Delete BLACKLISTSECTION

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2011-11-06 14:46:14 -08:00
parent da7516d401
commit 6108a9cad8
18 changed files with 32 additions and 90 deletions


@ -110,8 +110,6 @@ AUTOMAKE=No
BLACKLISTNEWONLY=Yes BLACKLISTNEWONLY=Yes
BLACKLISTSECTION=No
CLAMPMSS=No CLAMPMSS=No
CLEAR_TC=Yes CLEAR_TC=Yes


@ -121,8 +121,6 @@ AUTOMAKE=No
BLACKLISTNEWONLY=Yes BLACKLISTNEWONLY=Yes
BLACKLISTSECTION=No
CLAMPMSS=No CLAMPMSS=No
CLEAR_TC=Yes CLEAR_TC=Yes


@ -119,8 +119,6 @@ AUTOMAKE=No
BLACKLISTNEWONLY=Yes BLACKLISTNEWONLY=Yes
BLACKLISTSECTION=No
CLAMPMSS=Yes CLAMPMSS=Yes
CLEAR_TC=Yes CLEAR_TC=Yes


@ -122,8 +122,6 @@ AUTOMAKE=No
BLACKLISTNEWONLY=Yes BLACKLISTNEWONLY=Yes
BLACKLISTSECTION=No
CLAMPMSS=Yes CLAMPMSS=Yes
CLEAR_TC=Yes CLEAR_TC=Yes


@ -105,8 +105,6 @@ AUTOMAKE=No
BLACKLISTNEWONLY=Yes BLACKLISTNEWONLY=Yes
BLACKLISTSECTION=No
CLAMPMSS=No CLAMPMSS=No
CLEAR_TC=Yes CLEAR_TC=Yes


@ -105,8 +105,6 @@ AUTOMAKE=No
BLACKLISTNEWONLY=Yes BLACKLISTNEWONLY=Yes
BLACKLISTSECTION=No
CLAMPMSS=No CLAMPMSS=No
CLEAR_TC=Yes CLEAR_TC=Yes


@ -105,8 +105,6 @@ AUTOMAKE=No
BLACKLISTNEWONLY=Yes BLACKLISTNEWONLY=Yes
BLACKLISTSECTION=No
CLAMPMSS=No CLAMPMSS=No
CLEAR_TC=Yes CLEAR_TC=Yes


@ -105,8 +105,6 @@ AUTOMAKE=No
BLACKLISTNEWONLY=Yes BLACKLISTNEWONLY=Yes
BLACKLISTSECTION=No
CLAMPMSS=No CLAMPMSS=No
CLEAR_TC=Yes CLEAR_TC=Yes


@ -569,7 +569,6 @@ sub initialize( $ ) {
COMPLETE => undef, COMPLETE => undef,
EXPORTMODULES => undef, EXPORTMODULES => undef,
LEGACY_FASTSTART => undef, LEGACY_FASTSTART => undef,
BLACKLISTSECTION => undef,
# #
# Packet Disposition # Packet Disposition
# #
@ -1571,6 +1570,8 @@ sub copy1( $ ) {
my $filename = find_file $line[1]; my $filename = find_file $line[1];
warning_message "Reserved filename ($1) in INCLUDE directive" if $filename =~ '/(.*)' && $config_files{$1};
fatal_error "INCLUDE file $filename not found" unless -f $filename; fatal_error "INCLUDE file $filename not found" unless -f $filename;
fatal_error "Directory ($filename) not allowed in INCLUDE" if -d _; fatal_error "Directory ($filename) not allowed in INCLUDE" if -d _;
@ -3694,7 +3695,6 @@ sub get_configuration( $$$ ) {
default_yes_no 'COMPLETE' , ''; default_yes_no 'COMPLETE' , '';
default_yes_no 'EXPORTMODULES' , ''; default_yes_no 'EXPORTMODULES' , '';
default_yes_no 'LEGACY_FASTSTART' , 'Yes'; default_yes_no 'LEGACY_FASTSTART' , 'Yes';
default_yes_no 'BLACKLISTSECTION' , 'Yes';
require_capability 'MARK' , 'FORWARD_CLEAR_MARK=Yes', 's', if $config{FORWARD_CLEAR_MARK}; require_capability 'MARK' , 'FORWARD_CLEAR_MARK=Yes', 's', if $config{FORWARD_CLEAR_MARK};


@ -1741,13 +1741,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
# #
# We can now dispense with the postfix character # We can now dispense with the postfix character
# #
if ( $action =~ s/[\+\-!]$// && $blacklist ) { fatal_error "The +, - and ! modifiers are not allowed in the bllist file or in the BLACKLIST section" if $action =~ s/[\+\-!]$// && $blacklist;
if ( $config{BLACKLISTSECTION} ) {
fatal_error "The +, - and ! modifiers are not allowed in the BLACKLIST section";
} else {
fatal_error "The +, - and ! modifiers are not allowed in the blrules file";
}
}
# #
# Handle actions # Handle actions
# #
@ -1813,14 +1807,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
CONTINUE => sub { $action = 'RETURN'; } , CONTINUE => sub { $action = 'RETURN'; } ,
WHITELIST => sub { WHITELIST => sub {
unless ( $blacklist ) { fatal_error "'WHITELIST' may only be used in the blrules file and in the 'BLACKLIST' section" unless $blacklist;
if ( $config{BLACKLISTSECTION} ) {
fatal_error "'WHITELIST' may only be used in the 'BLACKLIST' section";
} else {
fatal_error "'WHITELIST' may only be used in the blrules file";
}
}
$action = 'RETURN'; $action = 'RETURN';
} , } ,
@ -2298,9 +2285,7 @@ sub process_section ($) {
fatal_error "Duplicate or out of order SECTION $sect" if $sections{$sect}; fatal_error "Duplicate or out of order SECTION $sect" if $sections{$sect};
$sections{$sect} = 1; $sections{$sect} = 1;
if ( $sect eq 'BLACKLIST' ) { if ( $sect eq 'ALL' ) {
fatal_error "A BLACKLIST section is not allowed when BLACKLISTSECTION=No" unless $config{BLACKLISTSECTION};
} elsif ( $sect eq 'ALL' ) {
$sections{BLACKLIST} = 1; $sections{BLACKLIST} = 1;
} elsif ( $sect eq 'ESTABLISHED' ) { } elsif ( $sect eq 'ESTABLISHED' ) {
$sections{'BLACKLIST','ALL'} = ( 1, 1); $sections{'BLACKLIST','ALL'} = ( 1, 1);
@ -2457,21 +2442,19 @@ sub process_rule ( ) {
# #
sub process_rules() { sub process_rules() {
unless ( $config{BLACKLISTSECTION} ) { my $fn = open_file 'blrules';
my $fn = open_file 'blrules';
if ( $fn ) { if ( $fn ) {
first_entry "$doing $fn..."; first_entry "$doing $fn...";
$section = 'BLACKLIST'; $section = 'BLACKLIST';
process_rule while read_a_line; process_rule while read_a_line;
$section = ''; $section = '';
}
} }
my $fn = open_file 'rules'; $fn = open_file 'rules';
if ( $fn ) { if ( $fn ) {
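Review bot: The collapsed error message at the top of the first process_rule1 hunk reads "not allowed in the bllist file or in the BLACKLIST section", where `bllist` looks like a typo for `blrules` — both removed messages and the WHITELIST message in the next hunk name the `blrules` file — so the line should be `fatal_error "The +, - and ! modifiers are not allowed in the blrules file or in the BLACKLIST section" if $action =~ s/[\+\-!]$// && $blacklist;`. The reason process_rules now reads blrules unconditionally before the rules file is only implied by the manpage change in this commit, so a comment above the first `open_file` would help: `# blrules is processed before the rules file so that its entries precede any BLACKLIST section there`. Pre-existing but visible in the process_section hunk, `$sections{'BLACKLIST','ALL'} = ( 1, 1);` is a single `$;`-joined hash key rather than a slice, so only that composite key is set; `@sections{'BLACKLIST','ALL'} = ( 1, 1 );` marks both sections. process_rule1, process_section and process_rules each start or end outside their hunks.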


@ -110,8 +110,6 @@ AUTOMAKE=No
BLACKLISTNEWONLY=Yes BLACKLISTNEWONLY=Yes
BLACKLISTSECTION=No
CLAMPMSS=No CLAMPMSS=No
CLEAR_TC=Yes CLEAR_TC=Yes


@ -105,8 +105,6 @@ AUTOMAKE=No
BLACKLISTNEWONLY=Yes BLACKLISTNEWONLY=Yes
BLACKLISTSECTION=No
CLAMPMSS=No CLAMPMSS=No
CLEAR_TC=No CLEAR_TC=No


@ -23,9 +23,7 @@
<refsect1> <refsect1>
<title>Description</title> <title>Description</title>
<para>This file is used to perform blacklisting and whitelisting when <para>This file is used to perform blacklisting and whitelisting.</para>
BLACKLISTSECTION=No in <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5)l.</para>
<para>Rules in this file are applied depending on the setting of <para>Rules in this file are applied depending on the setting of
BLACKLISTNEWONLY in <ulink BLACKLISTNEWONLY in <ulink
@ -154,9 +152,9 @@
<para>the rest of the line will be attached as a comment to <para>the rest of the line will be attached as a comment to
the Netfilter rule(s) generated by the following entries. The the Netfilter rule(s) generated by the following entries. The
comment will appear delimited by "/* ... */" in the output of comment will appear delimited by "/* ... */" in the output of
"shorewall show &lt;chain&gt;". To stop the comment from "shorewall show &lt;chain&gt;". To stop the comment from being
being attached to further rules, simply include COMMENT on a attached to further rules, simply include COMMENT on a line by
line by itself.</para> itself.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>


@ -50,13 +50,19 @@
<term><emphasis role="bold">BLACKLIST</emphasis></term> <term><emphasis role="bold">BLACKLIST</emphasis></term>
<listitem> <listitem>
<para>This section was added in Shorewall 4.4.25. Rules in this <para>This section was added in Shorewall 4.4.25.</para>
section are applied depending on the setting of BLACKLISTNEWONLY in
<ulink url="shorewall.conf.html">shorewall.conf</ulink>(5). If <para>Rules in this section are applied depending on the setting of
BLACKLISTNEWONLY in <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5). If
BLACKLISTNEWONLY=No, then they are applied regardless of the BLACKLISTNEWONLY=No, then they are applied regardless of the
connection tracking state of the packet. If BLACKLISTNEWONLY=Yes, connection tracking state of the packet. If BLACKLISTNEWONLY=Yes,
they are applied to connections in the NEW and INVALID they are applied to connections in the NEW and INVALID
states.</para> states.</para>
<para>When there are rules in this sectionas well as in
shorewall-blrules (5), those in this section are processed
last.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>


@ -377,19 +377,6 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">BLACKLISTSECTION=</emphasis>{<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
<listitem>
<para>Added in Shorewall 4.4.26. When omitted or set to Yes,
zone-specific blacklisting rules are placed in the BLACKLIST section
of <ulink url="shorewall-rules.html">shorewall-rules</ulink> (5).
When set to No, zone-specific blacklisting rules are place in <ulink
url="shorewall-blrules.html">shorewall-blrules</ulink> (5).</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">CLAMPMSS=[</emphasis><emphasis <term><emphasis role="bold">CLAMPMSS=[</emphasis><emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">Yes</emphasis>|<emphasis


@ -23,9 +23,8 @@
<refsect1> <refsect1>
<title>Description</title> <title>Description</title>
<para>This file is used to perform blacklisting and whitelisting when <para>This file is used to perform zone-specific blacklisting and
BLACKLISTSECTION=No in <ulink whitelisting.</para>
url="shorewall6.conf.html">shorewall6.conf</ulink>(5)l.</para>
<para>Rules in this file are applied depending on the setting of <para>Rules in this file are applied depending on the setting of
BLACKLISTNEWONLY in <ulink BLACKLISTNEWONLY in <ulink


@ -43,9 +43,7 @@
<term><emphasis role="bold">BLACKLIST</emphasis></term> <term><emphasis role="bold">BLACKLIST</emphasis></term>
<listitem> <listitem>
<para>This section was added in Shorewall 4.4.25 and is only <para>This section was added in Shorewall 4.4.25.</para>
permitted when BLACKLISTSECTION=Yes in <ulink
url="shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
<para>Rules in this section are applied depending on the setting of <para>Rules in this section are applied depending on the setting of
BLACKLISTNEWONLY in <ulink BLACKLISTNEWONLY in <ulink
@ -54,6 +52,10 @@
connection tracking state of the packet. If BLACKLISTNEWONLY=Yes, connection tracking state of the packet. If BLACKLISTNEWONLY=Yes,
they are applied to connections in the NEW and INVALID they are applied to connections in the NEW and INVALID
states.</para> states.</para>
<para>When there are rules in this sectionas well as in
shorewall-blrules (5), those in this section are processed
last.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>


@ -308,19 +308,6 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">BLACKLISTSECTION=</emphasis>{<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
<listitem>
<para>Added in Shorewall 4.4.26. When omitted or set to Yes,
zone-specific blacklisting rules are placed in the BLACKLIST section
of <ulink url="shorewall6-rules.html">shorewall6-rules</ulink> (5).
When set to No, zone-specific blacklisting rules are place in <ulink
url="shorewall6-blrules.html">shorewall6-blrules</ulink> (5).</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">CLAMPMSS=[</emphasis><emphasis <term><emphasis role="bold">CLAMPMSS=[</emphasis><emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">Yes</emphasis>|<emphasis