forked from extern/shorewall_code
Don't create classic blacklist chains if no blacklist file.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
parent
89289f95ba
commit
a223245c01
@ -204,25 +204,24 @@ sub setup_blacklist() {
|
|||||||
my $target = $disposition eq 'REJECT' ? 'reject' : $disposition;
|
my $target = $disposition eq 'REJECT' ? 'reject' : $disposition;
|
||||||
my $orig_target = $target;
|
my $orig_target = $target;
|
||||||
|
|
||||||
#
|
|
||||||
# We go ahead and generate the blacklist chains and jump to them, even if they turn out to be empty. That is necessary
|
|
||||||
# for 'refresh' to work properly.
|
|
||||||
#
|
|
||||||
if ( @$zones || @$zones1 ) {
|
|
||||||
$chainref = set_optflags( new_standard_chain( 'blacklst' ), DONT_OPTIMIZE | DONT_DELETE ) if @$zones;
|
|
||||||
$chainref1 = set_optflags( new_standard_chain( 'blackout' ), DONT_OPTIMIZE | DONT_DELETE ) if @$zones1;
|
|
||||||
|
|
||||||
if ( supplied $level ) {
|
|
||||||
$target = ensure_blacklog_chain ( $target, $disposition, $level, $audit );
|
|
||||||
} elsif ( $audit ) {
|
|
||||||
require_capability 'AUDIT_TARGET', "BLACKLIST_DISPOSITION=$disposition", 's';
|
|
||||||
$target = verify_audit( $disposition );
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
BLACKLIST:
|
BLACKLIST:
|
||||||
{
|
{
|
||||||
if ( my $fn = open_file 'blacklist' ) {
|
if ( my $fn = open_file 'blacklist' ) {
|
||||||
|
#
|
||||||
|
# We go ahead and generate the blacklist chains and jump to them, even if they turn out to be empty. That is necessary
|
||||||
|
# for 'refresh' to work properly.
|
||||||
|
#
|
||||||
|
if ( @$zones || @$zones1 ) {
|
||||||
|
$chainref = set_optflags( new_standard_chain( 'blacklst' ), DONT_OPTIMIZE | DONT_DELETE ) if @$zones;
|
||||||
|
$chainref1 = set_optflags( new_standard_chain( 'blackout' ), DONT_OPTIMIZE | DONT_DELETE ) if @$zones1;
|
||||||
|
|
||||||
|
if ( supplied $level ) {
|
||||||
|
$target = ensure_blacklog_chain ( $target, $disposition, $level, $audit );
|
||||||
|
} elsif ( $audit ) {
|
||||||
|
require_capability 'AUDIT_TARGET', "BLACKLIST_DISPOSITION=$disposition", 's';
|
||||||
|
$target = verify_audit( $disposition );
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
my $first_entry = 1;
|
my $first_entry = 1;
|
||||||
|
|
||||||
|
@ -2373,41 +2373,42 @@ sub classic_blacklist() {
|
|||||||
my $zoneref = find_zone( $zone );
|
my $zoneref = find_zone( $zone );
|
||||||
my $simple = @zones <= 2 && ! $zoneref->{complex};
|
my $simple = @zones <= 2 && ! $zoneref->{complex};
|
||||||
|
|
||||||
if ( $zoneref->{options}{in}{blacklist} ) {
|
if ( my $blackref = $filter_table->{blacklst} ) {
|
||||||
my $blackref = $filter_table->{blacklst};
|
if ( $zoneref->{options}{in}{blacklist} ) {
|
||||||
add_ijump ensure_rules_chain( rules_chain( $zone, $_ ) ) , j => $blackref , @state for firewall_zone, @vservers;
|
add_ijump ensure_rules_chain( rules_chain( $zone, $_ ) ) , j => $blackref , @state for firewall_zone, @vservers;
|
||||||
|
|
||||||
if ( $simple ) {
|
if ( $simple ) {
|
||||||
#
|
#
|
||||||
# We won't create a zone forwarding chain for this zone so we must add blacklisting jumps to the rules chains
|
# We won't create a zone forwarding chain for this zone so we must add blacklisting jumps to the rules chains
|
||||||
#
|
#
|
||||||
for my $zone1 ( @zones ) {
|
for my $zone1 ( @zones ) {
|
||||||
my $ruleschain = rules_chain( $zone, $zone1 );
|
my $ruleschain = rules_chain( $zone, $zone1 );
|
||||||
|
my $ruleschainref = $filter_table->{$ruleschain};
|
||||||
|
|
||||||
|
if ( $zone ne $zone1 || intrazone_allowed( $zone, $zoneref ) ) {
|
||||||
|
add_ijump( ensure_rules_chain( $ruleschain ), j => $blackref, @state );
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
$result = 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
if ( $zoneref->{options}{out}{blacklist} ) {
|
||||||
|
$blackref = $filter_table->{blackout};
|
||||||
|
add_ijump ensure_rules_chain( rules_chain( firewall_zone, $zone ) ) , j => $blackref , @state;
|
||||||
|
|
||||||
|
for my $zone1 ( @zones, @vservers ) {
|
||||||
|
my $ruleschain = rules_chain( $zone1, $zone );
|
||||||
my $ruleschainref = $filter_table->{$ruleschain};
|
my $ruleschainref = $filter_table->{$ruleschain};
|
||||||
|
|
||||||
if ( $zone ne $zone1 || intrazone_allowed( $zone, $zoneref ) ) {
|
if ( ( $zone ne $zone1 || intrazone_allowed( $zone, $zoneref ) ) ) {
|
||||||
add_ijump( ensure_rules_chain( $ruleschain ), j => $blackref, @state );
|
add_ijump( ensure_rules_chain( $ruleschain ), j => $blackref, @state );
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
$result = 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
$result = 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
if ( $zoneref->{options}{out}{blacklist} ) {
|
|
||||||
my $blackref = $filter_table->{blackout};
|
|
||||||
add_ijump ensure_rules_chain( rules_chain( firewall_zone, $zone ) ) , j => $blackref , @state;
|
|
||||||
|
|
||||||
for my $zone1 ( @zones, @vservers ) {
|
|
||||||
my $ruleschain = rules_chain( $zone1, $zone );
|
|
||||||
my $ruleschainref = $filter_table->{$ruleschain};
|
|
||||||
|
|
||||||
if ( ( $zone ne $zone1 || intrazone_allowed( $zone, $zoneref ) ) ) {
|
|
||||||
add_ijump( ensure_rules_chain( $ruleschain ), j => $blackref, @state );
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
$result = 1;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
unless ( $simple ) {
|
unless ( $simple ) {
|
||||||
@ -2416,7 +2417,7 @@ sub classic_blacklist() {
|
|||||||
#
|
#
|
||||||
my $frwd_ref = new_standard_chain zone_forward_chain( $zone );
|
my $frwd_ref = new_standard_chain zone_forward_chain( $zone );
|
||||||
|
|
||||||
add_ijump( $frwd_ref , j => $filter_table->{blacklst}, @state ) if $zoneref->{options}{in}{blacklist};
|
add_ijump( $frwd_ref , j => $filter_table->{blacklst}, @state ) if $filter_table->{blacklst} && $zoneref->{options}{in}{blacklist};
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
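Review bot: The new gate `if ( my $blackref = $filter_table->{blacklst} ) {` in classic_blacklist now encloses the out-blacklist branch (`if ( $zoneref->{options}{out}{blacklist} )`) as well, but the two chains are created under independent conditions in the setup_blacklist hunk (`new_standard_chain( 'blacklst' )` only `if @$zones`, `new_standard_chain( 'blackout' )` only `if @$zones1`). When no zone carries the in-blacklist option but some carry the out option, `$filter_table->{blacklst}` is undef, the whole block is skipped, and the zone's out-blacklist jumps are never added while `$result` stays unset — the configured blacklisting would silently not be applied. The out branch should sit under its own existence check on `$filter_table->{blackout}` instead of reassigning the lexical that was bound by the blacklst test; the sketch below keeps the jump code itself unchanged. classic_blacklist starts and ends outside the hunk, so the closing-brace placement should be checked against the full function, and the remaining `$filter_table->{blacklst}` guard in the zone-forward hunk is consistent with this split.
```perl
	if ( my $blackref = $filter_table->{blacklst} ) {
	    if ( $zoneref->{options}{in}{blacklist} ) {
		# … unchanged: in-blacklist jumps, $simple loop, $result = 1 …
	    }
	}

	if ( my $blackref = $filter_table->{blackout} ) {
	    if ( $zoneref->{options}{out}{blacklist} ) {
		add_ijump ensure_rules_chain( rules_chain( firewall_zone, $zone ) ) , j => $blackref , @state;
		# … unchanged: per-$zone1 loop over @zones, @vservers and $result = 1 …
	    }
	}
```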