10 +252,9 @@ display_chains()
 	echo "$banner `date`"
 	echo
 	firstchain=Yes
-	echo "Dynamic Chains"
+	echo "Dynamic Chain"
 	echo
 	showchain dynamic
-	showchain '.*_dyn'
 	timed_read
 
 	qt rm -f /tmp/chains-$$
@@ -518,45 +517,6 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
     done
 }
 
-#
-# Load list of interfaces into the 'all_interfaces' variable 
-#
-load_all_interfaces() {
-    if [ ! -f $STATEDIR/interfaces ] ; then
-	echo "ERROR: $STATEDIR/interfaces does not exist" >&2
-	mutex_off
-	exit 2
-    fi
-
-    read all_interfaces < $STATEDIR/interfaces
-}
-
-#
-# Save Dynamic Blacklist
-#
-save_dynamic_blacklist() {
-
-    [ -d /var/lib/shorewall ] || mkdir -p /var/lib/shorewall
-
-    load_all_interfaces
-
-    > /var/lib/shorewall/savedyn
-
-    for interface in $all_interfaces; do
-	if ! iptables -L `dynamic_chain $interface` >> /var/lib/shorewall/savedyn; then
-	    echo "Error Saving the Dynamic Rules"
-	    return
-	fi
-    done
-
-    if iptables -L dynamic -n >> /var/lib/shorewall/save; then
-	echo "Dynamic Rules Saved"
-    else
-	echo "Error Saving the Dynamic Rules"
-    fi
-
-}
-
 #
 # Help information
 #
@@ -578,7 +538,7 @@ usage() # $1 = exit status
     echo "   check"
     echo "   clear"
     echo "   delete <interface>[:<host>] <zone>"
-    echo "   drop|dropall <address> ..."
+    echo "   drop <address> ..."
     echo "   help [ <command > | host | address ]"
     echo "   hits"
     echo "   ipcalc [ <address>/<vlsm> | <address> <netmask> ]"
@@ -586,7 +546,7 @@ usage() # $1 = exit status
     echo "   logwatch [<refresh interval>]"
     echo "   monitor [<refresh interval>]"
     echo "   refresh"
-    echo "   reject|rejectall <address> ..."
+    echo "   reject <address> ..."
     echo "   reset"
     echo "   restart"
     echo "   save"
@@ -899,18 +859,6 @@ case "$1" in
     drop)
 	[ $# -eq 1 ] && usage 1
 	mutex_on
-
-	load_all_interfaces
-	
-	while [ $# -gt 1 ]; do
-	    shift
-	    chains=`dynamic_chains_by_address $1`
-	    
-	    for chain in $chains; do
-		iptables -A $chain -s $1 -j DROP || break 1
-		echo "$1 Rejected in Chain $chain"
-	    done
-	done
 	while [ $# -gt 1 ]; do
 	    shift
 	    iptables -A dynamic -s $1 -j DROP || break 1
@@ -921,74 +869,43 @@ case "$1" in
     reject)
 	[ $# -eq 1 ] && usage 1
 	mutex_on
-
-	load_all_interfaces
-
 	while [ $# -gt 1 ]; do
 	    shift
-	    chains=`dynamic_chains_by_address $1`
-	    
-	    for chain in $chains; do
-		iptables -A $chain -s $1 -j reject || break 1
-		echo "$1 Rejected in Chain $chain"
+	    iptables -A dynamic -s $1 -j reject || break 1
+	    echo "$1 Rejected"
 	done
-	done
-
 	mutex_off
 	;;
     allow)
 	[ $# -eq 1 ] && usage 1
 	mutex_on
-
-	load_all_interfaces
-
 	while [ $# -gt 1 ]; do
 	    shift
-
-	    chains=`dynamic_chains_by_address $1`
-
-	    for chain in $chains; do
-		if qt iptables -D $chain -s $1 -j reject; then
+	    if	qt iptables -D dynamic -s $1 -j reject; then
 		#
 		# Address was rejected -- silently remove any drop as well
 		#
-		    qt iptables -D $chain -s $1 -j DROP
-		    echo "$1 Allowed in Chain $chain"
-		elif qt iptables -D $chain -s $1 -j DROP; then
-		    echo "$1 Allowed in Chain $chain"
+		qt iptables -D dynamic -s $1 -j DROP
+		echo "$1 Allowed"
+	    elif qt iptables -D dynamic -s $1 -j DROP; then
+		echo "$1 Allowed"
 	    else
-		    echo "$1 Not Dropped or Rejected in Chain $chain"
+		echo "$1 Not Dropped or Rejected"
 	    fi
 	done
-	done
-
-	mutex_off
-	;;
-    dropall)
-	[ $# -eq 1 ] && usage 1
-	mutex_on
-	while [ $# -gt 1 ]; do
-	    shift
-	    iptables -A dynamic -s $1 -j DROP || break 1
-	    echo "$1 Dropped in Chain dynamic"
-	done
-	mutex_off
-	;;
-    rejectall)
-	[ $# -eq 1 ] && usage 1
-	mutex_on
-	while [ $# -gt 1 ]; do
-	    shift
-	    iptables -A dynamic -s $1 -j reject || break 1
-	    echo "$1 Rejected in Chain dynamic"
-	done
 	mutex_off
 	;;
     save)
 	[ $# -ne 1 ] && usage 1
 	mutex_on
 	if qt iptables -L shorewall -n; then
-	    save_dynamic_blacklist
+	    [ -d /var/lib/shorewall ] || mkdir /var/lib/shorewall
+
+	    if iptables -L dynamic -n > /var/lib/shorewall/save; then
+		echo "Dynamic Rules Saved"
+	    else
+		echo "Error Saving the Dynamic Rules"
+	    fi
 	else
 	    echo "Shorewall isn't started"
 	fi