Replace BLACKLISTNEWONLY with BLACKLIST

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2024-11-30 03:23:47 +01:00 · 2013-01-30 08:00:47 -08:00 · 2013-01-30 08:00:47 -08:00 · fc73c3934b
commit fc73c3934b
parent 75fb164234
16 changed files with 110 additions and 24 deletions
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@ -3871,6 +3871,8 @@ sub state_imatch( $ ) {
    unless ( $state eq 'ALL' ) {
 	have_capability 'CONNTRACK_MATCH' ? ( conntrack => "--ctstate $state" ) : ( state => "--state $state" );
    } else {
 	();
    }
 }
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@ -545,13 +545,16 @@ our %deprecated = ( LOGRATE            => '' ,
 		    LOGBURST           => '' ,
 		    EXPORTPARAMS       => 'no',
 		    WIDE_TC_MARKS      => 'no',
-		    HIGH_ROUTE_MARKS   => 'no'
+		    HIGH_ROUTE_MARKS   => 'no',
 		    BLACKLISTNEWONLY   => 'yes',
 		  );
 #
 # Deprecated options that are eliminated via update
 #
 our %converted = ( WIDE_TC_MARKS => 1,
-		   HIGH_ROUTE_MARKS => 1 );
+		   HIGH_ROUTE_MARKS => 1,
 		   BLACKLISTNEWONLY => 1,
 		 );
 #
 # Variables involved in ?IF, ?ELSE ?ENDIF processing
 #
@ -722,6 +725,7 @@ sub initialize( $;$$) {
 	  DETECT_DNAT_IPADDRS => undef,
 	  MUTEX_TIMEOUT => undef,
 	  ADMINISABSENTMINDED => undef,
 	  BLACKLIST => undef,
 	  BLACKLISTNEWONLY => undef,
 	  DELAYBLACKLISTLOAD => undef,
 	  MODULE_SUFFIX => undef,
@ -5079,7 +5083,6 @@ sub get_configuration( $$$$ ) {
    }
    default_yes_no 'ADMINISABSENTMINDED'        , '';
    default_yes_no 'BLACKLISTNEWONLY'           , '';
    default_yes_no 'DISABLE_IPV6'               , '';
    unsupported_yes_no_warning 'DYNAMIC_ZONES';
@ -5098,8 +5101,48 @@ sub get_configuration( $$$$ ) {
    default_yes_no 'FASTACCEPT'                 , '';
    if ( supplied( $val = $config{BLACKLIST} ) ) {
 	my %states;
 	if ( $val eq 'ALL' ) {
 	    $globals{BLACKLIST_STATES} = 'ALL';
 	} else {
 	    for ( split_list $val, 'BLACKLIST' ) {
 		fatal_error "Invalid BLACKLIST state ($_)" unless /^(?:NEW|RELATED|ESTABLISHED|INVALID|UNTRACKED)$/;
 		fatal_error "Duplicate BLACKLIST state($_)" if $states{$_};
 		$states{$_} = 1;
 	    }
 	    fatal_error "ESTABLISHED state may not be specified when FASTACCEPT=Yes" if $config{FASTACCEPT} && $states{ESTABLISHED};
 	    require_capability 'RAW_TABLE', 'UNTRACKED state', 's' if $states{UNTRACKED};
 	    #
 	    # Place the states in a predictable order
 	    #
 	    my @states;
 	    for ( qw( NEW ESTABLISHED RELATED INVALID UNTRACKED ) ) {
 		push @states, $_ if $states{$_};
 	    }
 	    $globals{BLACKLIST_STATES} = join ',', @states;
 	}
    } elsif ( supplied $config{BLACKLISTNEWONLY} ) {
 	default_yes_no 'BLACKLISTNEWONLY'           , '';
 	fatal_error "BLACKLISTNEWONLY=No may not be specified with FASTACCEPT=Yes" if $config{FASTACCEPT} && ! $config{BLACKLISTNEWONLY};
 	if ( have_capability 'RAW_TABLE' ) {
 	    $globals{BLACKLIST_STATES} = $config{BLACKLISTNEWONLY} ? 'NEW,INVALID,UNTRACKED' : 'NEW,ESTABLISHED,INVALID,UNTRACKED';
 	} else {
 	    $globals{BLACKLIST_STATES} = $config{BLACKLISTNEWONLY} ? 'NEW,INVALID' : 'NEW,ESTABLISHED,INVALID';
 	}
    } else {
 	if ( have_capability 'RAW_TABLE' ) {
 	    $globals{BLACKLIST_STATES} = $config{FASTACCEPT} ? 'NEW,INVALID,UNTRACKED' : 'NEW,ESTABLISHED,INVALID,UNTRACKED';
 	} else {
 	    $globals{BLACKLIST_STATES} = $config{FASTACCEPT} ? 'NEW,INVALID' : 'NEW,INVALID,ESTABLISHED';
 	}
    }
    default_yes_no 'IMPLICIT_CONTINUE'          , '';
    default_yes_no 'HIGH_ROUTE_MARKS'           , '';
    default_yes_no 'TC_EXPERT'                  , '';
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@ -764,7 +764,7 @@ sub add_common_rules ( $ ) {
    my $chain;
    my $dynamicref;
-    my @state     = $config{BLACKLISTNEWONLY} ? have_capability( 'RAW_TABLE' ) ? state_imatch 'NEW,INVALID,UNTRACKED' : state_imatch 'NEW,INVALID' : ();
+    my @state     = state_imatch( $globals{BLACKLIST_STATES} );
    my $faststate = $config{RELATED_DISPOSITION} eq 'ACCEPT' && $config{RELATED_LOG_LEVEL} eq '' ? 'ESTABLISHED,RELATED' : 'ESTABLISHED';
    my $level     = $config{BLACKLIST_LOGLEVEL};
    my $rejectref = $filter_table->{reject};
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@ -2384,14 +2384,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
 		    $auxref = new_chain 'filter', $auxchain;
 		    if ( $blacklist ) {
-			if ( $config{BLACKLISTNEWONLY} ) {
+			@state = state_imatch( $globals{BLACKLIST_STATES} );
 			    if ( have_capability 'RAW_TABLE' ) {
 				@state = state_imatch( 'NEW,INVALID,UNTRACKED' );
 			    } else {
 				@state = state_imatch( 'NEW,INVALID' );
 			    }
 			}
 			$auxref->{blacklistsection} = 1;
 		    } elsif ( $section == INVALID_SECTION ) {
 			@state = state_imatch( 'INVALID' );
--- a/Shorewall/Samples/Universal/shorewall.conf
+++ b/Shorewall/Samples/Universal/shorewall.conf
@ -128,7 +128,7 @@ AUTOHELPERS=Yes
 AUTOMAKE=No
-BLACKLISTNEWONLY=Yes
+BLACKLIST="NEW,INVALID,UNTRACKED"
 CLAMPMSS=No
--- a/Shorewall/Samples/one-interface/shorewall.conf
+++ b/Shorewall/Samples/one-interface/shorewall.conf
@ -139,7 +139,7 @@ AUTOHELPERS=Yes
 AUTOMAKE=No
-BLACKLISTNEWONLY=Yes
+BLACKLIST="NEW,INVALID,UNTRACKED"
 CLAMPMSS=No
--- a/Shorewall/Samples/three-interfaces/shorewall.conf
+++ b/Shorewall/Samples/three-interfaces/shorewall.conf
@ -137,7 +137,7 @@ AUTOHELPERS=Yes
 AUTOMAKE=No
-BLACKLISTNEWONLY=Yes
+BLACKLIST="NEW,INVALID,UNTRACKED"
 CLAMPMSS=Yes
--- a/Shorewall/Samples/two-interfaces/shorewall.conf
+++ b/Shorewall/Samples/two-interfaces/shorewall.conf
@ -140,7 +140,7 @@ AUTOHELPERS=Yes
 AUTOMAKE=No
-BLACKLISTNEWONLY=Yes
+BLACKLIST="NEW,INVALID,UNTRACKED"
 CLAMPMSS=Yes
--- a/Shorewall/configfiles/shorewall.conf
+++ b/Shorewall/configfiles/shorewall.conf
@ -128,7 +128,7 @@ AUTOHELPERS=Yes
 AUTOMAKE=No
-BLACKLISTNEWONLY=Yes
+BLACKLIST="NEW,INVALID,UNTRACKED"
 CLAMPMSS=No
--- a/Shorewall/manpages/shorewall.conf.xml
+++ b/Shorewall/manpages/shorewall.conf.xml
@ -372,6 +372,28 @@
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">BLACKLIST=</emphasis>[{<emphasis
        role="bold">ALL</emphasis>|<emphasis
        role="bold"><replaceable>state</replaceable>[,...]</emphasis>}]</term>
        <listitem>
          <para>where state is one of NEW, ESTABLISHED, RELATED, INVALID,or
          UNTRACKED.</para>
          <para>Added in Shorewall 4.5.13 to replace the BLACKLISTNEWONLY
          option below. Specifies the connection tracking states that are to
          be subject to blacklist screening. If neither BLACKLIST nor
          BLACKLISTNEWONLY are specified then the states subject to
          blacklisting are NEW,ESTABLISHED,INVALID,UNTRACKED.</para>
          <para>ALL sends all packets through the blacklist chains.</para>
          <para>Note: The ESTABLISHED state may not be specified if FASTACCEPT
          is specified.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis
        role="bold">BLACKLIST_DISPOSITION=</emphasis>[<emphasis
@ -422,6 +444,9 @@
        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
        <listitem>
          <para>Deprecated in Shorewall 4.5.13 in favor of BLACKLIST
          above.</para>
          <para>When set to <emphasis role="bold">Yes</emphasis> or <emphasis
          role="bold">yes</emphasis>, blacklists are only consulted for new
          connections and for packets in the INVALID connection state (such as
--- a/Shorewall6/Samples6/Universal/shorewall6.conf
+++ b/Shorewall6/Samples6/Universal/shorewall6.conf
@ -121,7 +121,7 @@ AUTOHELPERS=Yes
 AUTOMAKE=No
-BLACKLISTNEWONLY=Yes
+BLACKLIST="NEW,INVALID,UNTRACKED"
 CLAMPMSS=No
--- a/Shorewall6/Samples6/one-interface/shorewall6.conf
+++ b/Shorewall6/Samples6/one-interface/shorewall6.conf
@ -121,7 +121,7 @@ AUTOHELPERS=Yes
 AUTOMAKE=No
-BLACKLISTNEWONLY=Yes
+BLACKLIST="NEW,INVALID,UNTRACKED"
 CLAMPMSS=No
--- a/Shorewall6/Samples6/three-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/three-interfaces/shorewall6.conf
@ -121,7 +121,7 @@ AUTOHELPERS=Yes
 AUTOMAKE=No
-BLACKLISTNEWONLY=Yes
+BLACKLIST="NEW,INVALID,UNTRACKED"
 CLAMPMSS=No
--- a/Shorewall6/Samples6/two-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/two-interfaces/shorewall6.conf
@ -121,7 +121,7 @@ AUTOHELPERS=Yes
 AUTOMAKE=No
-BLACKLISTNEWONLY=Yes
+BLACKLIST="NEW,INVALID,UNTRACKED"
 CLAMPMSS=No
--- a/Shorewall6/configfiles/shorewall6.conf
+++ b/Shorewall6/configfiles/shorewall6.conf
@ -121,7 +121,7 @@ AUTOHELPERS=Yes
 AUTOMAKE=No
-BLACKLISTNEWONLY=Yes
+BLACKLIST="NEW,INVALID,UNTRACKED"
 CLAMPMSS=No
--- a/Shorewall6/manpages/shorewall6.conf.xml
+++ b/Shorewall6/manpages/shorewall6.conf.xml
@ -309,6 +309,26 @@
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">BLACKLIST=</emphasis>[{<emphasis
        role="bold">ALL</emphasis>|<emphasis
        role="bold"><replaceable>state</replaceable>[,...]</emphasis>}]</term>
        <listitem>
          <para>where state is one of NEW, ESTABLISHED, RELATED, INVALID,or
          UNTRACKED.</para>
          <para>Added in Shorewall 4.5.13 to replace the BLACKLISTNEWONLY
          option below. Specifies the connection tracking states that are to
          be subject to blacklist screening. If neither BLACKLIST nor
          BLACKLISTNEWONLY are specified then the states subject to
          blacklisting are NEW,ESTABLISHED,INVALID,UNTRACKED.</para>
          <para>Note: The ESTABLISHED state may not be specified if FASTACCEPT
          is specified.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis
        role="bold">BLACKLIST_DISPOSITION=</emphasis>[<emphasis
@ -354,6 +374,9 @@
        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
        <listitem>
          <para>Deprecated in Shorewall 4.5.13 in favor of BLACKLIST
          above.</para>
          <para>When set to <emphasis role="bold">Yes</emphasis> or <emphasis
          role="bold">yes</emphasis>, blacklists are only consulted for new
          connections, for packets in the INVALID connection state (such as a