Enable "maclist"

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9021 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2008-12-13 16:38:55 +00:00
parent 5caaf813d0
commit 4bc7d60f36
6 changed files with 76 additions and 58 deletions


@ -1,3 +1,9 @@
Changes in Shorewall 4.3.3
1) Removed 'ecn'.
2) Enabled 'maclist'.
Changes in Shorewall 4.3.2 Changes in Shorewall 4.3.2
1) Added 'dhcp' option. 1) Added 'dhcp' option.


@ -1,4 +1,4 @@
Shorewall 4.3.2 Shorewall 4.3.3
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
R E L E A S E 4 . 3 H I G H L I G H T S R E L E A S E 4 . 3 H I G H L I G H T S
@ -12,32 +12,22 @@ Shorewall 4.3.2
- Perl 5.10 if you wish to use DNS names in your IPv6 config files. - Perl 5.10 if you wish to use DNS names in your IPv6 config files.
In that case you will also have to install Perl Socket6 support. In that case you will also have to install Perl Socket6 support.
Problems Corrected in 4.3.2 Problems Corrected in 4.3.3
1) Typos in the macro.AllowICMPs file have been corrected. None.
2) IP_FORWARDING is now correctly recognized by Shorewall-perl. Other changes in 4.3.3
3) A bug in processing of the routestopped file has been fixed. This 1) In as much as ip6tables doesn't support the ECN target, the 'ecn'
bug also affected IPv4 configurations. file has been removed and its processing disabled.
Other changes in 4.3.2 2) The 'maclist' option is now supported in /etc/shorewall6/interfaces
and in /etc/shorewall6/hosts.
1) The 'dhcp' option has been added to accomodate IPv6 DHCP (UDP ports MAC verification is not performed on the following IPv6 traffic:
546 and 547).
2) The 'allowBcast' and 'dropBcast' builtin actions have been added to a) Multicast.
Shorewall6. Respectively, they accept or silently drop packets with b) Source or destination is a link-level address (ff80::/10).
an anycast or multicast destination address.
3) The nosmurfs option has been added to
/etc/shorewall8/interfaces. The option drops incoming packets with
a source address that is an anycast or multicast addreess.
4) Multi-ISP is now enabled in Shorewall6.
5) When running the 'ip' utility, Shorewall now unconditionally
specifies the address family (-4 or -6).
Migration Issues. Migration Issues.


@ -987,18 +987,22 @@ sub compiler {
# TOS # TOS
# #
process_tos; process_tos;
#
# ECN if ( $family == F_IPV4 ) {
# #
setup_ecn if $capabilities{MANGLE_ENABLED} && $config{MANGLE_ENABLED}; # ECN
# #
# Setup Masquerading/SNAT setup_ecn if $capabilities{MANGLE_ENABLED} && $config{MANGLE_ENABLED};
# #
setup_masq; # Setup Masquerading/SNAT
#
setup_masq;
}
# #
# MACLIST Filtration # MACLIST Filtration
# #
setup_mac_lists 1 if $family == F_IPV4; setup_mac_lists 1;
# #
# Process the rules file. # Process the rules file.
# #
@ -1015,7 +1019,7 @@ sub compiler {
# #
# MACLIST Filtration again # MACLIST Filtration again
# #
setup_mac_lists 2 if $family == F_IPV4; setup_mac_lists 2;
# #
# Apply Policies # Apply Policies
# #
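Review bot: The new `if ( $family == F_IPV4 ) {` block that now encloses the ECN and masquerading steps gives no reason for skipping them under IPv6, and the commit's release notes only explain the ECN half (ip6tables has no ECN target); the masquerading exclusion is presumably because ip6tables offered no NAT support at the time, but nothing in the hunk says so. A one-line comment at the top of the block, e.g. `# IPv4 only: ip6tables has no ECN target, and SNAT/masquerading is not available for IPv6 here`, would stop a later reader from "fixing" the guard. The two `setup_mac_lists` calls losing their `if $family == F_IPV4` qualifier is consistent with the new IPv6 branch in setup_mac_lists. The body of `sub compiler` starts and ends outside this hunk.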


@ -725,8 +725,20 @@ sub setup_mac_lists( $ ) {
for my $interface ( @maclist_interfaces ) { for my $interface ( @maclist_interfaces ) {
my $chainref = new_chain $table , mac_chain $interface; my $chainref = new_chain $table , mac_chain $interface;
add_rule $chainref , '-s 0.0.0.0 -d 255.255.255.255 -p udp --dport 67:68 -j RETURN' if ( $family == F_IPV4 ) {
if ( $table eq 'mangle' ) && get_interface_option( $interface, 'dhcp' ); add_rule $chainref , '-s 0.0.0.0 -d 255.255.255.255 -p udp --dport 67:68 -j RETURN'
if $table eq 'mangle' && get_interface_option( $interface, 'dhcp');
} else {
#
# Accept any packet with a link-level source or destination address
#
add_rule $chainref , '-s ff80::/10 -j RETURN';
add_rule $chainref , '-d ff80::/10 -j RETURN';
#
# Accept Multicast
#
add_rule $chainref , '-d ff00::/10 -j RETURN';
}
if ( $ttl ) { if ( $ttl ) {
my $chain1ref = new_chain $table, macrecent_target $interface; my $chain1ref = new_chain $table, macrecent_target $interface;
@ -806,26 +818,27 @@ sub setup_mac_lists( $ ) {
} }
} }
} else { } else {
for my $interface ( @maclist_interfaces ) { if ( $family == F_IPV4 ) {
my $chainref = $chain_table{$table}{( $ttl ? macrecent_target $interface : mac_chain $interface )}; for my $interface ( @maclist_interfaces ) {
my $chain = $chainref->{name}; my $chainref = $chain_table{$table}{( $ttl ? macrecent_target $interface : mac_chain $interface )};
my $chain = $chainref->{name};
if ( $level ne '' || $disposition ne 'ACCEPT' ) { if ( $level ne '' || $disposition ne 'ACCEPT' ) {
my $variable = get_interface_addresses source_port_to_bridge( $interface ); my $variable = get_interface_addresses source_port_to_bridge( $interface );
if ( $capabilities{ADDRTYPE} ) { if ( $capabilities{ADDRTYPE} ) {
add_commands( $chainref, add_commands( $chainref,
"for address in $variable; do", "for address in $variable; do",
" echo \"-A $chainref->{name} -s \$address -m addrtype --dst-type BROADCAST -j RETURN\" >&3", " echo \"-A $chainref->{name} -s \$address -m addrtype --dst-type BROADCAST -j RETURN\" >&3",
" echo \"-A $chainref->{name} -s \$address -d 224.0.0.0/4 -j RETURN\" >&3", " echo \"-A $chainref->{name} -s \$address -d 224.0.0.0/4 -j RETURN\" >&3",
'done' ); 'done' );
} else { } else {
my $bridge = source_port_to_bridge( $interface ); my $bridge = source_port_to_bridge( $interface );
my $bridgeref = find_interface( $bridge ); my $bridgeref = find_interface( $bridge );
add_commands( $chainref,
"for address in $variable; do" );
add_commands( $chainref,
"for address in $variable; do" );
if ( $family == F_IPV4 ) {
if ( $bridgeref->{broadcasts} ) { if ( $bridgeref->{broadcasts} ) {
for my $address ( @{$bridgeref->{broadcasts}}, '255.255.255.255' ) { for my $address ( @{$bridgeref->{broadcasts}}, '255.255.255.255' ) {
add_commands( $chainref , add_commands( $chainref ,
@ -841,13 +854,6 @@ sub setup_mac_lists( $ ) {
} }
add_commands( $chainref, " echo \"-A $chainref->{name} -s \$address -d 224.0.0.0/4 -j RETURN\" >&3" ); add_commands( $chainref, " echo \"-A $chainref->{name} -s \$address -d 224.0.0.0/4 -j RETURN\" >&3" );
} else {
my $variable1 = get_interface_bcasts $bridge;
add_commands( $chainref,
" for address1 in $variable1; do" ,
" echo \"-A $chainref->{name} -s \$address -d \$address1 -j RETURN\" >&3",
" done" );
} }
add_command( $chainref, 'done' ); add_command( $chainref, 'done' );
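Review bot: The new IPv6 branch in the first hunk exempts the wrong prefixes from MAC verification: `ff80::/10` is not the link-local range (that is `fe80::/10`; `ff80::/10` lies inside the multicast block), and `ff00::/10` covers only part of the multicast block `ff00::/8`. As written, link-local sources and destinations (neighbour discovery, DHCPv6) still pass through the MAC check while an unrelated slice of multicast bypasses it, and the release notes in this commit repeat the `ff80::/10` value. The three rules should read `add_rule $chainref , '-s fe80::/10 -j RETURN';`, `add_rule $chainref , '-d fe80::/10 -j RETURN';` and `add_rule $chainref , '-d ff00::/8 -j RETURN';`. In the second hunk the inner `if ( $family == F_IPV4 ) {` appears to sit inside the outer `if ( $family == F_IPV4 )` added at the head of the else branch, which would make it redundant; worth confirming, since indentation is lost in this view. `setup_mac_lists` begins and ends outside these hunks.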


@ -628,6 +628,7 @@ sub validate_interfaces_file( $ )
%validoptions = ( blacklist => SIMPLE_IF_OPTION, %validoptions = ( blacklist => SIMPLE_IF_OPTION,
bridge => SIMPLE_IF_OPTION, bridge => SIMPLE_IF_OPTION,
dhcp => SIMPLE_IF_OPTION, dhcp => SIMPLE_IF_OPTION,
maclist => SIMPLE_IF_OPTION,
nosmurfs => SIMPLE_IF_OPTION, nosmurfs => SIMPLE_IF_OPTION,
optional => SIMPLE_IF_OPTION, optional => SIMPLE_IF_OPTION,
routeback => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY, routeback => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY,
@ -983,6 +984,7 @@ sub validate_hosts_file()
} else { } else {
%validoptions = ( %validoptions = (
blacklist => 1, blacklist => 1,
maclist => 1,
routeback => 1, routeback => 1,
tcpflags => 1, tcpflags => 1,
); );

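--- /dev/null
+++ b/Shorewall6/maclist
@@ -0,0 +1,10 @@
+#
+# Shorewall version 4 - Maclist file
+#
+# For information about entries in this file, type "man shorewall-maclist"
+#
+# For additional information, see http://shorewall.net/MAC_Validation.html
+#
+###############################################################################
+#DISPOSITION INTERFACE MAC IP ADDRESSES (Optional)
+#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE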
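Review bot: The header of the new Shorewall6/maclist template points users at `man shorewall-maclist`, which is the IPv4 manual page; since this file lives under Shorewall6 and the option is being enabled for /etc/shorewall6, the reference presumably should be `man shorewall6-maclist`, if that page exists in this tree. The "Shorewall version 4 - Maclist file" title line and the MAC_Validation.html link look copied from the IPv4 template as well, so they are worth a quick check for IPv6-specific wording (for example, which address forms the IP ADDRESSES column accepts).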