Allow convertion of a legacy blacklist configuration
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
parent
6108a9cad8
commit
d053faadde
@ -54,10 +54,10 @@ my $family;
|
|||||||
#
|
#
|
||||||
# Initilize the package-globals in the other modules
|
# Initilize the package-globals in the other modules
|
||||||
#
|
#
|
||||||
sub initialize_package_globals() {
|
sub initialize_package_globals( $ ) {
|
||||||
Shorewall::Config::initialize($family);
|
Shorewall::Config::initialize($family);
|
||||||
Shorewall::Chains::initialize ($family, 1, $export );
|
Shorewall::Chains::initialize ($family, 1, $export );
|
||||||
Shorewall::Zones::initialize ($family);
|
Shorewall::Zones::initialize ($family, shift);
|
||||||
Shorewall::Nat::initialize;
|
Shorewall::Nat::initialize;
|
||||||
Shorewall::Providers::initialize($family);
|
Shorewall::Providers::initialize($family);
|
||||||
Shorewall::Tc::initialize($family);
|
Shorewall::Tc::initialize($family);
|
||||||
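Review bot: The new argument of initialize_package_globals is consumed by a bare `shift` inside the Shorewall::Zones::initialize argument list, so nothing in the function says that the value is the compiler's `--update` flag, and the call relies on @_ still holding it at that point. Naming it first, `my $upgrade = shift;` and then `Shorewall::Zones::initialize ($family, $upgrade);`, keeps the intent readable. Only the Zones module receives the flag; the header comment ("Initilize the package-globals", which also has a typo) could say so.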
@ -525,8 +525,8 @@ EOF
|
|||||||
#
|
#
|
||||||
sub compiler {
|
sub compiler {
|
||||||
|
|
||||||
my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity, $preview, $confess , $update , $annotate ) =
|
my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity, $preview, $confess , $update , $annotate , $convert ) =
|
||||||
( '', '', -1, '', 0, '', '', -1, 0, 0, 0, 0, );
|
( '', '', -1, '', 0, '', '', -1, 0, 0, 0, 0, , 0 );
|
||||||
|
|
||||||
$export = 0;
|
$export = 0;
|
||||||
$test = 0;
|
$test = 0;
|
||||||
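Review bot: The new initializer list in compiler() contains an empty element, `0, 0, 0, 0, , 0`, which Perl silently drops, so it still pairs with the thirteen variables but reads like a slip and will mislead the next person who counts positions. Write it as `( '', '', -1, '', 0, '', '', -1, 0, 0, 0, 0, 0 );`. The positional pairing between the two lines is only checked by eye, so a comment naming the new slot, `# $convert`, would also help.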
@ -561,6 +561,7 @@ sub compiler {
|
|||||||
preview => { store => \$preview, validate=> \&validate_boolean } ,
|
preview => { store => \$preview, validate=> \&validate_boolean } ,
|
||||||
confess => { store => \$confess, validate=> \&validate_boolean } ,
|
confess => { store => \$confess, validate=> \&validate_boolean } ,
|
||||||
update => { store => \$update, validate=> \&validate_boolean } ,
|
update => { store => \$update, validate=> \&validate_boolean } ,
|
||||||
|
convert => { store => \$convert, validate=> \&validate_boolean } ,
|
||||||
annotate => { store => \$annotate, validate=> \&validate_boolean } ,
|
annotate => { store => \$annotate, validate=> \&validate_boolean } ,
|
||||||
);
|
);
|
||||||
#
|
#
|
||||||
@ -579,7 +580,7 @@ sub compiler {
|
|||||||
#
|
#
|
||||||
# Now that we know the address family (IPv4/IPv6), we can initialize the other modules' globals
|
# Now that we know the address family (IPv4/IPv6), we can initialize the other modules' globals
|
||||||
#
|
#
|
||||||
initialize_package_globals;
|
initialize_package_globals( $update );
|
||||||
|
|
||||||
if ( $directory ne '' ) {
|
if ( $directory ne '' ) {
|
||||||
fatal_error "$directory is not an existing directory" unless -d $directory;
|
fatal_error "$directory is not an existing directory" unless -d $directory;
|
||||||
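Review bot: `initialize_package_globals( $update )` hands the `--update` flag down to Shorewall::Zones::initialize, while the later `add_common_rules( $convert )` (hunk @ -673,7 +674,7) gates the blacklist conversion on the separate `--convert` flag, and the Zones hunk (@ -221,8 +222,8) stores the value under the name `$upgrade`. What Zones does with `$upgrade` is outside these hunks; if it is meant to accompany the conversion it should probably receive `$convert` (or `$update || $convert`), so please confirm which flag it is supposed to track. A comment above the call naming the flag being passed, `# tell Zones this is an update run`, would make the pairing explicit either way.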
@ -673,7 +674,7 @@ sub compiler {
|
|||||||
#
|
#
|
||||||
# Do all of the zone-independent stuff (mostly /proc)
|
# Do all of the zone-independent stuff (mostly /proc)
|
||||||
#
|
#
|
||||||
add_common_rules;
|
add_common_rules( $convert );
|
||||||
#
|
#
|
||||||
# More /proc
|
# More /proc
|
||||||
#
|
#
|
||||||
|
@ -1268,7 +1268,7 @@ sub set_debug( $$ ) {
|
|||||||
#
|
#
|
||||||
sub find_file($)
|
sub find_file($)
|
||||||
{
|
{
|
||||||
my $filename=$_[0];
|
my ( $filename, $nosearch ) = @_;
|
||||||
|
|
||||||
return $filename if $filename =~ '/';
|
return $filename if $filename =~ '/';
|
||||||
|
|
||||||
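Review bot: find_file now unpacks a second argument, `my ( $filename, $nosearch ) = @_;`, but its prototype is still `($)`, so any parenthesised two-argument call is a compile-time "Too many arguments" error, and `$nosearch` is not referenced anywhere in the visible lines. Either extend the prototype, `sub find_file($;$)`, and actually use the flag, or keep the single-argument unpacking. The second find_file hunk (@ -1279,7 +1279,7) also changes the fallback to `"$config_path[0]$filename"`, which joins without a separator and therefore relies on every @config_path entry ending in '/'; that invariant is not visible here, so confirm it or join with an explicit '/'.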
@ -1279,7 +1279,7 @@ sub find_file($)
|
|||||||
return $file if -f $file;
|
return $file if -f $file;
|
||||||
}
|
}
|
||||||
|
|
||||||
"$globals{CONFDIR}/$filename";
|
"$config_path[0]$filename";
|
||||||
}
|
}
|
||||||
|
|
||||||
sub split_list( $$ ) {
|
sub split_list( $$ ) {
|
||||||
@ -1949,9 +1949,10 @@ sub expand_variables( \$ ) {
|
|||||||
# - Handle INCLUDE <filename>
|
# - Handle INCLUDE <filename>
|
||||||
#
|
#
|
||||||
|
|
||||||
sub read_a_line(;$$) {
|
sub read_a_line(;$$$) {
|
||||||
my $embedded_enabled = defined $_[0] ? shift : 1;
|
my $embedded_enabled = defined $_[0] ? shift : 1;
|
||||||
my $expand_variables = defined $_[0] ? shift : 1;
|
my $expand_variables = defined $_[0] ? shift : 1;
|
||||||
|
my $strip_comments = defined $_[0] ? shift : 1;
|
||||||
|
|
||||||
while ( $currentfile ) {
|
while ( $currentfile ) {
|
||||||
|
|
||||||
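Review bot: read_a_line gains a third positional flag, `$strip_comments`, but the header comment above the sub that lists what the reader does is not updated, and a bare `read_a_line(1,1,0)` at the call site gives no hint what the 0 means. Add a line to that header block, `# - Strip trailing and concatenated comments unless the third argument ($strip_comments) is false (default 1)`. The two later hunks (@ -1971 and @ -1979) apply the flag consistently; presumably a comment-only line is then no longer reduced to blank and is returned to the caller, which is what remove_blacklist wants but which other callers should not enable by accident.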
@ -1971,7 +1972,7 @@ sub read_a_line(;$$) {
|
|||||||
# If this isn't a continued line, remove trailing comments. Note that
|
# If this isn't a continued line, remove trailing comments. Note that
|
||||||
# the result may now end in '\'.
|
# the result may now end in '\'.
|
||||||
#
|
#
|
||||||
s/\s*#.*$// unless /\\$/;
|
s/\s*#.*$// if $strip_comments && ! /\\$/;
|
||||||
#
|
#
|
||||||
# Continuation
|
# Continuation
|
||||||
#
|
#
|
||||||
@ -1979,7 +1980,7 @@ sub read_a_line(;$$) {
|
|||||||
#
|
#
|
||||||
# Now remove concatinated comments
|
# Now remove concatinated comments
|
||||||
#
|
#
|
||||||
$currentline =~ s/#.*$//;
|
$currentline =~ s/#.*$// if $strip_comments;
|
||||||
#
|
#
|
||||||
# Ignore ( concatenated ) Blank Lines
|
# Ignore ( concatenated ) Blank Lines
|
||||||
#
|
#
|
||||||
@ -3126,7 +3127,7 @@ EOF
|
|||||||
progress_message3 "No update required to configuration file $configfile; $configfile.b";
|
progress_message3 "No update required to configuration file $configfile; $configfile.b";
|
||||||
}
|
}
|
||||||
|
|
||||||
exit 0;
|
exit 0 unless -f find_file 'blacklist';
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
fatal_error "$fn does not exist";
|
fatal_error "$fn does not exist";
|
||||||
|
@ -348,6 +348,239 @@ sub setup_blacklist() {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Remove instances of 'blacklist' from the passed file.
|
||||||
|
#
|
||||||
|
sub remove_blacklist( $ ) {
|
||||||
|
my $file = shift;
|
||||||
|
|
||||||
|
my $fn = find_file $file;
|
||||||
|
|
||||||
|
assert( -f $fn );
|
||||||
|
|
||||||
|
my $oldfile = open_file $fn;
|
||||||
|
my $newfile;
|
||||||
|
my $changed;
|
||||||
|
|
||||||
|
open $newfile, '>', "$fn.new" or fatal_error "Unable to open $fn.new for output: $!";
|
||||||
|
|
||||||
|
while ( read_a_line(1,1,0) ) {
|
||||||
|
my ( $rule, $comment ) = split '#', $currentline, 2;
|
||||||
|
|
||||||
|
if ( $rule =~ /blacklist/ ) {
|
||||||
|
$changed = 1;
|
||||||
|
|
||||||
|
if ( $comment ) {
|
||||||
|
$comment =~ s/^/ / while $rule =~ s/blacklist,//;
|
||||||
|
$rule =~ s/blacklist/ /g;
|
||||||
|
$currentline = join( '#', $rule, $comment );
|
||||||
|
} else {
|
||||||
|
$currentline =~ s/blacklist/ /g;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
print $newfile "$currentline\n";
|
||||||
|
}
|
||||||
|
|
||||||
|
close $newfile;
|
||||||
|
|
||||||
|
if ( $changed ) {
|
||||||
|
rename $fn, "$fn.bak" or fatal_error "Unable to rename $fn to $fn.bak: $!";
|
||||||
|
rename "$fn.new", $fn or fatal_error "Unable to rename $fn.new to $fn: $!";
|
||||||
|
progress_message2 "\u$file file $fn saved in $fn.bak"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Convert a pre-4.4.25 blacklist to a 4.4.25 blacklist
|
||||||
|
#
|
||||||
|
sub convert_blacklist() {
|
||||||
|
my $zones = find_zones_by_option 'blacklist', 'in';
|
||||||
|
my $zones1 = find_zones_by_option 'blacklist', 'out';
|
||||||
|
my $chainref;
|
||||||
|
my $chainref1;
|
||||||
|
my ( $level, $disposition ) = @config{'BLACKLIST_LOGLEVEL', 'BLACKLIST_DISPOSITION' };
|
||||||
|
my $audit = $disposition =~ /^A_/;
|
||||||
|
my $target = $disposition eq 'REJECT' ? 'reject' : $disposition;
|
||||||
|
my $orig_target = $target;
|
||||||
|
my @rules;
|
||||||
|
|
||||||
|
if ( @$zones || @$zones1 ) {
|
||||||
|
if ( supplied $level ) {
|
||||||
|
my $logchainref = new_standard_chain 'blacklog';
|
||||||
|
|
||||||
|
$target =~ s/A_//;
|
||||||
|
$target = 'reject' if $target eq 'REJECT';
|
||||||
|
|
||||||
|
log_rule_limit( $level , $logchainref , 'blacklst' , $disposition , "$globals{LOGLIMIT}" , '', 'add', '' );
|
||||||
|
|
||||||
|
add_ijump( $logchainref, j => 'AUDIT', targetopts => '--type ' . lc $target ) if $audit;
|
||||||
|
add_ijump( $logchainref, g => $target );
|
||||||
|
|
||||||
|
$target = 'blacklog';
|
||||||
|
} elsif ( $audit ) {
|
||||||
|
require_capability 'AUDIT_TARGET', "BLACKLIST_DISPOSITION=$disposition", 's';
|
||||||
|
$target = verify_audit( $disposition );
|
||||||
|
}
|
||||||
|
|
||||||
|
my $fn = open_file 'blacklist';
|
||||||
|
|
||||||
|
assert $fn;
|
||||||
|
|
||||||
|
first_entry "Converting $fn...";
|
||||||
|
|
||||||
|
while ( read_a_line ) {
|
||||||
|
my ( $networks, $protocol, $ports, $options ) = split_line 'blacklist file', { networks => 0, proto => 1, port => 2, options => 3 };
|
||||||
|
|
||||||
|
if ( $options eq '-' ) {
|
||||||
|
$options = 'src';
|
||||||
|
} elsif ( $options eq 'audit' ) {
|
||||||
|
$options = 'audit,src';
|
||||||
|
}
|
||||||
|
|
||||||
|
my ( $to, $from, $whitelist, $auditone ) = ( 0, 0, 0, 0 );
|
||||||
|
|
||||||
|
my @options = split_list $options, 'option';
|
||||||
|
|
||||||
|
for ( @options ) {
|
||||||
|
$whitelist++ if $_ eq 'whitelist';
|
||||||
|
$auditone++ if $_ eq 'audit';
|
||||||
|
}
|
||||||
|
|
||||||
|
warning_message "Duplicate 'whitelist' option ignored" if $whitelist > 1;
|
||||||
|
|
||||||
|
my $tgt = $whitelist ? 'RETURN' : $target;
|
||||||
|
|
||||||
|
if ( $auditone ) {
|
||||||
|
fatal_error "'audit' not allowed in whitelist entries" if $whitelist;
|
||||||
|
|
||||||
|
if ( $audit ) {
|
||||||
|
warning_message "Superfluous 'audit' option ignored";
|
||||||
|
} else {
|
||||||
|
warning_message "Duplicate 'audit' option ignored" if $auditone > 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
$tgt = verify_audit( 'A_' . $target, $orig_target, $target );
|
||||||
|
}
|
||||||
|
|
||||||
|
for ( @options ) {
|
||||||
|
if ( $_ =~ /^(?:src|from)$/ ) {
|
||||||
|
if ( $from++ ) {
|
||||||
|
warning_message "Duplicate 'src' ignored";
|
||||||
|
} else {
|
||||||
|
if ( @$zones ) {
|
||||||
|
push @rules, [ 'src', $tgt, $networks, $protocol, $ports ];
|
||||||
|
} else {
|
||||||
|
warning_message '"src" entry ignored because there are no "blacklist in" zones';
|
||||||
|
}
|
||||||
|
}
|
||||||
|
} elsif ( $_ =~ /^(?:dst|to)$/ ) {
|
||||||
|
if ( $to++ ) {
|
||||||
|
warning_message "Duplicate 'dst' ignored";
|
||||||
|
} else {
|
||||||
|
if ( @$zones1 ) {
|
||||||
|
push @rules, [ 'dst', $tgt, $networks, $protocol, $ports ];
|
||||||
|
} else {
|
||||||
|
warning_message '"dst" entry ignored because there are no "blacklist out" zones';
|
||||||
|
}
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
fatal_error "Invalid blacklist option($_)" unless $_ eq 'whitelist' || $_ eq 'audit';
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if ( @rules ) {
|
||||||
|
my $fn1 = find_file( 'blrules' );
|
||||||
|
my $blrules;
|
||||||
|
my $date = localtime;
|
||||||
|
|
||||||
|
if ( -f $fn1 ) {
|
||||||
|
open $blrules, '>>', $fn1 or fatal_error "Unable to open $fn1: $!";
|
||||||
|
} else {
|
||||||
|
open $blrules, '>', $fn1 or fatal_error "Unable to open $fn1: $!";
|
||||||
|
print $blrules <<'EOF';
|
||||||
|
#
|
||||||
|
# Shorewall version 5 - Blacklist Rules File
|
||||||
|
#
|
||||||
|
# For information about entries in this file, type "man shorewall-blrules"
|
||||||
|
#
|
||||||
|
# Please see http://shorewall.net/blacklisting_support.htm for additional
|
||||||
|
# information.
|
||||||
|
#
|
||||||
|
###################################################################################################################################################################################################
|
||||||
|
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH
|
||||||
|
# PORT PORT(S) DEST LIMIT GROUP
|
||||||
|
EOF
|
||||||
|
}
|
||||||
|
|
||||||
|
print( $blrules
|
||||||
|
"#\n" ,
|
||||||
|
"# Rules generated from blacklist file $fn by Shorewall $globals{VERSION} - $date\n" ,
|
||||||
|
"#\n" );
|
||||||
|
|
||||||
|
for ( @rules ) {
|
||||||
|
my ( $srcdst, $tgt, $networks, $protocols, $ports ) = @$_;
|
||||||
|
|
||||||
|
if ( $level ) {
|
||||||
|
$tgt .= ":$level\t";
|
||||||
|
} else {
|
||||||
|
$tgt .= "\t\t";
|
||||||
|
}
|
||||||
|
|
||||||
|
my $list = $srcdst eq 'src' ? $zones : $zones1;
|
||||||
|
|
||||||
|
for my $zone ( @$list ) {
|
||||||
|
my $rule = $tgt;
|
||||||
|
|
||||||
|
if ( $srcdst eq 'src' ) {
|
||||||
|
if ( $networks ne '-' ) {
|
||||||
|
$rule .= "$zone:$networks\tall\t\t";
|
||||||
|
} else {
|
||||||
|
$rule .= "$zone\t\t\tall\t\t";
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
if ( $networks ne '-' ) {
|
||||||
|
$rule .= "all\t\t\t$zone:$networks\t";
|
||||||
|
} else {
|
||||||
|
$rule .= "all\t\t\t$zone\t\t\t";
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
$rule .= "\t$protocols" if $protocols ne '-';
|
||||||
|
$rule .= "\t$ports" if $ports ne '-';
|
||||||
|
|
||||||
|
print $blrules "$rule\n";
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
close $blrules;
|
||||||
|
} else {
|
||||||
|
warning_message q(There are interfaces or zones with the 'blacklist' option but the 'blacklist' file is empty) unless @rules;
|
||||||
|
}
|
||||||
|
|
||||||
|
rename $fn, "$fn.bak";
|
||||||
|
|
||||||
|
progress_message2 "Blacklist file $fn saved in $fn.bak";
|
||||||
|
|
||||||
|
for my $file ( qw(zones interfaces hosts) ) {
|
||||||
|
remove_blacklist $file;
|
||||||
|
}
|
||||||
|
|
||||||
|
progress_message2 "Blacklist successfully converted";
|
||||||
|
|
||||||
|
return 1;
|
||||||
|
} else {
|
||||||
|
my $fn = find_file 'blacklist';
|
||||||
|
if ( -f $fn ) {
|
||||||
|
rename $fn, "$fn.bak" or fatal_error "Unable to rename $fn to $fn.bak: $!";
|
||||||
|
warning_message "No zones have the blacklist option - the blacklist file was saved in $fn.bak";
|
||||||
|
}
|
||||||
|
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
sub process_routestopped() {
|
sub process_routestopped() {
|
||||||
|
|
||||||
if ( my $fn = open_file 'routestopped' ) {
|
if ( my $fn = open_file 'routestopped' ) {
|
||||||
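Review bot: remove_blacklist rewrites the zones, interfaces and hosts files from what `read_a_line(1,1,0)` returns, and with the first two arguments true that reader expands variables and embedded scripts, joins continuation lines and (per its header comment) follows INCLUDE, so the text written back to `$fn` is the preprocessed form rather than the user's original lines — the conversion flattens the configuration of any file that mentioned 'blacklist'. A plain line-by-line read of `$fn`, or `read_a_line(0,0,0)` if that disables the rewriting (not visible here), would keep the edit limited to the 'blacklist' tokens. The replacement is also created under the process umask and renamed over the original without copying its mode, `$fn.new` is left behind when nothing changed, and `close $newfile` and the `rename $fn, "$fn.bak"` in convert_blacklist are unchecked while the neighbouring renames use `or fatal_error`. Separately, the heredoc header written to a new blrules file says "Shorewall version 5" while the blrules template changed in this same commit (@ -1,12 +1,12) now says "version 4", and the `unless @rules` on the warning in the else branch is always true.
```perl
    # … unchanged: read_a_line loop rewriting $currentline into $newfile …

    close $newfile or fatal_error "Unable to close $fn.new: $!";

    if ( $changed ) {
        # keep the original file's permission bits on the replacement
        chmod( ( stat $fn )[2] & 07777, "$fn.new" ) or fatal_error "Unable to chmod $fn.new: $!";
        rename $fn, "$fn.bak" or fatal_error "Unable to rename $fn to $fn.bak: $!";
        rename "$fn.new", $fn or fatal_error "Unable to rename $fn.new to $fn: $!";
        progress_message2 "\u$file file $fn saved in $fn.bak";
    } else {
        unlink "$fn.new";
    }
```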
@ -473,7 +706,8 @@ sub process_routestopped() {
|
|||||||
|
|
||||||
sub setup_mss();
|
sub setup_mss();
|
||||||
|
|
||||||
sub add_common_rules() {
|
sub add_common_rules ( $ ) {
|
||||||
|
my $upgrade = shift;
|
||||||
my $interface;
|
my $interface;
|
||||||
my $chainref;
|
my $chainref;
|
||||||
my $target;
|
my $target;
|
||||||
@ -594,7 +828,11 @@ sub add_common_rules() {
|
|||||||
|
|
||||||
run_user_exit1 'initdone';
|
run_user_exit1 'initdone';
|
||||||
|
|
||||||
setup_blacklist;
|
if ( $upgrade ) {
|
||||||
|
exit 0 unless convert_blacklist;
|
||||||
|
} else {
|
||||||
|
setup_blacklist;
|
||||||
|
}
|
||||||
|
|
||||||
$list = find_hosts_by_option 'nosmurfs';
|
$list = find_hosts_by_option 'nosmurfs';
|
||||||
|
|
||||||
|
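Review bot: `exit 0 unless convert_blacklist;` terminates the process from inside add_common_rules, so compiler() never regains control to finish or clean up whatever it set up before this call (its handling is outside the hunk). If add_common_rules' return value is not already relied on, returning a status, `return 0 unless convert_blacklist;`, and letting compiler() decide keeps the exit decision in one place. The parameter is named `$upgrade` here while the caller passes `$convert` (hunk @ -673,7 +674,7); using one name for the flag would avoid confusion with the separate `--update` flag.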
@ -177,6 +177,7 @@ my %physical;
|
|||||||
my %basemap;
|
my %basemap;
|
||||||
my %mapbase;
|
my %mapbase;
|
||||||
my $family;
|
my $family;
|
||||||
|
my $upgrade;
|
||||||
my $have_ipsec;
|
my $have_ipsec;
|
||||||
my $baseseq;
|
my $baseseq;
|
||||||
my $minroot;
|
my $minroot;
|
||||||
@ -221,8 +222,8 @@ my %validhostoptions;
|
|||||||
# 2. The compiler can run multiple times in the same process so it has to be
|
# 2. The compiler can run multiple times in the same process so it has to be
|
||||||
# able to re-initialize its dependent modules' state.
|
# able to re-initialize its dependent modules' state.
|
||||||
#
|
#
|
||||||
sub initialize( $ ) {
|
sub initialize( $$ ) {
|
||||||
$family = shift;
|
( $family , $upgrade ) = @_;
|
||||||
@zones = ();
|
@zones = ();
|
||||||
%zones = ();
|
%zones = ();
|
||||||
$firewall_zone = '';
|
$firewall_zone = '';
|
||||||
|
@ -62,7 +62,8 @@ sub usage( $ ) {
|
|||||||
[ --preview ]
|
[ --preview ]
|
||||||
[ --family={4|6} ]
|
[ --family={4|6} ]
|
||||||
[ --annotate ]
|
[ --annotate ]
|
||||||
[ --updatee ]
|
[ --update ]
|
||||||
|
[ --convert ]
|
||||||
';
|
';
|
||||||
|
|
||||||
exit shift @_;
|
exit shift @_;
|
||||||
@ -86,6 +87,7 @@ my $family = 4; # F_IPV4
|
|||||||
my $preview = 0;
|
my $preview = 0;
|
||||||
my $annotate = 0;
|
my $annotate = 0;
|
||||||
my $update = 0;
|
my $update = 0;
|
||||||
|
my $convert = 0;
|
||||||
|
|
||||||
Getopt::Long::Configure ('bundling');
|
Getopt::Long::Configure ('bundling');
|
||||||
|
|
||||||
@ -115,6 +117,7 @@ my $result = GetOptions('h' => \$help,
|
|||||||
'annotate' => \$annotate,
|
'annotate' => \$annotate,
|
||||||
'u' => \$update,
|
'u' => \$update,
|
||||||
'update' => \$update,
|
'update' => \$update,
|
||||||
|
'convert' => \$convert,
|
||||||
);
|
);
|
||||||
|
|
||||||
usage(1) unless $result && @ARGV < 2;
|
usage(1) unless $result && @ARGV < 2;
|
||||||
@ -134,5 +137,6 @@ compiler( script => $ARGV[0] || '',
|
|||||||
family => $family,
|
family => $family,
|
||||||
confess => $confess,
|
confess => $confess,
|
||||||
update => $update,
|
update => $update,
|
||||||
|
convert => $convert,
|
||||||
annotate => $annotate,
|
annotate => $annotate,
|
||||||
);
|
);
|
||||||
|
@ -1,12 +1,12 @@
|
|||||||
#
|
#
|
||||||
# Shorewall version 5 - Blacklist Rules File
|
# Shorewall version 4 - Blacklist Rules File
|
||||||
#
|
#
|
||||||
# For information about entries in this file, type "man shorewall-blrules"
|
# For information about entries in this file, type "man shorewall-blrules"
|
||||||
#
|
#
|
||||||
# Please see http://shorewall.net/blacklisting_support.htm for additional
|
# Please see http://shorewall.net/blacklisting_support.htm for additional
|
||||||
# information.
|
# information.
|
||||||
#
|
#
|
||||||
######################################################################################################################################################################################
|
###################################################################################################################################################################################################
|
||||||
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH
|
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH
|
||||||
# PORT PORT(S) DEST LIMIT GROUP
|
# PORT PORT(S) DEST LIMIT GROUP
|
||||||
|
|
||||||
|
@ -398,6 +398,7 @@ compiler() {
|
|||||||
[ -n "$g_refreshchains" ] && options="$options --refresh=$g_refreshchains"
|
[ -n "$g_refreshchains" ] && options="$options --refresh=$g_refreshchains"
|
||||||
[ -n "$g_confess" ] && options="$options --confess"
|
[ -n "$g_confess" ] && options="$options --confess"
|
||||||
[ -n "$g_update" ] && options="$options --update"
|
[ -n "$g_update" ] && options="$options --update"
|
||||||
|
[ -n "$g_convert" ] && options="$options --convert"
|
||||||
[ -n "$g_annotate" ] && options="$options --annotate"
|
[ -n "$g_annotate" ] && options="$options --annotate"
|
||||||
|
|
||||||
if [ -n "$PERL" ]; then
|
if [ -n "$PERL" ]; then
|
||||||
@ -728,6 +729,94 @@ check_command() {
|
|||||||
compiler $g_debugging $nolock check
|
compiler $g_debugging $nolock check
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Update Command Executor
|
||||||
|
#
|
||||||
|
update_command() {
|
||||||
|
local finished
|
||||||
|
finished=0
|
||||||
|
|
||||||
|
g_update=Yes
|
||||||
|
|
||||||
|
while [ $finished -eq 0 -a $# -gt 0 ]; do
|
||||||
|
option=$1
|
||||||
|
case $option in
|
||||||
|
-*)
|
||||||
|
option=${option#-}
|
||||||
|
|
||||||
|
while [ -n "$option" ]; do
|
||||||
|
case $option in
|
||||||
|
-)
|
||||||
|
finished=1
|
||||||
|
option=
|
||||||
|
;;
|
||||||
|
e*)
|
||||||
|
g_export=Yes
|
||||||
|
option=${option#e}
|
||||||
|
;;
|
||||||
|
p*)
|
||||||
|
g_profile=Yes
|
||||||
|
option=${option#p}
|
||||||
|
;;
|
||||||
|
d*)
|
||||||
|
g_debug=Yes;
|
||||||
|
option=${option#d}
|
||||||
|
;;
|
||||||
|
r*)
|
||||||
|
g_preview=Yes
|
||||||
|
option=${option#r}
|
||||||
|
;;
|
||||||
|
T*)
|
||||||
|
g_confess=Yes
|
||||||
|
option=${option#T}
|
||||||
|
;;
|
||||||
|
a*)
|
||||||
|
g_annotate=Yes
|
||||||
|
option=${option#a}
|
||||||
|
;;
|
||||||
|
b*)
|
||||||
|
g_convert=Yes
|
||||||
|
option=${option#b}
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
usage 1
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
done
|
||||||
|
shift
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
finished=1
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
done
|
||||||
|
|
||||||
|
case $# in
|
||||||
|
0)
|
||||||
|
;;
|
||||||
|
1)
|
||||||
|
[ -n "$SHOREWALL_DIR" ] && usage 2
|
||||||
|
|
||||||
|
if [ ! -d $1 ]; then
|
||||||
|
if [ -e $1 ]; then
|
||||||
|
echo "$1 is not a directory" >&2 && exit 2
|
||||||
|
else
|
||||||
|
echo "Directory $1 does not exist" >&2 && exit 2
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
SHOREWALL_DIR=$(resolve_file $1)
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
usage 1
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
|
||||||
|
progress_message3 "Updating..."
|
||||||
|
|
||||||
|
compiler $g_debugging $nolock check
|
||||||
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
# Restart Command Executor
|
# Restart Command Executor
|
||||||
#
|
#
|
||||||
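Review bot: In update_command the directory argument is used unquoted in `[ ! -d $1 ]`, `[ -e $1 ]` and `resolve_file $1`, so a path containing whitespace or glob characters is word-split before the test; quote them as `"$1"` (the same lines appear in the second update_command copy, hunk @ -729,6 +730,92). `option` is assigned without `local` while `finished` is declared local, so the loop leaves its last value in the caller's scope. The usage text in @ -1451,13 +1542,11 advertises `update [ -b ] [ -r ] [ -T ]` while this function also accepts -e, -p, -d and -a, and the manpage hunk drops -e and -p; the three should agree on one option set.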
@ -1431,6 +1520,8 @@ usage() # $1 = exit status
|
|||||||
echo " reset [ <chain> ... ]"
|
echo " reset [ <chain> ... ]"
|
||||||
echo " restart [ -n ] [ -p ] [-d] [ -f ] [ -c ][ <directory> ]"
|
echo " restart [ -n ] [ -p ] [-d] [ -f ] [ -c ][ <directory> ]"
|
||||||
echo " restore [ -n ] [ <file name> ]"
|
echo " restore [ -n ] [ <file name> ]"
|
||||||
|
echo " safe-restart [ <directory> ]"
|
||||||
|
echo " safe-start [ <directory> ]"
|
||||||
echo " save [ <file name> ]"
|
echo " save [ <file name> ]"
|
||||||
echo " show [ -x ] [ -t {filter|mangle|nat|raw|rawpost} ] [ {chain [<chain> [ <chain> ... ]"
|
echo " show [ -x ] [ -t {filter|mangle|nat|raw|rawpost} ] [ {chain [<chain> [ <chain> ... ]"
|
||||||
echo " show actions"
|
echo " show actions"
|
||||||
@ -1451,13 +1542,11 @@ usage() # $1 = exit status
|
|||||||
echo " show vardir"
|
echo " show vardir"
|
||||||
echo " show zones"
|
echo " show zones"
|
||||||
echo " start [ -f ] [ -n ] [ -p ] [ -c ] [ <directory> ]"
|
echo " start [ -f ] [ -n ] [ -p ] [ -c ] [ <directory> ]"
|
||||||
echo " stop"
|
|
||||||
echo " status"
|
echo " status"
|
||||||
|
echo " stop"
|
||||||
echo " try <directory> [ <timeout> ]"
|
echo " try <directory> [ <timeout> ]"
|
||||||
|
echo " update [ -b ] [ -r ] [ -T ] [ <directory> ]"
|
||||||
echo " version [ -a ]"
|
echo " version [ -a ]"
|
||||||
echo " safe-start [ <directory> ]"
|
|
||||||
echo " safe-restart [ <directory> ]"
|
|
||||||
echo " update [ -e ] [ -d ] [ -p ] [ -r ] [ -T ] [ -a ] [ <directory> ]"
|
|
||||||
echo
|
echo
|
||||||
exit $1
|
exit $1
|
||||||
}
|
}
|
||||||
@ -1541,6 +1630,7 @@ g_export=
|
|||||||
g_refreshchains=:none:
|
g_refreshchains=:none:
|
||||||
g_confess=
|
g_confess=
|
||||||
g_update=
|
g_update=
|
||||||
|
g_convert=
|
||||||
g_annotate=
|
g_annotate=
|
||||||
|
|
||||||
#
|
#
|
||||||
@ -1751,8 +1841,7 @@ case "$COMMAND" in
|
|||||||
update)
|
update)
|
||||||
get_config Yes
|
get_config Yes
|
||||||
shift
|
shift
|
||||||
g_update=Yes
|
update_command $@
|
||||||
check_command $@
|
|
||||||
;;
|
;;
|
||||||
show|list)
|
show|list)
|
||||||
get_config Yes No Yes
|
get_config Yes No Yes
|
||||||
|
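Review bot: `update_command $@` passes the remaining arguments unquoted, so a directory operand with spaces is split before update_command sees it; write `update_command "$@"` (same at the second dispatch arm, hunk @ -1747,8 +1835,7). The `g_update=Yes` removed from this arm is re-added inside the first update_command copy (@ -728,6 +729,94), so behaviour is preserved for that script.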
@ -398,6 +398,7 @@ compiler() {
|
|||||||
[ -n "$g_refreshchains" ] && options="$options --refresh=$g_refreshchains"
|
[ -n "$g_refreshchains" ] && options="$options --refresh=$g_refreshchains"
|
||||||
[ -n "$g_confess" ] && options="$options --confess"
|
[ -n "$g_confess" ] && options="$options --confess"
|
||||||
[ -n "$g_update" ] && options="$options --update"
|
[ -n "$g_update" ] && options="$options --update"
|
||||||
|
[ -n "$g_convert" ] && options="$options --convert"
|
||||||
[ -n "$g_annotate" ] && options="$options --annotate"
|
[ -n "$g_annotate" ] && options="$options --annotate"
|
||||||
[ -x $pc ] || startup_error "Shorewall6 requires the shorewall package which is not installed"
|
[ -x $pc ] || startup_error "Shorewall6 requires the shorewall package which is not installed"
|
||||||
|
|
||||||
@ -729,6 +730,92 @@ check_command() {
|
|||||||
compiler $g_debugging $nolock check
|
compiler $g_debugging $nolock check
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Update Command Executor
|
||||||
|
#
|
||||||
|
update_command() {
|
||||||
|
local finished
|
||||||
|
finished=0
|
||||||
|
|
||||||
|
while [ $finished -eq 0 -a $# -gt 0 ]; do
|
||||||
|
option=$1
|
||||||
|
case $option in
|
||||||
|
-*)
|
||||||
|
option=${option#-}
|
||||||
|
|
||||||
|
while [ -n "$option" ]; do
|
||||||
|
case $option in
|
||||||
|
-)
|
||||||
|
finished=1
|
||||||
|
option=
|
||||||
|
;;
|
||||||
|
e*)
|
||||||
|
g_export=Yes
|
||||||
|
option=${option#e}
|
||||||
|
;;
|
||||||
|
p*)
|
||||||
|
g_profile=Yes
|
||||||
|
option=${option#p}
|
||||||
|
;;
|
||||||
|
d*)
|
||||||
|
g_debug=Yes;
|
||||||
|
option=${option#d}
|
||||||
|
;;
|
||||||
|
r*)
|
||||||
|
g_preview=Yes
|
||||||
|
option=${option#r}
|
||||||
|
;;
|
||||||
|
T*)
|
||||||
|
g_confess=Yes
|
||||||
|
option=${option#T}
|
||||||
|
;;
|
||||||
|
a*)
|
||||||
|
g_annotate=Yes
|
||||||
|
option=${option#a}
|
||||||
|
;;
|
||||||
|
b*)
|
||||||
|
g_convert=Yes
|
||||||
|
option=${option#b}
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
usage 1
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
done
|
||||||
|
shift
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
finished=1
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
done
|
||||||
|
|
||||||
|
case $# in
|
||||||
|
0)
|
||||||
|
;;
|
||||||
|
1)
|
||||||
|
[ -n "$SHOREWALL_DIR" ] && usage 2
|
||||||
|
|
||||||
|
if [ ! -d $1 ]; then
|
||||||
|
if [ -e $1 ]; then
|
||||||
|
echo "$1 is not a directory" >&2 && exit 2
|
||||||
|
else
|
||||||
|
echo "Directory $1 does not exist" >&2 && exit 2
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
SHOREWALL_DIR=$(resolve_file $1)
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
usage 1
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
|
||||||
|
progress_message3 "Updating..."
|
||||||
|
|
||||||
|
compiler $g_debugging $nolock check
|
||||||
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
# Restart Command Executor
|
# Restart Command Executor
|
||||||
#
|
#
|
||||||
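Review bot: This second copy of update_command never sets `g_update=Yes`, unlike the first copy (hunk @ -728,6 +729,94) which sets it right after `finished=0`, and the dispatch arm in @ -1747,8 +1835,7 drops the `g_update=Yes` it used to set before calling check_command. If this script is the shorewall6 one, as the "Shorewall6 requires the shorewall package" line in its compiler() hunk suggests, its `update` command therefore runs a plain check and `--update` is never passed to the compiler. Add `g_update=Yes` after `finished=0` as in the first copy. The function is otherwise a verbatim duplicate; sourcing it from the shared library would stop the two copies drifting.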
@ -1428,6 +1515,8 @@ usage() # $1 = exit status
|
|||||||
echo " reset [ <chain> ... ]"
|
echo " reset [ <chain> ... ]"
|
||||||
echo " restart [ -n ] [ -p ] [-d] [ -f ] [ -c ][ <directory> ]"
|
echo " restart [ -n ] [ -p ] [-d] [ -f ] [ -c ][ <directory> ]"
|
||||||
echo " restore [ -n ] [ <file name> ]"
|
echo " restore [ -n ] [ <file name> ]"
|
||||||
|
echo " safe-restart [ <directory> ]"
|
||||||
|
echo " safe-start [ <directory> ]"
|
||||||
echo " save [ <file name> ]"
|
echo " save [ <file name> ]"
|
||||||
echo " show [ -x ] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]"
|
echo " show [ -x ] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]"
|
||||||
echo " show actions"
|
echo " show actions"
|
||||||
@ -1447,13 +1536,11 @@ usage() # $1 = exit status
|
|||||||
echo " show vardir"
|
echo " show vardir"
|
||||||
echo " show zones"
|
echo " show zones"
|
||||||
echo " start [ -f ] [ -n ] [ -p ] [ -c ] [ <directory> ]"
|
echo " start [ -f ] [ -n ] [ -p ] [ -c ] [ <directory> ]"
|
||||||
echo " stop"
|
|
||||||
echo " status"
|
echo " status"
|
||||||
|
echo " stop"
|
||||||
echo " try <directory> [ <timeout> ]"
|
echo " try <directory> [ <timeout> ]"
|
||||||
|
echo " update [ -b ] [ -r ] [ -T ] [ <directory> ]"
|
||||||
echo " version [ -a ]"
|
echo " version [ -a ]"
|
||||||
echo " safe-start [ <directory> ]"
|
|
||||||
echo " safe-restart [ <directory> ]"
|
|
||||||
echo " update [ -e ] [ -d ] [ -p ] [ -r ] [ -T ] [ -a ] [ <directory> ]"
|
|
||||||
echo
|
echo
|
||||||
exit $1
|
exit $1
|
||||||
}
|
}
|
||||||
@ -1537,6 +1624,7 @@ g_export=
|
|||||||
g_refreshchains=:none:
|
g_refreshchains=:none:
|
||||||
g_confess=
|
g_confess=
|
||||||
g_update=
|
g_update=
|
||||||
|
g_convert=
|
||||||
g_annotate=
|
g_annotate=
|
||||||
|
|
||||||
#
|
#
|
||||||
@ -1747,8 +1835,7 @@ case "$COMMAND" in
|
|||||||
update)
|
update)
|
||||||
get_config Yes
|
get_config Yes
|
||||||
shift
|
shift
|
||||||
g_update=Yes
|
update_command $@
|
||||||
check_command $@
|
|
||||||
;;
|
;;
|
||||||
show|list)
|
show|list)
|
||||||
get_config Yes No Yes
|
get_config Yes No Yes
|
||||||
|
@ -72,11 +72,11 @@
|
|||||||
<title>Rule-based Blacklisting</title>
|
<title>Rule-based Blacklisting</title>
|
||||||
|
|
||||||
<para>Beginning with Shorewall 4.4.25, the preferred method of
|
<para>Beginning with Shorewall 4.4.25, the preferred method of
|
||||||
blacklisting and whitelisting is to use the BLACKLIST section of the rules
|
blacklisting and whitelisting is to use the blrules file (<ulink
|
||||||
file. There you have access to the DROP, ACCEPT, REJECT and WHITELIST
|
url="manpages/shorewall-blrules.html">shorewall-blrules</ulink> (5)).
|
||||||
actions, standard and custom macros as well as standard and custom
|
There you have access to the DROP, ACCEPT, REJECT and WHITELIST actions,
|
||||||
actions. See <ulink
|
standard and custom macros as well as standard and custom actions. See
|
||||||
url="manpages/shorewall-rules.html">shorewall-rules</ulink> (5) for
|
<ulink url="manpages/shorewall-rules.html">shorewall-rules</ulink> (5) for
|
||||||
details.</para>
|
details.</para>
|
||||||
|
|
||||||
<para>Example:</para>
|
<para>Example:</para>
|
||||||
@ -95,29 +95,16 @@ DROP net:84.108.168.139 all
|
|||||||
DROP net:200.55.14.18 all
|
DROP net:200.55.14.18 all
|
||||||
</programlisting>
|
</programlisting>
|
||||||
|
|
||||||
<para>If you prefer to keep your blacklist rules in a separate file,
|
<para>Beginning with Shorewall 4.4.26, the <command>update</command>
|
||||||
then:</para>
|
command supports a <option>-b</option> option that causes your legacy
|
||||||
|
blacklisting configuration to use the blrules file.</para>
|
||||||
|
|
||||||
<itemizedlist>
|
<note>
|
||||||
<listitem>
|
<para>If you prefer to keep your blacklisting rules in your rules file
|
||||||
<para>create the separate file.</para>
|
(<ulink url="manpages/shorewall-rules.html">shorewall-rules</ulink>
|
||||||
</listitem>
|
(5)), you can place them in the BLACKLIST section of that file rather
|
||||||
|
than in blrules.</para>
|
||||||
<listitem>
|
</note>
|
||||||
<para>copy the column headings from your rules file to the new
|
|
||||||
file.</para>
|
|
||||||
</listitem>
|
|
||||||
|
|
||||||
<listitem>
|
|
||||||
<para>enter your blacklist rules into the new file.</para>
|
|
||||||
</listitem>
|
|
||||||
|
|
||||||
<listitem>
|
|
||||||
<para>in the BLACKLIST section of your rules file, enter:</para>
|
|
||||||
|
|
||||||
<programlisting>INCLUDE <replaceable>name-of-new-file</replaceable></programlisting>
|
|
||||||
</listitem>
|
|
||||||
</itemizedlist>
|
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section>
|
<section>
|
||||||
|
@ -348,7 +348,8 @@
|
|||||||
BLACKLIST_LOGLEVEL=debug). If you do not assign a value or if you
|
BLACKLIST_LOGLEVEL=debug). If you do not assign a value or if you
|
||||||
assign an empty value then packets from blacklisted hosts are not
|
assign an empty value then packets from blacklisted hosts are not
|
||||||
logged. The BLACKLIST_LOGLEVEL setting has no effect on entries in
|
logged. The BLACKLIST_LOGLEVEL setting has no effect on entries in
|
||||||
the BLACKLIST section of <ulink
|
the <ulink url="???">shorewall-blrules</ulink> (5) file or in the
|
||||||
|
BLACKLIST section of <ulink
|
||||||
url="shorewall-rules.html">shorewall-rules</ulink> (5).</para>
|
url="shorewall-rules.html">shorewall-rules</ulink> (5).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
@ -360,8 +361,9 @@
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>When set to <emphasis role="bold">Yes</emphasis> or <emphasis
|
<para>When set to <emphasis role="bold">Yes</emphasis> or <emphasis
|
||||||
role="bold">yes</emphasis>, blacklists are only consulted for new
|
role="bold">yes</emphasis>, blacklists are only consulted for new
|
||||||
connections. That includes entries in the BLACKLIST section of
|
connections. That includes entries in the <ulink
|
||||||
<ulink url="shorewall-rules.html">shorewall-rules</ulink>
|
url="???">shorewall-blrules</ulink> (5) file and in the BLACKLIST
|
||||||
|
section of <ulink url="shorewall-rules.html">shorewall-rules</ulink>
|
||||||
(5).</para>
|
(5).</para>
|
||||||
|
|
||||||
<para>When set to <emphasis role="bold">No</emphasis> or <emphasis
|
<para>When set to <emphasis role="bold">No</emphasis> or <emphasis
|
||||||
|
@ -628,12 +628,10 @@
|
|||||||
|
|
||||||
<arg choice="plain"><option>update</option></arg>
|
<arg choice="plain"><option>update</option></arg>
|
||||||
|
|
||||||
<arg><option>-e</option></arg>
|
<arg><option>-b</option></arg>
|
||||||
|
|
||||||
<arg><option>-d</option></arg>
|
<arg><option>-d</option></arg>
|
||||||
|
|
||||||
<arg><option>-p</option></arg>
|
|
||||||
|
|
||||||
<arg><option>-r</option></arg>
|
<arg><option>-r</option></arg>
|
||||||
|
|
||||||
<arg><option>-T</option></arg>
|
<arg><option>-T</option></arg>
|
||||||
@ -1564,6 +1562,17 @@
|
|||||||
<filename>shorewall.conf</filename> file to be annotated with
|
<filename>shorewall.conf</filename> file to be annotated with
|
||||||
documentation.</para>
|
documentation.</para>
|
||||||
|
|
||||||
|
<para>The <option>-b</option> option was added in Shorewall 4.4.26
|
||||||
|
and causes legacy blacklisting rules (<ulink
|
||||||
|
url="shorewall-blacklist.html">shorewall-blacklist</ulink> (5) ) to
|
||||||
|
be converted to entries in the blrules file (<ulink
|
||||||
|
url="shorewall-blrules.html">shorewall-blrules</ulink> (5) ). The
|
||||||
|
blacklist keyword is removed from <ulink
|
||||||
|
url="shorewall-zones.html">shorewall-zones</ulink> (5), <ulink
|
||||||
|
url="shorewall-interfaces.html">shorewall-interfaces</ulink> (5) and
|
||||||
|
<ulink url="shorewall-hosts.html">shorewall-hosts</ulink> (5). The
|
||||||
|
unmodified files are saved with a .bak suffix.</para>
|
||||||
|
|
||||||
<para>For a description of the other options, see the <emphasis
|
<para>For a description of the other options, see the <emphasis
|
||||||
role="bold">check</emphasis> command above.</para>
|
role="bold">check</emphasis> command above.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
@ -262,8 +262,9 @@
|
|||||||
be dropped or REJECT if the packets are to be replied with an ICMP
|
be dropped or REJECT if the packets are to be replied with an ICMP
|
||||||
port unreachable reply or a TCP RST (tcp only). If you do not assign
|
port unreachable reply or a TCP RST (tcp only). If you do not assign
|
||||||
a value or if you assign an empty value then DROP is assumed. The
|
a value or if you assign an empty value then DROP is assumed. The
|
||||||
BLACKLIST_DISPOSITION setting has no effect on entries in the
|
BLACKLIST_DISPOSITION setting has no effect on entries in the <ulink
|
||||||
BLACKLIST section of <ulink
|
url="???">shorewall-blrules</ulink> (5) file or in the BLACKLIST
|
||||||
|
section of <ulink
|
||||||
url="shorewall6-rules.html">shorewall6-rules</ulink> (5).</para>
|
url="shorewall6-rules.html">shorewall6-rules</ulink> (5).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
@ -279,7 +280,8 @@
|
|||||||
BLACKLIST_LOGLEVEL=debug). If you do not assign a value or if you
|
BLACKLIST_LOGLEVEL=debug). If you do not assign a value or if you
|
||||||
assign an empty value then packets from blacklisted hosts are not
|
assign an empty value then packets from blacklisted hosts are not
|
||||||
logged. The BLACKLIST_LOGLEVEL setting has no effect on entries in
|
logged. The BLACKLIST_LOGLEVEL setting has no effect on entries in
|
||||||
the BLACKLIST section of <ulink
|
the <ulink url="???">shorewall-blrules</ulink> (5) file and in the
|
||||||
|
BLACKLIST section of <ulink
|
||||||
url="shorewall6-rules.html">shorewall6-rules</ulink> (5).</para>
|
url="shorewall6-rules.html">shorewall6-rules</ulink> (5).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
@ -291,9 +293,10 @@
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>When set to <emphasis role="bold">Yes</emphasis> or <emphasis
|
<para>When set to <emphasis role="bold">Yes</emphasis> or <emphasis
|
||||||
role="bold">yes</emphasis>, blacklists are only consulted for new
|
role="bold">yes</emphasis>, blacklists are only consulted for new
|
||||||
connections. This includes entries in the BLACKLIST section of
|
connections. This includes entries in the <ulink
|
||||||
<ulink url="shorewall6-rules.html">shorewall6-rules</ulink>
|
url="???">shorewall-blrules</ulink> (5) file and in the BLACKLIST
|
||||||
(5).</para>
|
section of <ulink
|
||||||
|
url="shorewall6-rules.html">shorewall6-rules</ulink> (5).</para>
|
||||||
|
|
||||||
<para>When set to <emphasis role="bold">No</emphasis> or <emphasis
|
<para>When set to <emphasis role="bold">No</emphasis> or <emphasis
|
||||||
role="bold">no</emphasis>, blacklists are consulted for every packet
|
role="bold">no</emphasis>, blacklists are consulted for every packet
|
||||||
|
@ -529,12 +529,10 @@
|
|||||||
|
|
||||||
<arg choice="plain"><option>update</option></arg>
|
<arg choice="plain"><option>update</option></arg>
|
||||||
|
|
||||||
<arg><option>-e</option></arg>
|
<arg><option>-b</option></arg>
|
||||||
|
|
||||||
<arg><option>-d</option></arg>
|
<arg><option>-d</option></arg>
|
||||||
|
|
||||||
<arg><option>-p</option></arg>
|
|
||||||
|
|
||||||
<arg><option>-r</option></arg>
|
<arg><option>-r</option></arg>
|
||||||
|
|
||||||
<arg><option>-T</option></arg>
|
<arg><option>-T</option></arg>
|
||||||
@ -1373,6 +1371,17 @@
|
|||||||
<filename>shorewall6.conf</filename> file to be annotated with
|
<filename>shorewall6.conf</filename> file to be annotated with
|
||||||
documentation.</para>
|
documentation.</para>
|
||||||
|
|
||||||
|
<para>The <option>-b</option> option was added in Shorewall 4.4.26
|
||||||
|
and causes legacy blacklisting rules (<ulink
|
||||||
|
url="shorewall6-blacklist.html">shorewall6-blacklist</ulink> (5) )
|
||||||
|
to be converted to entries in the blrules file (<ulink
|
||||||
|
url="shorewall6-blrules.html">shorewall6-blrules</ulink> (5) ). The
|
||||||
|
blacklist keyword is removed from <ulink
|
||||||
|
url="shorewall6-zones.html">shorewall6-zones</ulink> (5), <ulink
|
||||||
|
url="shorewall6-interfaces.html">shorewall-interfaces</ulink> (5)
|
||||||
|
and <ulink url="shorewall6-hosts.html">shorewall6-hosts</ulink> (5).
|
||||||
|
The unmodified files are saved with a .bak suffix.</para>
|
||||||
|
|
||||||
<para>For a description of the other options, see the <emphasis
|
<para>For a description of the other options, see the <emphasis
|
||||||
role="bold">check</emphasis> command above.</para>
|
role="bold">check</emphasis> command above.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
@ -1404,8 +1413,8 @@
|
|||||||
|
|
||||||
<para>shorewall6-accounting(5), shorewall6-actions(5),
|
<para>shorewall6-accounting(5), shorewall6-actions(5),
|
||||||
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
|
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
|
||||||
shorewall6-maclist(5), shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
|
shorewall6-maclist(5), shoewall6-netmap(5),shorewall6-params(5),
|
||||||
shorewall6-providers(5), shorewall6-route_rules(5),
|
shorewall6-policy(5), shorewall6-providers(5), shorewall6-route_rules(5),
|
||||||
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
|
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
|
||||||
shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),
|
shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),
|
||||||
shorewall6-tcrules(5), shorewall6-tos(5), shorewall6-tunnels(5),
|
shorewall6-tcrules(5), shorewall6-tos(5), shorewall6-tunnels(5),
|
||||||
|