Complete Proxy NDP implementation

Tom Eastep 2010-12-11 10:04:07 -08:00
parent c2d2a4ab65
commit 48b00d719e
8 changed files with 117 additions and 18 deletions

View File

@ -78,6 +78,8 @@ sub setup_one_proxy_arp( $$$$$$$ ) {
} }
unless ( $haveroute ) { unless ( $haveroute ) {
fatal_error "HAVEROUTE=No requires an INTERFACE" if $interface eq '-';
if ( $family == F_IPV4 ) { if ( $family == F_IPV4 ) {
emit "[ -n \"\$g_noroutes\" ] || run_ip route replace $address/32 dev $physical"; emit "[ -n \"\$g_noroutes\" ] || run_ip route replace $address/32 dev $physical";
} else { } else {
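Review bot: the new guard `fatal_error "HAVEROUTE=No requires an INTERFACE" if $interface eq '-';` fires for an empty HAVEROUTE column as well as an explicit No, because it sits inside `unless ( $haveroute )`; word the message so a user who simply left the column blank understands why ("HAVEROUTE=No (the default) requires an INTERFACE"). Also confirm that the IPv6 `else` branch which follows emits the /128 analogue of `run_ip route replace $address/32 dev $physical`, since `$physical` is only guaranteed to name a real device once this check has passed.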
@ -123,15 +125,18 @@ sub setup_proxy_arp() {
$first_entry = 0; $first_entry = 0;
} }
fatal_error "Unknown interface ($interface)" unless known_interface $interface;
fatal_error "Unknown interface ($external)" unless known_interface $external; fatal_error "Unknown interface ($external)" unless known_interface $external;
my $physical = physical_name $interface;
my $extphy = physical_name $external;
$set{$interface} = 1;
$reset{$external} = 1 unless $set{$external}; $reset{$external} = 1 unless $set{$external};
my $extphy = physical_name $external;
my $physical = '-';
if ( $interface ne '-' ) {
fatal_error "Unknown interface ($interface)" unless known_interface $interface;
$physical = physical_name $interface;
$set{$interface} = 1;
}
setup_one_proxy_arp( $address, $interface, $physical, $external, $extphy, $haveroute, $persistent ); setup_one_proxy_arp( $address, $interface, $physical, $external, $extphy, $haveroute, $persistent );
} }
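Review bot: moving `$set{$interface} = 1;` into the new `if ( $interface ne '-' )` block also reorders it relative to `$reset{$external} = 1 unless $set{$external};`, which now runs before the interface is marked as set. For an entry whose INTERFACE equals its EXTERNAL interface the old order left `$reset{$external}` untouched and the new order sets it; if that is not intended, put the `$reset{$external}` line after the `if` block to keep the previous behaviour. The sentinel in `my $physical = '-';` is passed straight into setup_one_proxy_arp, so a short comment saying that '-' is the agreed marker for "no interface" would help the next reader.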

View File

@ -58,6 +58,27 @@ Beta 1
1) Shorewall-init now handles ppp devices. 1) Shorewall-init now handles ppp devices.
2) To support proxy NDP in a manner similar to Proxy ARP, an
/etc/shorewall6/proxyndp file has been added. It should be noted
that IPv6 implements a "strong host model" whereas Linux IPv4
implements a "weak host model". In the strong model, IP addresses
are associated with interfaces; in the weak model, they are
associated with the host. This is relevant with respect to Proxy
NDP in that a multi-homed Linux IPv6 host will only respond to
neighbor discoverey requests for IPv6 addresses configured on the
interface receiving the request. So if eth0 has address
2001:470:b:227::44/128 and eth1 has address 2001:470:b:227::1/64
then in order for eth1 to respond to neighbor discovery requests
for 2001:470:b:227::44, the following entry in
/etc/shorewall6/proxyndp is required:
#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
2001:470:b:227::44 - eth1 Yes
As part of this change, the INTERFACE column in
/etc/shorewall/proxyarp is now optional and is only required when
HAVEROUTE=No (the default).
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
I V. R E L E A S E 4 . 4 H I G H L I G H T S I V. R E L E A S E 4 . 4 H I G H L I G H T S
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
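Review bot: "neighbor discoverey requests" should read "neighbor discovery requests". The example entry sets HAVEROUTE to Yes but the text never says why; one sentence noting that 2001:470:b:227::44 is already configured on eth0, so no route needs to be added and the INTERFACE column can therefore be '-', would make the example self-explanatory. The closing paragraph says the INTERFACE column in /etc/shorewall/proxyarp is now optional; state that the same applies to /etc/shorewall6/proxyndp, since that is exactly what the example above relies on.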

View File

@ -633,12 +633,32 @@ fi
# #
# Install the Scfilter file # Install the Scfilter file
# #
run_install $OWNERSHIP -m 0644 tcclear ${DESTDIR}/usr/share/shorewall6/configfiles/scfilter run_install $OWNERSHIP -m 0644 scfilter ${DESTDIR}/usr/share/shorewall6/configfiles/scfilter
if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/scfilter ]; then if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/scfilter ]; then
run_install $OWNERSHIP -m 0600 scfilter ${DESTDIR}/etc/shorewall6/scfilter run_install $OWNERSHIP -m 0600 scfilter ${DESTDIR}/etc/shorewall6/scfilter
echo "Scfilter file installed as ${DESTDIR}/etc/shorewall6/scfilter" echo "Scfilter file installed as ${DESTDIR}/etc/shorewall6/scfilter"
fi fi
#
# Install the Providers file
#
run_install $OWNERSHIP -m 0644 providers ${DESTDIR}/usr/share/shorewall6/configfiles/providers
if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/providers ]; then
run_install $OWNERSHIP -m 0600 providers ${DESTDIR}/etc/shorewall6/providers
echo "Providers file installed as ${DESTDIR}/etc/shorewall6/providers"
fi
#
# Install the Proxyndp file
#
run_install $OWNERSHIP -m 0644 proxyndp ${DESTDIR}/usr/share/shorewall6/configfiles/proxyndp
if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/proxyndp ]; then
run_install $OWNERSHIP -m 0600 proxyndp ${DESTDIR}/etc/shorewall6/proxyndp
echo "Proxyndp file installed as ${DESTDIR}/etc/shorewall6/proxyndp"
fi
# #
# Install the Standard Actions file # Install the Standard Actions file
# #
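Review bot: besides the Proxyndp block, this hunk changes the Scfilter source filename from `tcclear` to `scfilter` and adds installation of the Providers file, neither of which is covered by the commit message "Complete Proxy NDP implementation"; mention them in the message or split them out so the history stays searchable. The Proxyndp block itself follows the surrounding pattern (0644 under /usr/share, 0600 under /etc, skipped when `$SPARSE` is set or the file already exists), which is the right treatment for a file that will hold address and interface data.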

Shorewall6/proxyndp Normal file
View File

@ -0,0 +1,9 @@
#
# Shorewall version 4 - Proxyndp File
#
# For information about entries in this file, type "man shorewall6-proxyndp"
#
# See http://shorewall.net/ProxyARP.htm for additional information.
#
##################################################################################
#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
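Review bot: the column header `#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT` gives no hint that INTERFACE may be '-' when HAVEROUTE is Yes, which is precisely the case the release notes use as their example; a one-line comment above the header would save a trip to the man page. Also the first comment line reads "Shorewall version 4 - Proxyndp File" in a shorewall6 configfile; check that it matches the wording of the other files under Shorewall6/.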

View File

@ -104,6 +104,10 @@
url="manpages6/shorewall6-providers.html">providers</ulink> - Define url="manpages6/shorewall6-providers.html">providers</ulink> - Define
routing tables, usually for multiple Internet links.</member> routing tables, usually for multiple Internet links.</member>
<member><ulink
url="manpages6/shorewall6-proxyndp.html">proxyndp</ulink> - Defines
Proxy NDP</member>
<member><ulink <member><ulink
url="manpages6/shorewall6-route_rules.html">route_rules</ulink> - url="manpages6/shorewall6-route_rules.html">route_rules</ulink> -
Define routing rules.</member> Define routing rules.</member>
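Review bot: the sibling entries use the imperative ("Define routing tables", "Define routing rules"), so "Defines Proxy NDP" should become "Define Proxy NDP" for consistency, and expanding the abbreviation once ("Proxy NDP (Neighbor Discovery Protocol)") would help readers coming from the Proxy ARP entry.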

View File

@ -300,4 +300,38 @@ shorewall start</programlisting>
<para>You want the second one by Alexey Kuznetsov.</para> <para>You want the second one by Alexey Kuznetsov.</para>
</warning> </warning>
</section> </section>
<section>
<title>IPv6 - Proxy NDP</title>
<para>The IPv6 analog of Proxy ARP is Proxy NDP (Neighbor Discovery
Protocol). Begiinning with Shorewall 4.4.16, Shorewall6 supports Proxy NDP
in a manner similar to Proxy ARP support in Shorewall:</para>
<itemizedlist>
<listitem>
<para>The configuration file is /etc/shorewall6/proxyndp (see <ulink
url="manpages6/shorewall6-proxyndp.html">shorewall6-proxyndp
</ulink>(5)).</para>
</listitem>
<listitem>
<para>The ADDRESS column of that file contains an IPv6 address.</para>
</listitem>
</itemizedlist>
<para>It should be noted that IPv6 implements a "strong host model"
whereas Linux IPv4 implements a "weak host model". In the strong model, IP
addresses are associated with interfaces; in the weak model, they are
associated with the host. This is relevant with respect to Proxy NDP in
that a multi-homed Linux IPv6 host will only respond to neighbor
discoverey requests for IPv6 addresses configured on the interface
receiving the request. So if eth0 has address 2001:470:b:227::44/128 and
eth1 has address 2001:470:b:227::1/64 then in order for eth1 to respond to
neighbor discovery requests for 2001:470:b:227::44, the following entry in
/etc/shorewall6/proxyndp is required: </para>
<programlisting>#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
2001:470:b:227::44 - eth1 Yes</programlisting>
</section>
</article> </article>
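Review bot: two typos in the new section: "Begiinning" should be "Beginning" and "discoverey" should be "discovery". The <programlisting> example shows HAVEROUTE=Yes with INTERFACE '-' but the prose never explains the pairing; add a sentence that the address is already assigned to eth0 so no route is needed (HAVEROUTE=Yes), and that INTERFACE may therefore be omitted, which is the behaviour documented in shorewall6-proxyndp(5). The itemizedlist could also state that the EXTERNAL interface is the one that will answer neighbor solicitations for ADDRESS, since that is the entire effect of an entry. There is a stray space before </para> at the end of the last paragraph.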

View File

@ -40,11 +40,14 @@
<varlistentry> <varlistentry>
<term><emphasis role="bold">INTERFACE</emphasis> - <term><emphasis role="bold">INTERFACE</emphasis> -
<emphasis>interface</emphasis></term> <emphasis>interface</emphasis> (Optional as of Shorewall
4.4.16)</term>
<listitem> <listitem>
<para>Local interface where system with the ip address in ADDRESS is <para>Local interface where system with the ip address in ADDRESS is
connected.</para> connected. This column is only required when HAVEROUTE is set to
<emphasis role="bold">No</emphasis> (<emphasis
role="bold">no</emphasis>) or is left empty.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
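Review bot: the new text says INTERFACE is optional as of 4.4.16 but not what to enter when it is omitted; the compiler tests for the literal '-', so say "enter '-' in this column". "ip address" should be "IP address", and "Local interface where system with the ip address in ADDRESS is connected" reads better as "Local interface to which the system with the IP address in ADDRESS is connected".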
@ -132,12 +135,13 @@
url="http://shorewall.net/ProxyARP.htm">http://shorewall.net/ProxyARP.htm</ulink></para> url="http://shorewall.net/ProxyARP.htm">http://shorewall.net/ProxyARP.htm</ulink></para>
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5), <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5), shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5), shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
shorewall-netmap(5), shorewall-params(5), shorewall-policy(5), shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
shorewall-providers(5), shorewall-route_rules(5), shorewall-policy(5), shorewall-providers(5), shorewall-route_rules(5),
shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5), shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5), shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para> shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
shorewall-zones(5)</para>
</refsect1> </refsect1>
</refentry> </refentry>
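Review bot: this hunk only reflows the SEE ALSO list, but while the lines are being touched, "shorewall_interfaces(5)" should be "shorewall-interfaces(5)" to match the hyphenated names around it.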

View File

@ -41,11 +41,13 @@
<varlistentry> <varlistentry>
<term><emphasis role="bold">INTERFACE</emphasis> - <term><emphasis role="bold">INTERFACE</emphasis> -
<emphasis>interface</emphasis></term> <emphasis>interface</emphasis> (Optional)</term>
<listitem> <listitem>
<para>Local interface where system with the ip address in ADDRESS is <para>Local interface where system with the ip address in ADDRESS is
connected.</para> connected. Only required when the HAVEROUTE column is left empty or
is set to <emphasis role="bold">no</emphasis> or <emphasis
role="bold">No</emphasis>. </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
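Review bot: same point as in the proxyarp man page: state that '-' is the value to enter when INTERFACE is omitted, and change "ip address" to "IP address". The trailing space inside `<emphasis role="bold">No</emphasis>. </para>` should be removed.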