On 09/11/2012 05:14 PM, Mr Dash Four wrote:
1) Multiple UID/GIDs separated by commas may now be given in the
USER/GROUP column of the rules files.
That works a treat, thank you.
2) A warning message is now issued if the 'blacklist' option is
specified for a zone (the 'blacklist' option has been deprecated
for several releases).
That doesn't seem to be working as expected - if I have "blacklist"
defined in any of my zones, and even if I do not have blacklist (but
do have blrules), blacklst/blackout chains are still created (and
they are empty!) alongside the "new" ~blacklist0/~blacklist1, which
isn't what is needed.
(Surprisingly large) patch attached.
3) Shorewall-init now compiles the Shorewall and Shorewall6
firewall scripts if they don't exist when needed.
I'll go through this later as I need to prepare a small test case,
but looking at the init script, $PRODUCT compile is executed, which
is promising.
Thanks.
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm
index 53e4b59..7d83fa6 100644
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -204,25 +204,24 @@ sub setup_blacklist() {
my $target = $disposition eq 'REJECT' ? 'reject' : $disposition;
my $orig_target = $target;
- #
- # We go ahead and generate the blacklist chains and jump to them, even if they turn out to be empty. That is necessary
- # for 'refresh' to work properly.
- #
- if ( @$zones || @$zones1 ) {
- $chainref = set_optflags( new_standard_chain( 'blacklst' ), DONT_OPTIMIZE | DONT_DELETE ) if @$zones;
- $chainref1 = set_optflags( new_standard_chain( 'blackout' ), DONT_OPTIMIZE | DONT_DELETE ) if @$zones1;
-
- if ( supplied $level ) {
- $target = ensure_blacklog_chain ( $target, $disposition, $level, $audit );
- } elsif ( $audit ) {
- require_capability 'AUDIT_TARGET', "BLACKLIST_DISPOSITION=$disposition", 's';
- $target = verify_audit( $disposition );
- }
- }
-
BLACKLIST:
{
if ( my $fn = open_file 'blacklist' ) {
+ #
+ # We go ahead and generate the blacklist chains and jump to them, even if they turn out to be empty. That is necessary
+ # for 'refresh' to work properly.
+ #
+ if ( @$zones || @$zones1 ) {
+ $chainref = set_optflags( new_standard_chain( 'blacklst' ), DONT_OPTIMIZE | DONT_DELETE ) if @$zones;
+ $chainref1 = set_optflags( new_standard_chain( 'blackout' ), DONT_OPTIMIZE | DONT_DELETE ) if @$zones1;
+
+ if ( supplied $level ) {
+ $target = ensure_blacklog_chain ( $target, $disposition, $level, $audit );
+ } elsif ( $audit ) {
+ require_capability 'AUDIT_TARGET', "BLACKLIST_DISPOSITION=$disposition", 's';
+ $target = verify_audit( $disposition );
+ }
+ }
my $first_entry = 1;
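Review bot: The relocated block at L56-L66 now ties chain creation to whether the blacklist file can be opened (L51), not to whether it contains any entries, so if open_file succeeds on a present-but-empty blacklist file the empty blacklst/blackout chains described in the thread would still be generated — worth confirming against open_file's return value and, if that is the case, deferring chain creation until the first entry is seen (the `$first_entry` flag at L67 already marks that point). The retained comment at L53-L54 also no longer matches the code: it still says the chains are generated regardless, whereas they are now created only when the file exists; I would reword it to `# Once a blacklist file is present we create the chains and jump to them even if they turn out to be empty, so that 'refresh' can repopulate them.` Anything later in setup_blacklist that dereferences $chainref/$chainref1 unconditionally now has to tolerate undef when no file was found; the rest of the function lies outside this hunk so I could not check.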
diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index 9bf9260..94450f6 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -2373,41 +2373,42 @@ sub classic_blacklist() {
my $zoneref = find_zone( $zone );
my $simple = @zones <= 2 && ! $zoneref->{complex};
- if ( $zoneref->{options}{in}{blacklist} ) {
- my $blackref = $filter_table->{blacklst};
- add_ijump ensure_rules_chain( rules_chain( $zone, $_ ) ) , j => $blackref , @state for firewall_zone, @vservers;
-
- if ( $simple ) {
- #
- # We won't create a zone forwarding chain for this zone so we must add blacklisting jumps to the rules chains
- #
- for my $zone1 ( @zones ) {
- my $ruleschain = rules_chain( $zone, $zone1 );
- my $ruleschainref = $filter_table->{$ruleschain};
+ if ( my $blackref = $filter_table->{blacklst} ) {
+ if ( $zoneref->{options}{in}{blacklist} ) {
+ add_ijump ensure_rules_chain( rules_chain( $zone, $_ ) ) , j => $blackref , @state for firewall_zone, @vservers;
- if ( $zone ne $zone1 || intrazone_allowed( $zone, $zoneref ) ) {
- add_ijump( ensure_rules_chain( $ruleschain ), j => $blackref, @state );
+ if ( $simple ) {
+ #
+ # We won't create a zone forwarding chain for this zone so we must add blacklisting jumps to the rules chains
+ #
+ for my $zone1 ( @zones ) {
+ my $ruleschain = rules_chain( $zone, $zone1 );
+ my $ruleschainref = $filter_table->{$ruleschain};
+
+ if ( $zone ne $zone1 || intrazone_allowed( $zone, $zoneref ) ) {
+ add_ijump( ensure_rules_chain( $ruleschain ), j => $blackref, @state );
+ }
}
}
- }
- $result = 1;
- }
+ $result = 1;
+ }
- if ( $zoneref->{options}{out}{blacklist} ) {
- my $blackref = $filter_table->{blackout};
- add_ijump ensure_rules_chain( rules_chain( firewall_zone, $zone ) ) , j => $blackref , @state;
+ if ( $zoneref->{options}{out}{blacklist} ) {
+ $blackref = $filter_table->{blackout};
+ add_ijump ensure_rules_chain( rules_chain( firewall_zone, $zone ) ) , j => $blackref , @state;
- for my $zone1 ( @zones, @vservers ) {
- my $ruleschain = rules_chain( $zone1, $zone );
- my $ruleschainref = $filter_table->{$ruleschain};
+ for my $zone1 ( @zones, @vservers ) {
+ my $ruleschain = rules_chain( $zone1, $zone );
+ my $ruleschainref = $filter_table->{$ruleschain};
- if ( ( $zone ne $zone1 || intrazone_allowed( $zone, $zoneref ) ) ) {
- add_ijump( ensure_rules_chain( $ruleschain ), j => $blackref, @state );
+ if ( ( $zone ne $zone1 || intrazone_allowed( $zone, $zoneref ) ) ) {
+ add_ijump( ensure_rules_chain( $ruleschain ), j => $blackref, @state );
+ }
}
- }
- $result = 1;
+ $result = 1;
+ }
}
unless ( $simple ) {
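Review bot: The `out` blacklist branch at L112-L125 is now nested inside the `if ( my $blackref = $filter_table->{blacklst} )` test at L86, so it is skipped whenever the blacklst chain is absent even though it jumps to blackout — and the Misc.pm hunk creates blacklst only `if @$zones` and blackout only `if @$zones1` (L57-L58), which as far as I can tell means a configuration whose zones are only outbound-blacklisted would silently lose its outbound blacklist jumps. Each direction should be gated by its own chain, which also avoids passing an undef `$blackref` to add_ijump at L114 when blackout was never created; restructure the two branches as below (classic_blacklist begins before and continues after this hunk).
```perl
    if ( $zoneref->{options}{in}{blacklist} && ( my $blackref = $filter_table->{blacklst} ) ) {
        add_ijump ensure_rules_chain( rules_chain( $zone, $_ ) ) , j => $blackref , @state for firewall_zone, @vservers;
        # … unchanged: simple-zone rules-chain jumps …
        $result = 1;
    }

    if ( $zoneref->{options}{out}{blacklist} && ( my $blackref = $filter_table->{blackout} ) ) {
        add_ijump ensure_rules_chain( rules_chain( firewall_zone, $zone ) ) , j => $blackref , @state;
        # … unchanged: per-zone rules-chain jumps …
        $result = 1;
    }
```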
@@ -2416,7 +2417,7 @@ sub classic_blacklist() {
#
my $frwd_ref = new_standard_chain zone_forward_chain( $zone );
- add_ijump( $frwd_ref , j => $filter_table->{blacklst}, @state ) if $zoneref->{options}{in}{blacklist};
+ add_ijump( $frwd_ref , j => $filter_table->{blacklst}, @state ) if $filter_table->{blacklst} && $zoneref->{options}{in}{blacklist};
}
}
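Review bot: The added `$filter_table->{blacklst} &&` guard at L137 means a zone that still carries the deprecated `blacklist` option but has no blacklist file gets no jump from its forward chain at all, and nothing at this site records that the omission is intentional. Since the thread states a deprecation warning is already emitted for the zone option, a one-line comment would stop the next reader from treating this as a lost rule: `# No blacklist file => no blacklst chain; the zone 'blacklist' option is deprecated and a warning is issued elsewhere.` If that warning does not also say the blacklist file is absent, extending it would make the silently skipped jump visible to the administrator; classic_blacklist may continue past this hunk.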