diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm
index 31f3a6313..39fd22fef 100644
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -224,10 +224,12 @@ sub remove_blacklist( $ ) {
$changed = 1;
if ( $comment ) {
- $comment =~ s/^/ / while $rule =~ s/blacklist,//;
+ $comment =~ s/^/ / while $rule =~ s/blacklist,// || $rule =~ s/,blacklist//;
$rule =~ s/blacklist/ /g;
$currentline = join( '#', $rule, $comment );
} else {
+ $currentline =~ s/blacklist,//g;
+ $currentline =~ s/,blacklist//g;
$currentline =~ s/blacklist/ /g;
}
}
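Review bot: The new substitutions on the `+` lines match the bare substring `blacklist` anywhere in the option text rather than a whole comma-separated option, so any option name that happens to contain that substring would also be mangled (I cannot tell from this hunk whether such an option exists, but the pattern does not rule it out). Anchoring the token with word boundaries costs nothing: `$comment =~ s/^/ / while $rule =~ s/\bblacklist\b,// || $rule =~ s/,\bblacklist\b//;` and likewise `$currentline =~ s/\bblacklist\b,//g;` / `$currentline =~ s/,\bblacklist\b//g;` in the else branch. The final `s/blacklist/ /g` on each branch would then deserve the same anchoring for consistency. The enclosing `remove_blacklist` starts before this hunk and continues after it.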
@@ -540,7 +542,7 @@ EOF
if ( $notrack{$host} ) {
print $stoppedrules "NOTRACK\t$interface:$h\t-\t$rule\n";
- print $stoppedrules "NOTRACK\t\$FW\$interface:$h\t\$rule\n";
+ print $stoppedrules "NOTRACK\t\$FW\t$interface:$h\t$rule\n";
}
unless ( $matched ) {
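Review bot: The corrected `print` now emits `$FW` literally as the SOURCE column while `$interface`, `$h` and `$rule` are interpolated; because the old line got exactly this mix of escaped and unescaped sigils wrong, a one-line comment above the two prints would stop it regressing, e.g. `# "\$FW" is written literally: it is the firewall-zone placeholder the generated stoppedrules file expects`. The loop and the function that contain these lines begin outside the hunk.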
@@ -824,6 +826,8 @@ sub add_common_rules ( $$$ ) {
if ( $upgrade_blacklist ) {
exit 0 unless convert_blacklist || $upgrade_tcrules || $upgrade_routestopped;
+ } elsif ( my $fn = find_file 'blacklist' ) {
+ warning_message "The blacklist file is no longer supported -- use '$product update -b' to convert $fn to the equivalent blrules file";
}
$list = find_hosts_by_option 'nosmurfs';
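Review bot: The new `elsif ( my $fn = find_file 'blacklist' )` treats a true return as proof that a blacklist file exists, but if `find_file` follows the pattern of returning a default path in the first CONFIG_PATH directory when nothing is found (I cannot see its definition here), this warning would fire on every compile even without such a file; confirm that, and if so guard on the file itself: `} elsif ( -f ( my $fn = find_file 'blacklist' ) ) {`. The same construct is used for `routestopped` in the later hunk of this file (`@@ -2462,7 +2466,12 @@`) and needs the same check. `add_common_rules` starts before this hunk and continues after it.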
@@ -2462,7 +2466,12 @@ EOF
}
}
- convert_routestopped if $routestopped;
+ if ( $routestopped ) {
+ convert_routestopped;
+ } elsif ( my $fn = find_file 'routestopped' ) {
+ warning_message "The routestopped file is no longer supported - use '$product update -s' to convert $fn to an equivalent 'stoppedrules' file";
+ }
+
process_stoppedrules;
if ( have_capability 'IFACE_MATCH' ) {
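Review bot: The wording of this new warning differs from the blacklist one added earlier in this file ("no longer supported -" versus "no longer supported --", and "an equivalent 'stoppedrules' file" versus "the equivalent blrules file"); since both are user-facing messages about the same `update` conversion, they should share one template, e.g. `warning_message "The routestopped file is no longer supported -- use '$product update -s' to convert $fn to the equivalent stoppedrules file";`. Both messages interpolate `$product`, which is declared outside this hunk; the enclosing function also starts and ends outside it.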
diff --git a/Shorewall/Perl/Shorewall/Zones.pm b/Shorewall/Perl/Shorewall/Zones.pm
index b636c0ed7..77ac0a676 100644
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -1226,6 +1226,11 @@ sub process_interface( $$ ) {
fatal_error "Option $option does not take a value" if defined $value;
if ( $option eq 'blacklist' ) {
warning_message "The 'blacklist' interface option is no longer supported";
+ if ( $zone ) {
+ $zoneref->{options}{in}{blacklist} = 1;
+ } else {
+ warning_message "The 'blacklist' option is ignored on multi-zone interfaces";
+ }
} else {
$options{$option} = 1;
$hostoptions{$option} = 1 if $hostopt;
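Review bot: The added branch records `$zoneref->{options}{in}{blacklist} = 1` immediately after telling the user the option "is no longer supported", so the message and the behaviour disagree: a reader of the generated warning will assume the option was dropped, while the code keeps it in the zone's option set. Either the message should say the option is being mapped for conversion, or a comment should explain the purpose, e.g. `# Recorded on the zone so that the blrules conversion can see it -- TODO confirm this is the only consumer`. The same unconditional assignment is added in `process_host` later in this file (`@@ -2068,6 +2073,7 @@`) and has the same mismatch; note also that `$zoneref` is assumed to be set whenever `$zone` is true, which is established outside this hunk. `process_interface` begins before the hunk and continues after it.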
@@ -2068,6 +2073,7 @@ sub process_host( ) {
warning_message "The 'norfc1918' host option is no longer supported"
} elsif ( $option eq 'blacklist' ) {
warning_message "The 'blacklist' option is no longer supported";
+ $zoneref->{options}{in}{blacklist} = 1;
} elsif ( $option =~ /^mss=(\d+)$/ ) {
fatal_error "Invalid mss ($1)" unless $1 >= 500;
require_capability 'TCPMSS_TARGET', $option, 's';
diff --git a/Shorewall/manpages/shorewall-conntrack.xml b/Shorewall/manpages/shorewall-conntrack.xml
index cf8ac57e0..4c570e28b 100644
--- a/Shorewall/manpages/shorewall-conntrack.xml
+++ b/Shorewall/manpages/shorewall-conntrack.xml
@@ -34,8 +34,8 @@
role="bold">raw table. In 4.5.7, the file's name was changed to
conntrack.
- The file supports two different column layouts: FORMAT 1, FORMAT 2,
- and FORMAT 3, FORMAT 1 being the default. The three differ as
+ The file supports three different column layouts: FORMAT 1, FORMAT
+ 2, and FORMAT 3, FORMAT 1 being the default. The three differ as
follows:
@@ -366,7 +366,7 @@
SOURCE (formats 1 and 2) ‒
- {zone[:interface][:address-list]|COMMENT}
+ {zone[:interface][:address-list]}
where zone is the name of a zone,
@@ -397,10 +397,6 @@
shorewall-exclusion
(5)).
-
- COMMENT is only allowed in format 1; the remainder of the line
- is treated as a comment that will be associated with the generated
- rule(s).
@@ -556,7 +552,7 @@ DROP:PO - 1.2.3.4
FILES
- /etc/shorewall/notrack
+ /etc/shorewall/conntrack