From 0f61bd34e660b8bfe5ccfb82e5297aca3a7f7c3f Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Mon, 3 Aug 2015 14:45:52 -0700
Subject: [PATCH] Drop support for the 'blacklist' zone option

Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Zones.pm | 40 ++------------------------
 Shorewall/manpages/shorewall-zones.xml | 24 ----------------
 2 files changed, 3 insertions(+), 61 deletions(-)

diff --git a/Shorewall/Perl/Shorewall/Zones.pm b/Shorewall/Perl/Shorewall/Zones.pm
index 72846c079..c00a5eef3 100644
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -253,7 +253,6 @@ use constant { NO_UPDOWN => 1,
 our %validinterfaceoptions;
 
 our %prohibitunmanaged = (
- blacklist => 1,
 bridge => 1,
 destonly => 1,
 detectnets => 1,
@@ -279,7 +278,6 @@ our %validhostoptions;
 our %validzoneoptions = (
 mss => NUMERIC,
 nomark => NOTHING,
- blacklist => NOTHING,
 dynamic_shared => NOTHING,
 strict => NOTHING,
 next => NOTHING,
@@ -296,7 +294,6 @@ use constant { UNRESTRICTED => 1, NOFW => 2 , COMPLEX => 8, IN_OUT_ONLY => 16 };
 # Hash of options that have their own key in the returned hash.
 #
 our %zonekey = ( mss => UNRESTRICTED | COMPLEX ,
- blacklist => NOFW,
 nomark => NOFW | IN_OUT_ONLY,
 dynamic_shared => IN_OUT_ONLY );
 
@@ -336,7 +333,6 @@ sub initialize( $$ ) {
 if ( $family == F_IPV4 ) {
 %validinterfaceoptions = (arp_filter => BINARY_IF_OPTION,
 arp_ignore => ENUM_IF_OPTION,
- blacklist => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 bridge => SIMPLE_IF_OPTION,
 destonly => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 detectnets => OBSOLETE_IF_OPTION,
@@ -365,7 +361,6 @@ sub initialize( $$ ) {
 wait => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
 );
 %validhostoptions = (
- blacklist => 1,
 maclist => 1,
 nosmurfs => 1,
 routeback => 1,
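Review bot: Removing `blacklist` from `%validzoneoptions` in the `@@ -279` hunk, and from the interface and host tables in `@@ -336`, `@@ -365`, `@@ -385` and `@@ -410`, leaves a configuration that still names the option to whatever the generic unknown-option path reports; that path is outside these hunks, so it is not visible here whether it is fatal or merely ignored. Because the option used to enable a filtering step, an administrator should be told in those words that it no longer does rather than infer it from a generic message, and the patch itself shows two conventions for that: `detectnets => OBSOLETE_IF_OPTION` in the `@@ -336` table and the `norfc1918` branch in `@@ -2069` that emits `warning_message "The 'norfc1918' host option is no longer supported"`. Consider keeping `blacklist => OBSOLETE_IF_OPTION,` in both interface tables and a matching `} elsif ( $option eq 'blacklist' ) { fatal_error "The 'blacklist' option is no longer supported"` branch in process_host (and the zone-option path), fatal rather than a warning so a compile cannot quietly succeed with less filtering than the same configuration produced before. The enclosing initialize and process_host bodies extend beyond these hunks.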
@@ -385,7 +380,6 @@ sub initialize( $$ ) {
 64 => 'local' );
 } else {
 %validinterfaceoptions = ( accept_ra => NUMERIC_IF_OPTION,
- blacklist => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 bridge => SIMPLE_IF_OPTION,
 destonly => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 dhcp => SIMPLE_IF_OPTION,
@@ -410,7 +404,6 @@ sub initialize( $$ ) {
 wait => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
 );
 %validhostoptions = (
- blacklist => 1,
 maclist => 1,
 routeback => 1,
 tcpflags => 1,
@@ -617,21 +610,6 @@ sub process_zone( \$ ) {
 }
 }
 
- if ( $zoneref->{options}{in_out}{blacklist} ) {
- warning_message q(The 'blacklist' option is deprecated);
- for ( qw/in out/ ) {
- unless ( $zoneref->{options}{$_}{blacklist} ) {
- $zoneref->{options}{$_}{blacklist} = 1;
- } else {
- warning_message( "Redundant 'blacklist' in " . uc( $_ ) . '_OPTIONS' );
- }
- }
- } else {
- for ( qw/in out/ ) {
- warning_message q(The 'blacklist' option is deprecated), last if $zoneref->{options}{$_}{blacklist};
- }
- }
-
 return $zone;
 }
 
@@ -829,7 +807,7 @@ sub add_group_to_zone($$$$$$)
 #
 # Make 'find_hosts_by_option()' work correctly for this zone
 #
- for ( qw/blacklist maclist nosmurfs tcpflags/ ) {
+ for ( qw/maclist nosmurfs tcpflags/ ) {
 $options->{$_} = $interfaceref->{options}{$_} if $interfaceref->{options}{$_} && ! exists $options->{$_};
 }
 }
@@ -1222,16 +1200,8 @@ sub process_interface( $$ ) {
 
 if ( $type == SIMPLE_IF_OPTION ) {
 fatal_error "Option $option does not take a value" if defined $value;
- if ( $option eq 'blacklist' ) {
- if ( $zone ) {
- $zoneref->{options}{in}{blacklist} = 1;
- } else {
- warning_message "The 'blacklist' option is ignored on multi-zone interfaces";
- }
- } else {
- $options{$option} = 1;
- $hostoptions{$option} = 1 if $hostopt;
- }
+ $options{$option} = 1;
+ $hostoptions{$option} = 1 if $hostopt;
 } elsif ( $type == BINARY_IF_OPTION ) {
 $value = 1 unless defined $value;
 fatal_error "Option value for '$option' must be 0 or 1" unless ( $value eq '0' || $value eq '1' );
@@ -1402,7 +1372,6 @@ sub process_interface( $$ ) {
 
 for ( qw/arp_filter
 arp_ignore
- blacklist
 bridge
 detectnets
 dhcp
@@ -2069,9 +2038,6 @@ sub process_host( ) {
 $ipsec = $interfaceref->{ipsec} = 1;
 } elsif ( $option eq 'norfc1918' ) {
 warning_message "The 'norfc1918' host option is no longer supported"
- } elsif ( $option eq 'blacklist' ) {
- warning_message "The 'blacklist' option is deprecated";
- $zoneref->{options}{in}{blacklist} = 1;
 } elsif ( $option =~ /^mss=(\d+)$/ ) {
 fatal_error "Invalid mss ($1)" unless $1 >= 500;
 require_capability 'TCPMSS_TARGET', $option, 's';
diff --git a/Shorewall/manpages/shorewall-zones.xml b/Shorewall/manpages/shorewall-zones.xml
index e6a5d7c36..b0914bd76 100644
--- a/Shorewall/manpages/shorewall-zones.xml
+++ b/Shorewall/manpages/shorewall-zones.xml
@@ -282,30 +282,6 @@ c:a,b ipv4
 only apply to TYPE zones. - - blacklist - - - Added in Shorewall 4.4.13. May not be specified for - firewall or vserver zones. - - When specified in the IN_OPTIONS column, causes all - traffic from this zone to be passed against the src entries in shorewall-blacklist(5). - - When specified in the OUT_OPTIONS column, causes all - traffic to this zone to be passed against the dst entries in shorewall-blacklist(5). - - Specifying this option in the OPTIONS column is - equivalent to entering it in both of the IN_OPTIONS and - OUT_OPTIONS column. - - dynamic_shared