Replace BLACKLISTNEWONLY with BLACKLIST
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
parent
75fb164234
commit
fc73c3934b
@ -3871,6 +3871,8 @@ sub state_imatch( $ ) {
|
||||
|
||||
unless ( $state eq 'ALL' ) {
|
||||
have_capability 'CONNTRACK_MATCH' ? ( conntrack => "--ctstate $state" ) : ( state => "--state $state" );
|
||||
} else {
|
||||
();
|
||||
}
|
||||
}
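Review bot: The new `ALL` sentinel in state_imatch returns an empty list, and at the call sites shown later in this commit that empty list is splatted straight into `add_ijump( ..., @state )`, so "ALL" silently becomes "no state match at all"; nothing in the function records that contract, and a caller that passes an unexpected string still gets a bare `--ctstate`/`--state` argument built from it. I would add a comment above the `unless` so the meaning of an empty return is explicit: `# 'ALL' yields an empty match list; the caller's rule then applies to every packet regardless of conntrack state`. The signature and opening of state_imatch are outside this hunk.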
|
||||
|
||||
|
@ -545,13 +545,16 @@ our %deprecated = ( LOGRATE => '' ,
|
||||
LOGBURST => '' ,
|
||||
EXPORTPARAMS => 'no',
|
||||
WIDE_TC_MARKS => 'no',
|
||||
HIGH_ROUTE_MARKS => 'no'
|
||||
HIGH_ROUTE_MARKS => 'no',
|
||||
BLACKLISTNEWONLY => 'yes',
|
||||
);
|
||||
#
|
||||
# Deprecated options that are eliminated via update
|
||||
#
|
||||
our %converted = ( WIDE_TC_MARKS => 1,
|
||||
HIGH_ROUTE_MARKS => 1 );
|
||||
HIGH_ROUTE_MARKS => 1,
|
||||
BLACKLISTNEWONLY => 1,
|
||||
);
|
||||
#
|
||||
# Variables involved in ?IF, ?ELSE ?ENDIF processing
|
||||
#
|
||||
@ -722,6 +725,7 @@ sub initialize( $;$$) {
|
||||
DETECT_DNAT_IPADDRS => undef,
|
||||
MUTEX_TIMEOUT => undef,
|
||||
ADMINISABSENTMINDED => undef,
|
||||
BLACKLIST => undef,
|
||||
BLACKLISTNEWONLY => undef,
|
||||
DELAYBLACKLISTLOAD => undef,
|
||||
MODULE_SUFFIX => undef,
|
||||
@ -5079,7 +5083,6 @@ sub get_configuration( $$$$ ) {
|
||||
}
|
||||
|
||||
default_yes_no 'ADMINISABSENTMINDED' , '';
|
||||
default_yes_no 'BLACKLISTNEWONLY' , '';
|
||||
default_yes_no 'DISABLE_IPV6' , '';
|
||||
|
||||
unsupported_yes_no_warning 'DYNAMIC_ZONES';
|
||||
@ -5098,7 +5101,47 @@ sub get_configuration( $$$$ ) {
|
||||
|
||||
default_yes_no 'FASTACCEPT' , '';
|
||||
|
||||
fatal_error "BLACKLISTNEWONLY=No may not be specified with FASTACCEPT=Yes" if $config{FASTACCEPT} && ! $config{BLACKLISTNEWONLY};
|
||||
if ( supplied( $val = $config{BLACKLIST} ) ) {
|
||||
my %states;
|
||||
|
||||
if ( $val eq 'ALL' ) {
|
||||
$globals{BLACKLIST_STATES} = 'ALL';
|
||||
} else {
|
||||
for ( split_list $val, 'BLACKLIST' ) {
|
||||
fatal_error "Invalid BLACKLIST state ($_)" unless /^(?:NEW|RELATED|ESTABLISHED|INVALID|UNTRACKED)$/;
|
||||
fatal_error "Duplicate BLACKLIST state($_)" if $states{$_};
|
||||
$states{$_} = 1;
|
||||
}
|
||||
|
||||
fatal_error "ESTABLISHED state may not be specified when FASTACCEPT=Yes" if $config{FASTACCEPT} && $states{ESTABLISHED};
|
||||
require_capability 'RAW_TABLE', 'UNTRACKED state', 's' if $states{UNTRACKED};
|
||||
#
|
||||
# Place the states in a predictable order
|
||||
#
|
||||
my @states;
|
||||
|
||||
for ( qw( NEW ESTABLISHED RELATED INVALID UNTRACKED ) ) {
|
||||
push @states, $_ if $states{$_};
|
||||
}
|
||||
|
||||
$globals{BLACKLIST_STATES} = join ',', @states;
|
||||
}
|
||||
} elsif ( supplied $config{BLACKLISTNEWONLY} ) {
|
||||
default_yes_no 'BLACKLISTNEWONLY' , '';
|
||||
fatal_error "BLACKLISTNEWONLY=No may not be specified with FASTACCEPT=Yes" if $config{FASTACCEPT} && ! $config{BLACKLISTNEWONLY};
|
||||
|
||||
if ( have_capability 'RAW_TABLE' ) {
|
||||
$globals{BLACKLIST_STATES} = $config{BLACKLISTNEWONLY} ? 'NEW,INVALID,UNTRACKED' : 'NEW,ESTABLISHED,INVALID,UNTRACKED';
|
||||
} else {
|
||||
$globals{BLACKLIST_STATES} = $config{BLACKLISTNEWONLY} ? 'NEW,INVALID' : 'NEW,ESTABLISHED,INVALID';
|
||||
}
|
||||
} else {
|
||||
if ( have_capability 'RAW_TABLE' ) {
|
||||
$globals{BLACKLIST_STATES} = $config{FASTACCEPT} ? 'NEW,INVALID,UNTRACKED' : 'NEW,ESTABLISHED,INVALID,UNTRACKED';
|
||||
} else {
|
||||
$globals{BLACKLIST_STATES} = $config{FASTACCEPT} ? 'NEW,INVALID' : 'NEW,INVALID,ESTABLISHED';
|
||||
}
|
||||
}
|
||||
|
||||
default_yes_no 'IMPLICIT_CONTINUE' , '';
|
||||
default_yes_no 'HIGH_ROUTE_MARKS' , '';
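Review bot: The ESTABLISHED/FASTACCEPT conflict check sits inside the non-ALL branch of the new BLACKLIST handling, so `BLACKLIST=ALL` together with `FASTACCEPT=Yes` passes validation even though ALL necessarily covers ESTABLISHED (and RELATED), which the manpage text added in this commit says may not be combined with FASTACCEPT. Unless the unconditional jump produced by `state_imatch 'ALL'` is intended to override FASTACCEPT — I cannot confirm that from the hunk — I would hoist the check out of the else branch: `fatal_error "ESTABLISHED state may not be specified when FASTACCEPT=Yes" if $config{FASTACCEPT} && ( $val eq 'ALL' || $states{ESTABLISHED} );`. Two smaller points in the same hunk: the state regex is anchored with `$`, which accepts a trailing newline, so `\z` is the safer anchor for a value that ends up in an iptables argument, and the no-RAW_TABLE default reads `NEW,INVALID,ESTABLISHED` while every other path and the "predictable order" loop put ESTABLISHED second. The defaults also drop ESTABLISHED when FASTACCEPT=Yes, whereas the new manpage paragraph states the default is unconditionally NEW,ESTABLISHED,INVALID,UNTRACKED, so one of the two should be adjusted. get_configuration begins and ends outside this hunk.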
|
||||
|
@ -764,7 +764,7 @@ sub add_common_rules ( $ ) {
|
||||
my $chain;
|
||||
my $dynamicref;
|
||||
|
||||
my @state = $config{BLACKLISTNEWONLY} ? have_capability( 'RAW_TABLE' ) ? state_imatch 'NEW,INVALID,UNTRACKED' : state_imatch 'NEW,INVALID' : ();
|
||||
my @state = state_imatch( $globals{BLACKLIST_STATES} );
|
||||
my $faststate = $config{RELATED_DISPOSITION} eq 'ACCEPT' && $config{RELATED_LOG_LEVEL} eq '' ? 'ESTABLISHED,RELATED' : 'ESTABLISHED';
|
||||
my $level = $config{BLACKLIST_LOGLEVEL};
|
||||
my $rejectref = $filter_table->{reject};
|
||||
|
@ -2384,14 +2384,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
|
||||
$auxref = new_chain 'filter', $auxchain;
|
||||
|
||||
if ( $blacklist ) {
|
||||
if ( $config{BLACKLISTNEWONLY} ) {
|
||||
if ( have_capability 'RAW_TABLE' ) {
|
||||
@state = state_imatch( 'NEW,INVALID,UNTRACKED' );
|
||||
} else {
|
||||
@state = state_imatch( 'NEW,INVALID' );
|
||||
}
|
||||
}
|
||||
|
||||
@state = state_imatch( $globals{BLACKLIST_STATES} );
|
||||
$auxref->{blacklistsection} = 1;
|
||||
} elsif ( $section == INVALID_SECTION ) {
|
||||
@state = state_imatch( 'INVALID' );
|
||||
@ -2400,7 +2393,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
|
||||
} else {
|
||||
@state = state_imatch 'RELATED';
|
||||
};
|
||||
|
||||
|
||||
add_ijump( $chainref, j => $auxref, @state );
|
||||
}
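Review bot: Now that BLACKLIST may include RELATED, the `$faststate` line in add_common_rules selects `ESTABLISHED,RELATED` when RELATED_DISPOSITION=ACCEPT and no RELATED log level is set, while the Config.pm validation in this commit rejects only ESTABLISHED under FASTACCEPT; if the fast-accept rule is emitted ahead of the blacklist jump (the rule ordering is outside this hunk), a RELATED entry in BLACKLIST_STATES would presumably never be consulted in that configuration. Either the validation should treat RELATED the same way when it is part of `$faststate`, or a comment next to the new `@state` line should record the precedence, e.g. `# States in $faststate are accepted before the blacklist jump; overlap with BLACKLIST_STATES is checked in Config.pm`. add_common_rules starts and ends outside the hunk.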
|
||||
|
||||
|
@ -128,7 +128,7 @@ AUTOHELPERS=Yes
|
||||
|
||||
AUTOMAKE=No
|
||||
|
||||
BLACKLISTNEWONLY=Yes
|
||||
BLACKLIST="NEW,INVALID,UNTRACKED"
|
||||
|
||||
CLAMPMSS=No
|
||||
|
||||
|
@ -139,7 +139,7 @@ AUTOHELPERS=Yes
|
||||
|
||||
AUTOMAKE=No
|
||||
|
||||
BLACKLISTNEWONLY=Yes
|
||||
BLACKLIST="NEW,INVALID,UNTRACKED"
|
||||
|
||||
CLAMPMSS=No
|
||||
|
||||
|
@ -137,7 +137,7 @@ AUTOHELPERS=Yes
|
||||
|
||||
AUTOMAKE=No
|
||||
|
||||
BLACKLISTNEWONLY=Yes
|
||||
BLACKLIST="NEW,INVALID,UNTRACKED"
|
||||
|
||||
CLAMPMSS=Yes
|
||||
|
||||
|
@ -140,7 +140,7 @@ AUTOHELPERS=Yes
|
||||
|
||||
AUTOMAKE=No
|
||||
|
||||
BLACKLISTNEWONLY=Yes
|
||||
BLACKLIST="NEW,INVALID,UNTRACKED"
|
||||
|
||||
CLAMPMSS=Yes
|
||||
|
||||
|
@ -128,7 +128,7 @@ AUTOHELPERS=Yes
|
||||
|
||||
AUTOMAKE=No
|
||||
|
||||
BLACKLISTNEWONLY=Yes
|
||||
BLACKLIST="NEW,INVALID,UNTRACKED"
|
||||
|
||||
CLAMPMSS=No
|
||||
|
||||
|
@ -372,6 +372,28 @@
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">BLACKLIST=</emphasis>[{<emphasis
|
||||
role="bold">ALL</emphasis>|<emphasis
|
||||
role="bold"><replaceable>state</replaceable>[,...]</emphasis>}]</term>
|
||||
|
||||
<listitem>
|
||||
<para>where state is one of NEW, ESTABLISHED, RELATED, INVALID,or
|
||||
UNTRACKED.</para>
|
||||
|
||||
<para>Added in Shorewall 4.5.13 to replace the BLACKLISTNEWONLY
|
||||
option below. Specifies the connection tracking states that are to
|
||||
be subject to blacklist screening. If neither BLACKLIST nor
|
||||
BLACKLISTNEWONLY are specified then the states subject to
|
||||
blacklisting are NEW,ESTABLISHED,INVALID,UNTRACKED.</para>
|
||||
|
||||
<para>ALL sends all packets through the blacklist chains.</para>
|
||||
|
||||
<para>Note: The ESTABLISHED state may not be specified if FASTACCEPT
|
||||
is specified.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis
|
||||
role="bold">BLACKLIST_DISPOSITION=</emphasis>[<emphasis
|
||||
@ -422,6 +444,9 @@
|
||||
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
|
||||
|
||||
<listitem>
|
||||
<para>Deprecated in Shorewall 4.5.13 in favor of BLACKLIST
|
||||
above.</para>
|
||||
|
||||
<para>When set to <emphasis role="bold">Yes</emphasis> or <emphasis
|
||||
role="bold">yes</emphasis>, blacklists are only consulted for new
|
||||
connections and for packets in the INVALID connection state (such as
|
||||
|
@ -121,7 +121,7 @@ AUTOHELPERS=Yes
|
||||
|
||||
AUTOMAKE=No
|
||||
|
||||
BLACKLISTNEWONLY=Yes
|
||||
BLACKLIST="NEW,INVALID,UNTRACKED"
|
||||
|
||||
CLAMPMSS=No
|
||||
|
||||
|
@ -121,7 +121,7 @@ AUTOHELPERS=Yes
|
||||
|
||||
AUTOMAKE=No
|
||||
|
||||
BLACKLISTNEWONLY=Yes
|
||||
BLACKLIST="NEW,INVALID,UNTRACKED"
|
||||
|
||||
CLAMPMSS=No
|
||||
|
||||
|
@ -121,7 +121,7 @@ AUTOHELPERS=Yes
|
||||
|
||||
AUTOMAKE=No
|
||||
|
||||
BLACKLISTNEWONLY=Yes
|
||||
BLACKLIST="NEW,INVALID,UNTRACKED"
|
||||
|
||||
CLAMPMSS=No
|
||||
|
||||
|
@ -121,7 +121,7 @@ AUTOHELPERS=Yes
|
||||
|
||||
AUTOMAKE=No
|
||||
|
||||
BLACKLISTNEWONLY=Yes
|
||||
BLACKLIST="NEW,INVALID,UNTRACKED"
|
||||
|
||||
CLAMPMSS=No
|
||||
|
||||
|
@ -121,7 +121,7 @@ AUTOHELPERS=Yes
|
||||
|
||||
AUTOMAKE=No
|
||||
|
||||
BLACKLISTNEWONLY=Yes
|
||||
BLACKLIST="NEW,INVALID,UNTRACKED"
|
||||
|
||||
CLAMPMSS=No
|
||||
|
||||
|
@ -309,6 +309,26 @@
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">BLACKLIST=</emphasis>[{<emphasis
|
||||
role="bold">ALL</emphasis>|<emphasis
|
||||
role="bold"><replaceable>state</replaceable>[,...]</emphasis>}]</term>
|
||||
|
||||
<listitem>
|
||||
<para>where state is one of NEW, ESTABLISHED, RELATED, INVALID,or
|
||||
UNTRACKED.</para>
|
||||
|
||||
<para>Added in Shorewall 4.5.13 to replace the BLACKLISTNEWONLY
|
||||
option below. Specifies the connection tracking states that are to
|
||||
be subject to blacklist screening. If neither BLACKLIST nor
|
||||
BLACKLISTNEWONLY are specified then the states subject to
|
||||
blacklisting are NEW,ESTABLISHED,INVALID,UNTRACKED.</para>
|
||||
|
||||
<para>Note: The ESTABLISHED state may not be specified if FASTACCEPT
|
||||
is specified.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis
|
||||
role="bold">BLACKLIST_DISPOSITION=</emphasis>[<emphasis
|
||||
@ -354,6 +374,9 @@
|
||||
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
|
||||
|
||||
<listitem>
|
||||
<para>Deprecated in Shorewall 4.5.13 in favor of BLACKLIST
|
||||
above.</para>
|
||||
|
||||
<para>When set to <emphasis role="bold">Yes</emphasis> or <emphasis
|
||||
role="bold">yes</emphasis>, blacklists are only consulted for new
|
||||
connections, for packets in the INVALID connection state (such as a
|
||||
|