Merge Crossbeam support patch

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2149 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2005-05-20 20:12:09 +00:00
parent 4ccedb0f10
commit 150547bc35
4 changed files with 145 additions and 24 deletions


@ -6,6 +6,8 @@ Changes in 2.3.2
3) Add support for different providers.
4) Merge patch from Juan Jesús Prieto.
Changes in 2.3.1
1) Change the behavior of SAVE_IPSETS and allow 'ipsets' files in


@ -1484,7 +1484,15 @@ deleteallchains() {
run_iptables -X
}
# Create rules to accept traffic into the crossbeam backbone
#
addcrossbeamrules() {
run_iptables -A INPUT -i $CROSSBEAM_BACKBONE -j ACCEPT
run_iptables -A OUTPUT -o $CROSSBEAM_BACKBONE -j ACCEPT
run_iptables -A FORWARD -i $CROSSBEAM_BACKBONE -o $CROSSBEAM_BACKBONE -j ACCEPT
}
##
# Source a user exit file if it exists
#
run_user_exit() # $1 = file name
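Review bot: `addcrossbeamrules` unconditionally ACCEPTs every INPUT, OUTPUT and FORWARD packet on `$CROSSBEAM_BACKBONE`, and since do_initialize later defaults that variable to eth0 when it is empty, setting CROSSBEAM=Yes without naming the backbone opens eth0 completely on hosts where eth0 is a routed interface; the variable is also expanded unquoted, so a value containing whitespace would be split into extra iptables arguments. Suggest quoting the expansions, `run_iptables -A INPUT -i "$CROSSBEAM_BACKBONE" -j ACCEPT` and likewise for the OUTPUT and FORWARD lines, and extending the header comment to state that these rules bypass all filtering on that interface, so it must name only the chassis backplane. The function is called from stop_firewall and initialize_netfilter between the ACCEPT policies and the final DROP, and a short comment at those call sites noting that traffic is unfiltered during that window (which the Crossbeam design appears to require) would help the next reader. The eth0 default is not mentioned in the release note, so documenting it there as well seems worthwhile.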
@ -1744,6 +1752,8 @@ stop_firewall() {
[ -n "$DISABLE_IPV6" ] && disable_ipv6_1
if [ -z "$CROSSBEAM" ]; then
if [ -z "$ADMINISABSENTMINDED" ]; then
for chain in INPUT OUTPUT FORWARD; do
setpolicy $chain DROP
@ -1764,6 +1774,40 @@ stop_firewall() {
done
fi
else
if [ -z "$ADMINISABSENTMINDED" ]; then
for chain in INPUT OUTPUT FORWARD; do
setpolicy $chain ACCEPT
done
deleteallchains
addcrossbeamrules
for chain in INPUT OUTPUT FORWARD; do
setpolicy $chain DROP
done
else
for chain in INPUT FORWARD; do
setpolicy $chain ACCEPT
done
setpolicy OUTPUT ACCEPT
deleteallchains
addcrossbeamrules
for chain in INPUT FORWARD; do
setcontinue $chain
done
for chain in INPUT FORWARD; do
setpolicy $chain DROP
done
fi
fi
hosts=
[ -f $TMP_DIR/routestopped ] || strip_file routestopped
@ -1822,14 +1866,14 @@ stop_firewall() {
clear_firewall() {
stop_firewall
run_iptables -F
echo 1 > /proc/sys/net/ipv4/ip_forward
setpolicy INPUT ACCEPT
setpolicy FORWARD ACCEPT
setpolicy OUTPUT ACCEPT
run_iptables -F
echo 1 > /proc/sys/net/ipv4/ip_forward
if qt which ip6tables; then
ip6tables -P INPUT ACCEPT 2> /dev/null
ip6tables -P OUTPUT ACCEPT 2> /dev/null
@ -6425,6 +6469,9 @@ initialize_netfilter () {
exists_INPUT=Yes
exists_OUTPUT=Yes
exists_FORWARD=Yes
if [ -z "$CROSSBEAM" ]; then
setpolicy INPUT DROP
setpolicy OUTPUT DROP
setpolicy FORWARD DROP
@ -6435,6 +6482,25 @@ initialize_netfilter () {
setcontinue INPUT
setcontinue OUTPUT
else
setpolicy INPUT ACCEPT
setpolicy OUTPUT ACCEPT
setpolicy FORWARD ACCEPT
deleteallchains
addcrossbeamrules
setcontinue FORWARD
setcontinue INPUT
setcontinue OUTPUT
setpolicy INPUT DROP
setpolicy OUTPUT DROP
setpolicy FORWARD DROP
fi
f=$(find_file ipsets)
if [ -f $f ]; then
@ -8004,6 +8070,8 @@ do_initialize() {
RESTOREBASE=
TMP_DIR=
CROSSBEAM=
CROSSBEAM_BACKBONE=
ALL_INTERFACES=
ROUTEMARK_INTERFACES=
ROUTEMARK=256
@ -8202,6 +8270,9 @@ do_initialize() {
DROPINVALID=$(added_param_value_yes DROPINVALID $DROPINVALID)
RFC1918_STRICT=$(added_param_value_no RFC1918_STRICT $RFC1918_STRICT)
SAVE_IPSETS=$(added_param_value_no SAVE_IPSETS $SAVE_IPSETS)
# Check if we are on a crossbeam machine
CROSSBEAM=$(added_param_value_no CROSSBEAM $CROSSBEAM)
[ -z "$CROSSBEAM_BACKBONE" ] && CROSSBEAM_BACKBONE=eth0
#
# Strip the files that we use often
#


@ -318,3 +318,28 @@ New Features in version 2.4.0
GATEWAY The gateway that the packet is to be forewarded
through.
5) Crossbeam Support (Thanks to Juan Jesús Prieto and the folks at
eneotecnologia.com)
If Shorewall is running in a Crossbeam System
(www.crossbeamsystems.com) you need to activate this directive if
you don't want the CPM to think the system is down and send a reset
signal. Also Crossbeam has a backplane chassis that needs to be
configured in such a way that it accepts all traffic.
This change adds two new options in /etc/shorewall/shorewall.conf:
CROSSBEAM and CROSSBEAM_BACKBONE.
If CROSSBEAM=Yes, then during a Shorewall start, restart or clear
instead of setting the default policies to DROP and then activating
established connections, Shorewall will first set the default
policies to ACCEPT, activate established connections and then set
the default policies to DROP. After that, Shorewall starts
generating the rules as usual.
If CROSSBEAM=No, CROSSBEAM_BACKBONE is not used. If CROSSBEAM is set
to Yes, CROSSBEAM_BACKBONE indicates the device used by the
backbone. If not specified or if specified as empty (e.g.,
CROSSBEAM="") then CROSSBEAM=No is assumed.


@ -805,6 +805,29 @@ MACLIST_TTL=
SAVE_IPSETS=No
#
# CROSSBEAM SUPPORT
#
# If Shorewall is running in a Crossbeam System (www.crossbeamsystems.com) you need
# to activate this directive if you don't want the CPM to think the system is down
# and send a reset signal. Also Crossbeam has a backplane chassis that needs to be
# configured in such a way that accepts all traffic.
#
# If CROSSBEAM=Yes, then during a Shorewall start, restart or clear instead of
# setting the default policies to DROP and then activating established connections,
# Shorewall will first set the default policies to ACCEPT, activate established
# connections and then set the default policies to DROP. After that, Shorewall starts
# generating the rules as usual.
#
# If CROSSBEAM=No, CROSSBEAM_BACKBONE is not used. If CROSSBEAM is set to Yes,
# CROSSBEAM_BACKBONE will indicate the device used by the backbone.
#
# If not specified or if specified as empty (e.g., CROSSBEAM="") then
# CROSSBEAM=No is assumed.
CROSSBEAM=No
CROSSBEAM_BACKBONE=eth0
################################################################################
# P A C K E T D I S P O S I T I O N
################################################################################