forked from extern/shorewall_code
Drop support for the 'blacklist' file.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep
parent
65baa7e3b8
commit
f4620606b3
@ -201,146 +201,6 @@ sub add_rule_pair( $$$$ ) {
|
||||
add_jump( $chainref , $target, 0, $predicate );
|
||||
}
|
||||
|
||||
sub setup_blacklist() {
|
||||
|
||||
my $zones = find_zones_by_option 'blacklist', 'in';
|
||||
my $zones1 = find_zones_by_option 'blacklist', 'out';
|
||||
my $chainref;
|
||||
my $chainref1;
|
||||
my ( $level, $disposition ) = @config{'BLACKLIST_LOG_LEVEL', 'BLACKLIST_DISPOSITION' };
|
||||
my $audit = $disposition =~ /^A_/;
|
||||
my $target = $disposition eq 'REJECT' ? 'reject' : $disposition;
|
||||
my $orig_target = $target;
|
||||
|
||||
BLACKLIST:
|
||||
{
|
||||
if ( my $fn = open_file 'blacklist' ) {
|
||||
#
|
||||
# We go ahead and generate the blacklist chains and jump to them, even if they turn out to be empty. That is necessary
|
||||
# for 'refresh' to work properly.
|
||||
#
|
||||
if ( @$zones || @$zones1 ) {
|
||||
$chainref = set_optflags( new_standard_chain( 'blacklst' ), DONT_OPTIMIZE | DONT_DELETE ) if @$zones;
|
||||
$chainref1 = set_optflags( new_standard_chain( 'blackout' ), DONT_OPTIMIZE | DONT_DELETE ) if @$zones1;
|
||||
|
||||
if ( supplied $level ) {
|
||||
$target = ensure_blacklog_chain ( $target, $disposition, $level, $audit );
|
||||
} elsif ( $audit ) {
|
||||
require_capability 'AUDIT_TARGET', "BLACKLIST_DISPOSITION=$disposition", 's';
|
||||
$target = verify_audit( $disposition );
|
||||
}
|
||||
}
|
||||
|
||||
my $first_entry = 1;
|
||||
|
||||
first_entry "$doing $fn...";
|
||||
|
||||
while ( read_a_line ( NORMAL_READ ) ) {
|
||||
|
||||
if ( $first_entry ) {
|
||||
unless ( @$zones || @$zones1 ) {
|
||||
warning_message qq(The entries in $fn have been ignored because there are no 'blacklist' zones);
|
||||
close_file;
|
||||
last BLACKLIST;
|
||||
}
|
||||
|
||||
$first_entry = 0;
|
||||
}
|
||||
|
||||
my ( $networks, $protocol, $ports, $options ) = split_line( 'blacklist file',
|
||||
{ networks => 0, proto => 1, port => 2, options => 3 } );
|
||||
|
||||
if ( $options eq '-' ) {
|
||||
$options = 'src';
|
||||
} elsif ( $options eq 'audit' ) {
|
||||
$options = 'audit,src';
|
||||
}
|
||||
|
||||
my ( $to, $from, $whitelist, $auditone ) = ( 0, 0, 0, 0 );
|
||||
|
||||
my @options = split_list $options, 'option';
|
||||
|
||||
for ( @options ) {
|
||||
$whitelist++ if $_ eq 'whitelist';
|
||||
$auditone++ if $_ eq 'audit';
|
||||
}
|
||||
|
||||
warning_message "Duplicate 'whitelist' option ignored" if $whitelist > 1;
|
||||
|
||||
my $tgt = $whitelist ? 'RETURN' : $target;
|
||||
|
||||
if ( $auditone ) {
|
||||
fatal_error "'audit' not allowed in whitelist entries" if $whitelist;
|
||||
|
||||
if ( $audit ) {
|
||||
warning_message "Superfluous 'audit' option ignored";
|
||||
} else {
|
||||
warning_message "Duplicate 'audit' option ignored" if $auditone > 1;
|
||||
|
||||
|
||||
|
||||
$tgt = verify_audit( 'A_' . $target, $orig_target, $target );
|
||||
}
|
||||
}
|
||||
|
||||
for ( @options ) {
|
||||
if ( $_ =~ /^(?:src|from)$/ ) {
|
||||
if ( $from++ ) {
|
||||
warning_message "Duplicate 'src' ignored";
|
||||
} else {
|
||||
if ( @$zones ) {
|
||||
expand_rule(
|
||||
$chainref ,
|
||||
NO_RESTRICT ,
|
||||
'' ,
|
||||
do_proto( $protocol , $ports, '' ) ,
|
||||
$networks,
|
||||
'',
|
||||
'' ,
|
||||
$tgt ,
|
||||
'' ,
|
||||
$tgt ,
|
||||
'' );
|
||||
} else {
|
||||
warning_message '"src" entry ignored because there are no "blacklist in" zones';
|
||||
}
|
||||
}
|
||||
} elsif ( $_ =~ /^(?:dst|to)$/ ) {
|
||||
if ( $to++ ) {
|
||||
warning_message "Duplicate 'dst' ignored";
|
||||
} else {
|
||||
if ( @$zones1 ) {
|
||||
expand_rule(
|
||||
$chainref1 ,
|
||||
NO_RESTRICT ,
|
||||
'' ,
|
||||
do_proto( $protocol , $ports, '' ) ,
|
||||
'',
|
||||
$networks,
|
||||
'' ,
|
||||
$tgt ,
|
||||
'' ,
|
||||
$tgt ,
|
||||
'' );
|
||||
} else {
|
||||
warning_message '"dst" entry ignored because there are no "blacklist out" zones';
|
||||
}
|
||||
}
|
||||
} else {
|
||||
fatal_error "Invalid blacklist option($_)" unless $_ eq 'whitelist' || $_ eq 'audit';
|
||||
}
|
||||
}
|
||||
|
||||
progress_message " \"$currentline\" added to blacklist";
|
||||
}
|
||||
|
||||
warning_message q(There are interfaces or zones with the 'blacklist' option but the 'blacklist' file is empty) if $first_entry && @$zones;
|
||||
} elsif ( @$zones || @$zones1 ) {
|
||||
warning_message q(There are interfaces or zones with the 'blacklist' option, but the 'blacklist' file is either missing or has zero size);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
#
|
||||
# Remove instances of 'blacklist' from the passed file.
|
||||
#
|
||||
@ -947,8 +807,6 @@ sub add_common_rules ( $$ ) {
|
||||
|
||||
if ( $upgrade_blacklist ) {
|
||||
exit 0 unless convert_blacklist || $upgrade_tcrules;
|
||||
} else {
|
||||
setup_blacklist;
|
||||
}
|
||||
|
||||
$list = find_hosts_by_option 'nosmurfs';
|
||||
|
||||
Loading…
Reference in New Issue
Block a user