From deaaecdf1cce8421eb84e7b2a230021c20f6c000 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Sun, 10 Apr 2016 16:09:39 -0700
Subject: [PATCH] Add 'nodbl' interface option.
Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Misc.pm | 4 ++--
 Shorewall/Perl/Shorewall/Zones.pm | 2 ++
 Shorewall/manpages/shorewall-interfaces.xml | 9 +++++++++
 Shorewall6/manpages/shorewall6-interfaces.xml | 9 +++++++++
 4 files changed, 22 insertions(+), 2 deletions(-)
diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm
index 1a00bf098..250ae6b4f 100644
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -859,13 +859,13 @@ sub add_common_rules ( $ ) {
 }
 }
- if ( $dbl_ipset ) {
+ if ( $dbl_ipset && ! get_interface_option( $interface, 'nodbl' ) ) {
 add_ijump_extended( $filter_table->{input_option_chain($interface)}, j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset src" );
 add_ijump_extended( $filter_table->{input_option_chain($interface)}, j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset dst" ) if $dbl_type =~ /,src-dst$/;
 }
 for ( option_chains( $interface ) ) {
- add_ijump_extended( $filter_table->{$_}, j => $dynamicref, $origin{DYNAMIC_BLACKLIST}, @state ) if $dynamicref;
+ add_ijump_extended( $filter_table->{$_}, j => $dynamicref, $origin{DYNAMIC_BLACKLIST}, @state ) if $dynamicref && ! get_interface_option( $interface, 'nodbl' );
 add_ijump_extended( $filter_table->{$_}, j => 'ACCEPT', $origin{FASTACCEPT}, state_imatch $faststate )->{comment} = '' if $config{FASTACCEPT};
 }
 }
diff --git a/Shorewall/Perl/Shorewall/Zones.pm b/Shorewall/Perl/Shorewall/Zones.pm
index a4b0423f6..c9f1d0d26 100644
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
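Review bot: The `nodbl` lookup is evaluated twice for the same interface — once in the `$dbl_ipset` guard and again on every iteration of `for ( option_chains( $interface ) )` — so it is worth hoisting into a lexical before the first use: `my $nodbl = get_interface_option( $interface, 'nodbl' );`, then `if ( $dbl_ipset && ! $nodbl ) {` and `... if $dynamicref && ! $nodbl;`. Because this single option exempts an interface from both the ipset `--match-set` rules and the jump to `$dynamicref`, a why-comment above the first guard such as `# 'nodbl' exempts this interface from dynamic blacklisting (ipset match and dynamic chain); intended for trusted interfaces only` would make the security consequence visible to the next maintainer, and the man page text could carry the same caveat. Note that the ipset rules are only added to `input_option_chain($interface)` while the `$dynamicref` jump goes into every chain returned by `option_chains($interface)`; whether the two paths cover the same traffic cannot be told from this hunk alone. `add_common_rules` begins and ends outside the hunk.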
@@ -345,6 +345,7 @@ sub initialize( $$ ) {
 logmartians => BINARY_IF_OPTION,
 loopback => BINARY_IF_OPTION,
 nets => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_VSERVER,
+ nodbl => SIMPLE_IF_OPTION,
 norfc1918 => OBSOLETE_IF_OPTION,
 nosmurfs => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 optional => SIMPLE_IF_OPTION,
@@ -392,6 +393,7 @@ sub initialize( $$ ) {
 loopback => BINARY_IF_OPTION,
 maclist => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 nets => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_VSERVER,
+ nodbl => SIMPLE_IF_OPTION,
 nosmurfs => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 optional => SIMPLE_IF_OPTION,
 optional => SIMPLE_IF_OPTION,
diff --git a/Shorewall/manpages/shorewall-interfaces.xml b/Shorewall/manpages/shorewall-interfaces.xml
index aa1558183..54dbf8782 100644
--- a/Shorewall/manpages/shorewall-interfaces.xml
+++ b/Shorewall/manpages/shorewall-interfaces.xml
@@ -488,6 +488,15 @@ loc eth2 -
+
+ nodbl
+
+
+ Added in Shorewall 5.0.8. When specified, dynamic
+ blacklisting is disabled on the interface.
+
+
+
 nosmurfs
diff --git a/Shorewall6/manpages/shorewall6-interfaces.xml b/Shorewall6/manpages/shorewall6-interfaces.xml
index 97e5afa3f..d4a96e414 100644
--- a/Shorewall6/manpages/shorewall6-interfaces.xml
+++ b/Shorewall6/manpages/shorewall6-interfaces.xml
@@ -365,6 +365,15 @@ loc eth2 -
+
+ nodbl
+
+
+ Added in Shorewall 5.0.8. When specified, dynamic
+ blacklisting is disabled on the interface.
+
+
+
 optional
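Review bot: The context directly below the added `nodbl` entry in the second (IPv6) option table appears to list `optional => SIMPLE_IF_OPTION,` twice; if that duplicate key is really in the source rather than a rendering artifact, Perl keeps the last value without any warning, and dropping the repeat would be a cheap cleanup while this table is being touched. `nodbl` itself is registered identically in both tables as a plain `SIMPLE_IF_OPTION` without `IF_OPTION_HOST`, which fits an interface-only switch, but nothing in these tables says what honours it; a one-line comment on the new entry, `# checked in add_common_rules (Misc.pm) to skip dynamic-blacklist rules`, would tie the two halves of this patch together. The enclosing `initialize` sub starts and ends outside both hunks.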