diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index 2c3426bbd..baa10ee9e 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -894,10 +894,6 @@ sub use_output_chain($$) {
#
return 1 if $nets > 1;
#
- # Must also use the interface's chain if there is type-1 blacklisting on the interface
- #
- return 1 if $interfaceref->{options}{blacklist} & BL_IN;
- #
# Don't need it if it isn't associated with any zone
#
return 0 unless $nets;
diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index dc665aa4b..48124064f 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -213,19 +213,16 @@ sub add_rule_pair( $$$$ ) {
sub setup_blacklist() {
- my $hosts = find_hosts_by_option1 'blacklist', BL_IN;
- my $hosts1 = find_hosts_by_option1 'blacklist', BL_OUT;
+ my $hosts = find_hosts_by_option 'blacklist';
my $chainref;
- my $chainref1;
my ( $level, $disposition ) = @config{'BLACKLIST_LOGLEVEL', 'BLACKLIST_DISPOSITION' };
my $target = $disposition eq 'REJECT' ? 'reject' : $disposition;
#
- # We go ahead and generate the blacklist chains and jump to them, even if they turn out to be empty. That is necessary
+ # We go ahead and generate the blacklist chain and jump to it, even if it turns out to be empty. That is necessary
# for 'refresh' to work properly.
#
- if ( @$hosts || @$hosts1 ) {
- $chainref = dont_delete new_standard_chain 'blacklst' if @$hosts;
- $chainref1 = dont_delete new_standard_chain 'blackout' if @$hosts || @$hosts1;
+ if ( @$hosts ) {
+ $chainref = dont_delete new_standard_chain 'blacklst';
if ( defined $level && $level ne '' ) {
my $logchainref = new_standard_chain 'blacklog';
@@ -249,7 +246,7 @@ sub setup_blacklist() {
while ( read_a_line ) {
if ( $first_entry ) {
- unless ( @$hosts || @$hosts1 ) {
+ unless ( @$hosts ) {
warning_message qq(The entries in $fn have been ignored because there are no 'blacklist' interfaces);
close_file;
last BLACKLIST;
@@ -258,59 +255,25 @@ sub setup_blacklist() {
$first_entry = 0;
}
- my ( $networks, $protocol, $ports, $options ) = split_line 1, 4, 'blacklist file';
+ my ( $networks, $protocol, $ports ) = split_line 1, 3, 'blacklist file';
- $options = 'src' if $options eq '-';
-
- my ( $to, $from ) = ( 0, 0 );
-
- for ( split /,/, $options ) {
- if ( $_ =~ /^(?:from|src)$/ ) {
- if ( $from++ ) {
- warning_message "Duplicate 'src' ignored";
- } else {
- if ( @$hosts ) {
- expand_rule(
- $chainref ,
- NO_RESTRICT ,
- do_proto( $protocol , $ports, '' ) ,
- $networks,
- '',
- '' ,
- $target ,
- '' ,
- $target ,
- '' );
- } else {
- warning_message 'Blacklist entry ignored because there are no "blacklist=1" interfaces';
- }
- }
- } elsif ( $_ =~ /^(?:dst|to)$/ ) {
- if ( $to++ ) {
- warning_message "Duplicate 'dst' ignored";
- } else {
- expand_rule(
- $chainref1 ,
- NO_RESTRICT ,
- do_proto( $protocol , $ports, '' ) ,
- '',
- $networks,
- '' ,
- $target ,
- '' ,
- $target ,
- '' );
- }
- } else {
- fatal_error "Invalid blacklist option($_)";
- }
- }
+ expand_rule(
+ $chainref ,
+ NO_RESTRICT ,
+ do_proto( $protocol , $ports, '' ) ,
+ $networks ,
+ '' ,
+ '' ,
+ $target ,
+ '' ,
+ $disposition ,
+ '' );
progress_message " \"$currentline\" added to blacklist";
}
warning_message q(There are interfaces or hosts with the 'blacklist' option but the 'blacklist' file is empty) if $first_entry && @$hosts;
- } elsif ( @$hosts || @$hosts1 ) {
+ } elsif ( @$hosts ) {
warning_message q(There are interfaces or hosts with the 'blacklist' option, but the 'blacklist' file is either missing or has zero size);
}
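Review bot: The ninth argument of the rebuilt expand_rule call is `$disposition` where the removed 'src' branch passed `$target` in that slot, so with BLACKLIST_DISPOSITION=REJECT the call now receives the lowercased `reject` as the seventh argument and the raw `REJECT` as the ninth. If that split is intentional (one being the jump target, the other the name expand_rule uses for logging), a short comment on the call such as `# log disposition is reported as configured, target is the lowercased chain name` would stop the next reader from "fixing" it back; if it is not, it changes what expand_rule sees in that slot. Separately, `split_line 1, 3, 'blacklist file'` now rejects any fourth column outright, so a blacklist file still carrying `src`/`dst` entries from the interim format presumably fails at parse time with whatever generic message split_line produces rather than one naming the removed column; a targeted check along the lines of `fatal_error "The OPTIONS column has been removed from the blacklist file"` before the split would make the migration explicit. The enclosing BLACKLIST loop and setup_blacklist's body begin and end outside this hunk.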
@@ -331,24 +294,7 @@ sub setup_blacklist() {
set_interface_option $interface, 'use_input_chain', 1;
set_interface_option $interface, 'use_forward_chain', 1;
- progress_message " Type 1 blacklisting enabled on ${interface}:${network}";
- }
-
- if ( $chainref1 && @{$chainref1->{rules}} ) {
- for my $hostref ( @$hosts1 ) {
- my $interface = $hostref->[0];
- my $ipsec = $hostref->[1];
- my $policy = have_ipsec ? "-m policy --pol $ipsec --dir in " : '';
- my $network = $hostref->[2];
- my $source = match_source_net $network;
- my $target = source_exclusion( $hostref->[3], $chainref1 );
-
- add_jump $filter_table->{forward_chain $interface} , $target, 0, "${source}${state}${policy}";
-
- set_interface_option $interface, 'use_forward_chain', 1;
-
- progress_message " Type 2 blacklisting enabled on ${interface}:${network}";
- }
+ progress_message " Blacklisting enabled on ${interface}:${network}";
}
}
}
@@ -1885,14 +1831,12 @@ sub generate_matrix() {
my $fw = firewall_zone;
my $notrackref = $raw_table->{notrack_chain $fw};
my $state = $config{BLACKLISTNEWONLY} ? $globals{UNTRACKED} ? "$globals{STATEMATCH} NEW,INVALID,UNTRACKED " : "$globals{STATEMATCH} NEW,INVALID " : '';
- my $blackout = $filter_table->{blackout};
my @zones = off_firewall_zones;
my @vservers = vserver_zones;
my $interface_jumps_added = 0;
our %input_jump_added = ();
our %output_jump_added = ();
our %forward_jump_added = ();
- my %needs_bl_jump = ();
progress_message2 'Generating Rule Matrix...';
#
@@ -2021,7 +1965,6 @@ sub generate_matrix() {
my $ipsec_in_match = match_ipsec_in $zone , $hostref;
my $ipsec_out_match = match_ipsec_out $zone , $hostref;
my $exclusions = $hostref->{exclusions};
- my $blacklist = $blackout && $hostref->{options}{blacklist} & BL_IN;
for my $net ( @{$hostref->{hosts}} ) {
my $dest = match_dest_net $net;
@@ -2038,7 +1981,6 @@ sub generate_matrix() {
$outputref = $interfacechainref;
add_jump $filter_table->{OUTPUT}, $outputref, 0, match_dest_dev( $interface ) unless $output_jump_added{$interface}++;
$use_output = 1;
- $needs_bl_jump{output_chain $interface} = 1 if $blacklist;
unless ( lc $net eq IPv6_LINKLOCAL ) {
for my $vzone ( vserver_zones ) {
@@ -2301,7 +2243,6 @@ sub generate_matrix() {
add_jump $frwd_ref , $last_chain, 1 if $frwd_ref && $last_chain;
}
- add_jump( $filter_table->{$_}, $filter_table->{blackout} , 0 , $state , 0 , 0 ) for keys %needs_bl_jump;
add_interface_jumps @interfaces unless $interface_jumps_added;
my %builtins = ( mangle => [ qw/PREROUTING INPUT FORWARD POSTROUTING/ ] ,
diff --git a/Shorewall/Perl/Shorewall/Zones.pm b/Shorewall/Perl/Shorewall/Zones.pm
index 368bee1a2..a92571b45 100644
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -41,8 +41,6 @@ our @EXPORT = qw( NOTHING
IP
BPORT
IPSEC
- BL_IN
- BL_OUT
determine_zones
zone_report
@@ -98,12 +96,6 @@ use constant { NOTHING => 'NOTHING',
IPSECMODE => 'tunnel|transport'
};
#
-# blacklist option values
-#
-use constant {
- BL_IN => 1 ,
- BL_OUT => 2 };
-#
# Zone Table.
#
# @zones contains the ordered list of zones with sub-zones appearing before their parents.
@@ -239,7 +231,7 @@ sub initialize( $ ) {
if ( $family == F_IPV4 ) {
%validinterfaceoptions = (arp_filter => BINARY_IF_OPTION,
arp_ignore => ENUM_IF_OPTION,
- blacklist => ENUM_IF_OPTION + IF_OPTION_HOST,
+ blacklist => SIMPLE_IF_OPTION + IF_OPTION_HOST,
bridge => SIMPLE_IF_OPTION,
detectnets => OBSOLETE_IF_OPTION,
dhcp => SIMPLE_IF_OPTION,
@@ -272,7 +264,7 @@ sub initialize( $ ) {
sourceonly => 1,
);
} else {
- %validinterfaceoptions = ( blacklist => ENUM_IF_OPTION + IF_OPTION_HOST,
+ %validinterfaceoptions = ( blacklist => SIMPLE_IF_OPTION + IF_OPTION_HOST,
bridge => SIMPLE_IF_OPTION,
dhcp => SIMPLE_IF_OPTION,
maclist => SIMPLE_IF_OPTION + IF_OPTION_HOST,
@@ -653,8 +645,6 @@ sub add_group_to_zone($$$$$)
$zoneref->{interfaces}{$interface} = 1;
- $options->{blacklist} ||= 0;
-
my @newnetworks;
my @exclusions = ();
my $new = \@newnetworks;
@@ -919,7 +909,6 @@ sub process_interface( $$ ) {
my %options;
$options{port} = 1 if $port;
- $options{blacklist} = 0;
my $hostoptionsref = {};
@@ -931,7 +920,7 @@ sub process_interface( $$ ) {
if ( $options ne '-' ) {
- my %hostoptions = ( blacklist => 0, dynamic => 0 );
+ my %hostoptions = ( dynamic => 0 );
for my $option (split_list1 $options, 'option' ) {
next if $option eq '-';
@@ -974,11 +963,6 @@ sub process_interface( $$ ) {
} else {
$options{arp_ignore} = 1;
}
- } elsif ( $option eq 'blacklist' ) {
- fatal_error "Duplicate blacklist option" if $options{blacklist};
- $value = BL_IN unless ( defined $value && $value ne '' );
- fatal_error "Invalid 'blacklist' value ( $value )" unless $value =~ /^[12]$/;
- $options{blacklist} = $value;
} else {
assert( 0 );
}
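Review bot: With the dedicated `blacklist` branch gone, an interfaces file written against the interim format with `blacklist=1` or `blacklist=2` presumably falls through to the generic SIMPLE_IF_OPTION handling, which is outside this hunk. It is worth confirming that that path rejects a value with a clear message, because if it accepts or ignores one, an interface that was configured as `blacklist=2` (forward-only, destination matching) would silently become an input-blacklisted interface after the upgrade. If the generic path does not already do so, a value check like `fatal_error "The 'blacklist' option no longer accepts a value" if defined $value && $value ne '';` next to the option dispatch would make the change visible at compile time rather than in the resulting ruleset. The enclosing option loop of process_interface starts and ends outside this hunk.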
@@ -1141,7 +1125,7 @@ sub validate_interfaces_file( $ ) {
number => $nextinum ,
root => $interface ,
broadcasts => undef ,
- options => { blacklist => 0 } ,
+ options => {} ,
zone => '',
physical => 'lo',
};
@@ -1680,11 +1664,11 @@ sub process_host( ) {
}
}
- my $optionsref = { blacklist => 0, dynamic => 0 };
+ my $optionsref = { dynamic => 0 };
if ( $options ne '-' ) {
my @options = split_list $options, 'option';
- my %options = ( blacklist => 0, dynamic => 0 );
+ my %options = ( dynamic => 0 );
for my $option ( @options ) {
if ( $option eq 'ipsec' ) {
@@ -1696,12 +1680,7 @@ sub process_host( ) {
warning_message "The 'norfc1918' option is no longer supported"
} elsif ( $validhostoptions{$option}) {
fatal_error qq(The "$option" option is not allowed with Vserver zones) if $type == VSERVER && ! ( $validhostoptions{$option} & IF_OPTION_VSERVER );
-
- if ( $option eq 'blacklist' ) {
- warning_message qq(The "blacklist" host option is no longer supported and will be ignored);
- } else {
- $options{$option} = 1;
- }
+ $options{$option} = 1;
} else {
fatal_error "Invalid option ($option)";
}
diff --git a/Shorewall/configfiles/blacklist b/Shorewall/configfiles/blacklist
index 9bb785124..9e7722cb9 100644
--- a/Shorewall/configfiles/blacklist
+++ b/Shorewall/configfiles/blacklist
@@ -7,5 +7,5 @@
# information.
#
###############################################################################
-#ADDRESS/SUBNET PROTOCOL PORT OPTIONS
+#ADDRESS/SUBNET PROTOCOL PORT
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index c5d2c869c..b1159db02 100644
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@@ -187,33 +187,10 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
As part of this change, the tcrules file now accepts $FW in the
DEST column for marking packets in the INPUT chain.
-4) Blacklisting has undergone considerable change in this release.
-
- The OPTIONS column may now contain a comma-separated list of the
- options 'src' and 'dst'. The 'src' keyword supercedes 'from' and
- 'dst' supercedes 'to'. The old keywords are still supported but are
- no longer documented.
-
- The 'blacklist' interface option may now have one of 2 values:
-
- 1 - Inbound blacklisting
- 2 - Outbond blacklisting
-
- Inbound blacklisting is targeted for use on Internet-facing
- interfaces. Incoming packets are passed against the blacklist
- entries with the 'src' option (either explicitly or defaulted).
- Traffic originating on the firewall is passed against the blacklist
- entries with the 'dst' option.
-
- Outbound blacklisting is targeted for use on internal
- interfaces. Packets arriving on these interfaces is passed against
- the blacklist entries with the 'dst' option.
-
- Additionally, the 'blacklist' option in /etc/shorewall/hosts is no
- longer supported and is ignored with a warning:
-
- WARNING: The "blacklist" host option is no longer supported
- and will be ignored.
+4) After a failed attempt to improve blacklisting by destination IP
+ address, I've decided to remove the OPTIONS column from the
+ blacklist files and take a fresh start at implementing this
+ feature in a later release.
5) There is now an OUT-BANDWIDTH column in
/etc/shorewall/tcinterfaces.
@@ -450,14 +427,10 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
where 'iface' is a capitalized interface name (e.g., ETH0) and
'provider' is the capitalized name of a provider.
-15) The 'blacklist' option in /etc/shorewall/hosts
- (/etc/shorewall6/hosts) is now ignored with a warning:
-
- WARNING: The "blacklist" host option is no longer supported and
- will be ignored
-
- The option was originally implemented to handle post kernel-2.6.21
- bridges which are now handled completely in the interfaces file.
+15) Support for the OPTIONS column in /etc/shorewall/blacklist
+ (/etc/shorewall6/blacklist) has been removed. Blacklisting by
+ destination IP address will be included in a later Shorewall
+ release.
----------------------------------------------------------------------------
V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
diff --git a/Shorewall6/blacklist b/Shorewall6/blacklist
index 4edfd1505..6b519040e 100755
--- a/Shorewall6/blacklist
+++ b/Shorewall6/blacklist
@@ -7,4 +7,4 @@
# information.
#
###############################################################################
-#ADDRESS/SUBNET PROTOCOL PORT OPTIONS
+#ADDRESS/SUBNET PROTOCOL PORT
diff --git a/docs/blacklisting_support.xml b/docs/blacklisting_support.xml
index f0710fe02..0ef13ac94 100644
--- a/docs/blacklisting_support.xml
+++ b/docs/blacklisting_support.xml
@@ -174,29 +174,6 @@ ipset -A Blacklist 206.124.146.177
ipset -B Blacklist 206.124.146.177 -b SMTP
This will blacklist SMTP traffic from host 206.124.146.177.
-
- Beginning with Shoreall 4.4.13, outgoing blacklisting is also
- supported. The "blacklist" setting in /etc/shorewall/interfaces
- specifes whether an interface is an Internet-facing interface (value 1) or
- an internal interface (value 2). Additionally, entries in
- /etc/shorewall/blacklist can be specified as defining
- the destination IP address rather than the source address.
-
-
-
- Traffic entering an Internet-facing interface is passed against
- those blacklist entries that specify the source IP address. Traffic
- originating on the firewall and leaving on an Interface-facing
- interface is passed against the blacklist entries that specify the
- destination IP address.
-
-
-
- Traffic entering an internal interface is passed against those
- blacklist entries that specify the destination IP address.
-
-
diff --git a/manpages/shorewall-blacklist.xml b/manpages/shorewall-blacklist.xml
index 02890cde0..ca5b1ef7f 100644
--- a/manpages/shorewall-blacklist.xml
+++ b/manpages/shorewall-blacklist.xml
@@ -72,62 +72,6 @@
from services(5).
-
-
- OPTIONS (Optional - Added in 4.4.12) -
- {-|{dst|src}[,...]}
-
-
- If specified, indicates whether traffic
- from ADDRESS/SUBNET (src) or traffic to
- ADDRESS/SUBNET (dst) should be
- blacklisted. The default is src. If
- the ADDRESS/SUBNET column is empty, then this column has no effect
- on the generated rule.
-
-
- In Shorewall 4.4.12, blacklisting is still restricted to
- traffic arriving on an interface that has the
- 'blacklist' option set. So to block traffic from your local
- network to an internet host, you must specify
- on your internal interface in shorewall-interfaces
- (5).
-
-
-
- Beginning with Shorewall 4.4.13, entries specifying
- to are applied based on the
- blacklist setting in shorewall-interfaces(5):
-
-
-
- Input blacklisting (default if no value given). Traffic
- entering this interface are passed against the entries in
- shorewall-blacklist(5)
- that have the from option
- (specified or defaulted). Traffic originating on the firewall
- and leaving by this interface is passed against the entries in
- shorewall-blacklist(5)
- that have the to
- option.
-
-
-
- Output blacklisting. Traffic entering on this interface
- is passed against the entries in shorewall-blacklist(5)
- that have the to
- option.
-
-
-
-
-
diff --git a/manpages/shorewall-hosts.xml b/manpages/shorewall-hosts.xml
index 3e7ac6cca..b9934e1ba 100644
--- a/manpages/shorewall-hosts.xml
+++ b/manpages/shorewall-hosts.xml
@@ -139,15 +139,8 @@
blacklist
- This option only makes sense for ports on a bridge. As
- of Shoreawall 4.4.13, ithe option is no longer supported and
- is ignored with a warning:
-
-
- WARNING: The "blacklist" host
- option is no longer supported and will be
- ignored.
-
+ This option only makes sense for ports on a bridge.
+ Check packets arriving on this port against the shorewall-blacklist(5)
diff --git a/manpages/shorewall-interfaces.xml b/manpages/shorewall-interfaces.xml
index 9c50ed7b9..14bb5c335 100644
--- a/manpages/shorewall-interfaces.xml
+++ b/manpages/shorewall-interfaces.xml
@@ -223,45 +223,13 @@ loc eth2 -
- blacklist[=value]
+ blacklistCheck packets arriving on this interface against the
shorewall-blacklist(5)
- file. The value may be specified when running Shorewall 4.4.13
- or later and can have a value in the range 1-2; entering no
- value is equivalent to blacklist=1.
-
-
-
- Input blacklisting (default if no value given). This
- setting is intended for Internet-facing interfaces.
-
- Traffic entering this interface is passed against
- the entries in shorewall-blacklist(5)
- that have the from option
- (specified or defaulted). Traffic originating on the
- firewall and leaving by this interface is passed against
- the entries in shorewall-blacklist(5)
- that have the to
- option.
-
-
-
- Output blacklisting. This setting is intended for
- internal interfaces.
-
- Forwarded traffic that entered through this
- interface is passed against the entries in shorewall-blacklist(5)
- that have the to
- option.
-
-
+ url="shorewall6-blacklist.html">shorewall6-blacklist(5)
+ file.
diff --git a/manpages6/shorewall6-hosts.xml b/manpages6/shorewall6-hosts.xml
index 88d6ded73..a748cda52 100644
--- a/manpages6/shorewall6-hosts.xml
+++ b/manpages6/shorewall6-hosts.xml
@@ -127,15 +127,8 @@
blacklist
- This option only makes sense for ports on a bridge. As
- of Shorewall 4.4.13, its is ignored with a warning
- message:
-
-
- WARNING: The "blacklist" host
- option is no longer supported and will be
- ignored.
-
+ This option only makes sense for ports on a
+ bridge.Check packets arriving on this port against the shorewall6-blacklist(5)
diff --git a/manpages6/shorewall6-interfaces.xml b/manpages6/shorewall6-interfaces.xml
index a60ce572b..69711b0d1 100644
--- a/manpages6/shorewall6-interfaces.xml
+++ b/manpages6/shorewall6-interfaces.xml
@@ -115,42 +115,13 @@ loc eth2 -
- blacklist[=value]
+ blacklist
- The value may be specified when running Shorewall 4.4.13
- or later and can have a value in the range 1-2. Specifying no
- value is equivalent to blacklist=1.
-
-
-
- Input blacklisting (default if no value given). This
- setting is intended for Internet-facing interfaces.
-
- Traffic entering this interface is passed against
- the entries in shorewall6-blacklist(5)
- that have the from option
- (specified or defaulted). Traffic originating on the
- firewall and leaving by this interface is passed against
- the entries in shorewall6-blacklist(5)
- that have the to
- option.
-
-
-
- Output blacklisting. This setting is intended for
- internal interfaces.
-
- Traffic entering on this interface is passed against
- the entries in shorewall6-blacklist(5)
- that have the to
- option.
-
-
+ Check packets arriving on this interface against the
+ shorewall6-blacklist(5)
+ file.