Complete Proxy NDP implementation
This commit is contained in:
parent
c2d2a4ab65
commit
48b00d719e
@ -78,6 +78,8 @@ sub setup_one_proxy_arp( $$$$$$$ ) {
|
||||
}
|
||||
|
||||
unless ( $haveroute ) {
|
||||
fatal_error "HAVEROUTE=No requires an INTERFACE" if $interface eq '-';
|
||||
|
||||
if ( $family == F_IPV4 ) {
|
||||
emit "[ -n \"\$g_noroutes\" ] || run_ip route replace $address/32 dev $physical";
|
||||
} else {
|
||||
@ -123,15 +125,18 @@ sub setup_proxy_arp() {
|
||||
$first_entry = 0;
|
||||
}
|
||||
|
||||
fatal_error "Unknown interface ($interface)" unless known_interface $interface;
|
||||
fatal_error "Unknown interface ($external)" unless known_interface $external;
|
||||
|
||||
my $physical = physical_name $interface;
|
||||
my $extphy = physical_name $external;
|
||||
|
||||
$set{$interface} = 1;
|
||||
$reset{$external} = 1 unless $set{$external};
|
||||
|
||||
my $extphy = physical_name $external;
|
||||
my $physical = '-';
|
||||
|
||||
if ( $interface ne '-' ) {
|
||||
fatal_error "Unknown interface ($interface)" unless known_interface $interface;
|
||||
$physical = physical_name $interface;
|
||||
$set{$interface} = 1;
|
||||
}
|
||||
|
||||
setup_one_proxy_arp( $address, $interface, $physical, $external, $extphy, $haveroute, $persistent );
|
||||
}
|
||||
|
||||
|
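Review bot: With the new `my $physical = '-';` default in setup_proxy_arp, a row with HAVEROUTE=Yes and no INTERFACE now passes the literal `-` into setup_one_proxy_arp, and the only guard shown is the `fatal_error` inside `unless ( $haveroute )` in the first hunk; the rest of that function's body lies outside the hunk, so any other `dev $physical` emission there needs to be confirmed safe for `-`. The reordering also moves `$reset{$external} = 1 unless $set{$external};` ahead of `$set{$interface} = 1;`, which changes the outcome only when INTERFACE and EXTERNAL name the same interface — presumably not a supported configuration, but worth a one-line comment if intentional. Finally, `emit "[ -n \"\$g_noroutes\" ] || run_ip route replace $address/32 dev $physical";` interpolates both values verbatim into the generated script; since the validation of `$address` is not visible here, a comment such as `# $address and $physical are validated by the caller before they reach the generated script` would document that assumption. Both enclosing subs start and end outside the hunks.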
@ -58,6 +58,27 @@ Beta 1
|
||||
|
||||
1) Shorewall-init now handles ppp devices.
|
||||
|
||||
2) To support proxy NDP in a manner similar to Proxy ARP, an
|
||||
/etc/shorewall6/proxyndp file has been added. It should be noted
|
||||
that IPv6 implements a "strong host model" whereas Linux IPv4
|
||||
implements a "weak host model". In the strong model, IP addresses
|
||||
are associated with interfaces; in the weak model, they are
|
||||
associated with the host. This is relevant with respect to Proxy
|
||||
NDP in that a multi-homed Linux IPv6 host will only respond to
|
||||
neighbor discoverey requests for IPv6 addresses configured on the
|
||||
interface receiving the request. So if eth0 has address
|
||||
2001:470:b:227::44/128 and eth1 has address 2001:470:b:227::1/64
|
||||
then in order for eth1 to respond to neighbor discovery requests
|
||||
for 2001:470:b:227::44, the following entry in
|
||||
/etc/shorewall6/proxyndp is required:
|
||||
|
||||
#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
|
||||
2001:470:b:227::44 - eth1 Yes
|
||||
|
||||
As part of this change, the INTERFACE column in
|
||||
/etc/shorewall/proxyarp is now optional and is only required when
|
||||
HAVEROUTE=No (the default).
|
||||
|
||||
----------------------------------------------------------------------------
|
||||
I V. R E L E A S E 4 . 4 H I G H L I G H T S
|
||||
----------------------------------------------------------------------------
|
||||
|
@ -633,12 +633,32 @@ fi
|
||||
#
|
||||
# Install the Scfilter file
|
||||
#
|
||||
run_install $OWNERSHIP -m 0644 tcclear ${DESTDIR}/usr/share/shorewall6/configfiles/scfilter
|
||||
run_install $OWNERSHIP -m 0644 scfilter ${DESTDIR}/usr/share/shorewall6/configfiles/scfilter
|
||||
|
||||
if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/scfilter ]; then
|
||||
run_install $OWNERSHIP -m 0600 scfilter ${DESTDIR}/etc/shorewall6/scfilter
|
||||
echo "Scfilter file installed as ${DESTDIR}/etc/shorewall6/scfilter"
|
||||
fi
|
||||
|
||||
#
|
||||
# Install the Providers file
|
||||
#
|
||||
run_install $OWNERSHIP -m 0644 providers ${DESTDIR}/usr/share/shorewall6/configfiles/providers
|
||||
|
||||
if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/providers ]; then
|
||||
run_install $OWNERSHIP -m 0600 providers ${DESTDIR}/etc/shorewall6/providers
|
||||
echo "Providers file installed as ${DESTDIR}/etc/shorewall6/providers"
|
||||
fi
|
||||
#
|
||||
# Install the Proxyndp file
|
||||
#
|
||||
run_install $OWNERSHIP -m 0644 proxyndp ${DESTDIR}/usr/share/shorewall6/configfiles/proxyndp
|
||||
|
||||
if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/proxyndp ]; then
|
||||
run_install $OWNERSHIP -m 0600 proxyndp ${DESTDIR}/etc/shorewall6/proxyndp
|
||||
echo "Proxyndp file installed as ${DESTDIR}/etc/shorewall6/proxyndp"
|
||||
fi
|
||||
|
||||
#
|
||||
# Install the Standard Actions file
|
||||
#
|
||||
|
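Review bot: The new Proxyndp block begins at `#` directly after the Providers `fi` with no separating blank line, unlike every other install block in this hunk; insert an empty line before `# Install the Proxyndp file` to match the file's layout. The new test `[ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/proxyndp ]` follows the existing pattern, but `-a` is obsolescent in POSIX `test` and `${DESTDIR}` is unquoted; `[ -z "$SPARSE" ] && [ ! -f "${DESTDIR}/etc/shorewall6/proxyndp" ]` is the portable spelling, though changing it only here would be inconsistent with the surrounding blocks unless they are updated as well.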
9
Shorewall6/proxyndp
Normal file
9
Shorewall6/proxyndp
Normal file
@ -0,0 +1,9 @@
|
||||
#
|
||||
# Shorewall version 4 - Proxyndp File
|
||||
#
|
||||
# For information about entries in this file, type "man shorewall6-proxyndp"
|
||||
#
|
||||
# See http://shorewall.net/ProxyARP.htm for additional information.
|
||||
#
|
||||
##################################################################################
|
||||
#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
|
@ -104,6 +104,10 @@
|
||||
url="manpages6/shorewall6-providers.html">providers</ulink> - Define
|
||||
routing tables, usually for multiple Internet links.</member>
|
||||
|
||||
<member><ulink
|
||||
url="manpages6/shorewall6-proxyndp.html">proxyndp</ulink> - Defines
|
||||
Proxy NDP</member>
|
||||
|
||||
<member><ulink
|
||||
url="manpages6/shorewall6-route_rules.html">route_rules</ulink> -
|
||||
Define routing rules.</member>
|
||||
|
@ -300,4 +300,38 @@ shorewall start</programlisting>
|
||||
<para>You want the second one by Alexey Kuznetsov.</para>
|
||||
</warning>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>IPv6 - Proxy NDP</title>
|
||||
|
||||
<para>The IPv6 analog of Proxy ARP is Proxy NDP (Neighbor Discovery
|
||||
Protocol). Begiinning with Shorewall 4.4.16, Shorewall6 supports Proxy NDP
|
||||
in a manner similar to Proxy ARP support in Shorewall:</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>The configuration file is /etc/shorewall6/proxyndp (see <ulink
|
||||
url="manpages6/shorewall6-proxyndp.html">shorewall6-proxyndp
|
||||
</ulink>(5)).</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>The ADDRESS column of that file contains an IPv6 address.</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para>It should be noted that IPv6 implements a "strong host model"
|
||||
whereas Linux IPv4 implements a "weak host model". In the strong model, IP
|
||||
addresses are associated with interfaces; in the weak model, they are
|
||||
associated with the host. This is relevant with respect to Proxy NDP in
|
||||
that a multi-homed Linux IPv6 host will only respond to neighbor
|
||||
discoverey requests for IPv6 addresses configured on the interface
|
||||
receiving the request. So if eth0 has address 2001:470:b:227::44/128 and
|
||||
eth1 has address 2001:470:b:227::1/64 then in order for eth1 to respond to
|
||||
neighbor discovery requests for 2001:470:b:227::44, the following entry in
|
||||
/etc/shorewall6/proxyndp is required: </para>
|
||||
|
||||
<programlisting>#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
|
||||
2001:470:b:227::44 - eth1 Yes</programlisting>
|
||||
</section>
|
||||
</article>
|
||||
|
@ -40,11 +40,14 @@
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">INTERFACE</emphasis> -
|
||||
<emphasis>interface</emphasis></term>
|
||||
<emphasis>interface</emphasis> (Optional as of Shorewall
|
||||
4.4.16)</term>
|
||||
|
||||
<listitem>
|
||||
<para>Local interface where system with the ip address in ADDRESS is
|
||||
connected.</para>
|
||||
connected. This column is only required when HAVEROUTE is set to
|
||||
<emphasis role="bold">No</emphasis> (<emphasis
|
||||
role="bold">no</emphasis>) or is left empty.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -132,12 +135,13 @@
|
||||
url="http://shorewall.net/ProxyARP.htm">http://shorewall.net/ProxyARP.htm</ulink></para>
|
||||
|
||||
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
|
||||
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
|
||||
shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
|
||||
shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
|
||||
shorewall-providers(5), shorewall-route_rules(5),
|
||||
shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
|
||||
shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
|
||||
shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
|
||||
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
|
||||
shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
|
||||
shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
|
||||
shorewall-policy(5), shorewall-providers(5), shorewall-route_rules(5),
|
||||
shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
|
||||
shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
|
||||
shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
|
||||
shorewall-zones(5)</para>
|
||||
</refsect1>
|
||||
</refentry>
|
||||
|
@ -41,11 +41,13 @@
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">INTERFACE</emphasis> -
|
||||
<emphasis>interface</emphasis></term>
|
||||
<emphasis>interface</emphasis> (Optional)</term>
|
||||
|
||||
<listitem>
|
||||
<para>Local interface where system with the ip address in ADDRESS is
|
||||
connected.</para>
|
||||
connected. Only required when the HAVEROUTE column is left empty or
|
||||
is set to <emphasis role="bold">no</emphasis> or <emphasis
|
||||
role="bold">No</emphasis>. </para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|