Fix 'add' and 'delete' with bridging

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1776 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2004-11-27 16:12:14 +00:00
parent 335766fc0b
commit 43583a9eb4
3 changed files with 49 additions and 15 deletions


@ -152,3 +152,5 @@ Changes since 2.0.3
73) Fixed some bugs in Tuomas's patch. 73) Fixed some bugs in Tuomas's patch.
74) Correct bug in "shorewall add" 74) Correct bug in "shorewall add"
75) Correct bridge handling in "shorewall add" and "shorewall delete"


@ -181,6 +181,17 @@ run_iptables2() {
} }
#
# Quietly run iptables
#
qt_iptables() {
[ -n "$BRIDGING" ] && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev
[ -n "$IPRANGE_MATCH" ] && [ -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange
qt $IPTABLES $@
}
# #
# Run ip and if an error occurs, stop the firewall and quit # Run ip and if an error occurs, stop the firewall and quit
# #
@ -1756,9 +1767,14 @@ setup_ipsec() {
set_mss1() # $1 = chain, $2 = MSS set_mss1() # $1 = chain, $2 = MSS
{ {
eval local policy=\$${1}_policy eval local policy=\$${1}_policy
if [ "$policy" != NONE -a "$COMMAND" != add ]; then
if [ "$policy" != NONE ]; then
case $COMMAND in
start|restart)
ensurechain $1 ensurechain $1
run_iptables -I $1 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $2 run_iptables -I $1 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $2
;;
esac
fi fi
} }
# #
@ -6622,6 +6638,9 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
do_iptables() # $@ = command do_iptables() # $@ = command
{ {
[ -n "$BRIDGING" ] && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev
[ -n "$IPRANGE_MATCH" ] && [ -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange
if ! $IPTABLES $@ ; then if ! $IPTABLES $@ ; then
startup_error "Can't add $1 to zone $2" startup_error "Can't add $1 to zone $2"
fi fi
@ -6630,7 +6649,7 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
# #
# Isolate interface and host parts # Isolate interface and host parts
# #
interface=${1%:*} interface=${1%%:*}
host=${1#*:} host=${1#*:}
[ -z "$host" ] && host="0.0.0.0/0" [ -z "$host" ] && host="0.0.0.0/0"
@ -6735,7 +6754,7 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
while read z1 z2 chain; do while read z1 z2 chain; do
if [ "$z1" = "$zone" ]; then if [ "$z1" = "$zone" ]; then
if [ "$z2" = "$FW" ]; then if [ "$z2" = "$FW" ]; then
do_iptables -A $(dynamic_in $interface) $(source_ip_range $host) $policyin -j $chain do_iptables -A $(dynamic_in $interface) $(match_source_hosts $host) $policyin -j $chain
else else
source_chain=$(dynamic_fwd $interface) source_chain=$(dynamic_fwd $interface)
eval dest_hosts=\"\$${z2}_hosts\" eval dest_hosts=\"\$${z2}_hosts\"
@ -6745,7 +6764,7 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
hosts=${h#*:} hosts=${h#*:}
if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
do_iptables -A $source_chain $(source_ip_range $host) -o $iface $(match_dest_hosts $hosts) $policyout -j $chain do_iptables -A $source_chain $(match_source_hosts $host) -o $iface $(match_dest_hosts $hosts) $policyout -j $chain
fi fi
done done
fi fi
@ -6754,7 +6773,7 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
# #
# Add a rule to the dynamic out chain for the interface # Add a rule to the dynamic out chain for the interface
# #
do_iptables -A $(dynamic_out $interface) $(dest_ip_range $host) $policyout -j $chain do_iptables -A $(dynamic_out $interface) $(match_dest_hosts $host) $policyout -j $chain
else else
eval source_hosts=\"\$${z1}_hosts\" eval source_hosts=\"\$${z1}_hosts\"
@ -6763,7 +6782,7 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
hosts=${h#*:} hosts=${h#*:}
if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
do_iptables -A $(dynamic_fwd $iface) $rulenum $(match_source_hosts $hosts) -o $interface $(dest_ip_range $host) $policyout -j $chain do_iptables -A $(dynamic_fwd $iface) $rulenum $(match_source_hosts $hosts) -o $interface $(match_dest_hosts $host) $policyout -j $chain
fi fi
done done
fi fi
@ -6809,7 +6828,7 @@ delete_from_zone() # $1 = <interface>[:<hosts>] $2 = zone
# #
# Isolate interface and host parts # Isolate interface and host parts
# #
interface=${1%:*} interface=${1%%:*}
host=${1#*:} host=${1#*:}
[ -z "$host" ] && host="0.0.0.0/0" [ -z "$host" ] && host="0.0.0.0/0"
@ -6878,14 +6897,14 @@ delete_from_zone() # $1 = <interface>[:<hosts>] $2 = zone
# #
# Delete any nat table entries for the host(s) # Delete any nat table entries for the host(s)
# #
qt $IPTABLES -t nat -D $(dynamic_in $interface) $(source_ip_range $host) $policyin -j ${zone}_dnat qt_iptables -t nat -D $(dynamic_in $interface) $(source_ip_range $host) $policyin -j ${zone}_dnat
# #
# Delete rules rules the input chains for the passed interface # Delete rules rules the input chains for the passed interface
# #
while read z1 z2 chain; do while read z1 z2 chain; do
if [ "$z1" = "$zone" ]; then if [ "$z1" = "$zone" ]; then
if [ "$z2" = "$FW" ]; then if [ "$z2" = "$FW" ]; then
qt $IPTABLES -D $(dynamic_in $interface) $(source_ip_range $host) $policyin -j $chain qt_iptables -D $(dynamic_in $interface) $(source_ip_range $host) $policyin -j $chain
else else
source_chain=$(dynamic_fwd $interface) source_chain=$(dynamic_fwd $interface)
eval dest_hosts=\"\$${z2}_hosts\" eval dest_hosts=\"\$${z2}_hosts\"
@ -6895,13 +6914,13 @@ delete_from_zone() # $1 = <interface>[:<hosts>] $2 = zone
hosts=${h#*:} hosts=${h#*:}
if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
qt $IPTABLES -D $source_chain $(source_ip_range $host) -o $iface $(match_dest_hosts $hosts) $policyout -j $chain qt_iptables -D $source_chain $(source_ip_range $host) -o $iface $(match_dest_hosts $hosts) $policyout -j $chain
fi fi
done done
fi fi
elif [ "$z2" = "$zone" ]; then elif [ "$z2" = "$zone" ]; then
if [ "$z1" = "$FW" ]; then if [ "$z1" = "$FW" ]; then
qt $IPTABLES -D $(dynamic_out $interface) $(dest_ip_range $host) $policyout -j $chain qt_iptables -D $(dynamic_out $interface) $(dest_ip_range $host) $policyout -j $chain
else else
eval source_hosts=\"\$${z1}_hosts\" eval source_hosts=\"\$${z1}_hosts\"
@ -6910,7 +6929,7 @@ delete_from_zone() # $1 = <interface>[:<hosts>] $2 = zone
hosts=${h#*:} hosts=${h#*:}
if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
qt $IPTABLES -D $(dynamic_fwd $iface) $(match_source_hosts $hosts) -o $interface $(dest_ip_range $host) $policyout -j $chain qt_iptables -D $(dynamic_fwd $iface) $(match_source_hosts $hosts) -o $interface $(dest_ip_range $host) $policyout -j $chain
fi fi
done done
fi fi
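Review bot: The -D rules in delete_from_zone (the -6878, -6895 and -6910 hunks) still build their host matches with `$(source_ip_range $host)` and `$(dest_ip_range $host)`, whereas the corresponding inserts in add_to_zone were switched in this commit to `$(match_source_hosts $host)` and `$(match_dest_hosts $host)`; on the delete side only the `qt` → `qt_iptables` wrapper changed. With the new `interface=${1%%:*}` split, `$host` for the bridged form `br0:eth2:192.168.1.3` is `eth2:192.168.1.3`, so if the match_* helpers are what emit the physdev match for that form, the delete rules will not be byte-identical to the inserted ones and `iptables -D` will fail to remove them — silently, because qt discards the error. The delete lines should mirror add_to_zone, e.g. `qt_iptables -D $(dynamic_in $interface) $(match_source_hosts $host) $policyin -j $chain` and `-o $interface $(match_dest_hosts $host)` in the fwd/out branches; the nat `-D ... -j ${zone}_dnat` line presumably needs the same treatment if its insert counterpart uses match_source_hosts. delete_from_zone starts and ends outside these hunks.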


@ -1,4 +1,4 @@
Shorewall 2.2.0-Beta6 Shorewall 2.2.0-Beta7
---------------------------------------------------------------------- ----------------------------------------------------------------------
Problems Corrected since 2.0.3 Problems Corrected since 2.0.3
@ -141,6 +141,19 @@ Problems corrected since 2.2.0 Beta 5:
2) A 'chain already exists' error occurs on "shorewall add" if you are 2) A 'chain already exists' error occurs on "shorewall add" if you are
using the 'mss' option in the ipsec file. using the 'mss' option in the ipsec file.
Problems corrected since 2.2.0 Beta 6:
1) The "shorewall add" and "shorewall delete" commands now work in a
bridged environment. The syntax is:
shorewall add <interface>[:<port>]:<address> <zone>
shorewall delete <interface>[:<port>]:<address> <zone>
Examples:
shorewall add br0:eth2:192.168.1.3 OK
shorewall delete br0:eth2:192.168.1.3 OK
----------------------------------------------------------------------- -----------------------------------------------------------------------
Issues when migrating from Shorewall 2.0 to Shorewall 2.1: Issues when migrating from Shorewall 2.0 to Shorewall 2.1: