diff --git a/Samples/Universal/shorewall.conf b/Samples/Universal/shorewall.conf
index 44093dbee..437f76d28 100644
--- a/Samples/Universal/shorewall.conf
+++ b/Samples/Universal/shorewall.conf
@@ -110,8 +110,6 @@ AUTOMAKE=No
 BLACKLISTNEWONLY=Yes
-BLACKLISTSECTION=No
-
 CLAMPMSS=No
 CLEAR_TC=Yes
diff --git a/Samples/one-interface/shorewall.conf b/Samples/one-interface/shorewall.conf
index b42faf0bb..25baa6d0a 100644
--- a/Samples/one-interface/shorewall.conf
+++ b/Samples/one-interface/shorewall.conf
@@ -121,8 +121,6 @@ AUTOMAKE=No
 BLACKLISTNEWONLY=Yes
-BLACKLISTSECTION=No
-
 CLAMPMSS=No
 CLEAR_TC=Yes
diff --git a/Samples/three-interfaces/shorewall.conf b/Samples/three-interfaces/shorewall.conf
index d89ab47cc..101c5b4aa 100644
--- a/Samples/three-interfaces/shorewall.conf
+++ b/Samples/three-interfaces/shorewall.conf
@@ -119,8 +119,6 @@ AUTOMAKE=No
 BLACKLISTNEWONLY=Yes
-BLACKLISTSECTION=No
-
 CLAMPMSS=Yes
 CLEAR_TC=Yes
diff --git a/Samples/two-interfaces/shorewall.conf b/Samples/two-interfaces/shorewall.conf
index 545a32e2c..6d85ed6ad 100644
--- a/Samples/two-interfaces/shorewall.conf
+++ b/Samples/two-interfaces/shorewall.conf
@@ -122,8 +122,6 @@ AUTOMAKE=No
 BLACKLISTNEWONLY=Yes
-BLACKLISTSECTION=No
-
 CLAMPMSS=Yes
 CLEAR_TC=Yes
diff --git a/Samples6/Universal/shorewall6.conf b/Samples6/Universal/shorewall6.conf
index 45de42211..a56f46e06 100644
--- a/Samples6/Universal/shorewall6.conf
+++ b/Samples6/Universal/shorewall6.conf
@@ -105,8 +105,6 @@ AUTOMAKE=No
 BLACKLISTNEWONLY=Yes
-BLACKLISTSECTION=No
-
 CLAMPMSS=No
 CLEAR_TC=Yes
diff --git a/Samples6/one-interface/shorewall6.conf b/Samples6/one-interface/shorewall6.conf
index de7bb7be2..23b4577e3 100644
--- a/Samples6/one-interface/shorewall6.conf
+++ b/Samples6/one-interface/shorewall6.conf
@@ -105,8 +105,6 @@ AUTOMAKE=No
 BLACKLISTNEWONLY=Yes
-BLACKLISTSECTION=No
-
 CLAMPMSS=No
 CLEAR_TC=Yes
diff --git a/Samples6/three-interfaces/shorewall6.conf b/Samples6/three-interfaces/shorewall6.conf
index 3c0394aac..3b038757f 100644
--- a/Samples6/three-interfaces/shorewall6.conf
+++ b/Samples6/three-interfaces/shorewall6.conf
@@ -105,8 +105,6 @@ AUTOMAKE=No
 BLACKLISTNEWONLY=Yes
-BLACKLISTSECTION=No
-
 CLAMPMSS=No
 CLEAR_TC=Yes
diff --git a/Samples6/two-interfaces/shorewall6.conf b/Samples6/two-interfaces/shorewall6.conf
index a2f1d5800..f51ec661d 100644
--- a/Samples6/two-interfaces/shorewall6.conf
+++ b/Samples6/two-interfaces/shorewall6.conf
@@ -105,8 +105,6 @@ AUTOMAKE=No
 BLACKLISTNEWONLY=Yes
-BLACKLISTSECTION=No
-
 CLAMPMSS=No
 CLEAR_TC=Yes
diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
index 7934443a7..4e46d4870 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -569,7 +569,6 @@ sub initialize( $ ) {
 COMPLETE => undef,
 EXPORTMODULES => undef,
 LEGACY_FASTSTART => undef,
- BLACKLISTSECTION => undef,
 #
 # Packet Disposition
 #
@@ -1571,6 +1570,8 @@ sub copy1( $ ) {
 my $filename = find_file $line[1];
+ warning_message "Reserved filename ($1) in INCLUDE directive" if $filename =~ '/(.*)' && $config_files{$1};
+
 fatal_error "INCLUDE file $filename not found" unless -f $filename;
 fatal_error "Directory ($filename) not allowed in INCLUDE" if -d _;
@@ -3694,7 +3695,6 @@ sub get_configuration( $$$ ) {
 default_yes_no 'COMPLETE' , '';
 default_yes_no 'EXPORTMODULES' , '';
 default_yes_no 'LEGACY_FASTSTART' , 'Yes';
- default_yes_no 'BLACKLISTSECTION' , 'Yes';
 require_capability 'MARK' , 'FORWARD_CLEAR_MARK=Yes', 's', if $config{FORWARD_CLEAR_MARK};
diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index ab538e3f7..c90b29ef8 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
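Review bot: The reserved-name check added in copy1 cannot fire on a path with more than one slash, because the pattern `'/(.*)'` anchors at the first `/` and the greedy `.*` captures the whole remainder (`etc/shorewall/rules` rather than `rules`), so `$config_files{$1}` is only true when `$filename` contains exactly one slash. If `%config_files` is keyed by bare file name, as the "Reserved filename" wording suggests, the test should capture only the last path component, and an explicit match operator is clearer than a quoted string used as a pattern: `warning_message "Reserved filename ($1) in INCLUDE directive" if $filename =~ m{/([^/]+)\z} && $config_files{$1};`. What find_file returns is not visible here, so whether it ever yields a single-slash path is unverified. Note also that this is a warning, not a fatal_error, so the INCLUDE still proceeds when a reserved name is detected; confirm that is the intended policy. copy1's body continues outside the hunk.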
@@ -1741,13 +1741,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
 #
 # We can now dispense with the postfix character
 #
- if ( $action =~ s/[\+\-!]$// && $blacklist ) {
- if ( $config{BLACKLISTSECTION} ) {
- fatal_error "The +, - and ! modifiers are not allowed in the BLACKLIST section";
- } else {
- fatal_error "The +, - and ! modifiers are not allowed in the blrules file";
- }
- }
+ fatal_error "The +, - and ! modifiers are not allowed in the bllist file or in the BLACKLIST section" if $action =~ s/[\+\-!]$// && $blacklist;
 #
 # Handle actions
 #
@@ -1813,14 +1807,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
 CONTINUE => sub {
 $action = 'RETURN';
 } ,
 WHITELIST => sub {
- unless ( $blacklist ) {
- if ( $config{BLACKLISTSECTION} ) {
- fatal_error "'WHITELIST' may only be used in the 'BLACKLIST' section";
- } else {
- fatal_error "'WHITELIST' may only be used in the blrules file";
- }
- }
-
+ fatal_error "'WHITELIST' may only be used in the blrules file and in the 'BLACKLIST' section" unless $blacklist;
 $action = 'RETURN';
 } ,
@@ -2298,9 +2285,7 @@ sub process_section ($) {
 fatal_error "Duplicate or out of order SECTION $sect" if $sections{$sect};
 $sections{$sect} = 1;
- if ( $sect eq 'BLACKLIST' ) {
- fatal_error "A BLACKLIST section is not allowed when BLACKLISTSECTION=No" unless $config{BLACKLISTSECTION};
- } elsif ( $sect eq 'ALL' ) {
+ if ( $sect eq 'ALL' ) {
 $sections{BLACKLIST} = 1;
 } elsif ( $sect eq 'ESTABLISHED' ) {
 $sections{'BLACKLIST','ALL'} = ( 1, 1);
@@ -2457,21 +2442,19 @@ sub process_rule ( ) {
 #
 sub process_rules() {
- unless ( $config{BLACKLISTSECTION} ) {
- my $fn = open_file 'blrules';
+ my $fn = open_file 'blrules';
- if ( $fn ) {
- first_entry "$doing $fn...";
+ if ( $fn ) {
+ first_entry "$doing $fn...";
- $section = 'BLACKLIST';
+ $section = 'BLACKLIST';
- process_rule while read_a_line;
+ process_rule while read_a_line;
- $section = '';
- }
+ $section = '';
 }
- my $fn = open_file 'rules';
+ $fn = open_file 'rules';
 if ( $fn ) {
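Review bot: The new message in process_rule1 refers to a `bllist` file, which does not exist; the file opened in process_rules and named in the WHITELIST message is `blrules`, so the line should read `fatal_error "The +, - and ! modifiers are not allowed in the blrules file or in the BLACKLIST section" if $action =~ s/[\+\-!]$// && $blacklist;`. The WHITELIST message in the second hunk has a related wording problem: `'WHITELIST' may only be used in the blrules file and in the 'BLACKLIST' section` reads as if both are required, where `or` is meant. Since `$blacklist` is now the sole condition in both places, the messages should at least agree with each other on the file name and phrasing. process_rule1 starts and ends outside these hunks.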
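Review bot: With the BLACKLISTSECTION gate removed, process_section relies entirely on `%sections` to reject a BLACKLIST section that appears out of order, but the unchanged `$sections{'BLACKLIST','ALL'} = ( 1, 1);` in the ESTABLISHED branch stores one key joined by `$;` (Perl's multidimensional-hash emulation) rather than the two keys, so `$sections{BLACKLIST}` and `$sections{ALL}` stay unset and a later BLACKLIST or ALL section is not caught by the `Duplicate or out of order SECTION` check. That line is pre-existing, but this commit makes it the only ordering check for BLACKLIST; a hash slice, `@sections{'BLACKLIST','ALL'} = ( 1, 1 );`, sets both keys as intended. The same pattern may recur in the branches below this hunk, which are outside SOURCE. process_section continues outside the hunk.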
diff --git a/Shorewall/configfiles/shorewall.conf b/Shorewall/configfiles/shorewall.conf
index 6d624693d..8ff338023 100644
--- a/Shorewall/configfiles/shorewall.conf
+++ b/Shorewall/configfiles/shorewall.conf
@@ -110,8 +110,6 @@ AUTOMAKE=No
 BLACKLISTNEWONLY=Yes
-BLACKLISTSECTION=No
-
 CLAMPMSS=No
 CLEAR_TC=Yes
diff --git a/Shorewall6/configfiles/shorewall6.conf b/Shorewall6/configfiles/shorewall6.conf
index 0d4966fb4..3b7314959 100644
--- a/Shorewall6/configfiles/shorewall6.conf
+++ b/Shorewall6/configfiles/shorewall6.conf
@@ -105,8 +105,6 @@ AUTOMAKE=No
 BLACKLISTNEWONLY=Yes
-BLACKLISTSECTION=No
-
 CLAMPMSS=No
 CLEAR_TC=No
diff --git a/manpages/shorewall-blrules.xml b/manpages/shorewall-blrules.xml
index aae27ac33..36456d9b2 100644
--- a/manpages/shorewall-blrules.xml
+++ b/manpages/shorewall-blrules.xml
@@ -23,9 +23,7 @@ Description - This file is used to perform blacklisting and whitelisting when - BLACKLISTSECTION=No in shorewall.conf(5)l. + This file is used to perform blacklisting and whitelisting. Rules in this file are applied depending on the setting of BLACKLISTNEWONLY in the rest of the line will be attached as a comment to the Netfilter rule(s) generated by the following entries. The comment will appear delimited by "/* ... */" in the output of - "shorewall show <chain>". To stop the comment from - being attached to further rules, simply include COMMENT on a - line by itself. + "shorewall show <chain>". To stop the comment from being + attached to further rules, simply include COMMENT on a line by + itself.
diff --git a/manpages/shorewall-rules.xml b/manpages/shorewall-rules.xml
index d49190ada..9f061ab6a 100644
--- a/manpages/shorewall-rules.xml
+++ b/manpages/shorewall-rules.xml
@@ -50,13 +50,19 @@ BLACKLIST - This section was added in Shorewall 4.4.25. Rules in this - section are applied depending on the setting of BLACKLISTNEWONLY in - shorewall.conf(5). If + This section was added in Shorewall 4.4.25. + + Rules in this section are applied depending on the setting of + BLACKLISTNEWONLY in shorewall.conf(5). If BLACKLISTNEWONLY=No, then they are applied regardless of the connection tracking state of the packet. If BLACKLISTNEWONLY=Yes, they are applied to connections in the NEW and INVALID states. + + When there are rules in this sectionas well as in + shorewall-blrules (5), those in this section are processed + last. diff --git a/manpages/shorewall.conf.xml b/manpages/shorewall.conf.xml index d0c1f9379..b1944954f 100644 --- a/manpages/shorewall.conf.xml +++ b/manpages/shorewall.conf.xml @@ -377,19 +377,6 @@ - - BLACKLISTSECTION={Yes|No} - - - Added in Shorewall 4.4.26. When omitted or set to Yes, - zone-specific blacklisting rules are placed in the BLACKLIST section - of shorewall-rules (5). - When set to No, zone-specific blacklisting rules are place in shorewall-blrules (5). - - - CLAMPMSS=[Yes| Description - This file is used to perform blacklisting and whitelisting when - BLACKLISTSECTION=No in shorewall6.conf(5)l. + This file is used to perform zone-specific blacklisting and + whitelisting. Rules in this file are applied depending on the setting of BLACKLISTNEWONLY in BLACKLIST - This section was added in Shorewall 4.4.25 and is only - permitted when BLACKLISTSECTION=Yes in shorewall6.conf(5). + This section was added in Shorewall 4.4.25. Rules in this section are applied depending on the setting of BLACKLISTNEWONLY in + + When there are rules in this sectionas well as in + shorewall-blrules (5), those in this section are processed + last. diff --git a/manpages6/shorewall6.conf.xml b/manpages6/shorewall6.conf.xml index 62c7eb501..df6cbae97 100644 --- a/manpages6/shorewall6.conf.xml +++ b/manpages6/shorewall6.conf.xml 
@@ -308,19 +308,6 @@ - - BLACKLISTSECTION={Yes|No} - - - Added in Shorewall 4.4.26. When omitted or set to Yes, - zone-specific blacklisting rules are placed in the BLACKLIST section - of shorewall6-rules (5). - When set to No, zone-specific blacklisting rules are place in shorewall6-blrules (5). - - - CLAMPMSS=[Yes|