mirror of
https://gitlab.com/shorewall/code.git
synced 2024-11-28 02:23:20 +01:00
Merge Crossbeam support patch
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2149 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
4ccedb0f10
commit
150547bc35
@ -6,6 +6,8 @@ Changes in 2.3.2
|
||||
|
||||
3) Add support for different providers.
|
||||
|
||||
4) Merge patch from Juan Jesús Prieto.
|
||||
|
||||
Changes in 2.3.1
|
||||
|
||||
1) Change the behavior of SAVE_IPSETS and allow 'ipsets' files in
|
||||
|
@ -1484,7 +1484,15 @@ deleteallchains() {
|
||||
run_iptables -X
|
||||
}
|
||||
|
||||
# Create rules to accept traffic into the crossbeam backbone
|
||||
#
|
||||
addcrossbeamrules() {
|
||||
run_iptables -A INPUT -i $CROSSBEAM_BACKBONE -j ACCEPT
|
||||
run_iptables -A OUTPUT -o $CROSSBEAM_BACKBONE -j ACCEPT
|
||||
run_iptables -A FORWARD -i $CROSSBEAM_BACKBONE -o $CROSSBEAM_BACKBONE -j ACCEPT
|
||||
}
|
||||
|
||||
##
|
||||
# Source a user exit file if it exists
|
||||
#
|
||||
run_user_exit() # $1 = file name
|
||||
@ -1744,6 +1752,8 @@ stop_firewall() {
|
||||
|
||||
[ -n "$DISABLE_IPV6" ] && disable_ipv6_1
|
||||
|
||||
if [ -z "$CROSSBEAM" ]; then
|
||||
|
||||
if [ -z "$ADMINISABSENTMINDED" ]; then
|
||||
for chain in INPUT OUTPUT FORWARD; do
|
||||
setpolicy $chain DROP
|
||||
@ -1764,6 +1774,40 @@ stop_firewall() {
|
||||
done
|
||||
fi
|
||||
|
||||
else
|
||||
|
||||
if [ -z "$ADMINISABSENTMINDED" ]; then
|
||||
for chain in INPUT OUTPUT FORWARD; do
|
||||
setpolicy $chain ACCEPT
|
||||
done
|
||||
|
||||
deleteallchains
|
||||
addcrossbeamrules
|
||||
|
||||
for chain in INPUT OUTPUT FORWARD; do
|
||||
setpolicy $chain DROP
|
||||
done
|
||||
|
||||
else
|
||||
for chain in INPUT FORWARD; do
|
||||
setpolicy $chain ACCEPT
|
||||
done
|
||||
|
||||
setpolicy OUTPUT ACCEPT
|
||||
|
||||
deleteallchains
|
||||
addcrossbeamrules
|
||||
|
||||
for chain in INPUT FORWARD; do
|
||||
setcontinue $chain
|
||||
done
|
||||
|
||||
for chain in INPUT FORWARD; do
|
||||
setpolicy $chain DROP
|
||||
done
|
||||
fi
|
||||
fi
|
||||
|
||||
hosts=
|
||||
|
||||
[ -f $TMP_DIR/routestopped ] || strip_file routestopped
|
||||
@ -1822,14 +1866,14 @@ stop_firewall() {
|
||||
clear_firewall() {
|
||||
stop_firewall
|
||||
|
||||
run_iptables -F
|
||||
|
||||
echo 1 > /proc/sys/net/ipv4/ip_forward
|
||||
|
||||
setpolicy INPUT ACCEPT
|
||||
setpolicy FORWARD ACCEPT
|
||||
setpolicy OUTPUT ACCEPT
|
||||
|
||||
run_iptables -F
|
||||
|
||||
echo 1 > /proc/sys/net/ipv4/ip_forward
|
||||
|
||||
if qt which ip6tables; then
|
||||
ip6tables -P INPUT ACCEPT 2> /dev/null
|
||||
ip6tables -P OUTPUT ACCEPT 2> /dev/null
|
||||
@ -6425,6 +6469,9 @@ initialize_netfilter () {
|
||||
exists_INPUT=Yes
|
||||
exists_OUTPUT=Yes
|
||||
exists_FORWARD=Yes
|
||||
|
||||
if [ -z "$CROSSBEAM" ]; then
|
||||
|
||||
setpolicy INPUT DROP
|
||||
setpolicy OUTPUT DROP
|
||||
setpolicy FORWARD DROP
|
||||
@ -6435,6 +6482,25 @@ initialize_netfilter () {
|
||||
setcontinue INPUT
|
||||
setcontinue OUTPUT
|
||||
|
||||
else
|
||||
|
||||
setpolicy INPUT ACCEPT
|
||||
setpolicy OUTPUT ACCEPT
|
||||
setpolicy FORWARD ACCEPT
|
||||
|
||||
deleteallchains
|
||||
addcrossbeamrules
|
||||
|
||||
setcontinue FORWARD
|
||||
setcontinue INPUT
|
||||
setcontinue OUTPUT
|
||||
|
||||
setpolicy INPUT DROP
|
||||
setpolicy OUTPUT DROP
|
||||
setpolicy FORWARD DROP
|
||||
|
||||
fi
|
||||
|
||||
f=$(find_file ipsets)
|
||||
|
||||
if [ -f $f ]; then
|
||||
@ -8004,6 +8070,8 @@ do_initialize() {
|
||||
|
||||
RESTOREBASE=
|
||||
TMP_DIR=
|
||||
CROSSBEAM=
|
||||
CROSSBEAM_BACKBONE=
|
||||
ALL_INTERFACES=
|
||||
ROUTEMARK_INTERFACES=
|
||||
ROUTEMARK=256
|
||||
@ -8202,6 +8270,9 @@ do_initialize() {
|
||||
DROPINVALID=$(added_param_value_yes DROPINVALID $DROPINVALID)
|
||||
RFC1918_STRICT=$(added_param_value_no RFC1918_STRICT $RFC1918_STRICT)
|
||||
SAVE_IPSETS=$(added_param_value_no SAVE_IPSETS $SAVE_IPSETS)
|
||||
# Check if we are on a crossbeam machine
|
||||
CROSSBEAM=$(added_param_value_no CROSSBEAM $CROSSBEAM)
|
||||
[ -z "$CROSSBEAM_BACKBONE" ] && CROSSBEAM_BACKBONE=eth0
|
||||
#
|
||||
# Strip the files that we use often
|
||||
#
|
||||
|
@ -318,3 +318,28 @@ New Features in version 2.4.0
|
||||
GATEWAY The gateway that the packet is to be forewarded
|
||||
through.
|
||||
|
||||
5) Crossbeam Support (Thanks to Juan Jesús Prieto and the folks at
|
||||
eneotecnologia.com)
|
||||
|
||||
|
||||
If Shorewall is running in a Crossbeam System
|
||||
(www.crossbeamsystems.com) you need to activate this directive if
|
||||
you don't want the CPM to think the system is down and send a reset
|
||||
signal. Also Crossbeam has a backplane chassis that needs to be
|
||||
configured in such a way that it accepts all traffic.
|
||||
|
||||
This change adds two new options in /etc/shorewall/shorewall.conf:
|
||||
CROSSBEAM and CROSSBEAM_BACKBONE.
|
||||
|
||||
If CROSSBEAM=Yes, then during a Shorewall start, restart or clear
|
||||
instead of setting the default policies to DROP and then activating
|
||||
established connections, Shorewall will first set the default
|
||||
policies to ACCEPT, activate established connections and then set
|
||||
the default policies to DROP. After that, Shorewall starts
|
||||
generating the rules as usual.
|
||||
|
||||
If CROSSBEAM=No, CROSSBEAM_BACKBONE is not used. If CROSSBEAM is set
|
||||
to Yes, CROSSBEAM_BACKBONE indicates the device used by the
|
||||
backbone. If not specified or if specified as empty (e.g.,
|
||||
CROSSBEAM="") then CROSSBEAM=No is assumed.
|
||||
|
||||
|
@ -805,6 +805,29 @@ MACLIST_TTL=
|
||||
|
||||
SAVE_IPSETS=No
|
||||
|
||||
#
|
||||
# CROSSBEAM SUPPORT
|
||||
#
|
||||
# If Shorewall is running in a Crossbeam System (www.crossbeamsystems.com) you need
|
||||
# to activate this directive if you don't want the CPM to think the system is down
|
||||
# and send a reset signal. Also Crossbeam has a backplane chassis that needs to be
|
||||
# configured in such a way that accepts all traffic.
|
||||
#
|
||||
# If CROSSBEAM=Yes, then during a Shorewall start, restart or clear instead of
|
||||
# setting the default policies to DROP and then activating established connections,
|
||||
# Shorewall will first set the default policies to ACCEPT, activate established
|
||||
# connections and then set the default policies to DROP. After that, Shorewall starts
|
||||
# generating the rules as usual.
|
||||
#
|
||||
# If CROSSBEAM=No, CROSSBEAM_BACKBONE is not used. If CROSSBEAM is set to Yes,
|
||||
# CROSSBEAM_BACKBONE will indicate the device used by the backbone.
|
||||
#
|
||||
# If not specified or if specified as empty (e.g., CROSSBEAM="") then
|
||||
# CROSSBEAM=No is assumed.
|
||||
|
||||
CROSSBEAM=No
|
||||
CROSSBEAM_BACKBONE=eth0
|
||||
|
||||
################################################################################
|
||||
# P A C K E T D I S P O S I T I O N
|
||||
################################################################################
|
||||
|
Loading…
Reference in New Issue
Block a user