diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm
index 31f3a6313..39fd22fef 100644
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -224,10 +224,12 @@ sub remove_blacklist( $ ) {
 $changed = 1;
 if ( $comment ) {
- $comment =~ s/^/ / while $rule =~ s/blacklist,//;
+ $comment =~ s/^/ / while $rule =~ s/blacklist,// || $rule =~ s/,blacklist//;
 $rule =~ s/blacklist/ /g;
 $currentline = join( '#', $rule, $comment );
 } else {
+ $currentline =~ s/blacklist,//g;
+ $currentline =~ s/,blacklist//g;
 $currentline =~ s/blacklist/ /g;
 }
 }
@@ -540,7 +542,7 @@ EOF
 if ( $notrack{$host} ) {
 print $stoppedrules "NOTRACK\t$interface:$h\t-\t$rule\n";
- print $stoppedrules "NOTRACK\t\$FW\$interface:$h\t\$rule\n";
+ print $stoppedrules "NOTRACK\t\$FW\t$interface:$h\t$rule\n";
 }
 unless ( $matched ) {
@@ -824,6 +826,8 @@ sub add_common_rules ( $$$ ) {
 if ( $upgrade_blacklist ) {
 exit 0 unless convert_blacklist || $upgrade_tcrules || $upgrade_routestopped;
+ } elsif ( my $fn = find_file 'blacklist' ) {
+ warning_message "The blacklist file is no longer supported -- use '$product update -b' to convert $fn to the equivalent blrules file";
 }
 $list = find_hosts_by_option 'nosmurfs';
@@ -2462,7 +2466,12 @@ EOF
 }
 }
- convert_routestopped if $routestopped;
+ if ( $routestopped ) {
+ convert_routestopped;
+ } elsif ( my $fn = find_file 'routestopped' ) {
+ warning_message "The routestopped file is no longer supported - use '$product update -s' to convert $fn to an equivalent 'stoppedrules' file";
+ }
+ process_stoppedrules;
 if ( have_capability 'IFACE_MATCH' ) {
diff --git a/Shorewall/Perl/Shorewall/Zones.pm b/Shorewall/Perl/Shorewall/Zones.pm
index b636c0ed7..77ac0a676 100644
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
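Review bot: The new `s/blacklist,//` and `s/,blacklist//` substitutions, like the surviving `s/blacklist/ /g`, match the bare substring anywhere in `$rule` or `$currentline`, so any other column value that merely contains `blacklist` inside a longer token would be stripped or blanked as well (whether such values occur cannot be seen from the hunk). Anchoring the token keeps the rewrite to the option itself: `$comment =~ s/^/ / while $rule =~ s/\bblacklist,// || $rule =~ s/,blacklist\b//;` in the comment branch and `$currentline =~ s/\bblacklist\b/ /g;` in the else branch. The comment branch prefixes `$comment` with one space per removed token while the new else branch does no padding; a one-line comment on why the two branches differ would help the next reader. remove_blacklist begins before this hunk and continues after it.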
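Review bot: The corrected print mixes a literal `\$FW` (emitted verbatim into the stoppedrules output) with interpolated `$interface:$h` and `$rule`, which is exactly the distinction the old line got wrong (`\$rule` was written verbatim and the tab after `\$FW` was missing), so a trailing comment would guard against regression: `# \$FW goes out literally; the remaining fields are interpolated`. Both prints also interpolate `$h` and `$rule` unescaped into a tab-separated line, so if either value can carry whitespace the column layout breaks; where they are produced is outside this hunk. The enclosing sub starts before the hunk and continues after it.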
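Review bot: The new `elsif ( my $fn = find_file 'blacklist' )` warns whenever `find_file` returns a true value, but nothing in the hunk shows that `find_file` returns false when no such file exists; if it yields a candidate path regardless of existence (as lookup helpers sometimes do so callers can create the file), this warning would fire on every compile. Confirm its contract, or test the file itself: `} elsif ( -f ( my $fn = find_file 'blacklist' ) ) {`. The same question applies to the `find_file 'routestopped'` branch in the hunk at @@ -2462. add_common_rules begins before this hunk and continues after it.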
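Review bot: The two user-facing deprecation messages added by this commit are worded inconsistently: this one reads `no longer supported - use '$product update -s' to convert $fn to an equivalent 'stoppedrules' file` while the blacklist one at @@ -824 reads `no longer supported -- use '$product update -b' to convert $fn to the equivalent blrules file` (single vs double dash, quoted vs bare file name, "an" vs "the"). Aligning them is a one-line change, e.g. `warning_message "The routestopped file is no longer supported -- use '$product update -s' to convert $fn to the equivalent stoppedrules file";`. `process_stoppedrules;` is also now called unconditionally after the new if/elsif; if it previously ran only when `$routestopped` was set, that is a behaviour change worth a comment, but the earlier call site is not visible in the hunk. The enclosing sub starts before the hunk and continues after it.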
@@ -1226,6 +1226,11 @@ sub process_interface( $$ ) {
 fatal_error "Option $option does not take a value" if defined $value;
 if ( $option eq 'blacklist' ) {
 warning_message "The 'blacklist' interface option is no longer supported";
+ if ( $zone ) {
+ $zoneref->{options}{in}{blacklist} = 1;
+ } else {
+ warning_message "The 'blacklist' option is ignored on multi-zone interfaces";
+ }
 } else {
 $options{$option} = 1;
 $hostoptions{$option} = 1 if $hostopt;
@@ -2068,6 +2073,7 @@ sub process_host( ) {
 warning_message "The 'norfc1918' host option is no longer supported"
 } elsif ( $option eq 'blacklist' ) {
 warning_message "The 'blacklist' option is no longer supported";
+ $zoneref->{options}{in}{blacklist} = 1;
 } elsif ( $option =~ /^mss=(\d+)$/ ) {
 fatal_error "Invalid mss ($1)" unless $1 >= 500;
 require_capability 'TCPMSS_TARGET', $option, 's';
diff --git a/Shorewall/manpages/shorewall-conntrack.xml b/Shorewall/manpages/shorewall-conntrack.xml
index cf8ac57e0..4c570e28b 100644
--- a/Shorewall/manpages/shorewall-conntrack.xml
+++ b/Shorewall/manpages/shorewall-conntrack.xml
@@ -34,8 +34,8 @@ role="bold">raw table. In 4.5.7, the file's name was changed to conntrack.
- The file supports two different column layouts: FORMAT 1, FORMAT 2,
- and FORMAT 3, FORMAT 1 being the default. The three differ as
+ The file supports three different column layouts: FORMAT 1, FORMAT
+ 2, and FORMAT 3, FORMAT 1 being the default. The three differ as
 follows:
@@ -366,7 +366,7 @@ SOURCE (formats 1 and 2) ‒
- {zone[:interface][:address-list]|COMMENT}
+ {zone[:interface][:address-list]}
 where zone is the name of a zone,
@@ -397,10 +397,6 @@ shorewall-exclusion (5)).
- 
- COMMENT is only allowed in format 1; the remainder of the line
- is treated as a comment that will be associated with the generated
- rule(s).
@@ -556,7 +552,7 @@ DROP:PO - 1.2.3.4 FILES
- /etc/shorewall/notrack
+ /etc/shorewall/conntrack
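Review bot: In the `blacklist` branch the code first warns that the option "is no longer supported" and on the next added line honours it by setting `$zoneref->{options}{in}{blacklist} = 1`, which reads as contradictory to the user; either the message should say what actually happens (e.g. `... is no longer supported; it has been applied as a zone option`, if that is what the flag means) or a comment above the assignment should name what consumes `{options}{in}{blacklist}`, which is not visible here. It is also not visible in this hunk that `$zoneref` is defined whenever `$zone` is true — worth confirming, since the process_host hunk at @@ -2068 assigns the same key with no guard at all. process_interface starts before the hunk and continues past it.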