Update config files and manpages for BLACKLISTSECTION

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2025-06-20 17:58:07 +02:00 · 2011-11-06 12:05:07 -08:00 · 2011-11-06 12:05:07 -08:00 · da7516d401
commit da7516d401
parent b0103a51d5
21 changed files with 84 additions and 18 deletions
--- a/Samples/Universal/shorewall.conf
+++ b/Samples/Universal/shorewall.conf
@ -110,6 +110,8 @@ AUTOMAKE=No
 BLACKLISTNEWONLY=Yes
 BLACKLISTSECTION=No
 CLAMPMSS=No
 CLEAR_TC=Yes
--- a/Samples/one-interface/shorewall.conf
+++ b/Samples/one-interface/shorewall.conf
@ -121,6 +121,8 @@ AUTOMAKE=No
 BLACKLISTNEWONLY=Yes
 BLACKLISTSECTION=No
 CLAMPMSS=No
 CLEAR_TC=Yes
--- a/Samples/three-interfaces/shorewall.conf
+++ b/Samples/three-interfaces/shorewall.conf
@ -119,6 +119,8 @@ AUTOMAKE=No
 BLACKLISTNEWONLY=Yes
 BLACKLISTSECTION=No
 CLAMPMSS=Yes
 CLEAR_TC=Yes
--- a/Samples/two-interfaces/shorewall.conf
+++ b/Samples/two-interfaces/shorewall.conf
@ -122,6 +122,8 @@ AUTOMAKE=No
 BLACKLISTNEWONLY=Yes
 BLACKLISTSECTION=No
 CLAMPMSS=Yes
 CLEAR_TC=Yes
--- a/Samples6/Universal/rules
+++ b/Samples6/Universal/rules
@ -9,7 +9,6 @@
 ###########################################################################################################################################################################
 #ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME       HEADERS   SWITCH
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION BLACKLIST
 #SECTION ALL
 #SECTION ESTABLISHED
 #SECTION RELATED
--- a/Samples6/Universal/shorewall6.conf
+++ b/Samples6/Universal/shorewall6.conf
@ -105,6 +105,8 @@ AUTOMAKE=No
 BLACKLISTNEWONLY=Yes
 BLACKLISTSECTION=No
 CLAMPMSS=No
 CLEAR_TC=Yes
--- a/Samples6/one-interface/rules
+++ b/Samples6/one-interface/rules
@ -13,7 +13,6 @@
 ###########################################################################################################################################################################
 #ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME       HEADERS   SWITCH
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION BLACKLIST
 #SECTION ALL
 #SECTION ESTABLISHED
 #SECTION RELATED
--- a/Samples6/one-interface/shorewall6.conf
+++ b/Samples6/one-interface/shorewall6.conf
@ -105,6 +105,8 @@ AUTOMAKE=No
 BLACKLISTNEWONLY=Yes
 BLACKLISTSECTION=No
 CLAMPMSS=No
 CLEAR_TC=Yes
--- a/Samples6/three-interfaces/rules
+++ b/Samples6/three-interfaces/rules
@ -13,7 +13,6 @@
 ###########################################################################################################################################################################
 #ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME       HEADERS   SWITCH
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION BLACKLIST
 #SECTION ALL
 #SECTION ESTABLISHED
 #SECTION RELATED
--- a/Samples6/three-interfaces/shorewall6.conf
+++ b/Samples6/three-interfaces/shorewall6.conf
@ -105,6 +105,8 @@ AUTOMAKE=No
 BLACKLISTNEWONLY=Yes
 BLACKLISTSECTION=No
 CLAMPMSS=No
 CLEAR_TC=Yes
--- a/Samples6/two-interfaces/rules
+++ b/Samples6/two-interfaces/rules
@ -13,7 +13,6 @@
 ###########################################################################################################################################################################
 #ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME       HEADERS   SWITCH
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION BLACKLIST
 #SECTION ALL
 #SECTION ESTABLISHED
 #SECTION RELATED
--- a/Samples6/two-interfaces/shorewall6.conf
+++ b/Samples6/two-interfaces/shorewall6.conf
@ -105,6 +105,8 @@ AUTOMAKE=No
 BLACKLISTNEWONLY=Yes
 BLACKLISTSECTION=No
 CLAMPMSS=No
 CLEAR_TC=Yes
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@ -1796,6 +1796,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
 	$bt =~ s/[-+!]$//;
 	my %functions = ( ACCEPT => sub() { $action = 'RETURN' if $blacklist; } ,
 			  REDIRECT => sub () {
 			      my $z = $actiontype & NATONLY ? '' : firewall_zone;
 			      if ( $dest eq '-' ) {
@ -1806,8 +1807,11 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
 				  $dest = join( '', $z, '::', $dest ) unless $dest =~ /^[^\d].*:/;
 			      }
 			  } ,
 			  REJECT => sub { $action = 'reject'; } ,
 			  CONTINUE => sub { $action = 'RETURN'; } ,
 			  WHITELIST => sub { 
 			      unless ( $blacklist ) { 
 				  if ( $config{BLACKLISTSECTION} ) {
@ -1817,8 +1821,11 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
 				  }
 			      }
-			      $action = 'RETURN'; } ,
+			      $action = 'RETURN';
 			  } ,
 			  COUNT => sub { $action = ''; } ,
 			  LOG => sub { fatal_error 'LOG requires a log level' unless supplied $loglevel; } ,
 		     );
--- a/Shorewall/configfiles/blrules
+++ b/Shorewall/configfiles/blrules
@ -0,0 +1,12 @@
 #
 # Shorewall version 5 - Blacklist Rules File
 #
 # For information about entries in this file, type "man shorewall-blrules"
 #
 # Please see http://shorewall.net/blacklisting_support.htm for additional
 # information.
 #
 ######################################################################################################################################################################################
 #ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
--- a/Shorewall/configfiles/shorewall.conf
+++ b/Shorewall/configfiles/shorewall.conf
@ -110,6 +110,8 @@ AUTOMAKE=No
 BLACKLISTNEWONLY=Yes
 BLACKLISTSECTION=No
 CLAMPMSS=No
 CLEAR_TC=Yes
--- a/Shorewall/install.sh
+++ b/Shorewall/install.sh
@ -616,6 +616,16 @@ if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/blacklist ]; then
    echo "Blacklist file installed as ${DESTDIR}/etc/shorewall/blacklist"
 fi
 #
 # Install the blacklist rules file
 #
 run_install $OWNERSHIP -m 0644 configfiles/blrules           ${DESTDIR}/usr/share/shorewall/configfiles
 run_install $OWNERSHIP -m 0644 configfiles/blrules.annotated ${DESTDIR}/usr/share/shorewall/configfiles
 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/blrules ]; then
    run_install $OWNERSHIP -m 0600 configfiles/blrules${suffix} ${DESTDIR}/etc/shorewall/blrules
    echo "Blacklist rules file installed as ${DESTDIR}/etc/shorewall/blrules"
 fi
 #
 # Install the findgw file
 #
 run_install $OWNERSHIP -m 0644 configfiles/findgw ${DESTDIR}/usr/share/shorewall/configfiles
--- a/Shorewall6/configfiles/blrules
+++ b/Shorewall6/configfiles/blrules
@ -0,0 +1,11 @@
 #
 # Shorewall6 version 4 - Blacklist File
 #
 # For information about entries in this file, type "man shorewall6-blrules"
 #
 # Please see http://shorewall.net/blacklisting_support.htm for additional
 # information.
 #
 ###########################################################################################################################################################################
 #ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME       HEADERS   SWITCH
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
--- a/Shorewall6/configfiles/shorewall6.conf
+++ b/Shorewall6/configfiles/shorewall6.conf
@ -105,6 +105,8 @@ AUTOMAKE=No
 BLACKLISTNEWONLY=Yes
 BLACKLISTSECTION=No
 CLAMPMSS=No
 CLEAR_TC=No
--- a/Shorewall6/install.sh
+++ b/Shorewall6/install.sh
@ -586,6 +586,16 @@ if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/blacklist ]; then
    echo "Blacklist file installed as ${DESTDIR}/etc/shorewall6/blacklist"
 fi
 #
 # Install the blacklist rules file
 #
 run_install $OWNERSHIP -m 0644 blrules           ${DESTDIR}/usr/share/shorewall6/configfiles/
 run_install $OWNERSHIP -m 0644 blrules.annotated ${DESTDIR}/usr/share/shorewall6/configfiles/
 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/blrules ]; then
    run_install $OWNERSHIP -m 0600 blrules${suffix} ${DESTDIR}/etc/shorewall6/blrules
    echo "Blrules file installed as ${DESTDIR}/etc/shorewall6/blrules"
 fi
 #
 # Install the Providers file
 #
 run_install $OWNERSHIP -m 0644 providers           ${DESTDIR}/usr/share/shorewall6/configfiles/
--- a/manpages/shorewall-blrules.xml
+++ b/manpages/shorewall-blrules.xml
@ -16,7 +16,7 @@
  <refsynopsisdiv>
    <cmdsynopsis>
-      <command>/etc/shorewall6/blrules</command>
+      <command>/etc/shorewall/blrules</command>
    </cmdsynopsis>
  </refsynopsisdiv>
@ -154,7 +154,7 @@
                <para>the rest of the line will be attached as a comment to
                the Netfilter rule(s) generated by the following entries. The
                comment will appear delimited by "/* ... */" in the output of
-                "shorewall6 show &lt;chain&gt;". To stop the comment from
+                "shorewall show &lt;chain&gt;". To stop the comment from
                being attached to further rules, simply include COMMENT on a
                line by itself.</para>
              </listitem>
@ -167,7 +167,7 @@
                <para>The name of an <emphasis>action</emphasis> declared in
                <ulink
                url="shorewall-actions.html">shorewall-actions</ulink>(5) or
-                in /usr/share/shorewall6/actions.std.</para>
+                in /usr/share/shorewall/actions.std.</para>
              </listitem>
            </varlistentry>
@ -199,7 +199,7 @@
          <para>If the <emphasis role="bold">ACTION</emphasis> names an
          <emphasis>action</emphasis> declared in <ulink
          url="shorewall-actions.html">shorewall-actions</ulink>(5) or in
-          /usr/share/shorewall6/actions.std then:</para>
+          /usr/share/shorewall/actions.std then:</para>
          <itemizedlist>
            <listitem>
@ -234,7 +234,7 @@
    </variablelist>
    <para>For the remaining columns, see <ulink
-    url="shorewall6-rules.html">shorewall6-rules (5)</ulink>.</para>
+    url="shorewall-rules.html">shorewall-rules (5)</ulink>.</para>
  </refsect1>
  <refsect1>
@ -245,9 +245,9 @@
        <term>Example 1:</term>
        <listitem>
-          <para>Disallow SMTP from the local zone to the net zone.</para>
+          <para>Drop Teredo packets from the net.</para>
-          <programlisting>DROP          loc            net         tcp         25</programlisting>
+          <programlisting>DROP          net:[2001::/32]            all</programlisting>
        </listitem>
      </varlistentry>
@ -255,10 +255,10 @@
        <term>Example 2:</term>
        <listitem>
-          <para>Don't subject packets from 192.0.2.0/24 to the remaining rules
+          <para>Don't subject packets from 2001:DB8::/64 to the remaining
-          in the file.</para>
+          rules in the file.</para>
-          <programlisting>WHITELIST     net:192.0.2.0/24        all</programlisting>
+          <programlisting>WHITELIST     net:[2001:DB8::/64]        all</programlisting>
        </listitem>
      </varlistentry>
    </variablelist>
--- a/manpages6/shorewall6-blrules.xml
+++ b/manpages6/shorewall6-blrules.xml
@ -29,7 +29,7 @@
    <para>Rules in this file are applied depending on the setting of
    BLACKLISTNEWONLY in <ulink
-    url="shorewall6.conf.html">shorewall6.conf</ulink>(5). If
+    url="shorewall.conf.html">shorewall6.conf</ulink>(5). If
    BLACKLISTNEWONLY=No, then they are applied regardless of the connection
    tracking state of the packet. If BLACKLISTNEWONLY=Yes, they are applied to
    connections in the NEW and INVALID states.</para>