Allow convertion of a legacy blacklist configuration

Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2011-11-08 12:59:40 -08:00
parent 6108a9cad8
commit d053faadde
13 changed files with 508 additions and 77 deletions

View File

@ -54,10 +54,10 @@ my $family;
# #
# Initilize the package-globals in the other modules # Initilize the package-globals in the other modules
# #
sub initialize_package_globals() { sub initialize_package_globals( $ ) {
Shorewall::Config::initialize($family); Shorewall::Config::initialize($family);
Shorewall::Chains::initialize ($family, 1, $export ); Shorewall::Chains::initialize ($family, 1, $export );
Shorewall::Zones::initialize ($family); Shorewall::Zones::initialize ($family, shift);
Shorewall::Nat::initialize; Shorewall::Nat::initialize;
Shorewall::Providers::initialize($family); Shorewall::Providers::initialize($family);
Shorewall::Tc::initialize($family); Shorewall::Tc::initialize($family);
@ -525,8 +525,8 @@ EOF
# #
sub compiler { sub compiler {
my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity, $preview, $confess , $update , $annotate ) = my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity, $preview, $confess , $update , $annotate , $convert ) =
( '', '', -1, '', 0, '', '', -1, 0, 0, 0, 0, ); ( '', '', -1, '', 0, '', '', -1, 0, 0, 0, 0, , 0 );
$export = 0; $export = 0;
$test = 0; $test = 0;
@ -561,6 +561,7 @@ sub compiler {
preview => { store => \$preview, validate=> \&validate_boolean } , preview => { store => \$preview, validate=> \&validate_boolean } ,
confess => { store => \$confess, validate=> \&validate_boolean } , confess => { store => \$confess, validate=> \&validate_boolean } ,
update => { store => \$update, validate=> \&validate_boolean } , update => { store => \$update, validate=> \&validate_boolean } ,
convert => { store => \$convert, validate=> \&validate_boolean } ,
annotate => { store => \$annotate, validate=> \&validate_boolean } , annotate => { store => \$annotate, validate=> \&validate_boolean } ,
); );
# #
@ -579,7 +580,7 @@ sub compiler {
# #
# Now that we know the address family (IPv4/IPv6), we can initialize the other modules' globals # Now that we know the address family (IPv4/IPv6), we can initialize the other modules' globals
# #
initialize_package_globals; initialize_package_globals( $update );
if ( $directory ne '' ) { if ( $directory ne '' ) {
fatal_error "$directory is not an existing directory" unless -d $directory; fatal_error "$directory is not an existing directory" unless -d $directory;
@ -673,7 +674,7 @@ sub compiler {
# #
# Do all of the zone-independent stuff (mostly /proc) # Do all of the zone-independent stuff (mostly /proc)
# #
add_common_rules; add_common_rules( $convert );
# #
# More /proc # More /proc
# #

View File

@ -1268,7 +1268,7 @@ sub set_debug( $$ ) {
# #
sub find_file($) sub find_file($)
{ {
my $filename=$_[0]; my ( $filename, $nosearch ) = @_;
return $filename if $filename =~ '/'; return $filename if $filename =~ '/';
@ -1279,7 +1279,7 @@ sub find_file($)
return $file if -f $file; return $file if -f $file;
} }
"$globals{CONFDIR}/$filename"; "$config_path[0]$filename";
} }
sub split_list( $$ ) { sub split_list( $$ ) {
@ -1949,9 +1949,10 @@ sub expand_variables( \$ ) {
# - Handle INCLUDE <filename> # - Handle INCLUDE <filename>
# #
sub read_a_line(;$$) { sub read_a_line(;$$$) {
my $embedded_enabled = defined $_[0] ? shift : 1; my $embedded_enabled = defined $_[0] ? shift : 1;
my $expand_variables = defined $_[0] ? shift : 1; my $expand_variables = defined $_[0] ? shift : 1;
my $strip_comments = defined $_[0] ? shift : 1;
while ( $currentfile ) { while ( $currentfile ) {
@ -1971,7 +1972,7 @@ sub read_a_line(;$$) {
# If this isn't a continued line, remove trailing comments. Note that # If this isn't a continued line, remove trailing comments. Note that
# the result may now end in '\'. # the result may now end in '\'.
# #
s/\s*#.*$// unless /\\$/; s/\s*#.*$// if $strip_comments && ! /\\$/;
# #
# Continuation # Continuation
# #
@ -1979,7 +1980,7 @@ sub read_a_line(;$$) {
# #
# Now remove concatinated comments # Now remove concatinated comments
# #
$currentline =~ s/#.*$//; $currentline =~ s/#.*$// if $strip_comments;
# #
# Ignore ( concatenated ) Blank Lines # Ignore ( concatenated ) Blank Lines
# #
@ -3126,7 +3127,7 @@ EOF
progress_message3 "No update required to configuration file $configfile; $configfile.b"; progress_message3 "No update required to configuration file $configfile; $configfile.b";
} }
exit 0; exit 0 unless -f find_file 'blacklist';
} }
} else { } else {
fatal_error "$fn does not exist"; fatal_error "$fn does not exist";

View File

@ -348,6 +348,239 @@ sub setup_blacklist() {
} }
} }
#
# Remove instances of 'blacklist' from the passed file.
#
sub remove_blacklist( $ ) {
my $file = shift;
my $fn = find_file $file;
assert( -f $fn );
my $oldfile = open_file $fn;
my $newfile;
my $changed;
open $newfile, '>', "$fn.new" or fatal_error "Unable to open $fn.new for output: $!";
while ( read_a_line(1,1,0) ) {
my ( $rule, $comment ) = split '#', $currentline, 2;
if ( $rule =~ /blacklist/ ) {
$changed = 1;
if ( $comment ) {
$comment =~ s/^/ / while $rule =~ s/blacklist,//;
$rule =~ s/blacklist/ /g;
$currentline = join( '#', $rule, $comment );
} else {
$currentline =~ s/blacklist/ /g;
}
}
print $newfile "$currentline\n";
}
close $newfile;
if ( $changed ) {
rename $fn, "$fn.bak" or fatal_error "Unable to rename $fn to $fn.bak: $!";
rename "$fn.new", $fn or fatal_error "Unable to rename $fn.new to $fn: $!";
progress_message2 "\u$file file $fn saved in $fn.bak"
}
}
#
# Convert a pre-4.4.25 blacklist to a 4.4.25 blacklist
#
sub convert_blacklist() {
my $zones = find_zones_by_option 'blacklist', 'in';
my $zones1 = find_zones_by_option 'blacklist', 'out';
my $chainref;
my $chainref1;
my ( $level, $disposition ) = @config{'BLACKLIST_LOGLEVEL', 'BLACKLIST_DISPOSITION' };
my $audit = $disposition =~ /^A_/;
my $target = $disposition eq 'REJECT' ? 'reject' : $disposition;
my $orig_target = $target;
my @rules;
if ( @$zones || @$zones1 ) {
if ( supplied $level ) {
my $logchainref = new_standard_chain 'blacklog';
$target =~ s/A_//;
$target = 'reject' if $target eq 'REJECT';
log_rule_limit( $level , $logchainref , 'blacklst' , $disposition , "$globals{LOGLIMIT}" , '', 'add', '' );
add_ijump( $logchainref, j => 'AUDIT', targetopts => '--type ' . lc $target ) if $audit;
add_ijump( $logchainref, g => $target );
$target = 'blacklog';
} elsif ( $audit ) {
require_capability 'AUDIT_TARGET', "BLACKLIST_DISPOSITION=$disposition", 's';
$target = verify_audit( $disposition );
}
my $fn = open_file 'blacklist';
assert $fn;
first_entry "Converting $fn...";
while ( read_a_line ) {
my ( $networks, $protocol, $ports, $options ) = split_line 'blacklist file', { networks => 0, proto => 1, port => 2, options => 3 };
if ( $options eq '-' ) {
$options = 'src';
} elsif ( $options eq 'audit' ) {
$options = 'audit,src';
}
my ( $to, $from, $whitelist, $auditone ) = ( 0, 0, 0, 0 );
my @options = split_list $options, 'option';
for ( @options ) {
$whitelist++ if $_ eq 'whitelist';
$auditone++ if $_ eq 'audit';
}
warning_message "Duplicate 'whitelist' option ignored" if $whitelist > 1;
my $tgt = $whitelist ? 'RETURN' : $target;
if ( $auditone ) {
fatal_error "'audit' not allowed in whitelist entries" if $whitelist;
if ( $audit ) {
warning_message "Superfluous 'audit' option ignored";
} else {
warning_message "Duplicate 'audit' option ignored" if $auditone > 1;
}
$tgt = verify_audit( 'A_' . $target, $orig_target, $target );
}
for ( @options ) {
if ( $_ =~ /^(?:src|from)$/ ) {
if ( $from++ ) {
warning_message "Duplicate 'src' ignored";
} else {
if ( @$zones ) {
push @rules, [ 'src', $tgt, $networks, $protocol, $ports ];
} else {
warning_message '"src" entry ignored because there are no "blacklist in" zones';
}
}
} elsif ( $_ =~ /^(?:dst|to)$/ ) {
if ( $to++ ) {
warning_message "Duplicate 'dst' ignored";
} else {
if ( @$zones1 ) {
push @rules, [ 'dst', $tgt, $networks, $protocol, $ports ];
} else {
warning_message '"dst" entry ignored because there are no "blacklist out" zones';
}
}
} else {
fatal_error "Invalid blacklist option($_)" unless $_ eq 'whitelist' || $_ eq 'audit';
}
}
}
if ( @rules ) {
my $fn1 = find_file( 'blrules' );
my $blrules;
my $date = localtime;
if ( -f $fn1 ) {
open $blrules, '>>', $fn1 or fatal_error "Unable to open $fn1: $!";
} else {
open $blrules, '>', $fn1 or fatal_error "Unable to open $fn1: $!";
print $blrules <<'EOF';
#
# Shorewall version 5 - Blacklist Rules File
#
# For information about entries in this file, type "man shorewall-blrules"
#
# Please see http://shorewall.net/blacklisting_support.htm for additional
# information.
#
###################################################################################################################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH
# PORT PORT(S) DEST LIMIT GROUP
EOF
}
print( $blrules
"#\n" ,
"# Rules generated from blacklist file $fn by Shorewall $globals{VERSION} - $date\n" ,
"#\n" );
for ( @rules ) {
my ( $srcdst, $tgt, $networks, $protocols, $ports ) = @$_;
if ( $level ) {
$tgt .= ":$level\t";
} else {
$tgt .= "\t\t";
}
my $list = $srcdst eq 'src' ? $zones : $zones1;
for my $zone ( @$list ) {
my $rule = $tgt;
if ( $srcdst eq 'src' ) {
if ( $networks ne '-' ) {
$rule .= "$zone:$networks\tall\t\t";
} else {
$rule .= "$zone\t\t\tall\t\t";
}
} else {
if ( $networks ne '-' ) {
$rule .= "all\t\t\t$zone:$networks\t";
} else {
$rule .= "all\t\t\t$zone\t\t\t";
}
}
$rule .= "\t$protocols" if $protocols ne '-';
$rule .= "\t$ports" if $ports ne '-';
print $blrules "$rule\n";
}
}
close $blrules;
} else {
warning_message q(There are interfaces or zones with the 'blacklist' option but the 'blacklist' file is empty) unless @rules;
}
rename $fn, "$fn.bak";
progress_message2 "Blacklist file $fn saved in $fn.bak";
for my $file ( qw(zones interfaces hosts) ) {
remove_blacklist $file;
}
progress_message2 "Blacklist successfully converted";
return 1;
} else {
my $fn = find_file 'blacklist';
if ( -f $fn ) {
rename $fn, "$fn.bak" or fatal_error "Unable to rename $fn to $fn.bak: $!";
warning_message "No zones have the blacklist option - the blacklist file was saved in $fn.bak";
}
return 0;
}
}
sub process_routestopped() { sub process_routestopped() {
if ( my $fn = open_file 'routestopped' ) { if ( my $fn = open_file 'routestopped' ) {
@ -473,7 +706,8 @@ sub process_routestopped() {
sub setup_mss(); sub setup_mss();
sub add_common_rules() { sub add_common_rules ( $ ) {
my $upgrade = shift;
my $interface; my $interface;
my $chainref; my $chainref;
my $target; my $target;
@ -594,7 +828,11 @@ sub add_common_rules() {
run_user_exit1 'initdone'; run_user_exit1 'initdone';
setup_blacklist; if ( $upgrade ) {
exit 0 unless convert_blacklist;
} else {
setup_blacklist;
}
$list = find_hosts_by_option 'nosmurfs'; $list = find_hosts_by_option 'nosmurfs';

View File

@ -177,6 +177,7 @@ my %physical;
my %basemap; my %basemap;
my %mapbase; my %mapbase;
my $family; my $family;
my $upgrade;
my $have_ipsec; my $have_ipsec;
my $baseseq; my $baseseq;
my $minroot; my $minroot;
@ -221,8 +222,8 @@ my %validhostoptions;
# 2. The compiler can run multiple times in the same process so it has to be # 2. The compiler can run multiple times in the same process so it has to be
# able to re-initialize its dependent modules' state. # able to re-initialize its dependent modules' state.
# #
sub initialize( $ ) { sub initialize( $$ ) {
$family = shift; ( $family , $upgrade ) = @_;
@zones = (); @zones = ();
%zones = (); %zones = ();
$firewall_zone = ''; $firewall_zone = '';

View File

@ -62,7 +62,8 @@ sub usage( $ ) {
[ --preview ] [ --preview ]
[ --family={4|6} ] [ --family={4|6} ]
[ --annotate ] [ --annotate ]
[ --updatee ] [ --update ]
[ --convert ]
'; ';
exit shift @_; exit shift @_;
@ -86,6 +87,7 @@ my $family = 4; # F_IPV4
my $preview = 0; my $preview = 0;
my $annotate = 0; my $annotate = 0;
my $update = 0; my $update = 0;
my $convert = 0;
Getopt::Long::Configure ('bundling'); Getopt::Long::Configure ('bundling');
@ -115,6 +117,7 @@ my $result = GetOptions('h' => \$help,
'annotate' => \$annotate, 'annotate' => \$annotate,
'u' => \$update, 'u' => \$update,
'update' => \$update, 'update' => \$update,
'convert' => \$convert,
); );
usage(1) unless $result && @ARGV < 2; usage(1) unless $result && @ARGV < 2;
@ -134,5 +137,6 @@ compiler( script => $ARGV[0] || '',
family => $family, family => $family,
confess => $confess, confess => $confess,
update => $update, update => $update,
convert => $convert,
annotate => $annotate, annotate => $annotate,
); );

View File

@ -1,12 +1,12 @@
# #
# Shorewall version 5 - Blacklist Rules File # Shorewall version 4 - Blacklist Rules File
# #
# For information about entries in this file, type "man shorewall-blrules" # For information about entries in this file, type "man shorewall-blrules"
# #
# Please see http://shorewall.net/blacklisting_support.htm for additional # Please see http://shorewall.net/blacklisting_support.htm for additional
# information. # information.
# #
###################################################################################################################################################################################### ###################################################################################################################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH
# PORT PORT(S) DEST LIMIT GROUP # PORT PORT(S) DEST LIMIT GROUP

View File

@ -398,6 +398,7 @@ compiler() {
[ -n "$g_refreshchains" ] && options="$options --refresh=$g_refreshchains" [ -n "$g_refreshchains" ] && options="$options --refresh=$g_refreshchains"
[ -n "$g_confess" ] && options="$options --confess" [ -n "$g_confess" ] && options="$options --confess"
[ -n "$g_update" ] && options="$options --update" [ -n "$g_update" ] && options="$options --update"
[ -n "$g_convert" ] && options="$options --convert"
[ -n "$g_annotate" ] && options="$options --annotate" [ -n "$g_annotate" ] && options="$options --annotate"
if [ -n "$PERL" ]; then if [ -n "$PERL" ]; then
@ -728,6 +729,94 @@ check_command() {
compiler $g_debugging $nolock check compiler $g_debugging $nolock check
} }
#
# Update Command Executor
#
update_command() {
local finished
finished=0
g_update=Yes
while [ $finished -eq 0 -a $# -gt 0 ]; do
option=$1
case $option in
-*)
option=${option#-}
while [ -n "$option" ]; do
case $option in
-)
finished=1
option=
;;
e*)
g_export=Yes
option=${option#e}
;;
p*)
g_profile=Yes
option=${option#p}
;;
d*)
g_debug=Yes;
option=${option#d}
;;
r*)
g_preview=Yes
option=${option#r}
;;
T*)
g_confess=Yes
option=${option#T}
;;
a*)
g_annotate=Yes
option=${option#a}
;;
b*)
g_convert=Yes
option=${option#b}
;;
*)
usage 1
;;
esac
done
shift
;;
*)
finished=1
;;
esac
done
case $# in
0)
;;
1)
[ -n "$SHOREWALL_DIR" ] && usage 2
if [ ! -d $1 ]; then
if [ -e $1 ]; then
echo "$1 is not a directory" >&2 && exit 2
else
echo "Directory $1 does not exist" >&2 && exit 2
fi
fi
SHOREWALL_DIR=$(resolve_file $1)
;;
*)
usage 1
;;
esac
progress_message3 "Updating..."
compiler $g_debugging $nolock check
}
# #
# Restart Command Executor # Restart Command Executor
# #
@ -1431,6 +1520,8 @@ usage() # $1 = exit status
echo " reset [ <chain> ... ]" echo " reset [ <chain> ... ]"
echo " restart [ -n ] [ -p ] [-d] [ -f ] [ -c ][ <directory> ]" echo " restart [ -n ] [ -p ] [-d] [ -f ] [ -c ][ <directory> ]"
echo " restore [ -n ] [ <file name> ]" echo " restore [ -n ] [ <file name> ]"
echo " safe-restart [ <directory> ]"
echo " safe-start [ <directory> ]"
echo " save [ <file name> ]" echo " save [ <file name> ]"
echo " show [ -x ] [ -t {filter|mangle|nat|raw|rawpost} ] [ {chain [<chain> [ <chain> ... ]" echo " show [ -x ] [ -t {filter|mangle|nat|raw|rawpost} ] [ {chain [<chain> [ <chain> ... ]"
echo " show actions" echo " show actions"
@ -1451,13 +1542,11 @@ usage() # $1 = exit status
echo " show vardir" echo " show vardir"
echo " show zones" echo " show zones"
echo " start [ -f ] [ -n ] [ -p ] [ -c ] [ <directory> ]" echo " start [ -f ] [ -n ] [ -p ] [ -c ] [ <directory> ]"
echo " stop"
echo " status" echo " status"
echo " stop"
echo " try <directory> [ <timeout> ]" echo " try <directory> [ <timeout> ]"
echo " update [ -b ] [ -r ] [ -T ] [ <directory> ]"
echo " version [ -a ]" echo " version [ -a ]"
echo " safe-start [ <directory> ]"
echo " safe-restart [ <directory> ]"
echo " update [ -e ] [ -d ] [ -p ] [ -r ] [ -T ] [ -a ] [ <directory> ]"
echo echo
exit $1 exit $1
} }
@ -1541,6 +1630,7 @@ g_export=
g_refreshchains=:none: g_refreshchains=:none:
g_confess= g_confess=
g_update= g_update=
g_convert=
g_annotate= g_annotate=
# #
@ -1751,8 +1841,7 @@ case "$COMMAND" in
update) update)
get_config Yes get_config Yes
shift shift
g_update=Yes update_command $@
check_command $@
;; ;;
show|list) show|list)
get_config Yes No Yes get_config Yes No Yes

View File

@ -398,6 +398,7 @@ compiler() {
[ -n "$g_refreshchains" ] && options="$options --refresh=$g_refreshchains" [ -n "$g_refreshchains" ] && options="$options --refresh=$g_refreshchains"
[ -n "$g_confess" ] && options="$options --confess" [ -n "$g_confess" ] && options="$options --confess"
[ -n "$g_update" ] && options="$options --update" [ -n "$g_update" ] && options="$options --update"
[ -n "$g_convert" ] && options="$options --convert"
[ -n "$g_annotate" ] && options="$options --annotate" [ -n "$g_annotate" ] && options="$options --annotate"
[ -x $pc ] || startup_error "Shorewall6 requires the shorewall package which is not installed" [ -x $pc ] || startup_error "Shorewall6 requires the shorewall package which is not installed"
@ -729,6 +730,92 @@ check_command() {
compiler $g_debugging $nolock check compiler $g_debugging $nolock check
} }
#
# Update Command Executor
#
update_command() {
local finished
finished=0
while [ $finished -eq 0 -a $# -gt 0 ]; do
option=$1
case $option in
-*)
option=${option#-}
while [ -n "$option" ]; do
case $option in
-)
finished=1
option=
;;
e*)
g_export=Yes
option=${option#e}
;;
p*)
g_profile=Yes
option=${option#p}
;;
d*)
g_debug=Yes;
option=${option#d}
;;
r*)
g_preview=Yes
option=${option#r}
;;
T*)
g_confess=Yes
option=${option#T}
;;
a*)
g_annotate=Yes
option=${option#a}
;;
b*)
g_convert=Yes
option=${option#b}
;;
*)
usage 1
;;
esac
done
shift
;;
*)
finished=1
;;
esac
done
case $# in
0)
;;
1)
[ -n "$SHOREWALL_DIR" ] && usage 2
if [ ! -d $1 ]; then
if [ -e $1 ]; then
echo "$1 is not a directory" >&2 && exit 2
else
echo "Directory $1 does not exist" >&2 && exit 2
fi
fi
SHOREWALL_DIR=$(resolve_file $1)
;;
*)
usage 1
;;
esac
progress_message3 "Updating..."
compiler $g_debugging $nolock check
}
# #
# Restart Command Executor # Restart Command Executor
# #
@ -1428,6 +1515,8 @@ usage() # $1 = exit status
echo " reset [ <chain> ... ]" echo " reset [ <chain> ... ]"
echo " restart [ -n ] [ -p ] [-d] [ -f ] [ -c ][ <directory> ]" echo " restart [ -n ] [ -p ] [-d] [ -f ] [ -c ][ <directory> ]"
echo " restore [ -n ] [ <file name> ]" echo " restore [ -n ] [ <file name> ]"
echo " safe-restart [ <directory> ]"
echo " safe-start [ <directory> ]"
echo " save [ <file name> ]" echo " save [ <file name> ]"
echo " show [ -x ] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]" echo " show [ -x ] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]"
echo " show actions" echo " show actions"
@ -1447,13 +1536,11 @@ usage() # $1 = exit status
echo " show vardir" echo " show vardir"
echo " show zones" echo " show zones"
echo " start [ -f ] [ -n ] [ -p ] [ -c ] [ <directory> ]" echo " start [ -f ] [ -n ] [ -p ] [ -c ] [ <directory> ]"
echo " stop"
echo " status" echo " status"
echo " stop"
echo " try <directory> [ <timeout> ]" echo " try <directory> [ <timeout> ]"
echo " update [ -b ] [ -r ] [ -T ] [ <directory> ]"
echo " version [ -a ]" echo " version [ -a ]"
echo " safe-start [ <directory> ]"
echo " safe-restart [ <directory> ]"
echo " update [ -e ] [ -d ] [ -p ] [ -r ] [ -T ] [ -a ] [ <directory> ]"
echo echo
exit $1 exit $1
} }
@ -1537,6 +1624,7 @@ g_export=
g_refreshchains=:none: g_refreshchains=:none:
g_confess= g_confess=
g_update= g_update=
g_convert=
g_annotate= g_annotate=
# #
@ -1747,8 +1835,7 @@ case "$COMMAND" in
update) update)
get_config Yes get_config Yes
shift shift
g_update=Yes update_command $@
check_command $@
;; ;;
show|list) show|list)
get_config Yes No Yes get_config Yes No Yes

View File

@ -72,11 +72,11 @@
<title>Rule-based Blacklisting</title> <title>Rule-based Blacklisting</title>
<para>Beginning with Shorewall 4.4.25, the preferred method of <para>Beginning with Shorewall 4.4.25, the preferred method of
blacklisting and whitelisting is to use the BLACKLIST section of the rules blacklisting and whitelisting is to use the blrules file (<ulink
file. There you have access to the DROP, ACCEPT, REJECT and WHITELIST url="manpages/shorewall-blrules.html">shorewall-blrules</ulink> (5)).
actions, standard and custom macros as well as standard and custom There you have access to the DROP, ACCEPT, REJECT and WHITELIST actions,
actions. See <ulink standard and custom macros as well as standard and custom actions. See
url="manpages/shorewall-rules.html">shorewall-rules</ulink> (5) for <ulink url="manpages/shorewall-rules.html">shorewall-rules</ulink> (5) for
details.</para> details.</para>
<para>Example:</para> <para>Example:</para>
@ -95,29 +95,16 @@ DROP net:84.108.168.139 all
DROP net:200.55.14.18 all DROP net:200.55.14.18 all
</programlisting> </programlisting>
<para>If you prefer to keep your blacklist rules in a separate file, <para>Beginning with Shorewall 4.4.26, the <command>update</command>
then:</para> command supports a <option>-b</option> option that causes your legacy
blacklisting configuration to use the blrules file.</para>
<itemizedlist> <note>
<listitem> <para>If you prefer to keep your blacklisting rules in your rules file
<para>create the separate file.</para> (<ulink url="manpages/shorewall-rules.html">shorewall-rules</ulink>
</listitem> (5)), you can place them in the BLACKLIST section of that file rather
than in blrules.</para>
<listitem> </note>
<para>copy the column headings from your rules file to the new
file.</para>
</listitem>
<listitem>
<para>enter your blacklist rules into the new file.</para>
</listitem>
<listitem>
<para>in the BLACKLIST section of your rules file, enter:</para>
<programlisting>INCLUDE <replaceable>name-of-new-file</replaceable></programlisting>
</listitem>
</itemizedlist>
</section> </section>
<section> <section>

View File

@ -348,7 +348,8 @@
BLACKLIST_LOGLEVEL=debug). If you do not assign a value or if you BLACKLIST_LOGLEVEL=debug). If you do not assign a value or if you
assign an empty value then packets from blacklisted hosts are not assign an empty value then packets from blacklisted hosts are not
logged. The BLACKLIST_LOGLEVEL setting has no effect on entries in logged. The BLACKLIST_LOGLEVEL setting has no effect on entries in
the BLACKLIST section of <ulink the <ulink url="???">shorewall-blrules</ulink> (5) file or in the
BLACKLIST section of <ulink
url="shorewall-rules.html">shorewall-rules</ulink> (5).</para> url="shorewall-rules.html">shorewall-rules</ulink> (5).</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -360,8 +361,9 @@
<listitem> <listitem>
<para>When set to <emphasis role="bold">Yes</emphasis> or <emphasis <para>When set to <emphasis role="bold">Yes</emphasis> or <emphasis
role="bold">yes</emphasis>, blacklists are only consulted for new role="bold">yes</emphasis>, blacklists are only consulted for new
connections. That includes entries in the BLACKLIST section of connections. That includes entries in the <ulink
<ulink url="shorewall-rules.html">shorewall-rules</ulink> url="???">shorewall-blrules</ulink> (5) file and in the BLACKLIST
section of <ulink url="shorewall-rules.html">shorewall-rules</ulink>
(5).</para> (5).</para>
<para>When set to <emphasis role="bold">No</emphasis> or <emphasis <para>When set to <emphasis role="bold">No</emphasis> or <emphasis

View File

@ -628,12 +628,10 @@
<arg choice="plain"><option>update</option></arg> <arg choice="plain"><option>update</option></arg>
<arg><option>-e</option></arg> <arg><option>-b</option></arg>
<arg><option>-d</option></arg> <arg><option>-d</option></arg>
<arg><option>-p</option></arg>
<arg><option>-r</option></arg> <arg><option>-r</option></arg>
<arg><option>-T</option></arg> <arg><option>-T</option></arg>
@ -1564,6 +1562,17 @@
<filename>shorewall.conf</filename> file to be annotated with <filename>shorewall.conf</filename> file to be annotated with
documentation.</para> documentation.</para>
<para>The <option>-b</option> option was added in Shorewall 4.4.26
and causes legacy blacklisting rules (<ulink
url="shorewall-blacklist.html">shorewall-blacklist</ulink> (5) ) to
be converted to entries in the blrules file (<ulink
url="shorewall-blrules.html">shorewall-blrules</ulink> (5) ). The
blacklist keyword is removed from <ulink
url="shorewall-zones.html">shorewall-zones</ulink> (5), <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink> (5) and
<ulink url="shorewall-hosts.html">shorewall-hosts</ulink> (5). The
unmodified files are saved with a .bak suffix.</para>
<para>For a description of the other options, see the <emphasis <para>For a description of the other options, see the <emphasis
role="bold">check</emphasis> command above.</para> role="bold">check</emphasis> command above.</para>
</listitem> </listitem>

View File

@ -262,8 +262,9 @@
be dropped or REJECT if the packets are to be replied with an ICMP be dropped or REJECT if the packets are to be replied with an ICMP
port unreachable reply or a TCP RST (tcp only). If you do not assign port unreachable reply or a TCP RST (tcp only). If you do not assign
a value or if you assign an empty value then DROP is assumed. The a value or if you assign an empty value then DROP is assumed. The
BLACKLIST_DISPOSITION setting has no effect on entries in the BLACKLIST_DISPOSITION setting has no effect on entries in the <ulink
BLACKLIST section of <ulink url="???">shorewall-blrules</ulink> (5) file or in the BLACKLIST
section of <ulink
url="shorewall6-rules.html">shorewall6-rules</ulink> (5).</para> url="shorewall6-rules.html">shorewall6-rules</ulink> (5).</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -279,7 +280,8 @@
BLACKLIST_LOGLEVEL=debug). If you do not assign a value or if you BLACKLIST_LOGLEVEL=debug). If you do not assign a value or if you
assign an empty value then packets from blacklisted hosts are not assign an empty value then packets from blacklisted hosts are not
logged. The BLACKLIST_LOGLEVEL setting has no effect on entries in logged. The BLACKLIST_LOGLEVEL setting has no effect on entries in
the BLACKLIST section of <ulink the <ulink url="???">shorewall-blrules</ulink> (5) file and in the
BLACKLIST section of <ulink
url="shorewall6-rules.html">shorewall6-rules</ulink> (5).</para> url="shorewall6-rules.html">shorewall6-rules</ulink> (5).</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -291,9 +293,10 @@
<listitem> <listitem>
<para>When set to <emphasis role="bold">Yes</emphasis> or <emphasis <para>When set to <emphasis role="bold">Yes</emphasis> or <emphasis
role="bold">yes</emphasis>, blacklists are only consulted for new role="bold">yes</emphasis>, blacklists are only consulted for new
connections. This includes entries in the BLACKLIST section of connections. This includes entries in the <ulink
<ulink url="shorewall6-rules.html">shorewall6-rules</ulink> url="???">shorewall-blrules</ulink> (5) file and in the BLACKLIST
(5).</para> section of <ulink
url="shorewall6-rules.html">shorewall6-rules</ulink> (5).</para>
<para>When set to <emphasis role="bold">No</emphasis> or <emphasis <para>When set to <emphasis role="bold">No</emphasis> or <emphasis
role="bold">no</emphasis>, blacklists are consulted for every packet role="bold">no</emphasis>, blacklists are consulted for every packet

View File

@ -529,12 +529,10 @@
<arg choice="plain"><option>update</option></arg> <arg choice="plain"><option>update</option></arg>
<arg><option>-e</option></arg> <arg><option>-b</option></arg>
<arg><option>-d</option></arg> <arg><option>-d</option></arg>
<arg><option>-p</option></arg>
<arg><option>-r</option></arg> <arg><option>-r</option></arg>
<arg><option>-T</option></arg> <arg><option>-T</option></arg>
@ -1373,6 +1371,17 @@
<filename>shorewall6.conf</filename> file to be annotated with <filename>shorewall6.conf</filename> file to be annotated with
documentation.</para> documentation.</para>
<para>The <option>-b</option> option was added in Shorewall 4.4.26
and causes legacy blacklisting rules (<ulink
url="shorewall6-blacklist.html">shorewall6-blacklist</ulink> (5) )
to be converted to entries in the blrules file (<ulink
url="shorewall6-blrules.html">shorewall6-blrules</ulink> (5) ). The
blacklist keyword is removed from <ulink
url="shorewall6-zones.html">shorewall6-zones</ulink> (5), <ulink
url="shorewall6-interfaces.html">shorewall-interfaces</ulink> (5)
and <ulink url="shorewall6-hosts.html">shorewall6-hosts</ulink> (5).
The unmodified files are saved with a .bak suffix.</para>
<para>For a description of the other options, see the <emphasis <para>For a description of the other options, see the <emphasis
role="bold">check</emphasis> command above.</para> role="bold">check</emphasis> command above.</para>
</listitem> </listitem>
@ -1404,8 +1413,8 @@
<para>shorewall6-accounting(5), shorewall6-actions(5), <para>shorewall6-accounting(5), shorewall6-actions(5),
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
shorewall6-maclist(5), shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5), shorewall6-maclist(5), shoewall6-netmap(5),shorewall6-params(5),
shorewall6-providers(5), shorewall6-route_rules(5), shorewall6-policy(5), shorewall6-providers(5), shorewall6-route_rules(5),
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),
shorewall6-tcrules(5), shorewall6-tos(5), shorewall6-tunnels(5), shorewall6-tcrules(5), shorewall6-tos(5), shorewall6-tunnels(5),