Replace to/from with dst/src
parent
8147671eb2
commit
69a2fa1907
@ -260,14 +260,14 @@ sub setup_blacklist() {
|
|||||||
|
|
||||||
my ( $networks, $protocol, $ports, $options ) = split_line 1, 4, 'blacklist file';
|
my ( $networks, $protocol, $ports, $options ) = split_line 1, 4, 'blacklist file';
|
||||||
|
|
||||||
$options = 'from' if $options eq '-';
|
$options = 'src' if $options eq '-';
|
||||||
|
|
||||||
my ( $to, $from ) = ( 0, 0 );
|
my ( $to, $from ) = ( 0, 0 );
|
||||||
|
|
||||||
for ( split /,/, $options ) {
|
for ( split /,/, $options ) {
|
||||||
if ( $_ eq 'from' ) {
|
if ( $_ =~ /^(?:from|src)$/ ) {
|
||||||
if ( $from++ ) {
|
if ( $from++ ) {
|
||||||
warning_message "Duplicate 'from' ignored";
|
warning_message "Duplicate 'src' ignored";
|
||||||
} else {
|
} else {
|
||||||
if ( @$hosts ) {
|
if ( @$hosts ) {
|
||||||
expand_rule(
|
expand_rule(
|
||||||
@ -285,9 +285,9 @@ sub setup_blacklist() {
|
|||||||
warning_message 'Blacklist entry ignored because there are no "blacklist=1" interfaces';
|
warning_message 'Blacklist entry ignored because there are no "blacklist=1" interfaces';
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
} elsif ( $_ eq 'to' ) {
|
} elsif ( $_ =~ /^(?:dst|to)$/ ) {
|
||||||
if ( $to++ ) {
|
if ( $to++ ) {
|
||||||
warning_message "Duplicate 'to' ignored";
|
warning_message "Duplicate 'dst' ignored";
|
||||||
} else {
|
} else {
|
||||||
expand_rule(
|
expand_rule(
|
||||||
$chainref1 ,
|
$chainref1 ,
|
||||||
|
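Review bot: The duplicate-option warning in the `src` branch always says 'src' even when the administrator wrote the legacy keyword `from` twice, and the `dst`/`to` branch in the second hunk has the same mismatch; an entry such as `from,src` is likewise reported as a duplicate of a keyword that never appeared in the file. Since `$_` holds the keyword actually parsed, `warning_message "Duplicate '$_' ignored";` in both branches reports what the user wrote, and a one-line comment such as `# 'from'/'to' are legacy spellings of 'src'/'dst'` above the first `if` would record why two spellings are accepted. The `$` anchor in `/^(?:from|src)$/` also tolerates a trailing newline where `\z` would not; that is only harmless if split_line has already stripped line endings, which this hunk does not show. The enclosing `for` loop and the rest of setup_blacklist continue outside the hunk, so how an unrecognized keyword is handled cannot be confirmed here.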
@ -187,27 +187,33 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
|
|||||||
As part of this change, the tcrules file now accepts $FW in the
|
As part of this change, the tcrules file now accepts $FW in the
|
||||||
DEST column for marking packets in the INPUT chain.
|
DEST column for marking packets in the INPUT chain.
|
||||||
|
|
||||||
4) The 'blacklist' interface option may now have one of 2 values:
|
4) Blacklisting has undergone considerable change in this release.
|
||||||
|
|
||||||
|
The OPTIONS column may now contain a comma-separated list of the
|
||||||
|
options 'src' and 'dst'. The 'src' keyword supercedes 'from' and
|
||||||
|
'dst' supercedes 'to'. The old keywords are still supported but are
|
||||||
|
no longer documented.
|
||||||
|
|
||||||
|
The 'blacklist' interface option may now have one of 2 values:
|
||||||
|
|
||||||
1 - Inbound blacklisting
|
1 - Inbound blacklisting
|
||||||
2 - Outbond blacklisting
|
2 - Outbond blacklisting
|
||||||
|
|
||||||
Inbound blacklisting is targeted for use on Internet-facing
|
Inbound blacklisting is targeted for use on Internet-facing
|
||||||
interfaces. Incoming packets are passed against the blacklist
|
interfaces. Incoming packets are passed against the blacklist
|
||||||
entries with the 'from' option (either explicitly or defaulted).
|
entries with the 'src' option (either explicitly or defaulted).
|
||||||
Traffic originating on the firewall is passed against the blacklist
|
Traffic originating on the firewall is passed against the blacklist
|
||||||
entries with the 'to' option.
|
entries with the 'dst' option.
|
||||||
|
|
||||||
Outbound blacklisting is targeted for use on internal
|
Outbound blacklisting is targeted for use on internal
|
||||||
interfaces. Packets arriving on these interfaces is passed against
|
interfaces. Packets arriving on these interfaces is passed against
|
||||||
the blacklist entries with the 'to' option.
|
the blacklist entries with the 'dst' option.
|
||||||
|
|
||||||
As part of this change, the OPTIONS may now be a comma-separated
|
Additionally, the 'blacklist' option in /etc/shorewall/hosts is no
|
||||||
list of 'to' and 'from'.
|
longer supported and is ignored with a warning:
|
||||||
|
|
||||||
Additionally, the 'blacklist' option in /etc/shorewall/hosts is now
|
WARNING: The "blacklist" host option is no longer supported
|
||||||
deprecated and is treated as if 'blacklist=1' had been specified in
|
and will be ignored.
|
||||||
the corresponding entry in /etc/shorewall/interfaces.
|
|
||||||
|
|
||||||
5) There is now an OUT-BANDWIDTH column in
|
5) There is now an OUT-BANDWIDTH column in
|
||||||
/etc/shorewall/tcinterfaces.
|
/etc/shorewall/tcinterfaces.
|
||||||
|
@ -75,14 +75,16 @@
|
|||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term>OPTIONS (Optional - Added in 4.4.12) -
|
<term>OPTIONS (Optional - Added in 4.4.12) -
|
||||||
{-|{to|from}[,...]}</term>
|
{-|{dst|src}[,...]}</term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>If specified, indicates whether traffic <emphasis
|
<para>If specified, indicates whether traffic
|
||||||
role="bold">to</emphasis> or <emphasis role="bold">from</emphasis>
|
<emphasis>from</emphasis> ADDRESS/SUBNET (<emphasis
|
||||||
the ADDRESS/SUBNET should be blacklisted. The default is <emphasis
|
role="bold">src</emphasis>) or traffic <emphasis>to</emphasis>
|
||||||
role="bold">from</emphasis>. If the ADDRESS/SUBNET column is empty,
|
ADDRESS/SUBNET (<emphasis role="bold">dst</emphasis>) should be
|
||||||
then this column has no effect on the generated rule.</para>
|
blacklisted. The default is <emphasis role="bold">src</emphasis>. If
|
||||||
|
the ADDRESS/SUBNET column is empty, then this column has no effect
|
||||||
|
on the generated rule.</para>
|
||||||
|
|
||||||
<note>
|
<note>
|
||||||
<para>In Shorewall 4.4.12, blacklisting is still restricted to
|
<para>In Shorewall 4.4.12, blacklisting is still restricted to
|
||||||
|