extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2024-11-22 23:53:30 +01:00
Code Issues Packages Projects Releases Wiki Activity

Allow specification of the MAC address of a gateway

Browse Source 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2014-07-06 09:54:53 -07:00
parent c72265667f
commit 2ed523101c
3 changed files with 33 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
Shorewall/Perl/Shorewall/Chains.pm
View File

@ -6723,20 +6723,25 @@ sub interface_mac( $$ ) {
# #
# Record the fact that the ruleset requires MAC address of the passed gateway IP routed out of the passed interface for the passed provider number # Record the fact that the ruleset requires MAC address of the passed gateway IP routed out of the passed interface for the passed provider number
# #
sub get_interface_mac( $$$ ) { sub get_interface_mac( $$$$ ) {
my ( $ipaddr, $logical , $table ) = @_; my ( $ipaddr, $logical , $table, $mac ) = @_;
my $interface = get_physical( $logical ); my $interface = get_physical( $logical );
my $variable = interface_mac( $interface , $table ); my $variable = interface_mac( $interface , $table );
$global_variables |= NOT_RESTORE; $global_variables |= NOT_RESTORE;
if ( interface_is_optional $logical ) { if ( $mac ) {
$interfacemacs{$table} = qq($variable=\$(find_mac $ipaddr $interface)\n); $interfacemacs{$table} = qq($variable=$mac);
} else { } else {
$interfacemacs{$table} = qq($variable=\$(find_mac $ipaddr $interface) if ( interface_is_optional $logical ) {
$interfacemacs{$table} = qq($variable=\$(find_mac $ipaddr $interface)\n);
} else {
$interfacemacs{$table} = qq($variable=\$(find_mac $ipaddr $interface)
[ -n "\$$variable" ] || startup_error "Unable to determine the MAC address of $ipaddr through interface \\"$interface\\"" [ -n "\$$variable" ] || startup_error "Unable to determine the MAC address of $ipaddr through interface \\"$interface\\""
); );
}
} }
"\$$variable"; "\$$variable";

19
Shorewall/Perl/Shorewall/Providers.pm
View File

@ -258,7 +258,7 @@ sub copy_and_edit_table( $$$$$ ) {
emit ''; emit '';
if ( $realm ) { if ( $realm ) {
emit ( "\$IP -$family -o route show table $duplicate | sed -r 's/ realm [[:alnum:]]+//' | ${filter}while read net route; do" ) emit ( "\$IP -$family -o route show table $duplicate | sed -r 's/ realm [[:alnum:]_]+//' | ${filter}while read net route; do" )
} else { } else {
emit ( "\$IP -$family -o route show table $duplicate | ${filter}while read net route; do" ) emit ( "\$IP -$family -o route show table $duplicate | ${filter}while read net route; do" )
} }
@ -442,10 +442,11 @@ sub process_a_provider( $ ) {
fatal_error 'INTERFACE must be specified' if $interface eq '-'; fatal_error 'INTERFACE must be specified' if $interface eq '-';
( $interface, my $address ) = split /:/, $interface; ( $interface, my $address ) = split /:/, $interface, 2;
my $shared = 0; my $shared = 0;
my $noautosrc = 0; my $noautosrc = 0;
my $mac = '';
if ( defined $address ) { if ( defined $address ) {
validate_address $address, 0; validate_address $address, 0;
@ -469,7 +470,17 @@ sub process_a_provider( $ ) {
$gateway = get_interface_gateway $interface; $gateway = get_interface_gateway $interface;
$gatewaycase = 'detect'; $gatewaycase = 'detect';
} elsif ( $gateway && $gateway ne '-' ) { } elsif ( $gateway && $gateway ne '-' ) {
( $gateway, $mac ) = split_host_list( $gateway, 0 );
validate_address $gateway, 0; validate_address $gateway, 0;
if ( defined $mac ) {
$mac =~ tr/-/:/;
$mac =~ s/^~//;
fatal_error "Invalid MAC address ($mac)" unless $mac =~ /^(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$/;
} else {
$mac = '';
}
$gatewaycase = 'specified'; $gatewaycase = 'specified';
} else { } else {
$gatewaycase = 'none'; $gatewaycase = 'none';
@ -644,6 +655,7 @@ sub process_a_provider( $ ) {
loose => $loose , loose => $loose ,
duplicate => $duplicate , duplicate => $duplicate ,
address => $address , address => $address ,
mac => $mac ,
local => $local , local => $local ,
tproxy => $tproxy , tproxy => $tproxy ,
load => $load , load => $load ,
@ -720,6 +732,7 @@ sub add_a_provider( $$ ) {
my $loose = $providerref->{loose}; my $loose = $providerref->{loose};
my $duplicate = $providerref->{duplicate}; my $duplicate = $providerref->{duplicate};
my $address = $providerref->{address}; my $address = $providerref->{address};
my $mac = $providerref->{mac};
my $local = $providerref->{local}; my $local = $providerref->{local};
my $tproxy = $providerref->{tproxy}; my $tproxy = $providerref->{tproxy};
my $load = $providerref->{load}; my $load = $providerref->{load};
@ -733,7 +746,7 @@ sub add_a_provider( $$ ) {
my $realm = ''; my $realm = '';
if ( $shared ) { if ( $shared ) {
my $variable = $providers{$table}{mac} = get_interface_mac( $gateway, $interface , $table ); my $variable = $providers{$table}{mac} = get_interface_mac( $gateway, $interface , $table, $mac );
$realm = "realm $number"; $realm = "realm $number";
start_provider( $label , $table, $number, $id, qq(if interface_is_usable $physical && [ -n "$variable" ]; then) ); start_provider( $label , $table, $number, $id, qq(if interface_is_usable $physical && [ -n "$variable" ]; then) );
} elsif ( $pseudo ) { } elsif ( $pseudo ) {

8
Shorewall/manpages/shorewall-providers.xml
View File

@ -129,11 +129,15 @@
<varlistentry> <varlistentry>
<term><emphasis role="bold">GATEWAY</emphasis> - {<emphasis <term><emphasis role="bold">GATEWAY</emphasis> - {<emphasis
role="bold">-</emphasis>|<emphasis>address</emphasis>|<emphasis role="bold">-</emphasis>|<emphasis>address</emphasis>[,<emphasis>mac</emphasis>]|<emphasis
role="bold">detect</emphasis>}</term> role="bold">detect</emphasis>}</term>
<listitem> <listitem>
<para>The IP address of the provider's gateway router.</para> <para>The IP address of the provider's gateway router. Beginning
with Shorewall 4.6.2, you may also specify the MAC address of the
gateway when there are multiple providers serviced through the same
interface. When the MAC is not specified, Shorewall will detect the
MAC during firewall start or restart.</para>
<para>You can enter "detect" here and Shorewall will attempt to <para>You can enter "detect" here and Shorewall will attempt to
detect the gateway automatically.</para> detect the gateway automatically.</para>