
Replace BLACKLISTNEWONLY with BLACKLIST

Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep
2013-01-30 08:00:47 -08:00
parent 75fb164234
commit fc73c3934b
16 changed files with 110 additions and 24 deletions

@ -3871,6 +3871,8 @@ sub state_imatch( $ ) {
unless ( $state eq 'ALL' ) { unless ( $state eq 'ALL' ) {
have_capability 'CONNTRACK_MATCH' ? ( conntrack => "--ctstate $state" ) : ( state => "--state $state" ); have_capability 'CONNTRACK_MATCH' ? ( conntrack => "--ctstate $state" ) : ( state => "--state $state" );
} else {
();
} }
} }
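Review bot: The new `unless ... else` that opens the hunk is the construct perlcritic flags (ControlStructures::ProhibitUnlessBlocks); the positive form reads more directly and is behaviour-identical: `if ( $state eq 'ALL' ) { () } else { have_capability 'CONNTRACK_MATCH' ? ( conntrack => "--ctstate $state" ) : ( state => "--state $state" ) }`. The empty list returned for ALL is significant — a caller that splices it into a rule gets no state match, so that rule applies to every packet — and deserves a comment on the `();` line such as `# 'ALL' means no state restriction: the caller's rule matches every packet`. state_imatch's signature is in the hunk header and its body begins outside the hunk.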

@ -545,13 +545,16 @@ our %deprecated = ( LOGRATE => '' ,
LOGBURST => '' , LOGBURST => '' ,
EXPORTPARAMS => 'no', EXPORTPARAMS => 'no',
WIDE_TC_MARKS => 'no', WIDE_TC_MARKS => 'no',
HIGH_ROUTE_MARKS => 'no' HIGH_ROUTE_MARKS => 'no',
BLACKLISTNEWONLY => 'yes',
); );
# #
# Deprecated options that are eliminated via update # Deprecated options that are eliminated via update
# #
our %converted = ( WIDE_TC_MARKS => 1, our %converted = ( WIDE_TC_MARKS => 1,
HIGH_ROUTE_MARKS => 1 ); HIGH_ROUTE_MARKS => 1,
BLACKLISTNEWONLY => 1,
);
# #
# Variables involved in ?IF, ?ELSE ?ENDIF processing # Variables involved in ?IF, ?ELSE ?ENDIF processing
# #
@ -722,6 +725,7 @@ sub initialize( $;$$) {
DETECT_DNAT_IPADDRS => undef, DETECT_DNAT_IPADDRS => undef,
MUTEX_TIMEOUT => undef, MUTEX_TIMEOUT => undef,
ADMINISABSENTMINDED => undef, ADMINISABSENTMINDED => undef,
BLACKLIST => undef,
BLACKLISTNEWONLY => undef, BLACKLISTNEWONLY => undef,
DELAYBLACKLISTLOAD => undef, DELAYBLACKLISTLOAD => undef,
MODULE_SUFFIX => undef, MODULE_SUFFIX => undef,
@ -5079,7 +5083,6 @@ sub get_configuration( $$$$ ) {
} }
default_yes_no 'ADMINISABSENTMINDED' , ''; default_yes_no 'ADMINISABSENTMINDED' , '';
default_yes_no 'BLACKLISTNEWONLY' , '';
default_yes_no 'DISABLE_IPV6' , ''; default_yes_no 'DISABLE_IPV6' , '';
unsupported_yes_no_warning 'DYNAMIC_ZONES'; unsupported_yes_no_warning 'DYNAMIC_ZONES';
@ -5098,8 +5101,48 @@ sub get_configuration( $$$$ ) {
default_yes_no 'FASTACCEPT' , ''; default_yes_no 'FASTACCEPT' , '';
if ( supplied( $val = $config{BLACKLIST} ) ) {
my %states;
if ( $val eq 'ALL' ) {
$globals{BLACKLIST_STATES} = 'ALL';
} else {
for ( split_list $val, 'BLACKLIST' ) {
fatal_error "Invalid BLACKLIST state ($_)" unless /^(?:NEW|RELATED|ESTABLISHED|INVALID|UNTRACKED)$/;
fatal_error "Duplicate BLACKLIST state($_)" if $states{$_};
$states{$_} = 1;
}
fatal_error "ESTABLISHED state may not be specified when FASTACCEPT=Yes" if $config{FASTACCEPT} && $states{ESTABLISHED};
require_capability 'RAW_TABLE', 'UNTRACKED state', 's' if $states{UNTRACKED};
#
# Place the states in a predictable order
#
my @states;
for ( qw( NEW ESTABLISHED RELATED INVALID UNTRACKED ) ) {
push @states, $_ if $states{$_};
}
$globals{BLACKLIST_STATES} = join ',', @states;
}
} elsif ( supplied $config{BLACKLISTNEWONLY} ) {
default_yes_no 'BLACKLISTNEWONLY' , '';
fatal_error "BLACKLISTNEWONLY=No may not be specified with FASTACCEPT=Yes" if $config{FASTACCEPT} && ! $config{BLACKLISTNEWONLY}; fatal_error "BLACKLISTNEWONLY=No may not be specified with FASTACCEPT=Yes" if $config{FASTACCEPT} && ! $config{BLACKLISTNEWONLY};
if ( have_capability 'RAW_TABLE' ) {
$globals{BLACKLIST_STATES} = $config{BLACKLISTNEWONLY} ? 'NEW,INVALID,UNTRACKED' : 'NEW,ESTABLISHED,INVALID,UNTRACKED';
} else {
$globals{BLACKLIST_STATES} = $config{BLACKLISTNEWONLY} ? 'NEW,INVALID' : 'NEW,ESTABLISHED,INVALID';
}
} else {
if ( have_capability 'RAW_TABLE' ) {
$globals{BLACKLIST_STATES} = $config{FASTACCEPT} ? 'NEW,INVALID,UNTRACKED' : 'NEW,ESTABLISHED,INVALID,UNTRACKED';
} else {
$globals{BLACKLIST_STATES} = $config{FASTACCEPT} ? 'NEW,INVALID' : 'NEW,INVALID,ESTABLISHED';
}
}
default_yes_no 'IMPLICIT_CONTINUE' , ''; default_yes_no 'IMPLICIT_CONTINUE' , '';
default_yes_no 'HIGH_ROUTE_MARKS' , ''; default_yes_no 'HIGH_ROUTE_MARKS' , '';
default_yes_no 'TC_EXPERT' , ''; default_yes_no 'TC_EXPERT' , '';
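Review bot: The FASTACCEPT consistency check `fatal_error "ESTABLISHED state may not be specified when FASTACCEPT=Yes" if $config{FASTACCEPT} && $states{ESTABLISHED};` runs only in the explicit-list branch, so `BLACKLIST=ALL` together with FASTACCEPT=Yes is accepted silently even though ALL sends ESTABLISHED traffic through the blacklist chains; if that combination is meant to be rejected like an explicit ESTABLISHED, the ALL branch needs the same guard, e.g. `fatal_error "ESTABLISHED state may not be specified when FASTACCEPT=Yes" if $config{FASTACCEPT};` before `$globals{BLACKLIST_STATES} = 'ALL';`. The final `else` branch orders the states as `'NEW,INVALID,ESTABLISHED'` while every other literal and the "predictable order" loop use `'NEW,ESTABLISHED,INVALID'`, and the `"Duplicate BLACKLIST state($_)"` message lacks the space its sibling message has; both are harmless but inconsistent. That default branch also drops ESTABLISHED when FASTACCEPT=Yes and UNTRACKED without RAW_TABLE, whereas the manpage text added by this commit states the default is plainly NEW,ESTABLISHED,INVALID,UNTRACKED, so either the code or the text should say which it is. get_configuration continues outside the hunk.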

@ -764,7 +764,7 @@ sub add_common_rules ( $ ) {
my $chain; my $chain;
my $dynamicref; my $dynamicref;
my @state = $config{BLACKLISTNEWONLY} ? have_capability( 'RAW_TABLE' ) ? state_imatch 'NEW,INVALID,UNTRACKED' : state_imatch 'NEW,INVALID' : (); my @state = state_imatch( $globals{BLACKLIST_STATES} );
my $faststate = $config{RELATED_DISPOSITION} eq 'ACCEPT' && $config{RELATED_LOG_LEVEL} eq '' ? 'ESTABLISHED,RELATED' : 'ESTABLISHED'; my $faststate = $config{RELATED_DISPOSITION} eq 'ACCEPT' && $config{RELATED_LOG_LEVEL} eq '' ? 'ESTABLISHED,RELATED' : 'ESTABLISHED';
my $level = $config{BLACKLIST_LOGLEVEL}; my $level = $config{BLACKLIST_LOGLEVEL};
my $rejectref = $filter_table->{reject}; my $rejectref = $filter_table->{reject};

@ -2384,14 +2384,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
$auxref = new_chain 'filter', $auxchain; $auxref = new_chain 'filter', $auxchain;
if ( $blacklist ) { if ( $blacklist ) {
if ( $config{BLACKLISTNEWONLY} ) { @state = state_imatch( $globals{BLACKLIST_STATES} );
if ( have_capability 'RAW_TABLE' ) {
@state = state_imatch( 'NEW,INVALID,UNTRACKED' );
} else {
@state = state_imatch( 'NEW,INVALID' );
}
}
$auxref->{blacklistsection} = 1; $auxref->{blacklistsection} = 1;
} elsif ( $section == INVALID_SECTION ) { } elsif ( $section == INVALID_SECTION ) {
@state = state_imatch( 'INVALID' ); @state = state_imatch( 'INVALID' );

@ -128,7 +128,7 @@ AUTOHELPERS=Yes
AUTOMAKE=No AUTOMAKE=No
BLACKLISTNEWONLY=Yes BLACKLIST="NEW,INVALID,UNTRACKED"
CLAMPMSS=No CLAMPMSS=No

@ -139,7 +139,7 @@ AUTOHELPERS=Yes
AUTOMAKE=No AUTOMAKE=No
BLACKLISTNEWONLY=Yes BLACKLIST="NEW,INVALID,UNTRACKED"
CLAMPMSS=No CLAMPMSS=No

@ -137,7 +137,7 @@ AUTOHELPERS=Yes
AUTOMAKE=No AUTOMAKE=No
BLACKLISTNEWONLY=Yes BLACKLIST="NEW,INVALID,UNTRACKED"
CLAMPMSS=Yes CLAMPMSS=Yes

@ -140,7 +140,7 @@ AUTOHELPERS=Yes
AUTOMAKE=No AUTOMAKE=No
BLACKLISTNEWONLY=Yes BLACKLIST="NEW,INVALID,UNTRACKED"
CLAMPMSS=Yes CLAMPMSS=Yes

@ -128,7 +128,7 @@ AUTOHELPERS=Yes
AUTOMAKE=No AUTOMAKE=No
BLACKLISTNEWONLY=Yes BLACKLIST="NEW,INVALID,UNTRACKED"
CLAMPMSS=No CLAMPMSS=No

@ -372,6 +372,28 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">BLACKLIST=</emphasis>[{<emphasis
role="bold">ALL</emphasis>|<emphasis
role="bold"><replaceable>state</replaceable>[,...]</emphasis>}]</term>
<listitem>
<para>where state is one of NEW, ESTABLISHED, RELATED, INVALID,or
UNTRACKED.</para>
<para>Added in Shorewall 4.5.13 to replace the BLACKLISTNEWONLY
option below. Specifies the connection tracking states that are to
be subject to blacklist screening. If neither BLACKLIST nor
BLACKLISTNEWONLY are specified then the states subject to
blacklisting are NEW,ESTABLISHED,INVALID,UNTRACKED.</para>
<para>ALL sends all packets through the blacklist chains.</para>
<para>Note: The ESTABLISHED state may not be specified if FASTACCEPT
is specified.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis <term><emphasis
role="bold">BLACKLIST_DISPOSITION=</emphasis>[<emphasis role="bold">BLACKLIST_DISPOSITION=</emphasis>[<emphasis
@ -422,6 +444,9 @@
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term> role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
<listitem> <listitem>
<para>Deprecated in Shorewall 4.5.13 in favor of BLACKLIST
above.</para>
<para>When set to <emphasis role="bold">Yes</emphasis> or <emphasis <para>When set to <emphasis role="bold">Yes</emphasis> or <emphasis
role="bold">yes</emphasis>, blacklists are only consulted for new role="bold">yes</emphasis>, blacklists are only consulted for new
connections and for packets in the INVALID connection state (such as connections and for packets in the INVALID connection state (such as

@ -121,7 +121,7 @@ AUTOHELPERS=Yes
AUTOMAKE=No AUTOMAKE=No
BLACKLISTNEWONLY=Yes BLACKLIST="NEW,INVALID,UNTRACKED"
CLAMPMSS=No CLAMPMSS=No

@ -121,7 +121,7 @@ AUTOHELPERS=Yes
AUTOMAKE=No AUTOMAKE=No
BLACKLISTNEWONLY=Yes BLACKLIST="NEW,INVALID,UNTRACKED"
CLAMPMSS=No CLAMPMSS=No

@ -121,7 +121,7 @@ AUTOHELPERS=Yes
AUTOMAKE=No AUTOMAKE=No
BLACKLISTNEWONLY=Yes BLACKLIST="NEW,INVALID,UNTRACKED"
CLAMPMSS=No CLAMPMSS=No

@ -121,7 +121,7 @@ AUTOHELPERS=Yes
AUTOMAKE=No AUTOMAKE=No
BLACKLISTNEWONLY=Yes BLACKLIST="NEW,INVALID,UNTRACKED"
CLAMPMSS=No CLAMPMSS=No

@ -121,7 +121,7 @@ AUTOHELPERS=Yes
AUTOMAKE=No AUTOMAKE=No
BLACKLISTNEWONLY=Yes BLACKLIST="NEW,INVALID,UNTRACKED"
CLAMPMSS=No CLAMPMSS=No

@ -309,6 +309,26 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">BLACKLIST=</emphasis>[{<emphasis
role="bold">ALL</emphasis>|<emphasis
role="bold"><replaceable>state</replaceable>[,...]</emphasis>}]</term>
<listitem>
<para>where state is one of NEW, ESTABLISHED, RELATED, INVALID,or
UNTRACKED.</para>
<para>Added in Shorewall 4.5.13 to replace the BLACKLISTNEWONLY
option below. Specifies the connection tracking states that are to
be subject to blacklist screening. If neither BLACKLIST nor
BLACKLISTNEWONLY are specified then the states subject to
blacklisting are NEW,ESTABLISHED,INVALID,UNTRACKED.</para>
<para>Note: The ESTABLISHED state may not be specified if FASTACCEPT
is specified.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis <term><emphasis
role="bold">BLACKLIST_DISPOSITION=</emphasis>[<emphasis role="bold">BLACKLIST_DISPOSITION=</emphasis>[<emphasis
@ -354,6 +374,9 @@
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term> role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
<listitem> <listitem>
<para>Deprecated in Shorewall 4.5.13 in favor of BLACKLIST
above.</para>
<para>When set to <emphasis role="bold">Yes</emphasis> or <emphasis <para>When set to <emphasis role="bold">Yes</emphasis> or <emphasis
role="bold">yes</emphasis>, blacklists are only consulted for new role="bold">yes</emphasis>, blacklists are only consulted for new
connections, for packets in the INVALID connection state (such as a connections, for packets in the INVALID connection state (such as a