diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index 2b4ae2af3..39f056eb9 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -3871,6 +3871,8 @@ sub state_imatch( $ ) {
unless ( $state eq 'ALL' ) {
have_capability 'CONNTRACK_MATCH' ? ( conntrack => "--ctstate $state" ) : ( state => "--state $state" );
+ } else {
+ ();
}
}
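Review bot: The new `else` branch turns this into an `unless … else` construct and leaves the return value implicit, which is the exact shape Perl::Critic and PBP flag as hard to read; a guard clause says the same thing more directly: `return () if $state eq 'ALL';` followed by `return have_capability 'CONNTRACK_MATCH' ? ( conntrack => "--ctstate $state" ) : ( state => "--state $state" );`. It is worth a one-line comment on the guard, e.g. `# 'ALL' means no state match at all: every packet traverses the blacklist chains`, since callers now pass $globals{BLACKLIST_STATES} straight through and the sentinel is not obvious from the body. Because $state is interpolated verbatim into the match, the sub still depends on callers having validated the list; that is true for the new Config.pm path but is not stated here. The signature and any argument unpacking of state_imatch lie before the hunk, so only the tail of the sub is visible.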
diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
index 71c970239..b2c663b17 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -545,13 +545,16 @@ our %deprecated = ( LOGRATE => '' ,
LOGBURST => '' ,
EXPORTPARAMS => 'no',
WIDE_TC_MARKS => 'no',
- HIGH_ROUTE_MARKS => 'no'
+ HIGH_ROUTE_MARKS => 'no',
+ BLACKLISTNEWONLY => 'yes',
);
#
# Deprecated options that are eliminated via update
#
our %converted = ( WIDE_TC_MARKS => 1,
- HIGH_ROUTE_MARKS => 1 );
+ HIGH_ROUTE_MARKS => 1,
+ BLACKLISTNEWONLY => 1,
+ );
#
# Variables involved in ?IF, ?ELSE ?ENDIF processing
#
@@ -722,6 +725,7 @@ sub initialize( $;$$) {
DETECT_DNAT_IPADDRS => undef,
MUTEX_TIMEOUT => undef,
ADMINISABSENTMINDED => undef,
+ BLACKLIST => undef,
BLACKLISTNEWONLY => undef,
DELAYBLACKLISTLOAD => undef,
MODULE_SUFFIX => undef,
@@ -5079,7 +5083,6 @@ sub get_configuration( $$$$ ) {
}
default_yes_no 'ADMINISABSENTMINDED' , '';
- default_yes_no 'BLACKLISTNEWONLY' , '';
default_yes_no 'DISABLE_IPV6' , '';
unsupported_yes_no_warning 'DYNAMIC_ZONES';
@@ -5098,7 +5101,47 @@ sub get_configuration( $$$$ ) {
default_yes_no 'FASTACCEPT' , '';
- fatal_error "BLACKLISTNEWONLY=No may not be specified with FASTACCEPT=Yes" if $config{FASTACCEPT} && ! $config{BLACKLISTNEWONLY};
+ if ( supplied( $val = $config{BLACKLIST} ) ) {
+ my %states;
+
+ if ( $val eq 'ALL' ) {
+ $globals{BLACKLIST_STATES} = 'ALL';
+ } else {
+ for ( split_list $val, 'BLACKLIST' ) {
+ fatal_error "Invalid BLACKLIST state ($_)" unless /^(?:NEW|RELATED|ESTABLISHED|INVALID|UNTRACKED)$/;
+ fatal_error "Duplicate BLACKLIST state($_)" if $states{$_};
+ $states{$_} = 1;
+ }
+
+ fatal_error "ESTABLISHED state may not be specified when FASTACCEPT=Yes" if $config{FASTACCEPT} && $states{ESTABLISHED};
+ require_capability 'RAW_TABLE', 'UNTRACKED state', 's' if $states{UNTRACKED};
+ #
+ # Place the states in a predictable order
+ #
+ my @states;
+
+ for ( qw( NEW ESTABLISHED RELATED INVALID UNTRACKED ) ) {
+ push @states, $_ if $states{$_};
+ }
+
+ $globals{BLACKLIST_STATES} = join ',', @states;
+ }
+ } elsif ( supplied $config{BLACKLISTNEWONLY} ) {
+ default_yes_no 'BLACKLISTNEWONLY' , '';
+ fatal_error "BLACKLISTNEWONLY=No may not be specified with FASTACCEPT=Yes" if $config{FASTACCEPT} && ! $config{BLACKLISTNEWONLY};
+
+ if ( have_capability 'RAW_TABLE' ) {
+ $globals{BLACKLIST_STATES} = $config{BLACKLISTNEWONLY} ? 'NEW,INVALID,UNTRACKED' : 'NEW,ESTABLISHED,INVALID,UNTRACKED';
+ } else {
+ $globals{BLACKLIST_STATES} = $config{BLACKLISTNEWONLY} ? 'NEW,INVALID' : 'NEW,ESTABLISHED,INVALID';
+ }
+ } else {
+ if ( have_capability 'RAW_TABLE' ) {
+ $globals{BLACKLIST_STATES} = $config{FASTACCEPT} ? 'NEW,INVALID,UNTRACKED' : 'NEW,ESTABLISHED,INVALID,UNTRACKED';
+ } else {
+ $globals{BLACKLIST_STATES} = $config{FASTACCEPT} ? 'NEW,INVALID' : 'NEW,INVALID,ESTABLISHED';
+ }
+ }
default_yes_no 'IMPLICIT_CONTINUE' , '';
default_yes_no 'HIGH_ROUTE_MARKS' , '';
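Review bot: The `ALL` branch assigns `$globals{BLACKLIST_STATES} = 'ALL'` and skips every check, so `BLACKLIST=ALL` with `FASTACCEPT=Yes` passes silently even though the non-ALL branch rejects ESTABLISHED with that very combination; if the fast-accept rule precedes the blacklist jump (as the existing check implies), ALL then silently does less than the manpage promises. Either reject it the same way, `fatal_error "BLACKLIST=ALL may not be specified with FASTACCEPT=Yes" if $config{FASTACCEPT};` inside the ALL branch, or document the interaction. The state validation regex uses `^…$`, which tolerates a trailing newline before the string is interpolated into `--ctstate`; `\A(?:NEW|RELATED|ESTABLISHED|INVALID|UNTRACKED)\z` is the intended anchoring, and naming the loop variable (`for my $state ( split_list … )`) avoids relying on `$_` across the fatal_error calls. The fallback literal `'NEW,INVALID,ESTABLISHED'` in the final else is the only one not in the "predictable order" established by the qw list above and by the sibling literals, which matters if generated rulesets are ever compared textually. Note also that the manpage text in this commit states the default as NEW,ESTABLISHED,INVALID,UNTRACKED unconditionally, while this code drops ESTABLISHED under FASTACCEPT and UNTRACKED without RAW_TABLE.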
diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm
index 15776d60e..65c652fc2 100644
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -764,7 +764,7 @@ sub add_common_rules ( $ ) {
my $chain;
my $dynamicref;
- my @state = $config{BLACKLISTNEWONLY} ? have_capability( 'RAW_TABLE' ) ? state_imatch 'NEW,INVALID,UNTRACKED' : state_imatch 'NEW,INVALID' : ();
+ my @state = state_imatch( $globals{BLACKLIST_STATES} );
my $faststate = $config{RELATED_DISPOSITION} eq 'ACCEPT' && $config{RELATED_LOG_LEVEL} eq '' ? 'ESTABLISHED,RELATED' : 'ESTABLISHED';
my $level = $config{BLACKLIST_LOGLEVEL};
my $rejectref = $filter_table->{reject};
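Review bot: This line changes behaviour for `BLACKLISTNEWONLY=No` users in a way the commit does not call out: the removed expression produced an empty @state (no state match, every packet screened) in that case, whereas the new Config.pm mapping yields `NEW,ESTABLISHED,INVALID[,UNTRACKED]`, so RELATED packets no longer traverse the blacklist chains. The same applies to the equivalent replacement in Rules.pm process_rule, where the old code left @state untouched when BLACKLISTNEWONLY was false. If the narrowing is intentional it belongs in the changelog and the deprecation text; if not, the BLACKLISTNEWONLY=No mapping should include RELATED or map to `ALL`. add_common_rules begins before the hunk, so where the fast-accept rules are placed relative to this @state cannot be confirmed from here.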
diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index 10888c8cd..931c585a9 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -2384,14 +2384,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
$auxref = new_chain 'filter', $auxchain;
if ( $blacklist ) {
- if ( $config{BLACKLISTNEWONLY} ) {
- if ( have_capability 'RAW_TABLE' ) {
- @state = state_imatch( 'NEW,INVALID,UNTRACKED' );
- } else {
- @state = state_imatch( 'NEW,INVALID' );
- }
- }
-
+ @state = state_imatch( $globals{BLACKLIST_STATES} );
$auxref->{blacklistsection} = 1;
} elsif ( $section == INVALID_SECTION ) {
@state = state_imatch( 'INVALID' );
@@ -2400,7 +2393,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
} else {
@state = state_imatch 'RELATED';
};
-
+
add_ijump( $chainref, j => $auxref, @state );
}
diff --git a/Shorewall/Samples/Universal/shorewall.conf b/Shorewall/Samples/Universal/shorewall.conf
index a69ef3295..b8470fcea 100644
--- a/Shorewall/Samples/Universal/shorewall.conf
+++ b/Shorewall/Samples/Universal/shorewall.conf
@@ -128,7 +128,7 @@ AUTOHELPERS=Yes
AUTOMAKE=No
-BLACKLISTNEWONLY=Yes
+BLACKLIST="NEW,INVALID,UNTRACKED"
CLAMPMSS=No
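Review bot: The shipped sample now hard-codes `BLACKLIST="NEW,INVALID,UNTRACKED"`, and Config.pm in this same commit makes UNTRACKED fatal via `require_capability 'RAW_TABLE'`, so on a kernel or iptables build without the raw table this sample fails to compile where the previous `BLACKLISTNEWONLY=Yes` adapted through have_capability. Leaving the option unset (the new default branch already picks UNTRACKED only when RAW_TABLE is available) or using `BLACKLIST="NEW,INVALID"` with a comment pointing at UNTRACKED for raw-table systems keeps the samples portable. The same line appears in the one-interface, two-interfaces and three-interfaces samples, in configfiles/shorewall.conf, and in all five shorewall6.conf files in this commit.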
diff --git a/Shorewall/Samples/one-interface/shorewall.conf b/Shorewall/Samples/one-interface/shorewall.conf
index b3c9581dd..ebd806ce7 100644
--- a/Shorewall/Samples/one-interface/shorewall.conf
+++ b/Shorewall/Samples/one-interface/shorewall.conf
@@ -139,7 +139,7 @@ AUTOHELPERS=Yes
AUTOMAKE=No
-BLACKLISTNEWONLY=Yes
+BLACKLIST="NEW,INVALID,UNTRACKED"
CLAMPMSS=No
diff --git a/Shorewall/Samples/three-interfaces/shorewall.conf b/Shorewall/Samples/three-interfaces/shorewall.conf
index ffb0c07b6..46877f93e 100644
--- a/Shorewall/Samples/three-interfaces/shorewall.conf
+++ b/Shorewall/Samples/three-interfaces/shorewall.conf
@@ -137,7 +137,7 @@ AUTOHELPERS=Yes
AUTOMAKE=No
-BLACKLISTNEWONLY=Yes
+BLACKLIST="NEW,INVALID,UNTRACKED"
CLAMPMSS=Yes
diff --git a/Shorewall/Samples/two-interfaces/shorewall.conf b/Shorewall/Samples/two-interfaces/shorewall.conf
index c65eb818d..53b74c5b8 100644
--- a/Shorewall/Samples/two-interfaces/shorewall.conf
+++ b/Shorewall/Samples/two-interfaces/shorewall.conf
@@ -140,7 +140,7 @@ AUTOHELPERS=Yes
AUTOMAKE=No
-BLACKLISTNEWONLY=Yes
+BLACKLIST="NEW,INVALID,UNTRACKED"
CLAMPMSS=Yes
diff --git a/Shorewall/configfiles/shorewall.conf b/Shorewall/configfiles/shorewall.conf
index a325b8648..cc13d51e3 100644
--- a/Shorewall/configfiles/shorewall.conf
+++ b/Shorewall/configfiles/shorewall.conf
@@ -128,7 +128,7 @@ AUTOHELPERS=Yes
AUTOMAKE=No
-BLACKLISTNEWONLY=Yes
+BLACKLIST="NEW,INVALID,UNTRACKED"
CLAMPMSS=No
diff --git a/Shorewall/manpages/shorewall.conf.xml b/Shorewall/manpages/shorewall.conf.xml
index 76208ed67..b8abea340 100644
--- a/Shorewall/manpages/shorewall.conf.xml
+++ b/Shorewall/manpages/shorewall.conf.xml
@@ -372,6 +372,28 @@
+
+ BLACKLIST=[{ALL|state[,...]}]
+
+
+ where state is one of NEW, ESTABLISHED, RELATED, INVALID,or
+ UNTRACKED.
+
+ Added in Shorewall 4.5.13 to replace the BLACKLISTNEWONLY
+ option below. Specifies the connection tracking states that are to
+ be subject to blacklist screening. If neither BLACKLIST nor
+ BLACKLISTNEWONLY are specified then the states subject to
+ blacklisting are NEW,ESTABLISHED,INVALID,UNTRACKED.
+
+ ALL sends all packets through the blacklist chains.
+
+ Note: The ESTABLISHED state may not be specified if FASTACCEPT
+ is specified.
+
+
+
BLACKLIST_DISPOSITION=[Yes|No}
+ Deprecated in Shorewall 4.5.13 in favor of BLACKLIST
+ above.
+
When set to Yes or yes, blacklists are only consulted for new
connections and for packets in the INVALID connection state (such as
diff --git a/Shorewall6/Samples6/Universal/shorewall6.conf b/Shorewall6/Samples6/Universal/shorewall6.conf
index 2183d92db..48a8df721 100644
--- a/Shorewall6/Samples6/Universal/shorewall6.conf
+++ b/Shorewall6/Samples6/Universal/shorewall6.conf
@@ -121,7 +121,7 @@ AUTOHELPERS=Yes
AUTOMAKE=No
-BLACKLISTNEWONLY=Yes
+BLACKLIST="NEW,INVALID,UNTRACKED"
CLAMPMSS=No
diff --git a/Shorewall6/Samples6/one-interface/shorewall6.conf b/Shorewall6/Samples6/one-interface/shorewall6.conf
index 6d44bad8a..5975448b4 100644
--- a/Shorewall6/Samples6/one-interface/shorewall6.conf
+++ b/Shorewall6/Samples6/one-interface/shorewall6.conf
@@ -121,7 +121,7 @@ AUTOHELPERS=Yes
AUTOMAKE=No
-BLACKLISTNEWONLY=Yes
+BLACKLIST="NEW,INVALID,UNTRACKED"
CLAMPMSS=No
diff --git a/Shorewall6/Samples6/three-interfaces/shorewall6.conf b/Shorewall6/Samples6/three-interfaces/shorewall6.conf
index df6a9e909..0cb5eaa12 100644
--- a/Shorewall6/Samples6/three-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/three-interfaces/shorewall6.conf
@@ -121,7 +121,7 @@ AUTOHELPERS=Yes
AUTOMAKE=No
-BLACKLISTNEWONLY=Yes
+BLACKLIST="NEW,INVALID,UNTRACKED"
CLAMPMSS=No
diff --git a/Shorewall6/Samples6/two-interfaces/shorewall6.conf b/Shorewall6/Samples6/two-interfaces/shorewall6.conf
index e1a3a175c..bd57dea15 100644
--- a/Shorewall6/Samples6/two-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/two-interfaces/shorewall6.conf
@@ -121,7 +121,7 @@ AUTOHELPERS=Yes
AUTOMAKE=No
-BLACKLISTNEWONLY=Yes
+BLACKLIST="NEW,INVALID,UNTRACKED"
CLAMPMSS=No
diff --git a/Shorewall6/configfiles/shorewall6.conf b/Shorewall6/configfiles/shorewall6.conf
index 134a790ae..ca3d2ceeb 100644
--- a/Shorewall6/configfiles/shorewall6.conf
+++ b/Shorewall6/configfiles/shorewall6.conf
@@ -121,7 +121,7 @@ AUTOHELPERS=Yes
AUTOMAKE=No
-BLACKLISTNEWONLY=Yes
+BLACKLIST="NEW,INVALID,UNTRACKED"
CLAMPMSS=No
diff --git a/Shorewall6/manpages/shorewall6.conf.xml b/Shorewall6/manpages/shorewall6.conf.xml
index d105c6511..ea102d21a 100644
--- a/Shorewall6/manpages/shorewall6.conf.xml
+++ b/Shorewall6/manpages/shorewall6.conf.xml
@@ -309,6 +309,26 @@
+
+ BLACKLIST=[{ALL|state[,...]}]
+
+
+ where state is one of NEW, ESTABLISHED, RELATED, INVALID,or
+ UNTRACKED.
+
+ Added in Shorewall 4.5.13 to replace the BLACKLISTNEWONLY
+ option below. Specifies the connection tracking states that are to
+ be subject to blacklist screening. If neither BLACKLIST nor
+ BLACKLISTNEWONLY are specified then the states subject to
+ blacklisting are NEW,ESTABLISHED,INVALID,UNTRACKED.
+
+ Note: The ESTABLISHED state may not be specified if FASTACCEPT
+ is specified.
+
+
+
BLACKLIST_DISPOSITION=[Yes|No}
+ Deprecated in Shorewall 4.5.13 in favor of BLACKLIST
+ above.
+
When set to Yes or yes, blacklists are only consulted for new
connections, for packets in the INVALID connection state (such as a