Merge Crossbeam support patch

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2149 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2024-11-24 08:33:40 +01:00 · 2005-05-20 20:12:09 +00:00 · 2005-05-20 20:12:09 +00:00 · 150547bc35
commit 150547bc35
parent 4ccedb0f10
4 changed files with 145 additions and 24 deletions
--- a/Shorewall2/changelog.txt
+++ b/Shorewall2/changelog.txt
@ -6,6 +6,8 @@ Changes in 2.3.2

 3) Add support for different providers.

+4) Merge patch from Juan Jesús Prieto.
+
 Changes in 2.3.1

 1) Change the behavior of SAVE_IPSETS and allow 'ipsets' files in
--- a/Shorewall2/firewall
+++ b/Shorewall2/firewall
@ -1484,7 +1484,15 @@ deleteallchains() {
    run_iptables -X
 }

+# Create rules to accept traffic into the crossbeam backbone
 #
+addcrossbeamrules() {
+    run_iptables -A INPUT -i $CROSSBEAM_BACKBONE -j ACCEPT
+    run_iptables -A OUTPUT -o $CROSSBEAM_BACKBONE -j ACCEPT
+    run_iptables -A FORWARD -i $CROSSBEAM_BACKBONE -o $CROSSBEAM_BACKBONE -j ACCEPT
+}
+
+##
 # Source a user exit file if it exists
 #
 run_user_exit() # $1 = file name
@ -1744,24 +1752,60 @@ stop_firewall() {

    [ -n "$DISABLE_IPV6" ] && disable_ipv6_1

-    if [ -z "$ADMINISABSENTMINDED" ]; then
-	for chain in INPUT OUTPUT FORWARD; do
-	    setpolicy $chain DROP
-	done
+    if [ -z "$CROSSBEAM" ]; then
+
+       if [ -z "$ADMINISABSENTMINDED" ]; then
+           for chain in INPUT OUTPUT FORWARD; do
+               setpolicy $chain DROP
+           done
+
+           deleteallchains
+       else
+           for chain in INPUT FORWARD; do
+               setpolicy $chain DROP
+           done
+
+           setpolicy OUTPUT ACCEPT
+
+           deleteallchains
+
+           for chain in INPUT FORWARD; do
+               setcontinue $chain
+           done
+       fi

-	deleteallchains
    else
-	for chain in INPUT FORWARD; do
-	    setpolicy $chain DROP
-	done

-	setpolicy OUTPUT ACCEPT
+       if [ -z "$ADMINISABSENTMINDED" ]; then
+           for chain in INPUT OUTPUT FORWARD; do
+               setpolicy $chain ACCEPT
+           done

-	deleteallchains
+	   deleteallchains
+	   addcrossbeamrules

-	for chain in INPUT FORWARD; do
-	    setcontinue $chain
-	done
+           for chain in INPUT OUTPUT FORWARD; do
+               setpolicy $chain DROP
+           done
+
+       else
+           for chain in INPUT FORWARD; do
+               setpolicy $chain ACCEPT
+           done
+
+           setpolicy OUTPUT ACCEPT
+
+           deleteallchains
+           addcrossbeamrules
+
+           for chain in INPUT FORWARD; do
+               setcontinue $chain
+           done
+
+           for chain in INPUT FORWARD; do
+               setpolicy $chain DROP
+           done
+       fi
    fi

    hosts=
@ -1822,14 +1866,14 @@ stop_firewall() {
 clear_firewall() {
    stop_firewall

-    run_iptables -F
-
-    echo 1 > /proc/sys/net/ipv4/ip_forward
-
    setpolicy INPUT ACCEPT
    setpolicy FORWARD ACCEPT
    setpolicy OUTPUT ACCEPT

+    run_iptables -F
+
+    echo 1 > /proc/sys/net/ipv4/ip_forward
+
    if qt which ip6tables; then
 	ip6tables -P INPUT   ACCEPT 2> /dev/null
 	ip6tables -P OUTPUT  ACCEPT 2> /dev/null
@ -6425,15 +6469,37 @@ initialize_netfilter () {
    exists_INPUT=Yes
    exists_OUTPUT=Yes
    exists_FORWARD=Yes
-    setpolicy INPUT DROP
-    setpolicy OUTPUT DROP
-    setpolicy FORWARD DROP
+    
+    if [ -z "$CROSSBEAM" ]; then

-    deleteallchains
+	setpolicy INPUT DROP
+	setpolicy OUTPUT DROP
+	setpolicy FORWARD DROP
+	
+	deleteallchains
+	
+	setcontinue FORWARD
+	setcontinue INPUT
+	setcontinue OUTPUT

-    setcontinue FORWARD
-    setcontinue INPUT
-    setcontinue OUTPUT
+    else
+
+	setpolicy INPUT ACCEPT
+	setpolicy OUTPUT ACCEPT
+	setpolicy FORWARD ACCEPT
+
+	deleteallchains
+	addcrossbeamrules
+
+	setcontinue FORWARD
+	setcontinue INPUT
+	setcontinue OUTPUT
+
+	setpolicy INPUT DROP
+	setpolicy OUTPUT DROP
+	setpolicy FORWARD DROP
+
+    fi

    f=$(find_file ipsets)

@ -8004,6 +8070,8 @@ do_initialize() {

    RESTOREBASE=
    TMP_DIR=
+    CROSSBEAM=
+    CROSSBEAM_BACKBONE=
    ALL_INTERFACES=
    ROUTEMARK_INTERFACES=
    ROUTEMARK=256
@ -8202,6 +8270,9 @@ do_initialize() {
    DROPINVALID=$(added_param_value_yes DROPINVALID $DROPINVALID)
    RFC1918_STRICT=$(added_param_value_no RFC1918_STRICT $RFC1918_STRICT)
    SAVE_IPSETS=$(added_param_value_no SAVE_IPSETS $SAVE_IPSETS) 
+    # Check if we are on a crossbeam machine
+    CROSSBEAM=$(added_param_value_no CROSSBEAM $CROSSBEAM)
+    [ -z "$CROSSBEAM_BACKBONE" ]   && CROSSBEAM_BACKBONE=eth0
    #
    # Strip the files that we use often
    #
--- a/Shorewall2/releasenotes.txt
+++ b/Shorewall2/releasenotes.txt
@ -318,3 +318,28 @@ New Features in version 2.4.0
 	GATEWAY		The gateway that the packet is to be forewarded
 			through.

+5) Crossbeam Support (Thanks to Juan Jesús Prieto and the folks at
+   eneotecnologia.com)
+
+
+   If Shorewall is running in a Crossbeam System
+   (www.crossbeamsystems.com) you need to activate this directive if
+   you don't want the CPM to think the system is down and send a reset
+   signal. Also Crossbeam has a backplane chassis that needs to be
+   configured in such a way that it accepts all traffic.
+
+   This change adds two new options in /etc/shorewall/shorewall.conf:
+   CROSSBEAM and CROSSBEAM_BACKBONE.
+
+   If CROSSBEAM=Yes, then during a Shorewall start, restart or clear
+   instead of setting the default policies to DROP and then activating
+   established connections, Shorewall will first set the default
+   policies to ACCEPT, activate established connections and then set
+   the default policies to DROP. After that, Shorewall starts
+   generating the rules as usual.
+
+   If CROSSBEAM=No, CROSSBEAM_BACKBONE is not used. If CROSSBEAM is set
+   to Yes, CROSSBEAM_BACKBONE indicates the device used by the
+   backbone. If not specified or if specified as empty (e.g.,
+   CROSSBEAM="") then CROSSBEAM=No is assumed.
+
--- a/Shorewall2/shorewall.conf
+++ b/Shorewall2/shorewall.conf
@ -805,6 +805,29 @@ MACLIST_TTL=

 SAVE_IPSETS=No

+#
+# CROSSBEAM SUPPORT
+#
+# If Shorewall is running in a Crossbeam System (www.crossbeamsystems.com) you need
+# to activate this directive if you don't want the CPM to think the system is down
+# and send a reset signal. Also Crossbeam has a backplane chassis that needs to be
+# configured in such a way that accepts all traffic.
+#
+# If CROSSBEAM=Yes, then during a Shorewall start, restart or clear instead of
+# setting the default policies to DROP and then activating established connections,
+# Shorewall will first set the default policies to ACCEPT, activate established
+# connections and then set the default policies to DROP. After that, Shorewall starts
+# generating the rules as usual.
+#
+# If CROSSBEAM=No, CROSSBEAM_BACKBONE is not used. If CROSSBEAM is set to Yes,
+# CROSSBEAM_BACKBONE will indicate the device used by the backbone.
+# 
+# If not specified or if specified as empty (e.g., CROSSBEAM="") then
+# CROSSBEAM=No is assumed.
+
+CROSSBEAM=No
+CROSSBEAM_BACKBONE=eth0
+
 ################################################################################
 #                       P A C K E T   D I S P O S I T I O N
 ################################################################################