forked from extern/shorewall_code
Allow convertion of a legacy blacklist configuration
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
parent
6108a9cad8
commit
d053faadde
@ -54,10 +54,10 @@ my $family;
|
||||
#
|
||||
# Initilize the package-globals in the other modules
|
||||
#
|
||||
sub initialize_package_globals() {
|
||||
sub initialize_package_globals( $ ) {
|
||||
Shorewall::Config::initialize($family);
|
||||
Shorewall::Chains::initialize ($family, 1, $export );
|
||||
Shorewall::Zones::initialize ($family);
|
||||
Shorewall::Zones::initialize ($family, shift);
|
||||
Shorewall::Nat::initialize;
|
||||
Shorewall::Providers::initialize($family);
|
||||
Shorewall::Tc::initialize($family);
|
||||
@ -525,8 +525,8 @@ EOF
|
||||
#
|
||||
sub compiler {
|
||||
|
||||
my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity, $preview, $confess , $update , $annotate ) =
|
||||
( '', '', -1, '', 0, '', '', -1, 0, 0, 0, 0, );
|
||||
my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity, $preview, $confess , $update , $annotate , $convert ) =
|
||||
( '', '', -1, '', 0, '', '', -1, 0, 0, 0, 0, , 0 );
|
||||
|
||||
$export = 0;
|
||||
$test = 0;
|
||||
@ -561,6 +561,7 @@ sub compiler {
|
||||
preview => { store => \$preview, validate=> \&validate_boolean } ,
|
||||
confess => { store => \$confess, validate=> \&validate_boolean } ,
|
||||
update => { store => \$update, validate=> \&validate_boolean } ,
|
||||
convert => { store => \$convert, validate=> \&validate_boolean } ,
|
||||
annotate => { store => \$annotate, validate=> \&validate_boolean } ,
|
||||
);
|
||||
#
|
||||
@ -579,7 +580,7 @@ sub compiler {
|
||||
#
|
||||
# Now that we know the address family (IPv4/IPv6), we can initialize the other modules' globals
|
||||
#
|
||||
initialize_package_globals;
|
||||
initialize_package_globals( $update );
|
||||
|
||||
if ( $directory ne '' ) {
|
||||
fatal_error "$directory is not an existing directory" unless -d $directory;
|
||||
@ -673,7 +674,7 @@ sub compiler {
|
||||
#
|
||||
# Do all of the zone-independent stuff (mostly /proc)
|
||||
#
|
||||
add_common_rules;
|
||||
add_common_rules( $convert );
|
||||
#
|
||||
# More /proc
|
||||
#
|
||||
|
@ -1268,7 +1268,7 @@ sub set_debug( $$ ) {
|
||||
#
|
||||
sub find_file($)
|
||||
{
|
||||
my $filename=$_[0];
|
||||
my ( $filename, $nosearch ) = @_;
|
||||
|
||||
return $filename if $filename =~ '/';
|
||||
|
||||
@ -1279,7 +1279,7 @@ sub find_file($)
|
||||
return $file if -f $file;
|
||||
}
|
||||
|
||||
"$globals{CONFDIR}/$filename";
|
||||
"$config_path[0]$filename";
|
||||
}
|
||||
|
||||
sub split_list( $$ ) {
|
||||
@ -1949,9 +1949,10 @@ sub expand_variables( \$ ) {
|
||||
# - Handle INCLUDE <filename>
|
||||
#
|
||||
|
||||
sub read_a_line(;$$) {
|
||||
sub read_a_line(;$$$) {
|
||||
my $embedded_enabled = defined $_[0] ? shift : 1;
|
||||
my $expand_variables = defined $_[0] ? shift : 1;
|
||||
my $strip_comments = defined $_[0] ? shift : 1;
|
||||
|
||||
while ( $currentfile ) {
|
||||
|
||||
@ -1971,7 +1972,7 @@ sub read_a_line(;$$) {
|
||||
# If this isn't a continued line, remove trailing comments. Note that
|
||||
# the result may now end in '\'.
|
||||
#
|
||||
s/\s*#.*$// unless /\\$/;
|
||||
s/\s*#.*$// if $strip_comments && ! /\\$/;
|
||||
#
|
||||
# Continuation
|
||||
#
|
||||
@ -1979,7 +1980,7 @@ sub read_a_line(;$$) {
|
||||
#
|
||||
# Now remove concatinated comments
|
||||
#
|
||||
$currentline =~ s/#.*$//;
|
||||
$currentline =~ s/#.*$// if $strip_comments;
|
||||
#
|
||||
# Ignore ( concatenated ) Blank Lines
|
||||
#
|
||||
@ -3126,7 +3127,7 @@ EOF
|
||||
progress_message3 "No update required to configuration file $configfile; $configfile.b";
|
||||
}
|
||||
|
||||
exit 0;
|
||||
exit 0 unless -f find_file 'blacklist';
|
||||
}
|
||||
} else {
|
||||
fatal_error "$fn does not exist";
|
||||
|
@ -348,6 +348,239 @@ sub setup_blacklist() {
|
||||
}
|
||||
}
|
||||
|
||||
#
|
||||
# Remove instances of 'blacklist' from the passed file.
|
||||
#
|
||||
sub remove_blacklist( $ ) {
|
||||
my $file = shift;
|
||||
|
||||
my $fn = find_file $file;
|
||||
|
||||
assert( -f $fn );
|
||||
|
||||
my $oldfile = open_file $fn;
|
||||
my $newfile;
|
||||
my $changed;
|
||||
|
||||
open $newfile, '>', "$fn.new" or fatal_error "Unable to open $fn.new for output: $!";
|
||||
|
||||
while ( read_a_line(1,1,0) ) {
|
||||
my ( $rule, $comment ) = split '#', $currentline, 2;
|
||||
|
||||
if ( $rule =~ /blacklist/ ) {
|
||||
$changed = 1;
|
||||
|
||||
if ( $comment ) {
|
||||
$comment =~ s/^/ / while $rule =~ s/blacklist,//;
|
||||
$rule =~ s/blacklist/ /g;
|
||||
$currentline = join( '#', $rule, $comment );
|
||||
} else {
|
||||
$currentline =~ s/blacklist/ /g;
|
||||
}
|
||||
}
|
||||
|
||||
print $newfile "$currentline\n";
|
||||
}
|
||||
|
||||
close $newfile;
|
||||
|
||||
if ( $changed ) {
|
||||
rename $fn, "$fn.bak" or fatal_error "Unable to rename $fn to $fn.bak: $!";
|
||||
rename "$fn.new", $fn or fatal_error "Unable to rename $fn.new to $fn: $!";
|
||||
progress_message2 "\u$file file $fn saved in $fn.bak"
|
||||
}
|
||||
}
|
||||
|
||||
#
|
||||
# Convert a pre-4.4.25 blacklist to a 4.4.25 blacklist
|
||||
#
|
||||
sub convert_blacklist() {
|
||||
my $zones = find_zones_by_option 'blacklist', 'in';
|
||||
my $zones1 = find_zones_by_option 'blacklist', 'out';
|
||||
my $chainref;
|
||||
my $chainref1;
|
||||
my ( $level, $disposition ) = @config{'BLACKLIST_LOGLEVEL', 'BLACKLIST_DISPOSITION' };
|
||||
my $audit = $disposition =~ /^A_/;
|
||||
my $target = $disposition eq 'REJECT' ? 'reject' : $disposition;
|
||||
my $orig_target = $target;
|
||||
my @rules;
|
||||
|
||||
if ( @$zones || @$zones1 ) {
|
||||
if ( supplied $level ) {
|
||||
my $logchainref = new_standard_chain 'blacklog';
|
||||
|
||||
$target =~ s/A_//;
|
||||
$target = 'reject' if $target eq 'REJECT';
|
||||
|
||||
log_rule_limit( $level , $logchainref , 'blacklst' , $disposition , "$globals{LOGLIMIT}" , '', 'add', '' );
|
||||
|
||||
add_ijump( $logchainref, j => 'AUDIT', targetopts => '--type ' . lc $target ) if $audit;
|
||||
add_ijump( $logchainref, g => $target );
|
||||
|
||||
$target = 'blacklog';
|
||||
} elsif ( $audit ) {
|
||||
require_capability 'AUDIT_TARGET', "BLACKLIST_DISPOSITION=$disposition", 's';
|
||||
$target = verify_audit( $disposition );
|
||||
}
|
||||
|
||||
my $fn = open_file 'blacklist';
|
||||
|
||||
assert $fn;
|
||||
|
||||
first_entry "Converting $fn...";
|
||||
|
||||
while ( read_a_line ) {
|
||||
my ( $networks, $protocol, $ports, $options ) = split_line 'blacklist file', { networks => 0, proto => 1, port => 2, options => 3 };
|
||||
|
||||
if ( $options eq '-' ) {
|
||||
$options = 'src';
|
||||
} elsif ( $options eq 'audit' ) {
|
||||
$options = 'audit,src';
|
||||
}
|
||||
|
||||
my ( $to, $from, $whitelist, $auditone ) = ( 0, 0, 0, 0 );
|
||||
|
||||
my @options = split_list $options, 'option';
|
||||
|
||||
for ( @options ) {
|
||||
$whitelist++ if $_ eq 'whitelist';
|
||||
$auditone++ if $_ eq 'audit';
|
||||
}
|
||||
|
||||
warning_message "Duplicate 'whitelist' option ignored" if $whitelist > 1;
|
||||
|
||||
my $tgt = $whitelist ? 'RETURN' : $target;
|
||||
|
||||
if ( $auditone ) {
|
||||
fatal_error "'audit' not allowed in whitelist entries" if $whitelist;
|
||||
|
||||
if ( $audit ) {
|
||||
warning_message "Superfluous 'audit' option ignored";
|
||||
} else {
|
||||
warning_message "Duplicate 'audit' option ignored" if $auditone > 1;
|
||||
}
|
||||
|
||||
$tgt = verify_audit( 'A_' . $target, $orig_target, $target );
|
||||
}
|
||||
|
||||
for ( @options ) {
|
||||
if ( $_ =~ /^(?:src|from)$/ ) {
|
||||
if ( $from++ ) {
|
||||
warning_message "Duplicate 'src' ignored";
|
||||
} else {
|
||||
if ( @$zones ) {
|
||||
push @rules, [ 'src', $tgt, $networks, $protocol, $ports ];
|
||||
} else {
|
||||
warning_message '"src" entry ignored because there are no "blacklist in" zones';
|
||||
}
|
||||
}
|
||||
} elsif ( $_ =~ /^(?:dst|to)$/ ) {
|
||||
if ( $to++ ) {
|
||||
warning_message "Duplicate 'dst' ignored";
|
||||
} else {
|
||||
if ( @$zones1 ) {
|
||||
push @rules, [ 'dst', $tgt, $networks, $protocol, $ports ];
|
||||
} else {
|
||||
warning_message '"dst" entry ignored because there are no "blacklist out" zones';
|
||||
}
|
||||
}
|
||||
} else {
|
||||
fatal_error "Invalid blacklist option($_)" unless $_ eq 'whitelist' || $_ eq 'audit';
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if ( @rules ) {
|
||||
my $fn1 = find_file( 'blrules' );
|
||||
my $blrules;
|
||||
my $date = localtime;
|
||||
|
||||
if ( -f $fn1 ) {
|
||||
open $blrules, '>>', $fn1 or fatal_error "Unable to open $fn1: $!";
|
||||
} else {
|
||||
open $blrules, '>', $fn1 or fatal_error "Unable to open $fn1: $!";
|
||||
print $blrules <<'EOF';
|
||||
#
|
||||
# Shorewall version 5 - Blacklist Rules File
|
||||
#
|
||||
# For information about entries in this file, type "man shorewall-blrules"
|
||||
#
|
||||
# Please see http://shorewall.net/blacklisting_support.htm for additional
|
||||
# information.
|
||||
#
|
||||
###################################################################################################################################################################################################
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH
|
||||
# PORT PORT(S) DEST LIMIT GROUP
|
||||
EOF
|
||||
}
|
||||
|
||||
print( $blrules
|
||||
"#\n" ,
|
||||
"# Rules generated from blacklist file $fn by Shorewall $globals{VERSION} - $date\n" ,
|
||||
"#\n" );
|
||||
|
||||
for ( @rules ) {
|
||||
my ( $srcdst, $tgt, $networks, $protocols, $ports ) = @$_;
|
||||
|
||||
if ( $level ) {
|
||||
$tgt .= ":$level\t";
|
||||
} else {
|
||||
$tgt .= "\t\t";
|
||||
}
|
||||
|
||||
my $list = $srcdst eq 'src' ? $zones : $zones1;
|
||||
|
||||
for my $zone ( @$list ) {
|
||||
my $rule = $tgt;
|
||||
|
||||
if ( $srcdst eq 'src' ) {
|
||||
if ( $networks ne '-' ) {
|
||||
$rule .= "$zone:$networks\tall\t\t";
|
||||
} else {
|
||||
$rule .= "$zone\t\t\tall\t\t";
|
||||
}
|
||||
} else {
|
||||
if ( $networks ne '-' ) {
|
||||
$rule .= "all\t\t\t$zone:$networks\t";
|
||||
} else {
|
||||
$rule .= "all\t\t\t$zone\t\t\t";
|
||||
}
|
||||
}
|
||||
|
||||
$rule .= "\t$protocols" if $protocols ne '-';
|
||||
$rule .= "\t$ports" if $ports ne '-';
|
||||
|
||||
print $blrules "$rule\n";
|
||||
}
|
||||
}
|
||||
|
||||
close $blrules;
|
||||
} else {
|
||||
warning_message q(There are interfaces or zones with the 'blacklist' option but the 'blacklist' file is empty) unless @rules;
|
||||
}
|
||||
|
||||
rename $fn, "$fn.bak";
|
||||
|
||||
progress_message2 "Blacklist file $fn saved in $fn.bak";
|
||||
|
||||
for my $file ( qw(zones interfaces hosts) ) {
|
||||
remove_blacklist $file;
|
||||
}
|
||||
|
||||
progress_message2 "Blacklist successfully converted";
|
||||
|
||||
return 1;
|
||||
} else {
|
||||
my $fn = find_file 'blacklist';
|
||||
if ( -f $fn ) {
|
||||
rename $fn, "$fn.bak" or fatal_error "Unable to rename $fn to $fn.bak: $!";
|
||||
warning_message "No zones have the blacklist option - the blacklist file was saved in $fn.bak";
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
|
||||
sub process_routestopped() {
|
||||
|
||||
if ( my $fn = open_file 'routestopped' ) {
|
||||
@ -473,7 +706,8 @@ sub process_routestopped() {
|
||||
|
||||
sub setup_mss();
|
||||
|
||||
sub add_common_rules() {
|
||||
sub add_common_rules ( $ ) {
|
||||
my $upgrade = shift;
|
||||
my $interface;
|
||||
my $chainref;
|
||||
my $target;
|
||||
@ -594,7 +828,11 @@ sub add_common_rules() {
|
||||
|
||||
run_user_exit1 'initdone';
|
||||
|
||||
setup_blacklist;
|
||||
if ( $upgrade ) {
|
||||
exit 0 unless convert_blacklist;
|
||||
} else {
|
||||
setup_blacklist;
|
||||
}
|
||||
|
||||
$list = find_hosts_by_option 'nosmurfs';
|
||||
|
||||
|
@ -177,6 +177,7 @@ my %physical;
|
||||
my %basemap;
|
||||
my %mapbase;
|
||||
my $family;
|
||||
my $upgrade;
|
||||
my $have_ipsec;
|
||||
my $baseseq;
|
||||
my $minroot;
|
||||
@ -221,8 +222,8 @@ my %validhostoptions;
|
||||
# 2. The compiler can run multiple times in the same process so it has to be
|
||||
# able to re-initialize its dependent modules' state.
|
||||
#
|
||||
sub initialize( $ ) {
|
||||
$family = shift;
|
||||
sub initialize( $$ ) {
|
||||
( $family , $upgrade ) = @_;
|
||||
@zones = ();
|
||||
%zones = ();
|
||||
$firewall_zone = '';
|
||||
|
@ -62,7 +62,8 @@ sub usage( $ ) {
|
||||
[ --preview ]
|
||||
[ --family={4|6} ]
|
||||
[ --annotate ]
|
||||
[ --updatee ]
|
||||
[ --update ]
|
||||
[ --convert ]
|
||||
';
|
||||
|
||||
exit shift @_;
|
||||
@ -86,6 +87,7 @@ my $family = 4; # F_IPV4
|
||||
my $preview = 0;
|
||||
my $annotate = 0;
|
||||
my $update = 0;
|
||||
my $convert = 0;
|
||||
|
||||
Getopt::Long::Configure ('bundling');
|
||||
|
||||
@ -115,6 +117,7 @@ my $result = GetOptions('h' => \$help,
|
||||
'annotate' => \$annotate,
|
||||
'u' => \$update,
|
||||
'update' => \$update,
|
||||
'convert' => \$convert,
|
||||
);
|
||||
|
||||
usage(1) unless $result && @ARGV < 2;
|
||||
@ -134,5 +137,6 @@ compiler( script => $ARGV[0] || '',
|
||||
family => $family,
|
||||
confess => $confess,
|
||||
update => $update,
|
||||
convert => $convert,
|
||||
annotate => $annotate,
|
||||
);
|
||||
|
@ -1,12 +1,12 @@
|
||||
#
|
||||
# Shorewall version 5 - Blacklist Rules File
|
||||
# Shorewall version 4 - Blacklist Rules File
|
||||
#
|
||||
# For information about entries in this file, type "man shorewall-blrules"
|
||||
#
|
||||
# Please see http://shorewall.net/blacklisting_support.htm for additional
|
||||
# information.
|
||||
#
|
||||
######################################################################################################################################################################################
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH
|
||||
# PORT PORT(S) DEST LIMIT GROUP
|
||||
###################################################################################################################################################################################################
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH
|
||||
# PORT PORT(S) DEST LIMIT GROUP
|
||||
|
||||
|
@ -398,6 +398,7 @@ compiler() {
|
||||
[ -n "$g_refreshchains" ] && options="$options --refresh=$g_refreshchains"
|
||||
[ -n "$g_confess" ] && options="$options --confess"
|
||||
[ -n "$g_update" ] && options="$options --update"
|
||||
[ -n "$g_convert" ] && options="$options --convert"
|
||||
[ -n "$g_annotate" ] && options="$options --annotate"
|
||||
|
||||
if [ -n "$PERL" ]; then
|
||||
@ -728,6 +729,94 @@ check_command() {
|
||||
compiler $g_debugging $nolock check
|
||||
}
|
||||
|
||||
#
|
||||
# Update Command Executor
|
||||
#
|
||||
update_command() {
|
||||
local finished
|
||||
finished=0
|
||||
|
||||
g_update=Yes
|
||||
|
||||
while [ $finished -eq 0 -a $# -gt 0 ]; do
|
||||
option=$1
|
||||
case $option in
|
||||
-*)
|
||||
option=${option#-}
|
||||
|
||||
while [ -n "$option" ]; do
|
||||
case $option in
|
||||
-)
|
||||
finished=1
|
||||
option=
|
||||
;;
|
||||
e*)
|
||||
g_export=Yes
|
||||
option=${option#e}
|
||||
;;
|
||||
p*)
|
||||
g_profile=Yes
|
||||
option=${option#p}
|
||||
;;
|
||||
d*)
|
||||
g_debug=Yes;
|
||||
option=${option#d}
|
||||
;;
|
||||
r*)
|
||||
g_preview=Yes
|
||||
option=${option#r}
|
||||
;;
|
||||
T*)
|
||||
g_confess=Yes
|
||||
option=${option#T}
|
||||
;;
|
||||
a*)
|
||||
g_annotate=Yes
|
||||
option=${option#a}
|
||||
;;
|
||||
b*)
|
||||
g_convert=Yes
|
||||
option=${option#b}
|
||||
;;
|
||||
*)
|
||||
usage 1
|
||||
;;
|
||||
esac
|
||||
done
|
||||
shift
|
||||
;;
|
||||
*)
|
||||
finished=1
|
||||
;;
|
||||
esac
|
||||
done
|
||||
|
||||
case $# in
|
||||
0)
|
||||
;;
|
||||
1)
|
||||
[ -n "$SHOREWALL_DIR" ] && usage 2
|
||||
|
||||
if [ ! -d $1 ]; then
|
||||
if [ -e $1 ]; then
|
||||
echo "$1 is not a directory" >&2 && exit 2
|
||||
else
|
||||
echo "Directory $1 does not exist" >&2 && exit 2
|
||||
fi
|
||||
fi
|
||||
|
||||
SHOREWALL_DIR=$(resolve_file $1)
|
||||
;;
|
||||
*)
|
||||
usage 1
|
||||
;;
|
||||
esac
|
||||
|
||||
progress_message3 "Updating..."
|
||||
|
||||
compiler $g_debugging $nolock check
|
||||
}
|
||||
|
||||
#
|
||||
# Restart Command Executor
|
||||
#
|
||||
@ -1431,6 +1520,8 @@ usage() # $1 = exit status
|
||||
echo " reset [ <chain> ... ]"
|
||||
echo " restart [ -n ] [ -p ] [-d] [ -f ] [ -c ][ <directory> ]"
|
||||
echo " restore [ -n ] [ <file name> ]"
|
||||
echo " safe-restart [ <directory> ]"
|
||||
echo " safe-start [ <directory> ]"
|
||||
echo " save [ <file name> ]"
|
||||
echo " show [ -x ] [ -t {filter|mangle|nat|raw|rawpost} ] [ {chain [<chain> [ <chain> ... ]"
|
||||
echo " show actions"
|
||||
@ -1451,13 +1542,11 @@ usage() # $1 = exit status
|
||||
echo " show vardir"
|
||||
echo " show zones"
|
||||
echo " start [ -f ] [ -n ] [ -p ] [ -c ] [ <directory> ]"
|
||||
echo " stop"
|
||||
echo " status"
|
||||
echo " stop"
|
||||
echo " try <directory> [ <timeout> ]"
|
||||
echo " update [ -b ] [ -r ] [ -T ] [ <directory> ]"
|
||||
echo " version [ -a ]"
|
||||
echo " safe-start [ <directory> ]"
|
||||
echo " safe-restart [ <directory> ]"
|
||||
echo " update [ -e ] [ -d ] [ -p ] [ -r ] [ -T ] [ -a ] [ <directory> ]"
|
||||
echo
|
||||
exit $1
|
||||
}
|
||||
@ -1541,6 +1630,7 @@ g_export=
|
||||
g_refreshchains=:none:
|
||||
g_confess=
|
||||
g_update=
|
||||
g_convert=
|
||||
g_annotate=
|
||||
|
||||
#
|
||||
@ -1751,8 +1841,7 @@ case "$COMMAND" in
|
||||
update)
|
||||
get_config Yes
|
||||
shift
|
||||
g_update=Yes
|
||||
check_command $@
|
||||
update_command $@
|
||||
;;
|
||||
show|list)
|
||||
get_config Yes No Yes
|
||||
|
@ -398,6 +398,7 @@ compiler() {
|
||||
[ -n "$g_refreshchains" ] && options="$options --refresh=$g_refreshchains"
|
||||
[ -n "$g_confess" ] && options="$options --confess"
|
||||
[ -n "$g_update" ] && options="$options --update"
|
||||
[ -n "$g_convert" ] && options="$options --convert"
|
||||
[ -n "$g_annotate" ] && options="$options --annotate"
|
||||
[ -x $pc ] || startup_error "Shorewall6 requires the shorewall package which is not installed"
|
||||
|
||||
@ -729,6 +730,92 @@ check_command() {
|
||||
compiler $g_debugging $nolock check
|
||||
}
|
||||
|
||||
#
|
||||
# Update Command Executor
|
||||
#
|
||||
update_command() {
|
||||
local finished
|
||||
finished=0
|
||||
|
||||
while [ $finished -eq 0 -a $# -gt 0 ]; do
|
||||
option=$1
|
||||
case $option in
|
||||
-*)
|
||||
option=${option#-}
|
||||
|
||||
while [ -n "$option" ]; do
|
||||
case $option in
|
||||
-)
|
||||
finished=1
|
||||
option=
|
||||
;;
|
||||
e*)
|
||||
g_export=Yes
|
||||
option=${option#e}
|
||||
;;
|
||||
p*)
|
||||
g_profile=Yes
|
||||
option=${option#p}
|
||||
;;
|
||||
d*)
|
||||
g_debug=Yes;
|
||||
option=${option#d}
|
||||
;;
|
||||
r*)
|
||||
g_preview=Yes
|
||||
option=${option#r}
|
||||
;;
|
||||
T*)
|
||||
g_confess=Yes
|
||||
option=${option#T}
|
||||
;;
|
||||
a*)
|
||||
g_annotate=Yes
|
||||
option=${option#a}
|
||||
;;
|
||||
b*)
|
||||
g_convert=Yes
|
||||
option=${option#b}
|
||||
;;
|
||||
*)
|
||||
usage 1
|
||||
;;
|
||||
esac
|
||||
done
|
||||
shift
|
||||
;;
|
||||
*)
|
||||
finished=1
|
||||
;;
|
||||
esac
|
||||
done
|
||||
|
||||
case $# in
|
||||
0)
|
||||
;;
|
||||
1)
|
||||
[ -n "$SHOREWALL_DIR" ] && usage 2
|
||||
|
||||
if [ ! -d $1 ]; then
|
||||
if [ -e $1 ]; then
|
||||
echo "$1 is not a directory" >&2 && exit 2
|
||||
else
|
||||
echo "Directory $1 does not exist" >&2 && exit 2
|
||||
fi
|
||||
fi
|
||||
|
||||
SHOREWALL_DIR=$(resolve_file $1)
|
||||
;;
|
||||
*)
|
||||
usage 1
|
||||
;;
|
||||
esac
|
||||
|
||||
progress_message3 "Updating..."
|
||||
|
||||
compiler $g_debugging $nolock check
|
||||
}
|
||||
|
||||
#
|
||||
# Restart Command Executor
|
||||
#
|
||||
@ -1428,6 +1515,8 @@ usage() # $1 = exit status
|
||||
echo " reset [ <chain> ... ]"
|
||||
echo " restart [ -n ] [ -p ] [-d] [ -f ] [ -c ][ <directory> ]"
|
||||
echo " restore [ -n ] [ <file name> ]"
|
||||
echo " safe-restart [ <directory> ]"
|
||||
echo " safe-start [ <directory> ]"
|
||||
echo " save [ <file name> ]"
|
||||
echo " show [ -x ] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]"
|
||||
echo " show actions"
|
||||
@ -1447,13 +1536,11 @@ usage() # $1 = exit status
|
||||
echo " show vardir"
|
||||
echo " show zones"
|
||||
echo " start [ -f ] [ -n ] [ -p ] [ -c ] [ <directory> ]"
|
||||
echo " stop"
|
||||
echo " status"
|
||||
echo " stop"
|
||||
echo " try <directory> [ <timeout> ]"
|
||||
echo " update [ -b ] [ -r ] [ -T ] [ <directory> ]"
|
||||
echo " version [ -a ]"
|
||||
echo " safe-start [ <directory> ]"
|
||||
echo " safe-restart [ <directory> ]"
|
||||
echo " update [ -e ] [ -d ] [ -p ] [ -r ] [ -T ] [ -a ] [ <directory> ]"
|
||||
echo
|
||||
exit $1
|
||||
}
|
||||
@ -1537,6 +1624,7 @@ g_export=
|
||||
g_refreshchains=:none:
|
||||
g_confess=
|
||||
g_update=
|
||||
g_convert=
|
||||
g_annotate=
|
||||
|
||||
#
|
||||
@ -1747,8 +1835,7 @@ case "$COMMAND" in
|
||||
update)
|
||||
get_config Yes
|
||||
shift
|
||||
g_update=Yes
|
||||
check_command $@
|
||||
update_command $@
|
||||
;;
|
||||
show|list)
|
||||
get_config Yes No Yes
|
||||
|
@ -72,11 +72,11 @@
|
||||
<title>Rule-based Blacklisting</title>
|
||||
|
||||
<para>Beginning with Shorewall 4.4.25, the preferred method of
|
||||
blacklisting and whitelisting is to use the BLACKLIST section of the rules
|
||||
file. There you have access to the DROP, ACCEPT, REJECT and WHITELIST
|
||||
actions, standard and custom macros as well as standard and custom
|
||||
actions. See <ulink
|
||||
url="manpages/shorewall-rules.html">shorewall-rules</ulink> (5) for
|
||||
blacklisting and whitelisting is to use the blrules file (<ulink
|
||||
url="manpages/shorewall-blrules.html">shorewall-blrules</ulink> (5)).
|
||||
There you have access to the DROP, ACCEPT, REJECT and WHITELIST actions,
|
||||
standard and custom macros as well as standard and custom actions. See
|
||||
<ulink url="manpages/shorewall-rules.html">shorewall-rules</ulink> (5) for
|
||||
details.</para>
|
||||
|
||||
<para>Example:</para>
|
||||
@ -95,29 +95,16 @@ DROP net:84.108.168.139 all
|
||||
DROP net:200.55.14.18 all
|
||||
</programlisting>
|
||||
|
||||
<para>If you prefer to keep your blacklist rules in a separate file,
|
||||
then:</para>
|
||||
<para>Beginning with Shorewall 4.4.26, the <command>update</command>
|
||||
command supports a <option>-b</option> option that causes your legacy
|
||||
blacklisting configuration to use the blrules file.</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>create the separate file.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>copy the column headings from your rules file to the new
|
||||
file.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>enter your blacklist rules into the new file.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>in the BLACKLIST section of your rules file, enter:</para>
|
||||
|
||||
<programlisting>INCLUDE <replaceable>name-of-new-file</replaceable></programlisting>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
<note>
|
||||
<para>If you prefer to keep your blacklisting rules in your rules file
|
||||
(<ulink url="manpages/shorewall-rules.html">shorewall-rules</ulink>
|
||||
(5)), you can place them in the BLACKLIST section of that file rather
|
||||
than in blrules.</para>
|
||||
</note>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
|
@ -348,7 +348,8 @@
|
||||
BLACKLIST_LOGLEVEL=debug). If you do not assign a value or if you
|
||||
assign an empty value then packets from blacklisted hosts are not
|
||||
logged. The BLACKLIST_LOGLEVEL setting has no effect on entries in
|
||||
the BLACKLIST section of <ulink
|
||||
the <ulink url="???">shorewall-blrules</ulink> (5) file or in the
|
||||
BLACKLIST section of <ulink
|
||||
url="shorewall-rules.html">shorewall-rules</ulink> (5).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
@ -360,8 +361,9 @@
|
||||
<listitem>
|
||||
<para>When set to <emphasis role="bold">Yes</emphasis> or <emphasis
|
||||
role="bold">yes</emphasis>, blacklists are only consulted for new
|
||||
connections. That includes entries in the BLACKLIST section of
|
||||
<ulink url="shorewall-rules.html">shorewall-rules</ulink>
|
||||
connections. That includes entries in the <ulink
|
||||
url="???">shorewall-blrules</ulink> (5) file and in the BLACKLIST
|
||||
section of <ulink url="shorewall-rules.html">shorewall-rules</ulink>
|
||||
(5).</para>
|
||||
|
||||
<para>When set to <emphasis role="bold">No</emphasis> or <emphasis
|
||||
|
@ -628,12 +628,10 @@
|
||||
|
||||
<arg choice="plain"><option>update</option></arg>
|
||||
|
||||
<arg><option>-e</option></arg>
|
||||
<arg><option>-b</option></arg>
|
||||
|
||||
<arg><option>-d</option></arg>
|
||||
|
||||
<arg><option>-p</option></arg>
|
||||
|
||||
<arg><option>-r</option></arg>
|
||||
|
||||
<arg><option>-T</option></arg>
|
||||
@ -1564,6 +1562,17 @@
|
||||
<filename>shorewall.conf</filename> file to be annotated with
|
||||
documentation.</para>
|
||||
|
||||
<para>The <option>-b</option> option was added in Shorewall 4.4.26
|
||||
and causes legacy blacklisting rules (<ulink
|
||||
url="shorewall-blacklist.html">shorewall-blacklist</ulink> (5) ) to
|
||||
be converted to entries in the blrules file (<ulink
|
||||
url="shorewall-blrules.html">shorewall-blrules</ulink> (5) ). The
|
||||
blacklist keyword is removed from <ulink
|
||||
url="shorewall-zones.html">shorewall-zones</ulink> (5), <ulink
|
||||
url="shorewall-interfaces.html">shorewall-interfaces</ulink> (5) and
|
||||
<ulink url="shorewall-hosts.html">shorewall-hosts</ulink> (5). The
|
||||
unmodified files are saved with a .bak suffix.</para>
|
||||
|
||||
<para>For a description of the other options, see the <emphasis
|
||||
role="bold">check</emphasis> command above.</para>
|
||||
</listitem>
|
||||
|
@ -262,8 +262,9 @@
|
||||
be dropped or REJECT if the packets are to be replied with an ICMP
|
||||
port unreachable reply or a TCP RST (tcp only). If you do not assign
|
||||
a value or if you assign an empty value then DROP is assumed. The
|
||||
BLACKLIST_DISPOSITION setting has no effect on entries in the
|
||||
BLACKLIST section of <ulink
|
||||
BLACKLIST_DISPOSITION setting has no effect on entries in the <ulink
|
||||
url="???">shorewall-blrules</ulink> (5) file or in the BLACKLIST
|
||||
section of <ulink
|
||||
url="shorewall6-rules.html">shorewall6-rules</ulink> (5).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
@ -279,7 +280,8 @@
|
||||
BLACKLIST_LOGLEVEL=debug). If you do not assign a value or if you
|
||||
assign an empty value then packets from blacklisted hosts are not
|
||||
logged. The BLACKLIST_LOGLEVEL setting has no effect on entries in
|
||||
the BLACKLIST section of <ulink
|
||||
the <ulink url="???">shorewall-blrules</ulink> (5) file and in the
|
||||
BLACKLIST section of <ulink
|
||||
url="shorewall6-rules.html">shorewall6-rules</ulink> (5).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
@ -291,9 +293,10 @@
|
||||
<listitem>
|
||||
<para>When set to <emphasis role="bold">Yes</emphasis> or <emphasis
|
||||
role="bold">yes</emphasis>, blacklists are only consulted for new
|
||||
connections. This includes entries in the BLACKLIST section of
|
||||
<ulink url="shorewall6-rules.html">shorewall6-rules</ulink>
|
||||
(5).</para>
|
||||
connections. This includes entries in the <ulink
|
||||
url="???">shorewall-blrules</ulink> (5) file and in the BLACKLIST
|
||||
section of <ulink
|
||||
url="shorewall6-rules.html">shorewall6-rules</ulink> (5).</para>
|
||||
|
||||
<para>When set to <emphasis role="bold">No</emphasis> or <emphasis
|
||||
role="bold">no</emphasis>, blacklists are consulted for every packet
|
||||
|
@ -529,12 +529,10 @@
|
||||
|
||||
<arg choice="plain"><option>update</option></arg>
|
||||
|
||||
<arg><option>-e</option></arg>
|
||||
<arg><option>-b</option></arg>
|
||||
|
||||
<arg><option>-d</option></arg>
|
||||
|
||||
<arg><option>-p</option></arg>
|
||||
|
||||
<arg><option>-r</option></arg>
|
||||
|
||||
<arg><option>-T</option></arg>
|
||||
@ -1373,6 +1371,17 @@
|
||||
<filename>shorewall6.conf</filename> file to be annotated with
|
||||
documentation.</para>
|
||||
|
||||
<para>The <option>-b</option> option was added in Shorewall 4.4.26
|
||||
and causes legacy blacklisting rules (<ulink
|
||||
url="shorewall6-blacklist.html">shorewall6-blacklist</ulink> (5) )
|
||||
to be converted to entries in the blrules file (<ulink
|
||||
url="shorewall6-blrules.html">shorewall6-blrules</ulink> (5) ). The
|
||||
blacklist keyword is removed from <ulink
|
||||
url="shorewall6-zones.html">shorewall6-zones</ulink> (5), <ulink
|
||||
url="shorewall6-interfaces.html">shorewall-interfaces</ulink> (5)
|
||||
and <ulink url="shorewall6-hosts.html">shorewall6-hosts</ulink> (5).
|
||||
The unmodified files are saved with a .bak suffix.</para>
|
||||
|
||||
<para>For a description of the other options, see the <emphasis
|
||||
role="bold">check</emphasis> command above.</para>
|
||||
</listitem>
|
||||
@ -1404,8 +1413,8 @@
|
||||
|
||||
<para>shorewall6-accounting(5), shorewall6-actions(5),
|
||||
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
|
||||
shorewall6-maclist(5), shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
|
||||
shorewall6-providers(5), shorewall6-route_rules(5),
|
||||
shorewall6-maclist(5), shoewall6-netmap(5),shorewall6-params(5),
|
||||
shorewall6-policy(5), shorewall6-providers(5), shorewall6-route_rules(5),
|
||||
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
|
||||
shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),
|
||||
shorewall6-tcrules(5), shorewall6-tos(5), shorewall6-tunnels(5),
|
||||
|
Loading…
Reference in New Issue
Block a user