Merge Crossbeam support patch

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2149 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2005-05-20 20:12:09 +00:00
parent 4ccedb0f10
commit 150547bc35
4 changed files with 145 additions and 24 deletions


@ -6,6 +6,8 @@ Changes in 2.3.2
3) Add support for different providers. 3) Add support for different providers.
4) Merge patch from Juan Jesús Prieto.
Changes in 2.3.1 Changes in 2.3.1
1) Change the behavior of SAVE_IPSETS and allow 'ipsets' files in 1) Change the behavior of SAVE_IPSETS and allow 'ipsets' files in


@ -1484,7 +1484,15 @@ deleteallchains() {
run_iptables -X run_iptables -X
} }
# Create rules to accept traffic into the crossbeam backbone
# #
addcrossbeamrules() {
run_iptables -A INPUT -i $CROSSBEAM_BACKBONE -j ACCEPT
run_iptables -A OUTPUT -o $CROSSBEAM_BACKBONE -j ACCEPT
run_iptables -A FORWARD -i $CROSSBEAM_BACKBONE -o $CROSSBEAM_BACKBONE -j ACCEPT
}
##
# Source a user exit file if it exists # Source a user exit file if it exists
# #
run_user_exit() # $1 = file name run_user_exit() # $1 = file name
@ -1744,24 +1752,60 @@ stop_firewall() {
[ -n "$DISABLE_IPV6" ] && disable_ipv6_1 [ -n "$DISABLE_IPV6" ] && disable_ipv6_1
if [ -z "$ADMINISABSENTMINDED" ]; then if [ -z "$CROSSBEAM" ]; then
for chain in INPUT OUTPUT FORWARD; do
setpolicy $chain DROP if [ -z "$ADMINISABSENTMINDED" ]; then
done for chain in INPUT OUTPUT FORWARD; do
setpolicy $chain DROP
done
deleteallchains
else
for chain in INPUT FORWARD; do
setpolicy $chain DROP
done
setpolicy OUTPUT ACCEPT
deleteallchains
for chain in INPUT FORWARD; do
setcontinue $chain
done
fi
deleteallchains
else else
for chain in INPUT FORWARD; do
setpolicy $chain DROP
done
setpolicy OUTPUT ACCEPT if [ -z "$ADMINISABSENTMINDED" ]; then
for chain in INPUT OUTPUT FORWARD; do
setpolicy $chain ACCEPT
done
deleteallchains deleteallchains
addcrossbeamrules
for chain in INPUT FORWARD; do for chain in INPUT OUTPUT FORWARD; do
setcontinue $chain setpolicy $chain DROP
done done
else
for chain in INPUT FORWARD; do
setpolicy $chain ACCEPT
done
setpolicy OUTPUT ACCEPT
deleteallchains
addcrossbeamrules
for chain in INPUT FORWARD; do
setcontinue $chain
done
for chain in INPUT FORWARD; do
setpolicy $chain DROP
done
fi
fi fi
hosts= hosts=
@ -1822,14 +1866,14 @@ stop_firewall() {
clear_firewall() { clear_firewall() {
stop_firewall stop_firewall
run_iptables -F
echo 1 > /proc/sys/net/ipv4/ip_forward
setpolicy INPUT ACCEPT setpolicy INPUT ACCEPT
setpolicy FORWARD ACCEPT setpolicy FORWARD ACCEPT
setpolicy OUTPUT ACCEPT setpolicy OUTPUT ACCEPT
run_iptables -F
echo 1 > /proc/sys/net/ipv4/ip_forward
if qt which ip6tables; then if qt which ip6tables; then
ip6tables -P INPUT ACCEPT 2> /dev/null ip6tables -P INPUT ACCEPT 2> /dev/null
ip6tables -P OUTPUT ACCEPT 2> /dev/null ip6tables -P OUTPUT ACCEPT 2> /dev/null
@ -6425,15 +6469,37 @@ initialize_netfilter () {
exists_INPUT=Yes exists_INPUT=Yes
exists_OUTPUT=Yes exists_OUTPUT=Yes
exists_FORWARD=Yes exists_FORWARD=Yes
setpolicy INPUT DROP
setpolicy OUTPUT DROP if [ -z "$CROSSBEAM" ]; then
setpolicy FORWARD DROP
deleteallchains setpolicy INPUT DROP
setpolicy OUTPUT DROP
setpolicy FORWARD DROP
deleteallchains
setcontinue FORWARD
setcontinue INPUT
setcontinue OUTPUT
setcontinue FORWARD else
setcontinue INPUT
setcontinue OUTPUT setpolicy INPUT ACCEPT
setpolicy OUTPUT ACCEPT
setpolicy FORWARD ACCEPT
deleteallchains
addcrossbeamrules
setcontinue FORWARD
setcontinue INPUT
setcontinue OUTPUT
setpolicy INPUT DROP
setpolicy OUTPUT DROP
setpolicy FORWARD DROP
fi
f=$(find_file ipsets) f=$(find_file ipsets)
@ -8004,6 +8070,8 @@ do_initialize() {
RESTOREBASE= RESTOREBASE=
TMP_DIR= TMP_DIR=
CROSSBEAM=
CROSSBEAM_BACKBONE=
ALL_INTERFACES= ALL_INTERFACES=
ROUTEMARK_INTERFACES= ROUTEMARK_INTERFACES=
ROUTEMARK=256 ROUTEMARK=256
@ -8202,6 +8270,9 @@ do_initialize() {
DROPINVALID=$(added_param_value_yes DROPINVALID $DROPINVALID) DROPINVALID=$(added_param_value_yes DROPINVALID $DROPINVALID)
RFC1918_STRICT=$(added_param_value_no RFC1918_STRICT $RFC1918_STRICT) RFC1918_STRICT=$(added_param_value_no RFC1918_STRICT $RFC1918_STRICT)
SAVE_IPSETS=$(added_param_value_no SAVE_IPSETS $SAVE_IPSETS) SAVE_IPSETS=$(added_param_value_no SAVE_IPSETS $SAVE_IPSETS)
# Check if we are on a crossbeam machine
CROSSBEAM=$(added_param_value_no CROSSBEAM $CROSSBEAM)
[ -z "$CROSSBEAM_BACKBONE" ] && CROSSBEAM_BACKBONE=eth0
# #
# Strip the files that we use often # Strip the files that we use often
# #
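Review bot: `[ -z "$CROSSBEAM_BACKBONE" ] && CROSSBEAM_BACKBONE=eth0` in do_initialize silently substitutes eth0 when the option is blank, and addcrossbeamrules then appends unconditional ACCEPT rules for that interface to INPUT, OUTPUT and FORWARD straight after deleteallchains, so on a CROSSBEAM=Yes host where eth0 is not the backplane the firewall opens that interface ahead of every rule it generates later, with no warning. Since the backbone name is only consulted when CROSSBEAM is set, refusing to start is the safer default, `if [ -n "$CROSSBEAM" ] && [ -z "$CROSSBEAM_BACKBONE" ]; then <STARTUP_ERROR_HELPER> "CROSSBEAM=Yes requires CROSSBEAM_BACKBONE"; fi` (substitute the script's fatal-error function), and the name could be checked against the interfaces the script already tracks before it is used. The three run_iptables calls should also quote the expansion, `-i "$CROSSBEAM_BACKBONE"`. A header comment on addcrossbeamrules stating that these rules precede all user rules and that the interface must be the isolated backplane would make that consequence visible, and the same goes for the stretch in stop_firewall and initialize_netfilter where the policies are ACCEPT and the chains are empty, which the release notes describe but the code does not comment. stop_firewall, initialize_netfilter and do_initialize each begin and end outside their hunks.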


@ -318,3 +318,28 @@ New Features in version 2.4.0
GATEWAY The gateway that the packet is to be forewarded GATEWAY The gateway that the packet is to be forewarded
through. through.
5) Crossbeam Support (Thanks to Juan Jesús Prieto and the folks at
eneotecnologia.com)
If Shorewall is running in a Crossbeam System
(www.crossbeamsystems.com) you need to activate this directive if
you don't want the CPM to think the system is down and send a reset
signal. Also Crossbeam has a backplane chassis that needs to be
configured in such a way that it accepts all traffic.
This change adds two new options in /etc/shorewall/shorewall.conf:
CROSSBEAM and CROSSBEAM_BACKBONE.
If CROSSBEAM=Yes, then during a Shorewall start, restart or clear
instead of setting the default policies to DROP and then activating
established connections, Shorewall will first set the default
policies to ACCEPT, activate established connections and then set
the default policies to DROP. After that, Shorewall starts
generating the rules as usual.
If CROSSBEAM=No, CROSSBEAM_BACKBONE is not used. If CROSSBEAM is set
to Yes, CROSSBEAM_BACKBONE indicates the device used by the
backbone. If not specified or if specified as empty (e.g.,
CROSSBEAM="") then CROSSBEAM=No is assumed.


@ -805,6 +805,29 @@ MACLIST_TTL=
SAVE_IPSETS=No SAVE_IPSETS=No
#
# CROSSBEAM SUPPORT
#
# If Shorewall is running in a Crossbeam System (www.crossbeamsystems.com) you need
# to activate this directive if you don't want the CPM to think the system is down
# and send a reset signal. Also Crossbeam has a backplane chassis that needs to be
# configured in such a way that accepts all traffic.
#
# If CROSSBEAM=Yes, then during a Shorewall start, restart or clear instead of
# setting the default policies to DROP and then activating established connections,
# Shorewall will first set the default policies to ACCEPT, activate established
# connections and then set the default policies to DROP. After that, Shorewall starts
# generating the rules as usual.
#
# If CROSSBEAM=No, CROSSBEAM_BACKBONE is not used. If CROSSBEAM is set to Yes,
# CROSSBEAM_BACKBONE will indicate the device used by the backbone.
#
# If not specified or if specified as empty (e.g., CROSSBEAM="") then
# CROSSBEAM=No is assumed.
CROSSBEAM=No
CROSSBEAM_BACKBONE=eth0
################################################################################ ################################################################################
# P A C K E T D I S P O S I T I O N # P A C K E T D I S P O S I T I O N
################################################################################ ################################################################################
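Review bot: The new comment block above CROSSBEAM_BACKBONE explains when the option is read but not what Shorewall does with it; someone choosing a value needs to know that traffic entering, leaving or forwarded on that interface is accepted by rules appended right after the chains are cleared, before anything else Shorewall generates, so it must name the Crossbeam backplane and nothing else. A line such as `# All traffic on CROSSBEAM_BACKBONE is accepted unconditionally, ahead of all other rules; set it only to the backplane device.` would close that gap. The shipped `CROSSBEAM_BACKBONE=eth0` is inert while CROSSBEAM=No, but the comment could say that the value must be confirmed before CROSSBEAM is set to Yes.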