From 150547bc354c9a2e3ca6abeac7cbb75580068010 Mon Sep 17 00:00:00 2001 From: teastep Date: Fri, 20 May 2005 20:12:09 +0000 Subject: [PATCH] Merge Crossbeam support patch git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2149 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall2/changelog.txt | 2 + Shorewall2/firewall | 119 ++++++++++++++++++++++++++++-------- Shorewall2/releasenotes.txt | 25 ++++++++ Shorewall2/shorewall.conf | 23 +++++++ 4 files changed, 145 insertions(+), 24 deletions(-) diff --git a/Shorewall2/changelog.txt b/Shorewall2/changelog.txt index efd3b843e..28a13c7e9 100644 --- a/Shorewall2/changelog.txt +++ b/Shorewall2/changelog.txt @@ -6,6 +6,8 @@ Changes in 2.3.2 3) Add support for different providers. +4) Merge patch from Juan Jesús Prieto. + Changes in 2.3.1 1) Change the behavior of SAVE_IPSETS and allow 'ipsets' files in diff --git a/Shorewall2/firewall b/Shorewall2/firewall index 79b0ef5f8..ea887d958 100755 --- a/Shorewall2/firewall +++ b/Shorewall2/firewall @@ -1484,7 +1484,15 @@ deleteallchains() { run_iptables -X } +# Create rules to accept traffic into the crossbeam backbone # +addcrossbeamrules() { + run_iptables -A INPUT -i $CROSSBEAM_BACKBONE -j ACCEPT + run_iptables -A OUTPUT -o $CROSSBEAM_BACKBONE -j ACCEPT + run_iptables -A FORWARD -i $CROSSBEAM_BACKBONE -o $CROSSBEAM_BACKBONE -j ACCEPT +} + +## # Source a user exit file if it exists # run_user_exit() # $1 = file name 
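Review bot: `$CROSSBEAM_BACKBONE` is interpolated unquoted into each `run_iptables` call in `addcrossbeamrules`, and the header comment mentions only traffic "into" the backbone although the function also accepts everything the firewall sends out of that interface and everything forwarded between backbone ports. The callers added by this commit invoke it immediately after `deleteallchains`, so the three rules land at the head of freshly flushed chains and precede every rule the rest of the build appends, which makes the backbone a completely unfiltered interface; the comment should say so. I would write the header as `# Accept all traffic on the Crossbeam backbone interface: inbound, outbound and backbone-to-backbone forwarding. Installed right after the chains are flushed, so these rules precede everything the rest of the build appends.` and quote the variable, e.g. `run_iptables -A INPUT -i "$CROSSBEAM_BACKBONE" -j ACCEPT`.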
@@ -1744,24 +1752,60 @@ stop_firewall() { [ -n "$DISABLE_IPV6" ] && disable_ipv6_1 - if [ -z "$ADMINISABSENTMINDED" ]; then - for chain in INPUT OUTPUT FORWARD; do - setpolicy $chain DROP - done + if [ -z "$CROSSBEAM" ]; then + + if [ -z "$ADMINISABSENTMINDED" ]; then + for chain in INPUT OUTPUT FORWARD; do + setpolicy $chain DROP + done + + deleteallchains + else + for chain in INPUT FORWARD; do + setpolicy $chain DROP + done + + setpolicy OUTPUT ACCEPT + + deleteallchains + + for chain in INPUT FORWARD; do + setcontinue $chain + done + fi - deleteallchains else - for chain in INPUT FORWARD; do - setpolicy $chain DROP - done - setpolicy OUTPUT ACCEPT + if [ -z "$ADMINISABSENTMINDED" ]; then + for chain in INPUT OUTPUT FORWARD; do + setpolicy $chain ACCEPT + done - deleteallchains + deleteallchains + addcrossbeamrules - for chain in INPUT FORWARD; do - setcontinue $chain - done + for chain in INPUT OUTPUT FORWARD; do + setpolicy $chain DROP + done + + else + for chain in INPUT FORWARD; do + setpolicy $chain ACCEPT + done + + setpolicy OUTPUT ACCEPT + + deleteallchains + addcrossbeamrules + + for chain in INPUT FORWARD; do + setcontinue $chain + done + + for chain in INPUT FORWARD; do + setpolicy $chain DROP + done + fi fi hosts= @@ -1822,14 +1866,14 @@ stop_firewall() { clear_firewall() { stop_firewall - run_iptables -F - - echo 1 > /proc/sys/net/ipv4/ip_forward - setpolicy INPUT ACCEPT setpolicy FORWARD ACCEPT setpolicy OUTPUT ACCEPT + run_iptables -F + + echo 1 > /proc/sys/net/ipv4/ip_forward + if qt which ip6tables; then ip6tables -P INPUT ACCEPT 2> /dev/null ip6tables -P OUTPUT ACCEPT 2> /dev/null 
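Review bot: In the new `CROSSBEAM` branch of stop_firewall the built-in chains carry an ACCEPT policy from the first `setpolicy` loop until the final DROP loop, and in between `deleteallchains` has flushed every rule, so for that interval the host accepts and forwards traffic on every interface, not only the backbone; that is the trade-off the release notes describe, but nothing in the code states it. The same window exists in the `initialize_netfilter` hunk (@@ -6425), where the chains are opened, flushed and then closed again during start. I would put a comment at the top of the branch: `# Crossbeam: open the built-in chains BEFORE flushing so the CPM never sees the system go silent; until the DROP loop below, every interface is unfiltered.` The four-way nesting could also be collapsed by choosing the initial policy once and sharing the flush and DROP steps, but that is cosmetic. stop_firewall begins before the hunk and continues after `hosts=`.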
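Review bot: The reordering in clear_firewall is not gated on `$CROSSBEAM` and carries no comment, so a later reader cannot tell why `run_iptables -F` now follows the three `setpolicy ... ACCEPT` calls instead of preceding them. Because `clear` leaves the host open anyway the final state is unchanged; what changed is that the flush no longer happens while the DROP policies left by `stop_firewall` are still in force, which would drop everything for a moment. A one-line comment above the `setpolicy` calls would preserve that reasoning: `# Set ACCEPT before flushing: with the DROP policy left by stop_firewall an empty ruleset would drop all traffic (and a Crossbeam CPM would treat the box as down).` clear_firewall continues past the hunk.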
@@ -6425,15 +6469,37 @@ initialize_netfilter () { exists_INPUT=Yes exists_OUTPUT=Yes exists_FORWARD=Yes - setpolicy INPUT DROP - setpolicy OUTPUT DROP - setpolicy FORWARD DROP + + if [ -z "$CROSSBEAM" ]; then - deleteallchains + setpolicy INPUT DROP + setpolicy OUTPUT DROP + setpolicy FORWARD DROP + + deleteallchains + + setcontinue FORWARD + setcontinue INPUT + setcontinue OUTPUT - setcontinue FORWARD - setcontinue INPUT - setcontinue OUTPUT + else + + setpolicy INPUT ACCEPT + setpolicy OUTPUT ACCEPT + setpolicy FORWARD ACCEPT + + deleteallchains + addcrossbeamrules + + setcontinue FORWARD + setcontinue INPUT + setcontinue OUTPUT + + setpolicy INPUT DROP + setpolicy OUTPUT DROP + setpolicy FORWARD DROP + + fi f=$(find_file ipsets) @@ -8004,6 +8070,8 @@ do_initialize() { RESTOREBASE= TMP_DIR= + CROSSBEAM= + CROSSBEAM_BACKBONE= ALL_INTERFACES= ROUTEMARK_INTERFACES= ROUTEMARK=256 @@ -8202,6 +8270,9 @@ do_initialize() { DROPINVALID=$(added_param_value_yes DROPINVALID $DROPINVALID) RFC1918_STRICT=$(added_param_value_no RFC1918_STRICT $RFC1918_STRICT) SAVE_IPSETS=$(added_param_value_no SAVE_IPSETS $SAVE_IPSETS) + # Check if we are on a crossbeam machine + CROSSBEAM=$(added_param_value_no CROSSBEAM $CROSSBEAM) + [ -z "$CROSSBEAM_BACKBONE" ] && CROSSBEAM_BACKBONE=eth0 # # Strip the files that we use often # diff --git a/Shorewall2/releasenotes.txt b/Shorewall2/releasenotes.txt index def1ca5e5..70b366acb 100755 --- a/Shorewall2/releasenotes.txt +++ b/Shorewall2/releasenotes.txt 
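Review bot: In the `CROSSBEAM` branch of initialize_netfilter `addcrossbeamrules` is appended before the three `setcontinue` calls and before anything the rest of the build adds to INPUT, OUTPUT and FORWARD, so every packet arriving on or leaving through `$CROSSBEAM_BACKBONE` matches the first rule of those chains and never reaches any rule generated later, including whatever protects the firewall's own INPUT. That is presumably what the Crossbeam backplane requires, but it turns `CROSSBEAM_BACKBONE` into a fully trusted interface and deserves to be stated where the rules are installed: `# Backbone rules go in first: traffic on $CROSSBEAM_BACKBONE is trusted completely and bypasses every rule built below.` The ACCEPT, flush, DROP sequence is now written out here and twice in stop_firewall; a small helper taking the list of chains to close would remove the duplication. initialize_netfilter begins before the hunk and continues after `f=$(find_file ipsets)`.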
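Review bot: `[ -z "$CROSSBEAM_BACKBONE" ] && CROSSBEAM_BACKBONE=eth0` in do_initialize silently substitutes eth0 whenever the setting is empty, regardless of `$CROSSBEAM`; with `CROSSBEAM=Yes` and a missing or mis-edited shorewall.conf the whole of eth0, on many hosts the external interface, receives the blanket ACCEPT from `addcrossbeamrules`, and neither the shorewall.conf hunk nor the release notes mention the fallback. The preceding comment is also misleading: nothing here detects Crossbeam hardware, the line only normalises a configuration option. I would replace the two lines with `# CROSSBEAM is a configuration option, not auto-detected; the backbone interface must be named explicitly when it is enabled` and `[ -n "$CROSSBEAM" -a -z "$CROSSBEAM_BACKBONE" ] && fatal_error "CROSSBEAM=Yes requires CROSSBEAM_BACKBONE"`, or at least limit the eth0 fallback to the `CROSSBEAM=Yes` case and document it. do_initialize continues past the hunk.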
@@ -318,3 +318,28 @@ New Features in version 2.4.0 GATEWAY The gateway that the packet is to be forewarded through. +5) Crossbeam Support (Thanks to Juan Jesús Prieto and the folks at + eneotecnologia.com) + + + If Shorewall is running in a Crossbeam System + (www.crossbeamsystems.com) you need to activate this directive if + you don't want the CPM to think the system is down and send a reset + signal. Also Crossbeam has a backplane chassis that needs to be + configured in such a way that it accepts all traffic. + + This change adds two new options in /etc/shorewall/shorewall.conf: + CROSSBEAM and CROSSBEAM_BACKBONE. + + If CROSSBEAM=Yes, then during a Shorewall start, restart or clear + instead of setting the default policies to DROP and then activating + established connections, Shorewall will first set the default + policies to ACCEPT, activate established connections and then set + the default policies to DROP. After that, Shorewall starts + generating the rules as usual. + + If CROSSBEAM=No, CROSSBEAM_BACKBONE is not used. If CROSSBEAM is set + to Yes, CROSSBEAM_BACKBONE indicates the device used by the + backbone. If not specified or if specified as empty (e.g., + CROSSBEAM="") then CROSSBEAM=No is assumed. + diff --git a/Shorewall2/shorewall.conf b/Shorewall2/shorewall.conf index 373987538..bd83fd91c 100755 --- a/Shorewall2/shorewall.conf +++ b/Shorewall2/shorewall.conf 
@@ -805,6 +805,29 @@ MACLIST_TTL= SAVE_IPSETS=No +# +# CROSSBEAM SUPPORT +# +# If Shorewall is running in a Crossbeam System (www.crossbeamsystems.com) you need +# to activate this directive if you don't want the CPM to think the system is down +# and send a reset signal. Also Crossbeam has a backplane chassis that needs to be +# configured in such a way that accepts all traffic. +# +# If CROSSBEAM=Yes, then during a Shorewall start, restart or clear instead of +# setting the default policies to DROP and then activating established connections, +# Shorewall will first set the default policies to ACCEPT, activate established +# connections and then set the default policies to DROP. After that, Shorewall starts +# generating the rules as usual. +# +# If CROSSBEAM=No, CROSSBEAM_BACKBONE is not used. If CROSSBEAM is set to Yes, +# CROSSBEAM_BACKBONE will indicate the device used by the backbone. +# +# If not specified or if specified as empty (e.g., CROSSBEAM="") then +# CROSSBEAM=No is assumed. + +CROSSBEAM=No +CROSSBEAM_BACKBONE=eth0 + ################################################################################ # P A C K E T D I S P O S I T I O N ################################################################################
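Review bot: The new comment block explains what an empty `CROSSBEAM` means but not what happens when `CROSSBEAM_BACKBONE` is left empty while `CROSSBEAM=Yes`, which the firewall script in this commit resolves to eth0 without any message. Adding `# If CROSSBEAM=Yes and CROSSBEAM_BACKBONE is empty, eth0 is assumed.` under the existing "If not specified" paragraph would close that gap, and `configured in such a way that accepts all traffic` should read `configured in such a way that it accepts all traffic`. Since the rules installed for the backbone interface accept everything on it in both directions, a sentence saying that the named device is treated as fully trusted would help administrators choose it carefully.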