diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index 56790f15d..0b6259bb3 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -1885,7 +1885,7 @@ sub generate_matrix() {
my $fw = firewall_zone;
my $notrackref = $raw_table->{notrack_chain $fw};
my $state = $config{BLACKLISTNEWONLY} ? $globals{UNTRACKED} ? "$globals{STATEMATCH} NEW,INVALID,UNTRACKED " : "$globals{STATEMATCH} NEW,INVALID " : '';
- my $blackout = $filter_table->{blackout} && @{$filter_table->{blackout}{rules}};
+ my $blackout = $filter_table->{blackout};
my @zones = off_firewall_zones;
my @vservers = vserver_zones;
my $interface_jumps_added = 0;
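Review bot: The new `$blackout` test is true for a blackout chain that exists but currently holds no rules, whereas the removed line also required `@{$filter_table->{blackout}{rules}}` to be non-empty, so whatever `$blackout` gates later in generate_matrix will now also fire for an empty chain. If the chain is always populated by this point, or is filled after the matrix is built, that is harmless, but the reason for dropping the emptiness check is not visible in this hunk and deserves a comment, e.g. `# Jump to the blackout chain whenever it exists, even if it has no rules yet.` (adjusted to the actual reason). generate_matrix begins and ends outside this hunk.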
@@ -2034,7 +2034,7 @@ sub generate_matrix() {
my $interfacematch = '';
my $use_output = 0;
- if ( @vservers || use_output_chain( $interface, $interfacechainref ) || ( ( $blacklist || @{$interfacechainref->{rules}} ) && ! $chain1ref ) ) {
+ if ( @vservers || use_output_chain( $interface, $interfacechainref ) || $blacklist || ( @{$interfacechainref->{rules}} && ! $chain1ref ) ) {
$outputref = $interfacechainref;
add_jump $filter_table->{OUTPUT}, $outputref, 0, match_dest_dev( $interface ) unless $output_jump_added{$interface}++;
$use_output = 1;
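Review bot: The regrouped condition now sends OUTPUT through the interface chain whenever `$blacklist` is set, regardless of `$chain1ref`, which is a genuine behaviour change hidden in a very long line; a short comment above the `if` would make it deliberate, e.g. `# A blacklisted interface always gets its own output chain, regardless of $chain1ref.` The deletion of `$needs_bl_jump{output_chain $interface} = 1 if $blacklist;` in the following hunk is consistent with this, since that else branch can no longer be reached with `$blacklist` true. Consider hoisting the four tests into named scalars (`my $needs_own_chain = @vservers || use_output_chain( $interface, $interfacechainref );`, etc.) so the precedence is readable without counting parentheses. `$blacklist` here and `$blackout` from the first hunk appear to be distinct flags, but only the former is visible in this hunk. generate_matrix starts and ends outside this hunk.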
@@ -2048,7 +2048,6 @@ sub generate_matrix() {
} else {
$outputref = $filter_table->{OUTPUT};
$interfacematch = match_dest_dev $interface;
- $needs_bl_jump{output_chain $interface} = 1 if $blacklist;
}
add_jump $outputref , $nextchain, 0, join( '', $interfacematch, $dest, $ipsec_out_match );
diff --git a/manpages/shorewall-interfaces.xml b/manpages/shorewall-interfaces.xml
index da7470785..9c50ed7b9 100644
--- a/manpages/shorewall-interfaces.xml
+++ b/manpages/shorewall-interfaces.xml
@@ -231,13 +231,16 @@ loc eth2 -
shorewall-blacklist(5)
file. The value may be specified when running Shorewall 4.4.13
- or later and can have a value in the range 1-2
+ or later and can have a value in the range 1-2; entering no
+ value is equivalent to blacklist=1.
- Input blacklisting (default if no value given).
- Traffic entering this interface are passed against the
- entries in Input blacklisting (default if no value given). This
+ setting is intended for Internet-facing interfaces.
+
+ Traffic entering this interface is passed against
+ the entries in shorewall-blacklist(5)
that have the from option
(specified or defaulted). Traffic originating on the
@@ -249,9 +252,11 @@ loc eth2 -
- Output blacklisting. Forward traffic that entered
- through this interface is passed against the entries in
- Output blacklisting. This setting is intended for
+ internal interfaces.
+
+ Forwarded traffic that entered through this
+ interface is passed against the entries in shorewall-blacklist(5)
that have the to
option.
diff --git a/manpages/shorewall-modules.xml b/manpages/shorewall-modules.xml
index f94aa890d..d3133f947 100644
--- a/manpages/shorewall-modules.xml
+++ b/manpages/shorewall-modules.xml
@@ -18,14 +18,25 @@
/usr/share/shorewall/modules
+
+
+ /usr/share/shorewall/helpers
+
Description
- This file specifies which kernel modules Shorewall will load before
- trying to determine your iptables/kernel's capabilities. Each record in
- the file has the following format:
+ These files specify which kernel modules Shorewall will load before
+ trying to determine your iptables/kernel's capabilities.
+
+ The modules file is used when
+ LOAD_HELPERS_ONLY=No in shorewall.conf(8); the
+ helpers file is used when
+ LOAD_HELPERS_ONLY=Yes
+
+ Each record in the files has the following format:
loadmodule
@@ -45,7 +56,8 @@
The /usr/share/shorewall/modules file contains a large number of
modules. Users are encouraged to copy the file to /etc/shorewall/modules
- and modify the copy to load only the modules required.
+ and modify the copy to load only the modules required or to use
+ LOAD_HELPERS_ONLY=Yes.
If you build monolithic kernels and have not installed
module-init-tools, then create an empty /etc/shorewall/modules file;
that will prevent Shorewall from trying to load modules at all.
@@ -63,7 +75,11 @@
/usr/share/shorewall/modules
+ /usr/share/shorewall/helpers
+
/etc/shorewall/modules
+
+ /etc/shorewall/helpers
@@ -74,8 +90,9 @@
shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
- shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
- shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
- shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)
+ shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
+ shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
+ shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
+ shorewall-zones(5)
diff --git a/manpages6/shorewall6-interfaces.xml b/manpages6/shorewall6-interfaces.xml
index 430695df7..a60ce572b 100644
--- a/manpages6/shorewall6-interfaces.xml
+++ b/manpages6/shorewall6-interfaces.xml
@@ -120,13 +120,16 @@ loc eth2 -
The value may be specified when running Shorewall 4.4.13
- or later and can have a value in the range 1-2
+ or later and can have a value in the range 1-2. Specifying no
+ value is equivalent to blacklist=1.
- Input blacklisting (default if no value given).
- Traffic entering this interface are passed against the
- entries in Input blacklisting (default if no value given). This
+ setting is intended for Internet-facing interfaces.
+
+ Traffic entering this interface is passed against
+ the entries in shorewall6-blacklist(5)
that have the from option
(specified or defaulted). Traffic originating on the
@@ -138,8 +141,11 @@ loc eth2 -
- Output blacklisting. Traffic entering on this
- interface is passed against the entries in Output blacklisting. This setting is intended for
+ internal interfaces.
+
+ Traffic entering on this interface is passed against
+ the entries in shorewall6-blacklist(5)
that have the to
option.
@@ -382,8 +388,8 @@ dmz eth2 -
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-maclist(5),
shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5),
shorewall6-route_rules(5), shorewall6-routestopped(5),
- shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5), shorewall6-tcclasses(5),
- shorewall6-tcdevices(5), shorewall6-tcrules(5), shorewall6-tos(5),
- shorewall6-tunnels(5), shorewall6-zones(5)
+ shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5),
+ shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5),
+ shorewall6-tos(5), shorewall6-tunnels(5), shorewall6-zones(5)
diff --git a/manpages6/shorewall6-modules.xml b/manpages6/shorewall6-modules.xml
index 351aeb4d0..92360a2f2 100644
--- a/manpages6/shorewall6-modules.xml
+++ b/manpages6/shorewall6-modules.xml
@@ -18,14 +18,23 @@
/usr/share/shorewall6/modules
+
+
+ /usr/share/shorewall6/helpers
+
Description
- This file specifies which kernel modules shorewall6 will load before
- trying to determine your ip6tables/kernel's capabilities. Each record in
- the file has the following format:
+ These files specify which kernel modules shorewall6 will load before
+ trying to determine your ip6tables/kernel's capabilities. The
+ modules file is used when LOAD_HELPERS_ONLY=No in
+ shorewall6.conf(8); the
+ helpers file is used when
+ LOAD_HELPERS_ONLY=Yes.
+
+ Each record in the files has the following format:
loadmodule
@@ -45,7 +54,8 @@
The /usr/share/shorewall6/modules file contains a large number of
modules. Users are encouraged to copy the file to /etc/shorewall6/modules
- and modify the copy to load only the modules required.
+ and modify the copy to load only the modules required or use
+ LOAD_HELPERS_ONLY=Yes.
If you build monolithic kernels and have not installed
module-init-tools, then create an empty /etc/shorewall6/modules file;
that will prevent shorewall6 from trying to load modules at
@@ -64,7 +74,11 @@
/usr/share/shorewall6/modules
+ /usr/share/shorewall6/helpers
+
/etc/shorewall6/modules
+
+ /etc/shorewall6/helpers
@@ -74,8 +88,9 @@
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
shorewall6-maclist(5), shorewall6-params(5), shorewall6-policy(5),
shorewall6-providers(5), shorewall6-route_rules(5),
- shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5),
- shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5),
- shorewall6-tos(5), shorewall6-tunnels(5), shorewall6-zones(5)
+ shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
+ shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),
+ shorewall6-tcrules(5), shorewall6-tos(5), shorewall6-tunnels(5),
+ shorewall6-zones(5)