mirror of
https://gitlab.com/shorewall/code.git
synced 2024-11-23 16:13:18 +01:00
Fix 'add' and 'delete' with bridging
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1776 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
335766fc0b
commit
43583a9eb4
@ -152,3 +152,5 @@ Changes since 2.0.3
|
|||||||
73) Fixed some bugs in Tuomas's patch.
|
73) Fixed some bugs in Tuomas's patch.
|
||||||
|
|
||||||
74) Correct bug in "shorewall add"
|
74) Correct bug in "shorewall add"
|
||||||
|
|
||||||
|
75) Correct bridge handling in "shorewall add" and "shorewall delete"
|
||||||
|
@ -181,6 +181,17 @@ run_iptables2() {
|
|||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Quietly run iptables
|
||||||
|
#
|
||||||
|
qt_iptables() {
|
||||||
|
|
||||||
|
[ -n "$BRIDGING" ] && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev
|
||||||
|
[ -n "$IPRANGE_MATCH" ] && [ -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange
|
||||||
|
|
||||||
|
qt $IPTABLES $@
|
||||||
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
# Run ip and if an error occurs, stop the firewall and quit
|
# Run ip and if an error occurs, stop the firewall and quit
|
||||||
#
|
#
|
||||||
@ -1756,9 +1767,14 @@ setup_ipsec() {
|
|||||||
set_mss1() # $1 = chain, $2 = MSS
|
set_mss1() # $1 = chain, $2 = MSS
|
||||||
{
|
{
|
||||||
eval local policy=\$${1}_policy
|
eval local policy=\$${1}_policy
|
||||||
if [ "$policy" != NONE -a "$COMMAND" != add ]; then
|
|
||||||
|
if [ "$policy" != NONE ]; then
|
||||||
|
case $COMMAND in
|
||||||
|
start|restart)
|
||||||
ensurechain $1
|
ensurechain $1
|
||||||
run_iptables -I $1 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $2
|
run_iptables -I $1 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $2
|
||||||
|
;;
|
||||||
|
esac
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
#
|
#
|
||||||
@ -6622,6 +6638,9 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
|
|||||||
|
|
||||||
do_iptables() # $@ = command
|
do_iptables() # $@ = command
|
||||||
{
|
{
|
||||||
|
[ -n "$BRIDGING" ] && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev
|
||||||
|
[ -n "$IPRANGE_MATCH" ] && [ -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange
|
||||||
|
|
||||||
if ! $IPTABLES $@ ; then
|
if ! $IPTABLES $@ ; then
|
||||||
startup_error "Can't add $1 to zone $2"
|
startup_error "Can't add $1 to zone $2"
|
||||||
fi
|
fi
|
||||||
@ -6630,7 +6649,7 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
|
|||||||
#
|
#
|
||||||
# Isolate interface and host parts
|
# Isolate interface and host parts
|
||||||
#
|
#
|
||||||
interface=${1%:*}
|
interface=${1%%:*}
|
||||||
host=${1#*:}
|
host=${1#*:}
|
||||||
|
|
||||||
[ -z "$host" ] && host="0.0.0.0/0"
|
[ -z "$host" ] && host="0.0.0.0/0"
|
||||||
@ -6735,7 +6754,7 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
|
|||||||
while read z1 z2 chain; do
|
while read z1 z2 chain; do
|
||||||
if [ "$z1" = "$zone" ]; then
|
if [ "$z1" = "$zone" ]; then
|
||||||
if [ "$z2" = "$FW" ]; then
|
if [ "$z2" = "$FW" ]; then
|
||||||
do_iptables -A $(dynamic_in $interface) $(source_ip_range $host) $policyin -j $chain
|
do_iptables -A $(dynamic_in $interface) $(match_source_hosts $host) $policyin -j $chain
|
||||||
else
|
else
|
||||||
source_chain=$(dynamic_fwd $interface)
|
source_chain=$(dynamic_fwd $interface)
|
||||||
eval dest_hosts=\"\$${z2}_hosts\"
|
eval dest_hosts=\"\$${z2}_hosts\"
|
||||||
@ -6745,7 +6764,7 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
|
|||||||
hosts=${h#*:}
|
hosts=${h#*:}
|
||||||
|
|
||||||
if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
|
if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
|
||||||
do_iptables -A $source_chain $(source_ip_range $host) -o $iface $(match_dest_hosts $hosts) $policyout -j $chain
|
do_iptables -A $source_chain $(match_source_hosts $host) -o $iface $(match_dest_hosts $hosts) $policyout -j $chain
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
@ -6754,7 +6773,7 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
|
|||||||
#
|
#
|
||||||
# Add a rule to the dynamic out chain for the interface
|
# Add a rule to the dynamic out chain for the interface
|
||||||
#
|
#
|
||||||
do_iptables -A $(dynamic_out $interface) $(dest_ip_range $host) $policyout -j $chain
|
do_iptables -A $(dynamic_out $interface) $(match_dest_hosts $host) $policyout -j $chain
|
||||||
else
|
else
|
||||||
eval source_hosts=\"\$${z1}_hosts\"
|
eval source_hosts=\"\$${z1}_hosts\"
|
||||||
|
|
||||||
@ -6763,7 +6782,7 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
|
|||||||
hosts=${h#*:}
|
hosts=${h#*:}
|
||||||
|
|
||||||
if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
|
if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
|
||||||
do_iptables -A $(dynamic_fwd $iface) $rulenum $(match_source_hosts $hosts) -o $interface $(dest_ip_range $host) $policyout -j $chain
|
do_iptables -A $(dynamic_fwd $iface) $rulenum $(match_source_hosts $hosts) -o $interface $(match_dest_hosts $host) $policyout -j $chain
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
@ -6809,7 +6828,7 @@ delete_from_zone() # $1 = <interface>[:<hosts>] $2 = zone
|
|||||||
#
|
#
|
||||||
# Isolate interface and host parts
|
# Isolate interface and host parts
|
||||||
#
|
#
|
||||||
interface=${1%:*}
|
interface=${1%%:*}
|
||||||
host=${1#*:}
|
host=${1#*:}
|
||||||
|
|
||||||
[ -z "$host" ] && host="0.0.0.0/0"
|
[ -z "$host" ] && host="0.0.0.0/0"
|
||||||
@ -6878,14 +6897,14 @@ delete_from_zone() # $1 = <interface>[:<hosts>] $2 = zone
|
|||||||
#
|
#
|
||||||
# Delete any nat table entries for the host(s)
|
# Delete any nat table entries for the host(s)
|
||||||
#
|
#
|
||||||
qt $IPTABLES -t nat -D $(dynamic_in $interface) $(source_ip_range $host) $policyin -j ${zone}_dnat
|
qt_iptables -t nat -D $(dynamic_in $interface) $(source_ip_range $host) $policyin -j ${zone}_dnat
|
||||||
#
|
#
|
||||||
# Delete rules rules the input chains for the passed interface
|
# Delete rules rules the input chains for the passed interface
|
||||||
#
|
#
|
||||||
while read z1 z2 chain; do
|
while read z1 z2 chain; do
|
||||||
if [ "$z1" = "$zone" ]; then
|
if [ "$z1" = "$zone" ]; then
|
||||||
if [ "$z2" = "$FW" ]; then
|
if [ "$z2" = "$FW" ]; then
|
||||||
qt $IPTABLES -D $(dynamic_in $interface) $(source_ip_range $host) $policyin -j $chain
|
qt_iptables -D $(dynamic_in $interface) $(source_ip_range $host) $policyin -j $chain
|
||||||
else
|
else
|
||||||
source_chain=$(dynamic_fwd $interface)
|
source_chain=$(dynamic_fwd $interface)
|
||||||
eval dest_hosts=\"\$${z2}_hosts\"
|
eval dest_hosts=\"\$${z2}_hosts\"
|
||||||
@ -6895,13 +6914,13 @@ delete_from_zone() # $1 = <interface>[:<hosts>] $2 = zone
|
|||||||
hosts=${h#*:}
|
hosts=${h#*:}
|
||||||
|
|
||||||
if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
|
if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
|
||||||
qt $IPTABLES -D $source_chain $(source_ip_range $host) -o $iface $(match_dest_hosts $hosts) $policyout -j $chain
|
qt_iptables -D $source_chain $(source_ip_range $host) -o $iface $(match_dest_hosts $hosts) $policyout -j $chain
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
elif [ "$z2" = "$zone" ]; then
|
elif [ "$z2" = "$zone" ]; then
|
||||||
if [ "$z1" = "$FW" ]; then
|
if [ "$z1" = "$FW" ]; then
|
||||||
qt $IPTABLES -D $(dynamic_out $interface) $(dest_ip_range $host) $policyout -j $chain
|
qt_iptables -D $(dynamic_out $interface) $(dest_ip_range $host) $policyout -j $chain
|
||||||
else
|
else
|
||||||
eval source_hosts=\"\$${z1}_hosts\"
|
eval source_hosts=\"\$${z1}_hosts\"
|
||||||
|
|
||||||
@ -6910,7 +6929,7 @@ delete_from_zone() # $1 = <interface>[:<hosts>] $2 = zone
|
|||||||
hosts=${h#*:}
|
hosts=${h#*:}
|
||||||
|
|
||||||
if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
|
if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
|
||||||
qt $IPTABLES -D $(dynamic_fwd $iface) $(match_source_hosts $hosts) -o $interface $(dest_ip_range $host) $policyout -j $chain
|
qt_iptables -D $(dynamic_fwd $iface) $(match_source_hosts $hosts) -o $interface $(dest_ip_range $host) $policyout -j $chain
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
Shorewall 2.2.0-Beta6
|
Shorewall 2.2.0-Beta7
|
||||||
|
|
||||||
----------------------------------------------------------------------
|
----------------------------------------------------------------------
|
||||||
Problems Corrected since 2.0.3
|
Problems Corrected since 2.0.3
|
||||||
@ -141,6 +141,19 @@ Problems corrected since 2.2.0 Beta 5:
|
|||||||
2) A 'chain already exists' error occurs on "shorewall add" if you are
|
2) A 'chain already exists' error occurs on "shorewall add" if you are
|
||||||
using the 'mss' option in the ipsec file.
|
using the 'mss' option in the ipsec file.
|
||||||
|
|
||||||
|
Problems corrected since 2.2.0 Beta 6:
|
||||||
|
|
||||||
|
1) The "shorewall add" and "shorewall delete" commands now work in a
|
||||||
|
bridged environment. The syntax is:
|
||||||
|
|
||||||
|
shorewall add <interface>[:<port>]:<address> <zone>
|
||||||
|
shorewall delete <interface>[:<port>]:<address> <zone>
|
||||||
|
|
||||||
|
Examples:
|
||||||
|
|
||||||
|
shorewall add br0:eth2:192.168.1.3 OK
|
||||||
|
shorewall delete br0:eth2:192.168.1.3 OK
|
||||||
|
|
||||||
-----------------------------------------------------------------------
|
-----------------------------------------------------------------------
|
||||||
Issues when migrating from Shorewall 2.0 to Shorewall 2.1:
|
Issues when migrating from Shorewall 2.0 to Shorewall 2.1:
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user