Replace to/from with dst/src

This commit is contained in:
Tom Eastep 2010-09-15 11:25:46 -07:00
parent 8147671eb2
commit 69a2fa1907
3 changed files with 28 additions and 20 deletions

@ -260,14 +260,14 @@ sub setup_blacklist() {
my ( $networks, $protocol, $ports, $options ) = split_line 1, 4, 'blacklist file';
$options = 'from' if $options eq '-';
$options = 'src' if $options eq '-';
my ( $to, $from ) = ( 0, 0 );
for ( split /,/, $options ) {
if ( $_ eq 'from' ) {
if ( $_ =~ /^(?:from|src)$/ ) {
if ( $from++ ) {
warning_message "Duplicate 'from' ignored";
warning_message "Duplicate 'src' ignored";
} else {
if ( @$hosts ) {
expand_rule(
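Review bot: the duplicate-option warning in this hunk is now hard-coded to 'src' while the test accepts both spellings (`$_ =~ /^(?:from|src)$/`), so a blacklist file that still says `from,from` will be told that a duplicate 'src' was ignored. Interpolating the keyword actually seen, e.g. `warning_message "Duplicate '$_' ignored";`, keeps the message matching the user's input without changing the logic. Note also that with a single `$from` counter, `from,src` on one line is reported as a duplicate; that is the intended collapse of the two synonyms, but a one-line comment above the counter would make it clear to the next reader.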
@ -285,9 +285,9 @@ sub setup_blacklist() {
warning_message 'Blacklist entry ignored because there are no "blacklist=1" interfaces';
}
}
} elsif ( $_ eq 'to' ) {
} elsif ( $_ =~ /^(?:dst|to)$/ ) {
if ( $to++ ) {
warning_message "Duplicate 'to' ignored";
warning_message "Duplicate 'dst' ignored";
} else {
expand_rule(
$chainref1 ,
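Review bot: same message mismatch as in the 'src' branch: the test now matches `/^(?:dst|to)$/` but the warning always says 'dst', so `warning_message "Duplicate '$_' ignored";` would be more accurate here too. The hunk ends inside the `else` branch and does not show what happens to a keyword that is neither `src`/`from` nor `dst`/`to`; confirm that the fall-through below still rejects unknown options, since a mistyped keyword on a blacklist entry should produce an error rather than a silently defaulted rule.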

@ -187,27 +187,33 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
As part of this change, the tcrules file now accepts $FW in the
DEST column for marking packets in the INPUT chain.
4) The 'blacklist' interface option may now have one of 2 values:
4) Blacklisting has undergone considerable change in this release.
The OPTIONS column may now contain a comma-separated list of the
options 'src' and 'dst'. The 'src' keyword supercedes 'from' and
'dst' supercedes 'to'. The old keywords are still supported but are
no longer documented.
The 'blacklist' interface option may now have one of 2 values:
1 - Inbound blacklisting
2 - Outbond blacklisting
Inbound blacklisting is targeted for use on Internet-facing
interfaces. Incoming packets are passed against the blacklist
entries with the 'from' option (either explicitly or defaulted).
entries with the 'src' option (either explicitly or defaulted).
Traffic originating on the firewall is passed against the blacklist
entries with the 'to' option.
entries with the 'dst' option.
Outbound blacklisting is targeted for use on internal
interfaces. Packets arriving on these interfaces is passed against
the blacklist entries with the 'to' option.
the blacklist entries with the 'dst' option.
As part of this change, the OPTIONS may now be a comma-separated
list of 'to' and 'from'.
Additionally, the 'blacklist' option in /etc/shorewall/hosts is no
longer supported and is ignored with a warning:
Additionally, the 'blacklist' option in /etc/shorewall/hosts is now
deprecated and is treated as if 'blacklist=1' had been specified in
the corresponding entry in /etc/shorewall/interfaces.
WARNING: The "blacklist" host option is no longer supported
and will be ignored.
5) There is now an OUT-BANDWIDTH column in
/etc/shorewall/tcinterfaces.
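Review bot: spelling in the new changelog text: 'supercedes' (twice) should be 'supersedes', and 'Outbond' should be 'Outbound'; the context line 'Packets arriving on these interfaces is passed' also wants 'are passed'. The replacement paragraph for the hosts-file 'blacklist' option says it is now deprecated and treated as 'blacklist=1' on the corresponding interface, but the removed WARNING block is not replaced with the new warning text; state the message users will now see so they can search their logs for it. The sentence saying the old keywords remain supported but undocumented should also say that mixing 'from' and 'src' (or 'to' and 'dst') on one entry is treated as a duplicate, since that is what the code change does.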

@ -75,14 +75,16 @@
<varlistentry>
<term>OPTIONS (Optional - Added in 4.4.12) -
{-|{to|from}[,...]}</term>
{-|{dst|src}[,...]}</term>
<listitem>
<para>If specified, indicates whether traffic <emphasis
role="bold">to</emphasis> or <emphasis role="bold">from</emphasis>
the ADDRESS/SUBNET should be blacklisted. The default is <emphasis
role="bold">from</emphasis>. If the ADDRESS/SUBNET column is empty,
then this column has no effect on the generated rule.</para>
<para>If specified, indicates whether traffic
<emphasis>from</emphasis> ADDRESS/SUBNET (<emphasis
role="bold">src</emphasis>) or traffic <emphasis>to</emphasis>
ADDRESS/SUBNET (<emphasis role="bold">dst</emphasis>) should be
blacklisted. The default is <emphasis role="bold">src</emphasis>. If
the ADDRESS/SUBNET column is empty, then this column has no effect
on the generated rule.</para>
<note>
<para>In Shorewall 4.4.12, blacklisting is still restricted to
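Review bot: the `<term>` still reads 'Added in 4.4.12' while this commit's changelog entry says 'src'/'dst' supersede 'to'/'from' in the current release, so the annotation now dates the column rather than the keywords; add the release in which 'dst'/'src' became the documented form so readers maintaining 4.4.12 configurations understand why their files use 'to'/'from'. The rewritten `<para>` reads clearly and its `<emphasis>` elements are balanced; the `<note>` opened at the end of the hunk is closed outside the visible lines, so no structural concern here.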