From d053faaddeb9da47365be1e0544f25151a1257dd Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Tue, 8 Nov 2011 12:59:40 -0800 Subject: [PATCH] Allow convertion of a legacy blacklist configuration Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Compiler.pm | 13 +- Shorewall/Perl/Shorewall/Config.pm | 13 +- Shorewall/Perl/Shorewall/Misc.pm | 242 ++++++++++++++++++++++++++- Shorewall/Perl/Shorewall/Zones.pm | 5 +- Shorewall/Perl/compiler.pl | 6 +- Shorewall/configfiles/blrules | 8 +- Shorewall/shorewall | 101 ++++++++++- Shorewall6/shorewall6 | 99 ++++++++++- docs/blacklisting_support.xml | 41 ++--- manpages/shorewall.conf.xml | 8 +- manpages/shorewall.xml | 15 +- manpages6/shorewall6.conf.xml | 15 +- manpages6/shorewall6.xml | 19 ++- 13 files changed, 508 insertions(+), 77 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Compiler.pm b/Shorewall/Perl/Shorewall/Compiler.pm index a182d8412..1e14b4c0c 100644 --- a/Shorewall/Perl/Shorewall/Compiler.pm +++ b/Shorewall/Perl/Shorewall/Compiler.pm @@ -54,10 +54,10 @@ my $family; # # Initilize the package-globals in the other modules # -sub initialize_package_globals() { +sub initialize_package_globals( $ ) { Shorewall::Config::initialize($family); Shorewall::Chains::initialize ($family, 1, $export ); - Shorewall::Zones::initialize ($family); + Shorewall::Zones::initialize ($family, shift); Shorewall::Nat::initialize; Shorewall::Providers::initialize($family); Shorewall::Tc::initialize($family); @@ -525,8 +525,8 @@ EOF # sub compiler { - my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity, $preview, $confess , $update , $annotate ) = - ( '', '', -1, '', 0, '', '', -1, 0, 0, 0, 0, ); + my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity, $preview, $confess , $update , $annotate , $convert ) = + ( '', '', -1, '', 0, '', '', -1, 0, 0, 0, 0, , 0 ); $export = 0; $test = 0; 
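Review bot: `Shorewall::Zones::initialize ($family, shift);` consumes the new argument from inside a call list, which hides what `initialize_package_globals( $ )` now receives; naming it first, `my $update = shift;` followed by `Shorewall::Zones::initialize ($family, $update);`, makes it visible that the flag is the --update setting that the later hunk passes in. The header comment above the sub still describes only package-global initialization, so a line such as `# $_[0] is the --update flag, forwarded to Shorewall::Zones` would bring it up to date.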
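Review bot: The new initializer list for sub compiler contains an empty element, `0, 0, 0, 0, , 0 )`, which Perl silently discards, so `$convert` does start at 0 but only because the doubled comma happens to be ignored; write it as `0, 0, 0, 0, 0 );` so that thirteen values visibly match the thirteen variables on the line above. The body of compiler continues outside the hunk.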
@@ -561,6 +561,7 @@ sub compiler { preview => { store => \$preview, validate=> \&validate_boolean } , confess => { store => \$confess, validate=> \&validate_boolean } , update => { store => \$update, validate=> \&validate_boolean } , + convert => { store => \$convert, validate=> \&validate_boolean } , annotate => { store => \$annotate, validate=> \&validate_boolean } , ); # @@ -579,7 +580,7 @@ sub compiler { # # Now that we know the address family (IPv4/IPv6), we can initialize the other modules' globals # - initialize_package_globals; + initialize_package_globals( $update ); if ( $directory ne '' ) { fatal_error "$directory is not an existing directory" unless -d $directory; @@ -673,7 +674,7 @@ sub compiler { # # Do all of the zone-independent stuff (mostly /proc) # - add_common_rules; + add_common_rules( $convert ); # # More /proc # diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm index 4e46d4870..73029af96 100644 --- a/Shorewall/Perl/Shorewall/Config.pm +++ b/Shorewall/Perl/Shorewall/Config.pm @@ -1268,7 +1268,7 @@ sub set_debug( $$ ) { # sub find_file($) { - my $filename=$_[0]; + my ( $filename, $nosearch ) = @_; return $filename if $filename =~ '/'; @@ -1279,7 +1279,7 @@ sub find_file($) return $file if -f $file; } - "$globals{CONFDIR}/$filename"; + "$config_path[0]$filename"; } sub split_list( $$ ) { @@ -1949,9 +1949,10 @@ sub expand_variables( \$ ) { # - Handle INCLUDE # -sub read_a_line(;$$) { +sub read_a_line(;$$$) { my $embedded_enabled = defined $_[0] ? shift : 1; my $expand_variables = defined $_[0] ? shift : 1; + my $strip_comments = defined $_[0] ? shift : 1; while ( $currentfile ) { @@ -1971,7 +1972,7 @@ sub read_a_line(;$$) { # If this isn't a continued line, remove trailing comments. Note that # the result may now end in '\'. # - s/\s*#.*$// unless /\\$/; + s/\s*#.*$// if $strip_comments && ! /\\$/; # # Continuation # 
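Review bot: `find_file($)` keeps its single-scalar prototype while the body now unpacks `my ( $filename, $nosearch ) = @_;`, so a second argument cannot be passed by callers that see the prototype and nothing in the hunk reads `$nosearch`; either drop it or widen the prototype to `find_file($;$)` and use it. The replacement fallback in the following hunk, `"$config_path[0]$filename"`, concatenates without a separator where the old line had an explicit `/`, so it presumably relies on every entry of `@config_path` ending in a slash — confirm, and record it with a comment such as `# entries of @config_path carry a trailing '/'`. The middle of find_file lies between the two hunks and is not shown.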
@@ -1979,7 +1980,7 @@ sub read_a_line(;$$) { # # Now remove concatinated comments # - $currentline =~ s/#.*$//; + $currentline =~ s/#.*$// if $strip_comments; # # Ignore ( concatenated ) Blank Lines # @@ -3126,7 +3127,7 @@ EOF progress_message3 "No update required to configuration file $configfile; $configfile.b"; } - exit 0; + exit 0 unless -f find_file 'blacklist'; } } else { fatal_error "$fn does not exist"; diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm index ee8036d21..77b35e4c3 100644 --- a/Shorewall/Perl/Shorewall/Misc.pm +++ b/Shorewall/Perl/Shorewall/Misc.pm 
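Review bot: `exit 0 unless -f find_file 'blacklist';` changes what an `update` run does for every installation that still has a legacy blacklist file, not only for those that asked for conversion: instead of stopping after the shorewall.conf rewrite, the compiler now continues into a full run, which this hunk alone does not explain. If that is intended, say so at the line, e.g. `# Keep going when a legacy blacklist file exists so that --convert can process it`; if not, the condition presumably needs to consult the convert setting as well. The enclosing sub starts and ends outside the hunk.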
@@ -348,6 +348,239 @@ sub setup_blacklist() { } } +# +# Remove instances of 'blacklist' from the passed file. +# +sub remove_blacklist( $ ) { + my $file = shift; + + my $fn = find_file $file; + + assert( -f $fn ); + + my $oldfile = open_file $fn; + my $newfile; + my $changed; + + open $newfile, '>', "$fn.new" or fatal_error "Unable to open $fn.new for output: $!"; + + while ( read_a_line(1,1,0) ) { + my ( $rule, $comment ) = split '#', $currentline, 2; + + if ( $rule =~ /blacklist/ ) { + $changed = 1; + + if ( $comment ) { + $comment =~ s/^/ / while $rule =~ s/blacklist,//; + $rule =~ s/blacklist/ /g; + $currentline = join( '#', $rule, $comment ); + } else { + $currentline =~ s/blacklist/ /g; + } + } + + print $newfile "$currentline\n"; + } + + close $newfile; + + if ( $changed ) { + rename $fn, "$fn.bak" or fatal_error "Unable to rename $fn to $fn.bak: $!"; + rename "$fn.new", $fn or fatal_error "Unable to rename $fn.new to $fn: $!"; + progress_message2 "\u$file file $fn saved in $fn.bak" + } +} + +# +# Convert a pre-4.4.25 blacklist to a 4.4.25 blacklist +# +sub convert_blacklist() { + my $zones = find_zones_by_option 'blacklist', 'in'; + my $zones1 = find_zones_by_option 'blacklist', 'out'; + my $chainref; + my $chainref1; + my ( $level, $disposition ) = @config{'BLACKLIST_LOGLEVEL', 'BLACKLIST_DISPOSITION' }; + my $audit = $disposition =~ /^A_/; + my $target = $disposition eq 'REJECT' ? 'reject' : $disposition; + my $orig_target = $target; + my @rules; + + if ( @$zones || @$zones1 ) { + if ( supplied $level ) { + my $logchainref = new_standard_chain 'blacklog'; + + $target =~ s/A_//; + $target = 'reject' if $target eq 'REJECT'; + + log_rule_limit( $level , $logchainref , 'blacklst' , $disposition , "$globals{LOGLIMIT}" , '', 'add', '' ); + + add_ijump( $logchainref, j => 'AUDIT', targetopts => '--type ' . 
lc $target ) if $audit; + add_ijump( $logchainref, g => $target ); + + $target = 'blacklog'; + } elsif ( $audit ) { + require_capability 'AUDIT_TARGET', "BLACKLIST_DISPOSITION=$disposition", 's'; + $target = verify_audit( $disposition ); + } + + my $fn = open_file 'blacklist'; + + assert $fn; + + first_entry "Converting $fn..."; + + while ( read_a_line ) { + my ( $networks, $protocol, $ports, $options ) = split_line 'blacklist file', { networks => 0, proto => 1, port => 2, options => 3 }; + + if ( $options eq '-' ) { + $options = 'src'; + } elsif ( $options eq 'audit' ) { + $options = 'audit,src'; + } + + my ( $to, $from, $whitelist, $auditone ) = ( 0, 0, 0, 0 ); + + my @options = split_list $options, 'option'; + + for ( @options ) { + $whitelist++ if $_ eq 'whitelist'; + $auditone++ if $_ eq 'audit'; + } + + warning_message "Duplicate 'whitelist' option ignored" if $whitelist > 1; + + my $tgt = $whitelist ? 'RETURN' : $target; + + if ( $auditone ) { + fatal_error "'audit' not allowed in whitelist entries" if $whitelist; + + if ( $audit ) { + warning_message "Superfluous 'audit' option ignored"; + } else { + warning_message "Duplicate 'audit' option ignored" if $auditone > 1; + } + + $tgt = verify_audit( 'A_' . 
$target, $orig_target, $target ); + } + + for ( @options ) { + if ( $_ =~ /^(?:src|from)$/ ) { + if ( $from++ ) { + warning_message "Duplicate 'src' ignored"; + } else { + if ( @$zones ) { + push @rules, [ 'src', $tgt, $networks, $protocol, $ports ]; + } else { + warning_message '"src" entry ignored because there are no "blacklist in" zones'; + } + } + } elsif ( $_ =~ /^(?:dst|to)$/ ) { + if ( $to++ ) { + warning_message "Duplicate 'dst' ignored"; + } else { + if ( @$zones1 ) { + push @rules, [ 'dst', $tgt, $networks, $protocol, $ports ]; + } else { + warning_message '"dst" entry ignored because there are no "blacklist out" zones'; + } + } + } else { + fatal_error "Invalid blacklist option($_)" unless $_ eq 'whitelist' || $_ eq 'audit'; + } + } + } + + if ( @rules ) { + my $fn1 = find_file( 'blrules' ); + my $blrules; + my $date = localtime; + + if ( -f $fn1 ) { + open $blrules, '>>', $fn1 or fatal_error "Unable to open $fn1: $!"; + } else { + open $blrules, '>', $fn1 or fatal_error "Unable to open $fn1: $!"; + print $blrules <<'EOF'; +# +# Shorewall version 5 - Blacklist Rules File +# +# For information about entries in this file, type "man shorewall-blrules" +# +# Please see http://shorewall.net/blacklisting_support.htm for additional +# information. +# +################################################################################################################################################################################################### +#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH +# PORT PORT(S) DEST LIMIT GROUP +EOF + } + + print( $blrules + "#\n" , + "# Rules generated from blacklist file $fn by Shorewall $globals{VERSION} - $date\n" , + "#\n" ); + + for ( @rules ) { + my ( $srcdst, $tgt, $networks, $protocols, $ports ) = @$_; + + if ( $level ) { + $tgt .= ":$level\t"; + } else { + $tgt .= "\t\t"; + } + + my $list = $srcdst eq 'src' ? 
$zones : $zones1; + + for my $zone ( @$list ) { + my $rule = $tgt; + + if ( $srcdst eq 'src' ) { + if ( $networks ne '-' ) { + $rule .= "$zone:$networks\tall\t\t"; + } else { + $rule .= "$zone\t\t\tall\t\t"; + } + } else { + if ( $networks ne '-' ) { + $rule .= "all\t\t\t$zone:$networks\t"; + } else { + $rule .= "all\t\t\t$zone\t\t\t"; + } + } + + $rule .= "\t$protocols" if $protocols ne '-'; + $rule .= "\t$ports" if $ports ne '-'; + + print $blrules "$rule\n"; + } + } + + close $blrules; + } else { + warning_message q(There are interfaces or zones with the 'blacklist' option but the 'blacklist' file is empty) unless @rules; + } + + rename $fn, "$fn.bak"; + + progress_message2 "Blacklist file $fn saved in $fn.bak"; + + for my $file ( qw(zones interfaces hosts) ) { + remove_blacklist $file; + } + + progress_message2 "Blacklist successfully converted"; + + return 1; + } else { + my $fn = find_file 'blacklist'; + if ( -f $fn ) { + rename $fn, "$fn.bak" or fatal_error "Unable to rename $fn to $fn.bak: $!"; + warning_message "No zones have the blacklist option - the blacklist file was saved in $fn.bak"; + } + + return 0; + } +} + sub process_routestopped() { if ( my $fn = open_file 'routestopped' ) { @@ -473,7 +706,8 @@ sub process_routestopped() { sub setup_mss(); -sub add_common_rules() { +sub add_common_rules ( $ ) { + my $upgrade = shift; my $interface; my $chainref; my $target; @@ -594,7 +828,11 @@ sub add_common_rules() { run_user_exit1 'initdone'; - setup_blacklist; + if ( $upgrade ) { + exit 0 unless convert_blacklist; + } else { + setup_blacklist; + } $list = find_hosts_by_option 'nosmurfs'; diff --git a/Shorewall/Perl/Shorewall/Zones.pm b/Shorewall/Perl/Shorewall/Zones.pm index b7be6e4d7..83aa93ec7 100644 --- a/Shorewall/Perl/Shorewall/Zones.pm +++ b/Shorewall/Perl/Shorewall/Zones.pm @@ -177,6 +177,7 @@ my %physical; my %basemap; my %mapbase; my $family; +my $upgrade; my $have_ipsec; my $baseseq; my $minroot; 
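Review bot: In remove_blacklist the pair `$rule =~ s/blacklist,//` and `s/blacklist/ /g` only handles the keyword when a comma follows it, so an entry whose option list ends in it (`dhcp,blacklist`) is rewritten to `dhcp,` with a dangling comma, and the unanchored pattern also fires inside any longer token containing the word; adding a case for the trailing position, `$rule =~ s/,blacklist\b//g;`, before the bare replacement, and putting `\b` on the other two patterns, covers both placements (the `$comment` realignment would then need to count those removals too). In convert_blacklist, `close $blrules;` and `rename $fn, "$fn.bak";` are unchecked, unlike the checked renames elsewhere in the hunk, so a write error surfacing at close can leave a truncated blrules after the original blacklist file has already been moved aside and the entries are silently gone from the configuration; `close $blrules or fatal_error "Unable to close $fn1: $!";` and `rename $fn, "$fn.bak" or fatal_error "Unable to rename $fn to $fn.bak: $!";` close that gap. remove_blacklist writes back `$currentline` as returned by `read_a_line(1,1,0)`, and the Config.pm hunks show that routine handling INCLUDE, joining continuation lines and skipping blank lines, so the rewritten zones/interfaces/hosts files would presumably come back with includes expanded, continuations merged and blank lines dropped — worth confirming on a file that uses INCLUDE and worth a comment on the sub if that is accepted. Two smaller things: the heredoc header written into a new blrules still says `Shorewall version 5` while the configfiles/blrules hunk in this same commit corrects the template to `version 4`, and the `unless @rules` on the warning_message in the else branch is always true there and can be dropped.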
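Review bot: The new parameter is named `$upgrade` but the caller in Compiler.pm passes `$convert` (`add_common_rules( $convert )`), while Zones.pm's `$upgrade` receives `$update` from initialize_package_globals, so the same name stands for two different command-line flags in two modules. Renaming here to `my $convert = shift;` and testing `if ( $convert )` in the later hunk keeps the flag's identity visible end to end, and a comment on the signature, `# $_[0]: the --convert flag; run the legacy blacklist conversion instead of setup_blacklist`, would document the new contract. The body of add_common_rules runs past both hunks.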
@@ -221,8 +222,8 @@ my %validhostoptions; # 2. The compiler can run multiple times in the same process so it has to be # able to re-initialize its dependent modules' state. # -sub initialize( $ ) { - $family = shift; +sub initialize( $$ ) { + ( $family , $upgrade ) = @_; @zones = (); %zones = (); $firewall_zone = ''; diff --git a/Shorewall/Perl/compiler.pl b/Shorewall/Perl/compiler.pl index 0e599eb92..3c0ac4e2b 100755 --- a/Shorewall/Perl/compiler.pl +++ b/Shorewall/Perl/compiler.pl @@ -62,7 +62,8 @@ sub usage( $ ) { [ --preview ] [ --family={4|6} ] [ --annotate ] - [ --updatee ] + [ --update ] + [ --convert ] '; exit shift @_; @@ -86,6 +87,7 @@ my $family = 4; # F_IPV4 my $preview = 0; my $annotate = 0; my $update = 0; +my $convert = 0; Getopt::Long::Configure ('bundling'); @@ -115,6 +117,7 @@ my $result = GetOptions('h' => \$help, 'annotate' => \$annotate, 'u' => \$update, 'update' => \$update, + 'convert' => \$convert, ); usage(1) unless $result && @ARGV < 2; @@ -134,5 +137,6 @@ compiler( script => $ARGV[0] || '', family => $family, confess => $confess, update => $update, + convert => $convert, annotate => $annotate, ); diff --git a/Shorewall/configfiles/blrules b/Shorewall/configfiles/blrules index da2576927..53c0ac8f3 100644 --- a/Shorewall/configfiles/blrules +++ b/Shorewall/configfiles/blrules 
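Review bot: `$upgrade` is declared as a package lexical in the preceding hunk and assigned here from the second argument, but no line in the Zones.pm hunks reads it, so as far as this commit shows it is dead state. If a later change is meant to consume it, a comment on the declaration, `# set from the --update flag; not yet consumed (TODO)`, would explain why it exists; otherwise the extra parameter could wait until there is a use for it. Note also that Compiler.pm forwards `$update` into this slot, so `$upgrade` is a second name for that flag.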
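Review bot: `--convert` is accepted on its own, with nothing tying it to `--update`: GetOptions sets `$convert` and the options hash forwards it, so a direct `compiler.pl --convert` invocation would run the blacklist conversion — which renames and rewrites configuration files, per the Misc.pm hunks — in the middle of an otherwise ordinary compile. The shell front ends only set it from their update command, but the Perl entry point should enforce the pairing itself, e.g. `usage(1) if $convert && ! $update;` right after the existing `usage(1) unless $result && @ARGV < 2;`, and the usage text could mark the option as `[ --convert ]  (requires --update)`.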
@@ -1,12 +1,12 @@ # -# Shorewall version 5 - Blacklist Rules File +# Shorewall version 4 - Blacklist Rules File # # For information about entries in this file, type "man shorewall-blrules" # # Please see http://shorewall.net/blacklisting_support.htm for additional # information. # -###################################################################################################################################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH -# PORT PORT(S) DEST LIMIT GROUP +################################################################################################################################################################################################### +#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH +# PORT PORT(S) DEST LIMIT GROUP diff --git a/Shorewall/shorewall b/Shorewall/shorewall index c2fa9b017..03998778e 100755 --- a/Shorewall/shorewall +++ b/Shorewall/shorewall @@ -398,6 +398,7 @@ compiler() { [ -n "$g_refreshchains" ] && options="$options --refresh=$g_refreshchains" [ -n "$g_confess" ] && options="$options --confess" [ -n "$g_update" ] && options="$options --update" + [ -n "$g_convert" ] && options="$options --convert" [ -n "$g_annotate" ] && options="$options --annotate" if [ -n "$PERL" ]; then 
@@ -728,6 +729,94 @@ check_command() { compiler $g_debugging $nolock check } +# +# Update Command Executor +# +update_command() { + local finished + finished=0 + + g_update=Yes + + while [ $finished -eq 0 -a $# -gt 0 ]; do + option=$1 + case $option in + -*) + option=${option#-} + + while [ -n "$option" ]; do + case $option in + -) + finished=1 + option= + ;; + e*) + g_export=Yes + option=${option#e} + ;; + p*) + g_profile=Yes + option=${option#p} + ;; + d*) + g_debug=Yes; + option=${option#d} + ;; + r*) + g_preview=Yes + option=${option#r} + ;; + T*) + g_confess=Yes + option=${option#T} + ;; + a*) + g_annotate=Yes + option=${option#a} + ;; + b*) + g_convert=Yes + option=${option#b} + ;; + *) + usage 1 + ;; + esac + done + shift + ;; + *) + finished=1 + ;; + esac + done + + case $# in + 0) + ;; + 1) + [ -n "$SHOREWALL_DIR" ] && usage 2 + + if [ ! -d $1 ]; then + if [ -e $1 ]; then + echo "$1 is not a directory" >&2 && exit 2 + else + echo "Directory $1 does not exist" >&2 && exit 2 + fi + fi + + SHOREWALL_DIR=$(resolve_file $1) + ;; + *) + usage 1 + ;; + esac + + progress_message3 "Updating..." + + compiler $g_debugging $nolock check +} + # # Restart Command Executor # @@ -1431,6 +1520,8 @@ usage() # $1 = exit status echo " reset [ ... ]" echo " restart [ -n ] [ -p ] [-d] [ -f ] [ -c ][ ]" echo " restore [ -n ] [ ]" + echo " safe-restart [ ]" + echo " safe-start [ ]" echo " save [ ]" echo " show [ -x ] [ -t {filter|mangle|nat|raw|rawpost} ] [ {chain [ [ ... ]" echo " show actions" @@ -1451,13 +1542,11 @@ usage() # $1 = exit status echo " show vardir" echo " show zones" echo " start [ -f ] [ -n ] [ -p ] [ -c ] [ ]" - echo " stop" echo " status" + echo " stop" echo " try [ ]" + echo " update [ -b ] [ -r ] [ -T ] [ ]" echo " version [ -a ]" - echo " safe-start [ ]" - echo " safe-restart [ ]" - echo " update [ -e ] [ -d ] [ -p ] [ -r ] [ -T ] [ -a ] [ ]" echo exit $1 } @@ -1541,6 +1630,7 @@ g_export= g_refreshchains=:none: g_confess= g_update= +g_convert= g_annotate= # 
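Review bot: update_command tests its directory argument unquoted, `[ ! -d $1 ]` and `[ -e $1 ]`, so a path containing whitespace is split before the test; quoting them, `if [ ! -d "$1" ]; then` and `if [ -e "$1" ]; then`, and `SHOREWALL_DIR=$(resolve_file "$1")` keeps the argument intact (the loop looks copied from check_command, but new code need not repeat the pattern). The usage line added later in the file advertises only `-b -r -T` for update, while this option loop also accepts `e`, `p`, `d` and `a`; either list them or drop the cases so help text and parser agree.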
@@ -1751,8 +1841,7 @@ case "$COMMAND" in update) get_config Yes shift - g_update=Yes - check_command $@ + update_command $@ ;; show|list) get_config Yes No Yes diff --git a/Shorewall6/shorewall6 b/Shorewall6/shorewall6 index f7bcbd45f..1cba63cfa 100755 --- a/Shorewall6/shorewall6 +++ b/Shorewall6/shorewall6 @@ -398,6 +398,7 @@ compiler() { [ -n "$g_refreshchains" ] && options="$options --refresh=$g_refreshchains" [ -n "$g_confess" ] && options="$options --confess" [ -n "$g_update" ] && options="$options --update" + [ -n "$g_convert" ] && options="$options --convert" [ -n "$g_annotate" ] && options="$options --annotate" [ -x $pc ] || startup_error "Shorewall6 requires the shorewall package which is not installed" @@ -729,6 +730,92 @@ check_command() { compiler $g_debugging $nolock check } +# +# Update Command Executor +# +update_command() { + local finished + finished=0 + + while [ $finished -eq 0 -a $# -gt 0 ]; do + option=$1 + case $option in + -*) + option=${option#-} + + while [ -n "$option" ]; do + case $option in + -) + finished=1 + option= + ;; + e*) + g_export=Yes + option=${option#e} + ;; + p*) + g_profile=Yes + option=${option#p} + ;; + d*) + g_debug=Yes; + option=${option#d} + ;; + r*) + g_preview=Yes + option=${option#r} + ;; + T*) + g_confess=Yes + option=${option#T} + ;; + a*) + g_annotate=Yes + option=${option#a} + ;; + b*) + g_convert=Yes + option=${option#b} + ;; + *) + usage 1 + ;; + esac + done + shift + ;; + *) + finished=1 + ;; + esac + done + + case $# in + 0) + ;; + 1) + [ -n "$SHOREWALL_DIR" ] && usage 2 + + if [ ! -d $1 ]; then + if [ -e $1 ]; then + echo "$1 is not a directory" >&2 && exit 2 + else + echo "Directory $1 does not exist" >&2 && exit 2 + fi + fi + + SHOREWALL_DIR=$(resolve_file $1) + ;; + *) + usage 1 + ;; + esac + + progress_message3 "Updating..." + + compiler $g_debugging $nolock check +} + # # Restart Command Executor # 
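Review bot: shorewall6's update_command never sets `g_update=Yes`, while the `update)` case further down in this file removes the `g_update=Yes` that used to precede `check_command`; the Shorewall/shorewall version of the same function sets it right after `finished=0`, so the IPv6 front end will now invoke the compiler without `--update` and `shorewall6 update` presumably skips the shorewall6.conf update step even though `-b` still passes `--convert`. Adding `g_update=Yes` after `finished=0`, as in the IPv4 script, restores the flag. The unquoted `[ ! -d $1 ]` and `[ -e $1 ]` tests split paths that contain whitespace, as in the IPv4 copy, and `"$1"` would avoid that.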
@@ -1428,6 +1515,8 @@ usage() # $1 = exit status echo " reset [ ... ]" echo " restart [ -n ] [ -p ] [-d] [ -f ] [ -c ][ ]" echo " restore [ -n ] [ ]" + echo " safe-restart [ ]" + echo " safe-start [ ]" echo " save [ ]" echo " show [ -x ] [ -t {filter|mangle|nat} ] [ {chain [ [ ... ]" echo " show actions" @@ -1447,13 +1536,11 @@ usage() # $1 = exit status echo " show vardir" echo " show zones" echo " start [ -f ] [ -n ] [ -p ] [ -c ] [ ]" - echo " stop" echo " status" + echo " stop" echo " try [ ]" + echo " update [ -b ] [ -r ] [ -T ] [ ]" echo " version [ -a ]" - echo " safe-start [ ]" - echo " safe-restart [ ]" - echo " update [ -e ] [ -d ] [ -p ] [ -r ] [ -T ] [ -a ] [ ]" echo exit $1 } @@ -1537,6 +1624,7 @@ g_export= g_refreshchains=:none: g_confess= g_update= +g_convert= g_annotate= # @@ -1747,8 +1835,7 @@ case "$COMMAND" in update) get_config Yes shift - g_update=Yes - check_command $@ + update_command $@ ;; show|list) get_config Yes No Yes diff --git a/docs/blacklisting_support.xml b/docs/blacklisting_support.xml index 2d3361a58..f627a2058 100644 --- a/docs/blacklisting_support.xml +++ b/docs/blacklisting_support.xml @@ -72,11 +72,11 @@ Rule-based Blacklisting Beginning with Shorewall 4.4.25, the preferred method of - blacklisting and whitelisting is to use the BLACKLIST section of the rules - file. There you have access to the DROP, ACCEPT, REJECT and WHITELIST - actions, standard and custom macros as well as standard and custom - actions. See shorewall-rules (5) for + blacklisting and whitelisting is to use the blrules file (shorewall-blrules (5)). + There you have access to the DROP, ACCEPT, REJECT and WHITELIST actions, + standard and custom macros as well as standard and custom actions. See + shorewall-rules (5) for details. Example: 
@@ -95,29 +95,16 @@ DROP net:84.108.168.139 all DROP net:200.55.14.18 all - If you prefer to keep your blacklist rules in a separate file, - then: + Beginning with Shorewall 4.4.26, the update + command supports a option that causes your legacy + blacklisting configuration to use the blrules file. - - - create the separate file. - - - - copy the column headings from your rules file to the new - file. - - - - enter your blacklist rules into the new file. - - - - in the BLACKLIST section of your rules file, enter: - - INCLUDE name-of-new-file - - + + If you prefer to keep your blacklisting rules in your rules file + (shorewall-rules + (5)), you can place them in the BLACKLIST section of that file rather + than in blrules. +
diff --git a/manpages/shorewall.conf.xml b/manpages/shorewall.conf.xml index b1944954f..626f205fd 100644 --- a/manpages/shorewall.conf.xml +++ b/manpages/shorewall.conf.xml @@ -348,7 +348,8 @@ BLACKLIST_LOGLEVEL=debug). If you do not assign a value or if you assign an empty value then packets from blacklisted hosts are not logged. The BLACKLIST_LOGLEVEL setting has no effect on entries in - the BLACKLIST section of shorewall-blrules (5) file or in the + BLACKLIST section of shorewall-rules (5). @@ -360,8 +361,9 @@ When set to Yes or yes, blacklists are only consulted for new - connections. That includes entries in the BLACKLIST section of - shorewall-rules + connections. That includes entries in the shorewall-blrules (5) file and in the BLACKLIST + section of shorewall-rules (5). When set to No or - + - - @@ -1564,6 +1562,17 @@ shorewall.conf file to be annotated with documentation. + The option was added in Shorewall 4.4.26 + and causes legacy blacklisting rules (shorewall-blacklist (5) ) to + be converted to entries in the blrules file (shorewall-blrules (5) ). The + blacklist keyword is removed from shorewall-zones (5), shorewall-interfaces (5) and + shorewall-hosts (5). The + unmodified files are saved with a .bak suffix. + For a description of the other options, see the check command above. diff --git a/manpages6/shorewall6.conf.xml b/manpages6/shorewall6.conf.xml index df6cbae97..7e6931d86 100644 --- a/manpages6/shorewall6.conf.xml +++ b/manpages6/shorewall6.conf.xml @@ -262,8 +262,9 @@ be dropped or REJECT if the packets are to be replied with an ICMP port unreachable reply or a TCP RST (tcp only). If you do not assign a value or if you assign an empty value then DROP is assumed. The - BLACKLIST_DISPOSITION setting has no effect on entries in the - BLACKLIST section of shorewall-blrules (5) file or in the BLACKLIST + section of shorewall6-rules (5). 
@@ -279,7 +280,8 @@ BLACKLIST_LOGLEVEL=debug). If you do not assign a value or if you assign an empty value then packets from blacklisted hosts are not logged. The BLACKLIST_LOGLEVEL setting has no effect on entries in - the BLACKLIST section of shorewall-blrules (5) file and in the + BLACKLIST section of shorewall6-rules (5). @@ -291,9 +293,10 @@ When set to Yes or yes, blacklists are only consulted for new - connections. This includes entries in the BLACKLIST section of - shorewall6-rules - (5). + connections. This includes entries in the shorewall-blrules (5) file and in the BLACKLIST + section of shorewall6-rules (5). When set to No or no, blacklists are consulted for every packet diff --git a/manpages6/shorewall6.xml b/manpages6/shorewall6.xml index 78cff55e9..9911d2b34 100644 --- a/manpages6/shorewall6.xml +++ b/manpages6/shorewall6.xml @@ -529,12 +529,10 @@ - + - - @@ -1373,6 +1371,17 @@ shorewall6.conf file to be annotated with documentation. + The option was added in Shorewall 4.4.26 + and causes legacy blacklisting rules (shorewall6-blacklist (5) ) + to be converted to entries in the blrules file (shorewall6-blrules (5) ). The + blacklist keyword is removed from shorewall6-zones (5), shorewall-interfaces (5) + and shorewall6-hosts (5). + The unmodified files are saved with a .bak suffix. + For a description of the other options, see the check command above. 
@@ -1404,8 +1413,8 @@ shorewall6-accounting(5), shorewall6-actions(5), shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5), - shorewall6-maclist(5), shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5), - shorewall6-providers(5), shorewall6-route_rules(5), + shorewall6-maclist(5), shoewall6-netmap(5),shorewall6-params(5), + shorewall6-policy(5), shorewall6-providers(5), shorewall6-route_rules(5), shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5), shorewall6-tos(5), shorewall6-tunnels(5),