diff --git a/Shorewall/Perl/Shorewall/Compiler.pm b/Shorewall/Perl/Shorewall/Compiler.pm
index 2734d7fcb..6facf29cd 100644
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -837,7 +837,7 @@ sub compiler {
     #
     # Process the rules file.
     #
-    process_rules( $update );
+    process_rules();
     #
     # Process the conntrack file
     #
diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index 534e06181..a036ff138 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -3349,77 +3349,12 @@ sub intrazone_allowed( $$ ) {
     $zoneref->{complex} && $filter_table->{rules_chain( $zone, $zone )}{policy} ne 'NONE';
 }
 
-#
-# Add jumps to the blacklst and blackout chains
-#
-sub classic_blacklist() {
-    my $fw = firewall_zone;
-    my @zones = off_firewall_zones;
-    my @vservers = vserver_zones;
-    my @state = $config{BLACKLISTNEWONLY} ? have_capability( 'RAW_TABLE' ) ? state_imatch 'NEW,INVALID,UNTRACKED' : state_imatch 'NEW,INVALID' : ();
-    my $result;
-
-    for my $zone ( @zones ) {
-        my $zoneref = find_zone( $zone );
-        my $simple = @zones <= 2 && ! $zoneref->{complex};
-
-        if ( my $blackref = $filter_table->{blacklst} ) {
-            if ( $zoneref->{options}{in}{blacklist} ) {
-                add_ijump ensure_rules_chain( rules_chain( $zone, $_ ) ) , j => $blackref , @state for firewall_zone, @vservers;
-
-                if ( $simple ) {
-                    #
-                    # We won't create a zone forwarding chain for this zone so we must add blacklisting jumps to the rules chains
-                    #
-                    for my $zone1 ( @zones ) {
-                        my $ruleschain = rules_chain( $zone, $zone1 );
-                        my $ruleschainref = $filter_table->{$ruleschain};
-
-                        if ( $zone ne $zone1 || intrazone_allowed( $zone, $zoneref ) ) {
-                            add_ijump( ensure_rules_chain( $ruleschain ), j => $blackref, @state );
-                        }
-                    }
-                }
-
-                $result = 1;
-            }
-
-            if ( $zoneref->{options}{out}{blacklist} ) {
-                $blackref = $filter_table->{blackout};
-                add_ijump ensure_rules_chain( rules_chain( firewall_zone, $zone ) ) , j => $blackref , @state;
-
-                for my $zone1 ( @zones, @vservers ) {
-                    my $ruleschain = rules_chain( $zone1, $zone );
-                    my $ruleschainref = $filter_table->{$ruleschain};
-
-                    if ( ( $zone ne $zone1 || intrazone_allowed( $zone, $zoneref ) ) ) {
-                        add_ijump( ensure_rules_chain( $ruleschain ), j => $blackref, @state );
-                    }
-                }
-
-                $result = 1;
-            }
-        }
-
-        unless ( $simple ) {
-            #
-            # Complex zone or we have more than one non-firewall zone -- create a zone forwarding chain
-            #
-            my $frwd_ref = new_standard_chain zone_forward_chain( $zone );
-
-            add_ijump( $frwd_ref , j => $filter_table->{blacklst}, @state ) if $filter_table->{blacklst} && $zoneref->{options}{in}{blacklist};
-        }
-    }
-
-    $result;
-}
-
 #
 # Process the BLRules and Rules Files
 #
-sub process_rules( $ ) {
-    my $convert = shift;
+sub process_rules() {
     my $blrules = 0;
+    my @zones = off_firewall_zones;
     #
     # Populate the state table
     #
@@ -3434,9 +3369,19 @@ sub process_rules( $ ) {
     INVALID_SECTION,   'INVALID',
     UNTRACKED_SECTION, 'UNTRACKED' );
     #
-    # Generate jumps to the classic blacklist chains
+    # Create zone-forwarding chains if required
     #
-    $blrules = classic_blacklist unless $convert;
+    for my $zone ( @zones ) {
+        my $zoneref = find_zone( $zone );
+        my $simple = @zones <= 2 && ! $zoneref->{complex};
+
+        unless ( @zones <= 2 && ! $zoneref->{complex} ) {
+            #
+            # Complex zone or we have more than one non-firewall zone -- create a zone forwarding chain
+            #
+            new_standard_chain zone_forward_chain( $zone );
+        }
+    }
     #
     # Process the blrules file
     #
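Review bot: `$simple` in the new zone-forwarding loop of the second Rules.pm hunk is assigned and never read; the `unless` two lines below re-evaluates the identical expression `@zones <= 2 && ! $zoneref->{complex}` instead of using it, so the two can drift apart on a later edit. Either drop the `my $simple` line or write the guard as `unless ( $simple ) {`. With `$blrules = classic_blacklist unless $convert;` removed, `my $blrules = 0;` (context in the first hunk) appears to have lost its only assignment; if nothing further down still sets it, the variable and whatever it gates are dead, though the rest of process_rules lies outside these hunks so that is inferred. The deleted classic_blacklist was also the only visible consumer of the per-zone `$zoneref->{options}{in}{blacklist}` / `{out}{blacklist}` settings, so unless the option is removed from the zone parser in a companion change, a zone still configured with it will compile without any blacklst/blackout jump and without a diagnostic — it should be rejected or warned about where the zone options are parsed.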