Don't create classic blacklist chains if no blacklist file.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2012-09-12 07:30:34 -07:00
parent 89289f95ba
commit a223245c01
2 changed files with 45 additions and 45 deletions


@ -204,25 +204,24 @@ sub setup_blacklist() {
my $target = $disposition eq 'REJECT' ? 'reject' : $disposition; my $target = $disposition eq 'REJECT' ? 'reject' : $disposition;
my $orig_target = $target; my $orig_target = $target;
#
# We go ahead and generate the blacklist chains and jump to them, even if they turn out to be empty. That is necessary
# for 'refresh' to work properly.
#
if ( @$zones || @$zones1 ) {
$chainref = set_optflags( new_standard_chain( 'blacklst' ), DONT_OPTIMIZE | DONT_DELETE ) if @$zones;
$chainref1 = set_optflags( new_standard_chain( 'blackout' ), DONT_OPTIMIZE | DONT_DELETE ) if @$zones1;
if ( supplied $level ) {
$target = ensure_blacklog_chain ( $target, $disposition, $level, $audit );
} elsif ( $audit ) {
require_capability 'AUDIT_TARGET', "BLACKLIST_DISPOSITION=$disposition", 's';
$target = verify_audit( $disposition );
}
}
BLACKLIST: BLACKLIST:
{ {
if ( my $fn = open_file 'blacklist' ) { if ( my $fn = open_file 'blacklist' ) {
#
# We go ahead and generate the blacklist chains and jump to them, even if they turn out to be empty. That is necessary
# for 'refresh' to work properly.
#
if ( @$zones || @$zones1 ) {
$chainref = set_optflags( new_standard_chain( 'blacklst' ), DONT_OPTIMIZE | DONT_DELETE ) if @$zones;
$chainref1 = set_optflags( new_standard_chain( 'blackout' ), DONT_OPTIMIZE | DONT_DELETE ) if @$zones1;
if ( supplied $level ) {
$target = ensure_blacklog_chain ( $target, $disposition, $level, $audit );
} elsif ( $audit ) {
require_capability 'AUDIT_TARGET', "BLACKLIST_DISPOSITION=$disposition", 's';
$target = verify_audit( $disposition );
}
}
my $first_entry = 1; my $first_entry = 1;
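Review bot: The comment that moved into the `open_file 'blacklist'` branch still says the chains are generated "even if they turn out to be empty" so that 'refresh' works, but after this change `blacklst` and `blackout` are created only when a blacklist file is found. Reword it to match the new condition, for example `# Create the blacklist chains whenever a blacklist file exists, even if it yields no rules; 'refresh' needs the chains to be present.` It would also help to note that a blacklist file added after the firewall was started without one presumably cannot take effect through 'refresh', because there are no chains and no jumps to populate; confirm this against the refresh path. The body of setup_blacklist continues outside this hunk.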


@ -2373,41 +2373,42 @@ sub classic_blacklist() {
my $zoneref = find_zone( $zone ); my $zoneref = find_zone( $zone );
my $simple = @zones <= 2 && ! $zoneref->{complex}; my $simple = @zones <= 2 && ! $zoneref->{complex};
if ( $zoneref->{options}{in}{blacklist} ) { if ( my $blackref = $filter_table->{blacklst} ) {
my $blackref = $filter_table->{blacklst}; if ( $zoneref->{options}{in}{blacklist} ) {
add_ijump ensure_rules_chain( rules_chain( $zone, $_ ) ) , j => $blackref , @state for firewall_zone, @vservers; add_ijump ensure_rules_chain( rules_chain( $zone, $_ ) ) , j => $blackref , @state for firewall_zone, @vservers;
if ( $simple ) { if ( $simple ) {
# #
# We won't create a zone forwarding chain for this zone so we must add blacklisting jumps to the rules chains # We won't create a zone forwarding chain for this zone so we must add blacklisting jumps to the rules chains
# #
for my $zone1 ( @zones ) { for my $zone1 ( @zones ) {
my $ruleschain = rules_chain( $zone, $zone1 ); my $ruleschain = rules_chain( $zone, $zone1 );
my $ruleschainref = $filter_table->{$ruleschain};
if ( $zone ne $zone1 || intrazone_allowed( $zone, $zoneref ) ) {
add_ijump( ensure_rules_chain( $ruleschain ), j => $blackref, @state );
}
}
}
$result = 1;
}
if ( $zoneref->{options}{out}{blacklist} ) {
$blackref = $filter_table->{blackout};
add_ijump ensure_rules_chain( rules_chain( firewall_zone, $zone ) ) , j => $blackref , @state;
for my $zone1 ( @zones, @vservers ) {
my $ruleschain = rules_chain( $zone1, $zone );
my $ruleschainref = $filter_table->{$ruleschain}; my $ruleschainref = $filter_table->{$ruleschain};
if ( $zone ne $zone1 || intrazone_allowed( $zone, $zoneref ) ) { if ( ( $zone ne $zone1 || intrazone_allowed( $zone, $zoneref ) ) ) {
add_ijump( ensure_rules_chain( $ruleschain ), j => $blackref, @state ); add_ijump( ensure_rules_chain( $ruleschain ), j => $blackref, @state );
} }
} }
$result = 1;
} }
$result = 1;
}
if ( $zoneref->{options}{out}{blacklist} ) {
my $blackref = $filter_table->{blackout};
add_ijump ensure_rules_chain( rules_chain( firewall_zone, $zone ) ) , j => $blackref , @state;
for my $zone1 ( @zones, @vservers ) {
my $ruleschain = rules_chain( $zone1, $zone );
my $ruleschainref = $filter_table->{$ruleschain};
if ( ( $zone ne $zone1 || intrazone_allowed( $zone, $zoneref ) ) ) {
add_ijump( ensure_rules_chain( $ruleschain ), j => $blackref, @state );
}
}
$result = 1;
} }
unless ( $simple ) { unless ( $simple ) {
@ -2416,7 +2417,7 @@ sub classic_blacklist() {
# #
my $frwd_ref = new_standard_chain zone_forward_chain( $zone ); my $frwd_ref = new_standard_chain zone_forward_chain( $zone );
add_ijump( $frwd_ref , j => $filter_table->{blacklst}, @state ) if $zoneref->{options}{in}{blacklist}; add_ijump( $frwd_ref , j => $filter_table->{blacklst}, @state ) if $filter_table->{blacklst} && $zoneref->{options}{in}{blacklist};
} }
} }
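Review bot: The outbound branch appears to sit inside the new `if ( my $blackref = $filter_table->{blacklst} )` guard, because the new side reassigns `$blackref = $filter_table->{blackout};` without `my`. setup_blacklist creates `blacklst` only `if @$zones` and `blackout` only `if @$zones1`, so a configuration with only outbound-blacklisted zones would get no jumps to `blackout` and outbound blacklisting would silently not be enforced. Each direction should test its own chain, for example `if ( ( my $outref = $filter_table->{blackout} ) && $zoneref->{options}{out}{blacklist} ) {` placed beside the inbound guard rather than under it. The nesting is inferred from a rendered page that has lost indentation and +/- markers, so confirm it against the file.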