Allow conversion of a legacy blacklist configuration

Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2011-11-08 12:59:40 -08:00
parent 6108a9cad8
commit d053faadde
13 changed files with 508 additions and 77 deletions


@ -54,10 +54,10 @@ my $family;
#
# Initilize the package-globals in the other modules
#
sub initialize_package_globals() {
sub initialize_package_globals( $ ) {
Shorewall::Config::initialize($family);
Shorewall::Chains::initialize ($family, 1, $export );
Shorewall::Zones::initialize ($family);
Shorewall::Zones::initialize ($family, shift);
Shorewall::Nat::initialize;
Shorewall::Providers::initialize($family);
Shorewall::Tc::initialize($family);
@ -525,8 +525,8 @@ EOF
#
sub compiler {
my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity, $preview, $confess , $update , $annotate ) =
( '', '', -1, '', 0, '', '', -1, 0, 0, 0, 0, );
my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity, $preview, $confess , $update , $annotate , $convert ) =
( '', '', -1, '', 0, '', '', -1, 0, 0, 0, 0, , 0 );
$export = 0;
$test = 0;
@ -561,6 +561,7 @@ sub compiler {
preview => { store => \$preview, validate=> \&validate_boolean } ,
confess => { store => \$confess, validate=> \&validate_boolean } ,
update => { store => \$update, validate=> \&validate_boolean } ,
convert => { store => \$convert, validate=> \&validate_boolean } ,
annotate => { store => \$annotate, validate=> \&validate_boolean } ,
);
#
@ -579,7 +580,7 @@ sub compiler {
#
# Now that we know the address family (IPv4/IPv6), we can initialize the other modules' globals
#
initialize_package_globals;
initialize_package_globals( $update );
if ( $directory ne '' ) {
fatal_error "$directory is not an existing directory" unless -d $directory;
@ -673,7 +674,7 @@ sub compiler {
#
# Do all of the zone-independent stuff (mostly /proc)
#
add_common_rules;
add_common_rules( $convert );
#
# More /proc
#
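Review bot: The new initializer list `( '', '', -1, '', 0, '', '', -1, 0, 0, 0, 0, , 0 );` carries a doubled comma before the final `0`; Perl accepts consecutive commas in a list, so it is not a bug, but it reads like a dropped value and should be `( '', '', -1, '', 0, '', '', -1, 0, 0, 0, 0, 0 );`. The same set of hunks passes `$update` to `initialize_package_globals` but `$convert` to `add_common_rules`, and both end up in a variable called `$upgrade` in their respective modules (see the Zones.pm and Misc.pm sections), which makes it hard to tell which flag drives which behaviour; a comment at the call sites such as `# $update: shorewall.conf rewrite; $convert: legacy blacklist migration` would help, assuming that is the intended split. The body of `compiler` continues outside these hunks.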


@ -1268,7 +1268,7 @@ sub set_debug( $$ ) {
#
sub find_file($)
{
my $filename=$_[0];
my ( $filename, $nosearch ) = @_;
return $filename if $filename =~ '/';
@ -1279,7 +1279,7 @@ sub find_file($)
return $file if -f $file;
}
"$globals{CONFDIR}/$filename";
"$config_path[0]$filename";
}
sub split_list( $$ ) {
@ -1949,9 +1949,10 @@ sub expand_variables( \$ ) {
# - Handle INCLUDE <filename>
#
sub read_a_line(;$$) {
sub read_a_line(;$$$) {
my $embedded_enabled = defined $_[0] ? shift : 1;
my $expand_variables = defined $_[0] ? shift : 1;
my $strip_comments = defined $_[0] ? shift : 1;
while ( $currentfile ) {
@ -1971,7 +1972,7 @@ sub read_a_line(;$$) {
# If this isn't a continued line, remove trailing comments. Note that
# the result may now end in '\'.
#
s/\s*#.*$// unless /\\$/;
s/\s*#.*$// if $strip_comments && ! /\\$/;
#
# Continuation
#
@ -1979,7 +1980,7 @@ sub read_a_line(;$$) {
#
# Now remove concatinated comments
#
$currentline =~ s/#.*$//;
$currentline =~ s/#.*$// if $strip_comments;
#
# Ignore ( concatenated ) Blank Lines
#
@ -3126,7 +3127,7 @@ EOF
progress_message3 "No update required to configuration file $configfile; $configfile.b";
}
exit 0;
exit 0 unless -f find_file 'blacklist';
}
} else {
fatal_error "$fn does not exist";
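Review bot: `find_file` now unpacks two arguments, `my ( $filename, $nosearch ) = @_;`, but its prototype is still `($)`, so a call written as `find_file $file, 1` parses as `(find_file $file), 1` and silently drops the second argument, while `find_file($file, 1)` is a compile-time "Too many arguments" error; the prototype should become `sub find_file($;$)`. `$nosearch` is not referenced in the visible lines and the function body continues outside the hunk, so I cannot tell whether it is consumed further down. The fallback return changed from `"$globals{CONFDIR}/$filename"` to `"$config_path[0]$filename"`, which presumably relies on every `@config_path` entry ending in `/` — worth a `# assumes config_path entries carry a trailing slash` comment if so. In the last hunk, `exit 0 unless -f find_file 'blacklist';` turns an unconditional exit into a conditional one; a short comment stating why the presence of a blacklist file keeps the update running would save the next reader a trip to Misc.pm.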


@ -348,6 +348,239 @@ sub setup_blacklist() {
}
}
#
# Remove instances of 'blacklist' from the passed file.
#
sub remove_blacklist( $ ) {
my $file = shift;
my $fn = find_file $file;
assert( -f $fn );
my $oldfile = open_file $fn;
my $newfile;
my $changed;
open $newfile, '>', "$fn.new" or fatal_error "Unable to open $fn.new for output: $!";
while ( read_a_line(1,1,0) ) {
my ( $rule, $comment ) = split '#', $currentline, 2;
if ( $rule =~ /blacklist/ ) {
$changed = 1;
if ( $comment ) {
$comment =~ s/^/ / while $rule =~ s/blacklist,//;
$rule =~ s/blacklist/ /g;
$currentline = join( '#', $rule, $comment );
} else {
$currentline =~ s/blacklist/ /g;
}
}
print $newfile "$currentline\n";
}
close $newfile;
if ( $changed ) {
rename $fn, "$fn.bak" or fatal_error "Unable to rename $fn to $fn.bak: $!";
rename "$fn.new", $fn or fatal_error "Unable to rename $fn.new to $fn: $!";
progress_message2 "\u$file file $fn saved in $fn.bak"
}
}
#
# Convert a pre-4.4.25 blacklist to a 4.4.25 blacklist
#
sub convert_blacklist() {
my $zones = find_zones_by_option 'blacklist', 'in';
my $zones1 = find_zones_by_option 'blacklist', 'out';
my $chainref;
my $chainref1;
my ( $level, $disposition ) = @config{'BLACKLIST_LOGLEVEL', 'BLACKLIST_DISPOSITION' };
my $audit = $disposition =~ /^A_/;
my $target = $disposition eq 'REJECT' ? 'reject' : $disposition;
my $orig_target = $target;
my @rules;
if ( @$zones || @$zones1 ) {
if ( supplied $level ) {
my $logchainref = new_standard_chain 'blacklog';
$target =~ s/A_//;
$target = 'reject' if $target eq 'REJECT';
log_rule_limit( $level , $logchainref , 'blacklst' , $disposition , "$globals{LOGLIMIT}" , '', 'add', '' );
add_ijump( $logchainref, j => 'AUDIT', targetopts => '--type ' . lc $target ) if $audit;
add_ijump( $logchainref, g => $target );
$target = 'blacklog';
} elsif ( $audit ) {
require_capability 'AUDIT_TARGET', "BLACKLIST_DISPOSITION=$disposition", 's';
$target = verify_audit( $disposition );
}
my $fn = open_file 'blacklist';
assert $fn;
first_entry "Converting $fn...";
while ( read_a_line ) {
my ( $networks, $protocol, $ports, $options ) = split_line 'blacklist file', { networks => 0, proto => 1, port => 2, options => 3 };
if ( $options eq '-' ) {
$options = 'src';
} elsif ( $options eq 'audit' ) {
$options = 'audit,src';
}
my ( $to, $from, $whitelist, $auditone ) = ( 0, 0, 0, 0 );
my @options = split_list $options, 'option';
for ( @options ) {
$whitelist++ if $_ eq 'whitelist';
$auditone++ if $_ eq 'audit';
}
warning_message "Duplicate 'whitelist' option ignored" if $whitelist > 1;
my $tgt = $whitelist ? 'RETURN' : $target;
if ( $auditone ) {
fatal_error "'audit' not allowed in whitelist entries" if $whitelist;
if ( $audit ) {
warning_message "Superfluous 'audit' option ignored";
} else {
warning_message "Duplicate 'audit' option ignored" if $auditone > 1;
}
$tgt = verify_audit( 'A_' . $target, $orig_target, $target );
}
for ( @options ) {
if ( $_ =~ /^(?:src|from)$/ ) {
if ( $from++ ) {
warning_message "Duplicate 'src' ignored";
} else {
if ( @$zones ) {
push @rules, [ 'src', $tgt, $networks, $protocol, $ports ];
} else {
warning_message '"src" entry ignored because there are no "blacklist in" zones';
}
}
} elsif ( $_ =~ /^(?:dst|to)$/ ) {
if ( $to++ ) {
warning_message "Duplicate 'dst' ignored";
} else {
if ( @$zones1 ) {
push @rules, [ 'dst', $tgt, $networks, $protocol, $ports ];
} else {
warning_message '"dst" entry ignored because there are no "blacklist out" zones';
}
}
} else {
fatal_error "Invalid blacklist option($_)" unless $_ eq 'whitelist' || $_ eq 'audit';
}
}
}
if ( @rules ) {
my $fn1 = find_file( 'blrules' );
my $blrules;
my $date = localtime;
if ( -f $fn1 ) {
open $blrules, '>>', $fn1 or fatal_error "Unable to open $fn1: $!";
} else {
open $blrules, '>', $fn1 or fatal_error "Unable to open $fn1: $!";
print $blrules <<'EOF';
#
# Shorewall version 5 - Blacklist Rules File
#
# For information about entries in this file, type "man shorewall-blrules"
#
# Please see http://shorewall.net/blacklisting_support.htm for additional
# information.
#
###################################################################################################################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH
# PORT PORT(S) DEST LIMIT GROUP
EOF
}
print( $blrules
"#\n" ,
"# Rules generated from blacklist file $fn by Shorewall $globals{VERSION} - $date\n" ,
"#\n" );
for ( @rules ) {
my ( $srcdst, $tgt, $networks, $protocols, $ports ) = @$_;
if ( $level ) {
$tgt .= ":$level\t";
} else {
$tgt .= "\t\t";
}
my $list = $srcdst eq 'src' ? $zones : $zones1;
for my $zone ( @$list ) {
my $rule = $tgt;
if ( $srcdst eq 'src' ) {
if ( $networks ne '-' ) {
$rule .= "$zone:$networks\tall\t\t";
} else {
$rule .= "$zone\t\t\tall\t\t";
}
} else {
if ( $networks ne '-' ) {
$rule .= "all\t\t\t$zone:$networks\t";
} else {
$rule .= "all\t\t\t$zone\t\t\t";
}
}
$rule .= "\t$protocols" if $protocols ne '-';
$rule .= "\t$ports" if $ports ne '-';
print $blrules "$rule\n";
}
}
close $blrules;
} else {
warning_message q(There are interfaces or zones with the 'blacklist' option but the 'blacklist' file is empty) unless @rules;
}
rename $fn, "$fn.bak";
progress_message2 "Blacklist file $fn saved in $fn.bak";
for my $file ( qw(zones interfaces hosts) ) {
remove_blacklist $file;
}
progress_message2 "Blacklist successfully converted";
return 1;
} else {
my $fn = find_file 'blacklist';
if ( -f $fn ) {
rename $fn, "$fn.bak" or fatal_error "Unable to rename $fn to $fn.bak: $!";
warning_message "No zones have the blacklist option - the blacklist file was saved in $fn.bak";
}
return 0;
}
}
sub process_routestopped() {
if ( my $fn = open_file 'routestopped' ) {
@ -473,7 +706,8 @@ sub process_routestopped() {
sub setup_mss();
sub add_common_rules() {
sub add_common_rules ( $ ) {
my $upgrade = shift;
my $interface;
my $chainref;
my $target;
@ -594,7 +828,11 @@ sub add_common_rules() {
run_user_exit1 'initdone';
setup_blacklist;
if ( $upgrade ) {
exit 0 unless convert_blacklist;
} else {
setup_blacklist;
}
$list = find_hosts_by_option 'nosmurfs';
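Review bot: In `remove_blacklist`, `close $newfile;` is unchecked before the two renames, so a buffered write failure (disk full, quota) would go unnoticed and a truncated `$fn.new` would be renamed over the user's zones/interfaces/hosts file with the original pushed to `.bak`; make it `close $newfile or fatal_error "Unable to close $fn.new: $!";`, and add an `else { unlink "$fn.new" }` branch to the `if ( $changed )` test so an unmodified file does not leave a stray `.new` beside it. Later in the same hunk, `convert_blacklist` does `rename $fn, "$fn.bak";` without checking the result, while the no-zones branch a few lines below checks the identical rename with `or fatal_error`; the two should match. The heredoc written to a freshly created blrules file is titled `# Shorewall version 5 - Blacklist Rules File`, whereas this commit changes the shipped blrules skeleton to `# Shorewall version 4 - Blacklist Rules File`, so generated and shipped files will disagree. Minor: `warning_message q(...) unless @rules;` sits in the `else` branch of `if ( @rules )`, so the `unless @rules` guard is always true and can be dropped.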


@ -177,6 +177,7 @@ my %physical;
my %basemap;
my %mapbase;
my $family;
my $upgrade;
my $have_ipsec;
my $baseseq;
my $minroot;
@ -221,8 +222,8 @@ my %validhostoptions;
# 2. The compiler can run multiple times in the same process so it has to be
# able to re-initialize its dependent modules' state.
#
sub initialize( $ ) {
$family = shift;
sub initialize( $$ ) {
( $family , $upgrade ) = @_;
@zones = ();
%zones = ();
$firewall_zone = '';
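Review bot: The new `$upgrade` package variable is assigned from the second argument of `initialize` but is not read anywhere in the visible lines, and the caller in Compiler.pm passes `$update`, while Misc.pm's `add_common_rules` stores `$convert` under the same name `$upgrade`; if the Zones flag is meant to be the shorewall.conf update flag, naming it `$update` here and adding `# set when the compiler runs with --update` above the `my $upgrade;` declaration would keep the two modules from being confused. The rest of `initialize` and any use of `$upgrade` lie outside the hunk.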


@ -62,7 +62,8 @@ sub usage( $ ) {
[ --preview ]
[ --family={4|6} ]
[ --annotate ]
[ --updatee ]
[ --update ]
[ --convert ]
';
exit shift @_;
@ -86,6 +87,7 @@ my $family = 4; # F_IPV4
my $preview = 0;
my $annotate = 0;
my $update = 0;
my $convert = 0;
Getopt::Long::Configure ('bundling');
@ -115,6 +117,7 @@ my $result = GetOptions('h' => \$help,
'annotate' => \$annotate,
'u' => \$update,
'update' => \$update,
'convert' => \$convert,
);
usage(1) unless $result && @ARGV < 2;
@ -134,5 +137,6 @@ compiler( script => $ARGV[0] || '',
family => $family,
confess => $confess,
update => $update,
convert => $convert,
annotate => $annotate,
);
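Review bot: The new `--convert` entry in the usage text gives no hint of what it does or that the shell wrappers only emit it as the `-b` sub-option of `update`; a short trailing note such as `[ --convert ]   # migrate legacy blacklist file to blrules` would document it at the point a user sees it. Unlike `update`, which has both `u` and `update` spellings in the GetOptions table, `convert` has no short form — fine if intended, but worth a glance for consistency. The `--updatee` → `--update` typo fix in the first hunk is good.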


@ -1,12 +1,12 @@
#
# Shorewall version 5 - Blacklist Rules File
# Shorewall version 4 - Blacklist Rules File
#
# For information about entries in this file, type "man shorewall-blrules"
#
# Please see http://shorewall.net/blacklisting_support.htm for additional
# information.
#
######################################################################################################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH
# PORT PORT(S) DEST LIMIT GROUP
###################################################################################################################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH
# PORT PORT(S) DEST LIMIT GROUP


@ -398,6 +398,7 @@ compiler() {
[ -n "$g_refreshchains" ] && options="$options --refresh=$g_refreshchains"
[ -n "$g_confess" ] && options="$options --confess"
[ -n "$g_update" ] && options="$options --update"
[ -n "$g_convert" ] && options="$options --convert"
[ -n "$g_annotate" ] && options="$options --annotate"
if [ -n "$PERL" ]; then
@ -728,6 +729,94 @@ check_command() {
compiler $g_debugging $nolock check
}
#
# Update Command Executor
#
update_command() {
local finished
finished=0
g_update=Yes
while [ $finished -eq 0 -a $# -gt 0 ]; do
option=$1
case $option in
-*)
option=${option#-}
while [ -n "$option" ]; do
case $option in
-)
finished=1
option=
;;
e*)
g_export=Yes
option=${option#e}
;;
p*)
g_profile=Yes
option=${option#p}
;;
d*)
g_debug=Yes;
option=${option#d}
;;
r*)
g_preview=Yes
option=${option#r}
;;
T*)
g_confess=Yes
option=${option#T}
;;
a*)
g_annotate=Yes
option=${option#a}
;;
b*)
g_convert=Yes
option=${option#b}
;;
*)
usage 1
;;
esac
done
shift
;;
*)
finished=1
;;
esac
done
case $# in
0)
;;
1)
[ -n "$SHOREWALL_DIR" ] && usage 2
if [ ! -d $1 ]; then
if [ -e $1 ]; then
echo "$1 is not a directory" >&2 && exit 2
else
echo "Directory $1 does not exist" >&2 && exit 2
fi
fi
SHOREWALL_DIR=$(resolve_file $1)
;;
*)
usage 1
;;
esac
progress_message3 "Updating..."
compiler $g_debugging $nolock check
}
#
# Restart Command Executor
#
@ -1431,6 +1520,8 @@ usage() # $1 = exit status
echo " reset [ <chain> ... ]"
echo " restart [ -n ] [ -p ] [-d] [ -f ] [ -c ][ <directory> ]"
echo " restore [ -n ] [ <file name> ]"
echo " safe-restart [ <directory> ]"
echo " safe-start [ <directory> ]"
echo " save [ <file name> ]"
echo " show [ -x ] [ -t {filter|mangle|nat|raw|rawpost} ] [ {chain [<chain> [ <chain> ... ]"
echo " show actions"
@ -1451,13 +1542,11 @@ usage() # $1 = exit status
echo " show vardir"
echo " show zones"
echo " start [ -f ] [ -n ] [ -p ] [ -c ] [ <directory> ]"
echo " stop"
echo " status"
echo " stop"
echo " try <directory> [ <timeout> ]"
echo " update [ -b ] [ -r ] [ -T ] [ <directory> ]"
echo " version [ -a ]"
echo " safe-start [ <directory> ]"
echo " safe-restart [ <directory> ]"
echo " update [ -e ] [ -d ] [ -p ] [ -r ] [ -T ] [ -a ] [ <directory> ]"
echo
exit $1
}
@ -1541,6 +1630,7 @@ g_export=
g_refreshchains=:none:
g_confess=
g_update=
g_convert=
g_annotate=
#
@ -1751,8 +1841,7 @@ case "$COMMAND" in
update)
get_config Yes
shift
g_update=Yes
check_command $@
update_command $@
;;
show|list)
get_config Yes No Yes
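Review bot: The rewritten usage line `update [ -b ] [ -r ] [ -T ] [ <directory> ]` drops `-e`, `-d`, `-p` and `-a`, yet the new `update_command` in this same file still parses all of them (the `e*`, `d*`, `p*` and `a*` cases); either restore them in the usage text, e.g. `update [ -a ] [ -b ] [ -d ] [ -e ] [ -p ] [ -r ] [ -T ] [ <directory> ]`, or drop the unused cases. In `update_command` the directory argument is used unquoted in `[ ! -d $1 ]`, `[ -e $1 ]` and `resolve_file $1`, so a path containing whitespace is word-split; quoting as `"$1"` avoids that (the existing `check_command` is outside the hunk, so I cannot confirm whether it does the same). Minor: `g_debug=Yes;` has a stray trailing semicolon.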


@ -398,6 +398,7 @@ compiler() {
[ -n "$g_refreshchains" ] && options="$options --refresh=$g_refreshchains"
[ -n "$g_confess" ] && options="$options --confess"
[ -n "$g_update" ] && options="$options --update"
[ -n "$g_convert" ] && options="$options --convert"
[ -n "$g_annotate" ] && options="$options --annotate"
[ -x $pc ] || startup_error "Shorewall6 requires the shorewall package which is not installed"
@ -729,6 +730,92 @@ check_command() {
compiler $g_debugging $nolock check
}
#
# Update Command Executor
#
update_command() {
local finished
finished=0
while [ $finished -eq 0 -a $# -gt 0 ]; do
option=$1
case $option in
-*)
option=${option#-}
while [ -n "$option" ]; do
case $option in
-)
finished=1
option=
;;
e*)
g_export=Yes
option=${option#e}
;;
p*)
g_profile=Yes
option=${option#p}
;;
d*)
g_debug=Yes;
option=${option#d}
;;
r*)
g_preview=Yes
option=${option#r}
;;
T*)
g_confess=Yes
option=${option#T}
;;
a*)
g_annotate=Yes
option=${option#a}
;;
b*)
g_convert=Yes
option=${option#b}
;;
*)
usage 1
;;
esac
done
shift
;;
*)
finished=1
;;
esac
done
case $# in
0)
;;
1)
[ -n "$SHOREWALL_DIR" ] && usage 2
if [ ! -d $1 ]; then
if [ -e $1 ]; then
echo "$1 is not a directory" >&2 && exit 2
else
echo "Directory $1 does not exist" >&2 && exit 2
fi
fi
SHOREWALL_DIR=$(resolve_file $1)
;;
*)
usage 1
;;
esac
progress_message3 "Updating..."
compiler $g_debugging $nolock check
}
#
# Restart Command Executor
#
@ -1428,6 +1515,8 @@ usage() # $1 = exit status
echo " reset [ <chain> ... ]"
echo " restart [ -n ] [ -p ] [-d] [ -f ] [ -c ][ <directory> ]"
echo " restore [ -n ] [ <file name> ]"
echo " safe-restart [ <directory> ]"
echo " safe-start [ <directory> ]"
echo " save [ <file name> ]"
echo " show [ -x ] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]"
echo " show actions"
@ -1447,13 +1536,11 @@ usage() # $1 = exit status
echo " show vardir"
echo " show zones"
echo " start [ -f ] [ -n ] [ -p ] [ -c ] [ <directory> ]"
echo " stop"
echo " status"
echo " stop"
echo " try <directory> [ <timeout> ]"
echo " update [ -b ] [ -r ] [ -T ] [ <directory> ]"
echo " version [ -a ]"
echo " safe-start [ <directory> ]"
echo " safe-restart [ <directory> ]"
echo " update [ -e ] [ -d ] [ -p ] [ -r ] [ -T ] [ -a ] [ <directory> ]"
echo
exit $1
}
@ -1537,6 +1624,7 @@ g_export=
g_refreshchains=:none:
g_confess=
g_update=
g_convert=
g_annotate=
#
@ -1747,8 +1835,7 @@ case "$COMMAND" in
update)
get_config Yes
shift
g_update=Yes
check_command $@
update_command $@
;;
show|list)
get_config Yes No Yes
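Review bot: This copy of `update_command` never sets `g_update=Yes`, while the dispatcher hunk at the bottom of this section removes the `g_update=Yes` that used to precede `check_command $@`; after this commit `shorewall6 update` therefore runs the compiler without `--update` (and `-b` alone would pass `--convert` without `--update`), whereas the shorewall copy of `update_command` sets `g_update=Yes` right after `finished=0`. Add `g_update=Yes` at the same spot here. The usage-line omission of `-e`, `-d`, `-p`, `-a` and the unquoted `$1` tests noted for the shorewall script apply to this copy as well.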


@ -72,11 +72,11 @@
<title>Rule-based Blacklisting</title>
<para>Beginning with Shorewall 4.4.25, the preferred method of
blacklisting and whitelisting is to use the BLACKLIST section of the rules
file. There you have access to the DROP, ACCEPT, REJECT and WHITELIST
actions, standard and custom macros as well as standard and custom
actions. See <ulink
url="manpages/shorewall-rules.html">shorewall-rules</ulink> (5) for
blacklisting and whitelisting is to use the blrules file (<ulink
url="manpages/shorewall-blrules.html">shorewall-blrules</ulink> (5)).
There you have access to the DROP, ACCEPT, REJECT and WHITELIST actions,
standard and custom macros as well as standard and custom actions. See
<ulink url="manpages/shorewall-rules.html">shorewall-rules</ulink> (5) for
details.</para>
<para>Example:</para>
@ -95,29 +95,16 @@ DROP net:84.108.168.139 all
DROP net:200.55.14.18 all
</programlisting>
<para>If you prefer to keep your blacklist rules in a separate file,
then:</para>
<para>Beginning with Shorewall 4.4.26, the <command>update</command>
command supports a <option>-b</option> option that causes your legacy
blacklisting configuration to use the blrules file.</para>
<itemizedlist>
<listitem>
<para>create the separate file.</para>
</listitem>
<listitem>
<para>copy the column headings from your rules file to the new
file.</para>
</listitem>
<listitem>
<para>enter your blacklist rules into the new file.</para>
</listitem>
<listitem>
<para>in the BLACKLIST section of your rules file, enter:</para>
<programlisting>INCLUDE <replaceable>name-of-new-file</replaceable></programlisting>
</listitem>
</itemizedlist>
<note>
<para>If you prefer to keep your blacklisting rules in your rules file
(<ulink url="manpages/shorewall-rules.html">shorewall-rules</ulink>
(5)), you can place them in the BLACKLIST section of that file rather
than in blrules.</para>
</note>
</section>
<section>


@ -348,7 +348,8 @@
BLACKLIST_LOGLEVEL=debug). If you do not assign a value or if you
assign an empty value then packets from blacklisted hosts are not
logged. The BLACKLIST_LOGLEVEL setting has no effect on entries in
the BLACKLIST section of <ulink
the <ulink url="???">shorewall-blrules</ulink> (5) file or in the
BLACKLIST section of <ulink
url="shorewall-rules.html">shorewall-rules</ulink> (5).</para>
</listitem>
</varlistentry>
@ -360,8 +361,9 @@
<listitem>
<para>When set to <emphasis role="bold">Yes</emphasis> or <emphasis
role="bold">yes</emphasis>, blacklists are only consulted for new
connections. That includes entries in the BLACKLIST section of
<ulink url="shorewall-rules.html">shorewall-rules</ulink>
connections. That includes entries in the <ulink
url="???">shorewall-blrules</ulink> (5) file and in the BLACKLIST
section of <ulink url="shorewall-rules.html">shorewall-rules</ulink>
(5).</para>
<para>When set to <emphasis role="bold">No</emphasis> or <emphasis


@ -628,12 +628,10 @@
<arg choice="plain"><option>update</option></arg>
<arg><option>-e</option></arg>
<arg><option>-b</option></arg>
<arg><option>-d</option></arg>
<arg><option>-p</option></arg>
<arg><option>-r</option></arg>
<arg><option>-T</option></arg>
@ -1564,6 +1562,17 @@
<filename>shorewall.conf</filename> file to be annotated with
documentation.</para>
<para>The <option>-b</option> option was added in Shorewall 4.4.26
and causes legacy blacklisting rules (<ulink
url="shorewall-blacklist.html">shorewall-blacklist</ulink> (5) ) to
be converted to entries in the blrules file (<ulink
url="shorewall-blrules.html">shorewall-blrules</ulink> (5) ). The
blacklist keyword is removed from <ulink
url="shorewall-zones.html">shorewall-zones</ulink> (5), <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink> (5) and
<ulink url="shorewall-hosts.html">shorewall-hosts</ulink> (5). The
unmodified files are saved with a .bak suffix.</para>
<para>For a description of the other options, see the <emphasis
role="bold">check</emphasis> command above.</para>
</listitem>


@ -262,8 +262,9 @@
be dropped or REJECT if the packets are to be replied with an ICMP
port unreachable reply or a TCP RST (tcp only). If you do not assign
a value or if you assign an empty value then DROP is assumed. The
BLACKLIST_DISPOSITION setting has no effect on entries in the
BLACKLIST section of <ulink
BLACKLIST_DISPOSITION setting has no effect on entries in the <ulink
url="???">shorewall-blrules</ulink> (5) file or in the BLACKLIST
section of <ulink
url="shorewall6-rules.html">shorewall6-rules</ulink> (5).</para>
</listitem>
</varlistentry>
@ -279,7 +280,8 @@
BLACKLIST_LOGLEVEL=debug). If you do not assign a value or if you
assign an empty value then packets from blacklisted hosts are not
logged. The BLACKLIST_LOGLEVEL setting has no effect on entries in
the BLACKLIST section of <ulink
the <ulink url="???">shorewall-blrules</ulink> (5) file and in the
BLACKLIST section of <ulink
url="shorewall6-rules.html">shorewall6-rules</ulink> (5).</para>
</listitem>
</varlistentry>
@ -291,9 +293,10 @@
<listitem>
<para>When set to <emphasis role="bold">Yes</emphasis> or <emphasis
role="bold">yes</emphasis>, blacklists are only consulted for new
connections. This includes entries in the BLACKLIST section of
<ulink url="shorewall6-rules.html">shorewall6-rules</ulink>
(5).</para>
connections. This includes entries in the <ulink
url="???">shorewall-blrules</ulink> (5) file and in the BLACKLIST
section of <ulink
url="shorewall6-rules.html">shorewall6-rules</ulink> (5).</para>
<para>When set to <emphasis role="bold">No</emphasis> or <emphasis
role="bold">no</emphasis>, blacklists are consulted for every packet


@ -529,12 +529,10 @@
<arg choice="plain"><option>update</option></arg>
<arg><option>-e</option></arg>
<arg><option>-b</option></arg>
<arg><option>-d</option></arg>
<arg><option>-p</option></arg>
<arg><option>-r</option></arg>
<arg><option>-T</option></arg>
@ -1373,6 +1371,17 @@
<filename>shorewall6.conf</filename> file to be annotated with
documentation.</para>
<para>The <option>-b</option> option was added in Shorewall 4.4.26
and causes legacy blacklisting rules (<ulink
url="shorewall6-blacklist.html">shorewall6-blacklist</ulink> (5) )
to be converted to entries in the blrules file (<ulink
url="shorewall6-blrules.html">shorewall6-blrules</ulink> (5) ). The
blacklist keyword is removed from <ulink
url="shorewall6-zones.html">shorewall6-zones</ulink> (5), <ulink
url="shorewall6-interfaces.html">shorewall-interfaces</ulink> (5)
and <ulink url="shorewall6-hosts.html">shorewall6-hosts</ulink> (5).
The unmodified files are saved with a .bak suffix.</para>
<para>For a description of the other options, see the <emphasis
role="bold">check</emphasis> command above.</para>
</listitem>
@ -1404,8 +1413,8 @@
<para>shorewall6-accounting(5), shorewall6-actions(5),
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
shorewall6-maclist(5), shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
shorewall6-providers(5), shorewall6-route_rules(5),
shorewall6-maclist(5), shoewall6-netmap(5),shorewall6-params(5),
shorewall6-policy(5), shorewall6-providers(5), shorewall6-route_rules(5),
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),
shorewall6-tcrules(5), shorewall6-tos(5), shorewall6-tunnels(5),