diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm
index f3dda3f2e..f14701529 100644
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -247,9 +247,19 @@ sub setup_blacklist() {
$options = 'src' if $options eq '-';
- my ( $to, $from ) = ( 0, 0 );
+ my ( $to, $from, $whitelist ) = ( 0, 0, 0 );
- for ( split /,/, $options ) {
+ my @options = split_list $options, 'option';
+
+ for ( @options ) {
+ $whitelist++ if $_ eq 'whitelist';
+ }
+
+ warning_message "Duplicate 'whitelist' option ignored" if $whitelist > 1;
+
+ my $tgt = $whitelist ? 'RETURN' : $target;
+
+ for ( @options ) {
if ( $_ =~ /^(?:from|src)$/ ) {
if ( $from++ ) {
warning_message "Duplicate 'src' ignored";
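Review bot: An entry whose OPTIONS column is just `whitelist` (a form the manpage change in this commit permits) installs no rule at all: the `$options = 'src' if $options eq '-'` default does not apply, `@options` then holds no src/dst token, so the second loop sets neither `$from` nor `$to` and the entry is silently dropped while the host remains subject to the blacklist entries that follow it. Unless the code after the loop (outside this hunk) already defaults to src, add the default right after `split_list`, e.g. `push @options, 'src' unless grep { /^(?:from|src|to|dst)$/ } @options;`. The counting loop can also be collapsed to `my $whitelist = grep { $_ eq 'whitelist' } @options;`, and a one-line comment such as `# whitelist entries RETURN from the chain, so the following entries never see the packet` would record why `$tgt` diverges from `$target`. setup_blacklist begins before this hunk and continues after it.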
@@ -262,9 +272,9 @@ sub setup_blacklist() {
$networks,
'',
'' ,
- $target ,
+ $tgt ,
'' ,
- $target ,
+ $tgt ,
'' );
} else {
warning_message '"src" entry ignored because there are no "blacklist in" zones';
@@ -282,15 +292,15 @@ sub setup_blacklist() {
'',
$networks,
'' ,
- $target ,
+ $tgt ,
'' ,
- $target ,
+ $tgt ,
'' );
} else {
warning_message '"dst" entry ignored because there are no "blacklist out" zones';
}
}
- } else {
+ } elsif ( $_ ne 'whitelist' ) {
fatal_error "Invalid blacklist option($_)";
}
}
diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index 7c6ba705f..7d53e7790 100644
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -8,6 +8,8 @@ Changes in Shorewall 4.4.20 Beta 2
4) Implemented NFLOG accounting action.
+5) Implement 'whitelist' option.
+
Changes in Shorewall 4.4.20 Beta 1
1) Apply Togan's patch for installation flexibility.
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index f75eface1..0aaacf425 100644
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@@ -51,7 +51,12 @@ All bug fixes from 4.4.19.1 - 4.4.19.4.
3) An NFLOG 'ACTION' has been added to the accounting file to allow
sending matching packets (or the leading part of them) to backend
- accounting daemons via a netlink socket.
+ accounting daemons via a netlink socket.
+
+4) A 'whitelist' option has been added to the blacklist file. When
+ 'whitelist' is specified, packets/connections matching the entry
+ are not matched against the entries which follow. No logging of
+ whitelisted packets/connections is performed.
----------------------------------------------------------------------------
I V. R E L E A S E 4 . 4 H I G H L I G H T S
diff --git a/docs/Documentation_Index.xml b/docs/Documentation_Index.xml
index dc12edcfb..c8e2126d1 100644
--- a/docs/Documentation_Index.xml
+++ b/docs/Documentation_Index.xml
@@ -124,7 +124,7 @@
Blacklisting
+ url="blacklisting_support.htm">Blacklisting/Whitelisting
Masquerading
@@ -265,8 +265,8 @@
Port
Forwarding
- White List
- Creation
+ White
+ List Creation
diff --git a/docs/blacklisting_support.xml b/docs/blacklisting_support.xml
index 0ef13ac94..ca761f5da 100644
--- a/docs/blacklisting_support.xml
+++ b/docs/blacklisting_support.xml
@@ -5,7 +5,7 @@
- Shorewall Blacklisting Support
+ Shorewall Blacklisting/Whitelisting Support
@@ -22,6 +22,8 @@
2010
+ 2011
+
Thomas M. Eastep
@@ -66,10 +68,10 @@
- Only the source address is checked against
- the blacklists. Blacklists only stop blacklisted hosts from
- connecting to you — they do not stop you or your users from connecting
- to blacklisted hosts .
+ By default, only the source address is
+ checked against the blacklists. Blacklists only stop
+ blacklisted hosts from connecting to you — they do not stop you or your
+ users from connecting to blacklisted hosts .
@@ -106,36 +108,31 @@
You specify whether you want packets from blacklisted hosts
dropped or rejected using the BLACKLIST_DISPOSITION setting in /etc/shorewall/shorewall.conf.
+ url="manpages/shorewall.conf.html">shorewall.conf(5).
You specify whether you want packets from blacklisted hosts
logged and at what syslog level using the BLACKLIST_LOGLEVEL setting
in /etc/shorewall/shorewall.conf.
+ url="manpages/shorewall.conf.html">shorewall.conf(5).
You list the IP addresses/subnets that you wish to blacklist in
/etc/shorewall/blacklist.
- You may also specify PROTOCOL and Port numbers/Service names in the
- blacklist file.
+ url="manpages/shorewall-blacklist.html">shorewall-blacklist
+ (5). You may also specify PROTOCOL and Port numbers/Service names in
+ the blacklist file.
You specify the interfaces whose incoming packets you want
checked against the blacklist using the blacklist
option in /etc/shorewall/interfaces.
-
-
-
- The black list is refreshed from
- /etc/shorewall/blacklist by the shorewall
- refresh
command.
+ url="manpages/shorewall-interfaces.html">shorewall-interfaces(5)
+ (shorewall-zones(5)
+ in Shorewall 4.4.12 and later).
@@ -176,6 +173,19 @@ ipset -B Blacklist 206.124.146.177 -b SMTP
This will blacklist SMTP traffic from host 206.124.146.177.
+
+ Static Whitelisting
+
+ Beginning with Shorewall 4.4.20, you can create
+ whitelist entries in the blacklist file.
+ Connections/packets matching a whitelist entry are not matched against the
+ entries in the blacklist file that follow. Whitelist entries are created
+ using the whitelist option (OPTIONS
+ column). See shorewall-blacklist
+ (5).
+
+
Dynamic Blacklisting
diff --git a/manpages/shorewall-blacklist.xml b/manpages/shorewall-blacklist.xml
index 89512525f..b455cc00c 100644
--- a/manpages/shorewall-blacklist.xml
+++ b/manpages/shorewall-blacklist.xml
@@ -78,7 +78,7 @@
OPTIONS (Optional - Added in 4.4.12) -
- {-|{dst|src}[,...]}
+ {-|{dst|src|whitelist}[,...]}
If specified, indicates whether traffic
@@ -122,6 +122,12 @@
+
+ In Shorewall 4.4.20, the whitelist option was added. When whitelist is specified, packets/connections
+ that match the entry are not matched against the remaining entries
+ in the file.
diff --git a/manpages6/shorewall6-blacklist.xml b/manpages6/shorewall6-blacklist.xml
index 421fad3fc..ac8a79ca5 100644
--- a/manpages6/shorewall6-blacklist.xml
+++ b/manpages6/shorewall6-blacklist.xml
@@ -78,7 +78,7 @@
OPTIONS (Optional - Added in 4.4.12) -
- {-|{dst|src}[,...]}
+ {-|{dst|src|whitelist}[,...]}
If specified, indicates whether traffic
@@ -122,6 +122,12 @@
+
+ In Shorewall 4.4.20, the whitelist option was added. When whitelist is specified, packets/connections
+ that match the entry are not matched against the remaining entries
+ in the file.