On 05/18/2011 07:32 AM, Mr Dash Four wrote:
>
>> Please give the attached patch a try. It treats entries that begin with
>> w: (or W:) as whitelist entries.
>>
>> If you use the ipset 'whitelist' as your whitelist, then you can place
>> the following in your blacklist file:
>>
>> W:+whitelist
>>
> Thanks, I'll give it a proper go when I get back home later this
> evening. There is also something new I have been testing in the past few
> days, which I'll post the results on then.
Thanks. Attached is a better patch - it implements a 'whitelist' OPTION. Note that when 'whitelist' is given, the BLACKLIST_LOGLEVEL setting is ignored and the packet/connection is silently passed on to the rules/policies. Are there any opinions, one way or the other, on that behavior?

-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm
index f3dda3f..f147015 100644
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -247,9 +247,19 @@ sub setup_blacklist() {
$options = 'src' if $options eq '-';
- my ( $to, $from ) = ( 0, 0 );
+ my ( $to, $from, $whitelist ) = ( 0, 0, 0 );
- for ( split /,/, $options ) {
+ my @options = split_list $options, 'option';
+
+ for ( @options ) {
+ $whitelist++ if $_ eq 'whitelist';
+ }
+
+ warning_message "Duplicate 'whitelist' option ignored" if $whitelist > 1;
+
+ my $tgt = $whitelist ? 'RETURN' : $target;
+
+ for ( @options ) {
if ( $_ =~ /^(?:from|src)$/ ) {
if ( $from++ ) {
warning_message "Duplicate 'src' ignored";
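Review bot: the options are now scanned twice, once to set $whitelist (and so $tgt) and once to act on 'src'/'dst', and nothing in the hunk says why; a one-line comment above `my @options = split_list $options, 'option';` noting that $tgt must be fixed before the 'src'/'dst' branches emit their rules would save the next reader from trying to fold the two loops together. Separately, when 'whitelist' selects 'RETURN' the configured BLACKLIST_LOGLEVEL is silently dropped for that entry, as the cover note says; a warning_message here when a log level is set and 'whitelist' is given would tell an administrator why whitelisted hits never appear in the log.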
@@ -262,9 +272,9 @@ sub setup_blacklist() {
$networks,
'',
'' ,
- $target ,
+ $tgt ,
'' ,
- $target ,
+ $tgt ,
'' );
} else {
warning_message '"src" entry ignored because there are no "blacklist in" zones';
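Review bot: $tgt and $target now sit side by side in the same function and differ by three letters, which makes them easy to swap in a later edit; a name that says what it holds, such as $effective_target, would make the 'RETURN'-or-$target choice obvious at each call site. The substitution itself is consistent in this hunk: both the log-target and the final-target arguments of the 'src' rule now take $tgt.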
@@ -282,15 +292,15 @@ sub setup_blacklist() {
'',
$networks,
'' ,
- $target ,
+ $tgt ,
'' ,
- $target ,
+ $tgt ,
'' );
} else {
warning_message '"dst" entry ignored because there are no "blacklist out" zones';
}
}
- } else {
+ } elsif ( $_ ne 'whitelist' ) {
fatal_error "Invalid blacklist option($_)";
}
}
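Review bot: `} elsif ( $_ ne 'whitelist' ) {` is a double negative that hides the fact that 'whitelist' is a recognised option; an explicit `} elsif ( $_ eq 'whitelist' ) {` branch (empty, or carrying the duplicate warning so that it is reported inside this loop the same way duplicate 'src' and 'dst' are) with the original `} else {` kept as the catch-all would leave the fatal_error path obvious. Also, the patch touches only Misc.pm, so the new option is not yet described in the blacklist file documentation.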
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
