From 0649e6ad70eba06d4c729b365fefaa74bd4a4904 Mon Sep 17 00:00:00 2001 
From: teastep 
Date: Sun, 5 Sep 2004 23:43:08 +0000 
Subject: [PATCH] Verify physdev match if BRIDGING=Yes 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1602 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb 
--- 
Shorewall2/changelog.txt | 2 ++ 
Shorewall2/firewall | 11 +++++++++++ 
Shorewall2/releasenotes.txt | 3 ++- 
3 files changed, 15 insertions(+), 1 deletion(-) 
diff --git a/Shorewall2/changelog.txt b/Shorewall2/changelog.txt 
index 296f08c9e..0edc5ce2d 100644 
--- a/Shorewall2/changelog.txt 
+++ b/Shorewall2/changelog.txt 
@@ -60,3 +60,5 @@ Changes since 2.0.3
 28) Apply Richard Musil's patch.
 29) Correct parsing of PROTO column in setup_tc1(). 
+ 
+30) Verify Physdev match if BRIDGING=Yes 
diff --git a/Shorewall2/firewall b/Shorewall2/firewall 
index 27191056f..64270821d 100755 
--- a/Shorewall2/firewall 
+++ b/Shorewall2/firewall 
@@ -2503,6 +2503,10 @@ check_config() {
 verify_os_version 
+ if [ -n "$BRIDGING" ]; then 
+ [ -n "$PHYSDEV_MATCH" || startup_error "BRIDGING=Yes requires Physdev Match support in your Kernel and iptables" 
+ fi 
+
 echo "Determining Zones..."
 determine_zones 
@@ -5187,11 +5191,13 @@ determine_capabilities() {
 CONNTRACK_MATCH=
 MULTIPORT=
 POLICY_MATCH= 
+ PHYSDEV_MATCH=
 if qt iptables -N fooX1234 ; then
 qt iptables -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
 qt iptables -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT && MULTIPORT=Yes
 qt iptables -A fooX1234 -m policy --pol ipsec --dir in -j ACCEPT && POLICY_MATCH=Yes 
+ qt iptables -A fooX1234 -m physdev --physdev-in eth0 -j ACCEPT && PHYSDEV_MATCH=Yes
 qt iptables -F fooX1234 
@@ -5225,6 +5231,7 @@ report_capabilities() {
 report_capability $CONNTRACK_MATCH "Connection Tracking Match"
 report_capability $PKTTYPE "Packet Type Match"
 report_capability $POLICY_MATCH "Policy Match" 
+ report_capability $PHYSDEV_MATCH "Physdev Match"
 }
 #
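Review bot: The guard added to check_config can never pass: `[ -n "$PHYSDEV_MATCH"` is missing its closing `]`, so the test command exits non-zero with a "missing ]" error and startup_error fires whenever BRIDGING is non-empty, even on a kernel and iptables that do support physdev match. The line should read `[ -n "$PHYSDEV_MATCH" ] || startup_error "BRIDGING=Yes requires Physdev Match support in your Kernel and iptables"`. The identical three lines are also added to initialize_netfilter; a single helper such as `verify_physdev_match()` called from both places would keep the two copies from drifting. The check also presumes determine_capabilities has already populated PHYSDEV_MATCH by this point in check_config — worth confirming, since an as-yet-unset variable would trip it just the same. check_config's body continues outside the hunk.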
@@ -5239,6 +5246,10 @@ initialize_netfilter () {
 report_capabilities 
+ if [ -n "$BRIDGING" ]; then 
+ [ -n "$PHYSDEV_MATCH" || startup_error "BRIDGING=Yes requires Physdev Match support in your Kernel and iptables" 
+ fi 
+
 echo "Determining Zones..."
 determine_zones 
diff --git a/Shorewall2/releasenotes.txt b/Shorewall2/releasenotes.txt 
index 0de19c214..bb730e472 100755 
--- a/Shorewall2/releasenotes.txt 
+++ b/Shorewall2/releasenotes.txt 
@@ -420,6 +420,7 @@ New Features:
 See the comments at the top of /etc/shorewall/accounting for details. 
- 
+13) Shorewall now verifies that your kernel and iptables have physdev 
+ match support if BRIDGING=Yes in shorewall.conf.
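Review bot: The test on the second added line of the initialize_netfilter hunk is unterminated — `[ -n "$PHYSDEV_MATCH" || startup_error ...` has no closing `]` before `||`, so `[` fails on its own syntax and the firewall refuses to start for every configuration with BRIDGING set, regardless of physdev support. Change it to `[ -n "$PHYSDEV_MATCH" ] || startup_error "BRIDGING=Yes requires Physdev Match support in your Kernel and iptables"`. Because this runs right after report_capabilities, PHYSDEV_MATCH has presumably been set by determine_capabilities at this point, which makes this the one place the check can actually work once the bracket is fixed. Note that `-n "$BRIDGING"` accepts any non-empty value rather than only Yes; that is fine if BRIDGING is normalized elsewhere in the script, otherwise a stray value such as No would also trigger the check. initialize_netfilter's body continues outside the hunk.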