mirror of
https://gitlab.com/shorewall/code.git
synced 2025-01-15 10:08:43 +01:00
Tweak new bridge code and documentation
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@6475 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep
parent
03c0e9d996
commit
4da98d2bb2
@ -73,7 +73,24 @@ Other changes in Shorewall 4.0.0 Beta 3.
|
||||
net eth0 - ...
|
||||
loc br0 - ...
|
||||
lan eth1
|
||||
vpn tap0
|
||||
vpn tap0
|
||||
|
||||
When using the /etc/shorewall/hosts file to define a bport4 zone,
|
||||
you specify only the port name:
|
||||
|
||||
Example:
|
||||
|
||||
/etc/shorewall/zones:
|
||||
|
||||
fw firewall
|
||||
net ipv4
|
||||
loc ipv4
|
||||
lan:loc bport
|
||||
vpn:loc bport
|
||||
|
||||
/etc/shorewall/hosts
|
||||
|
||||
lan eth1:192.168.2.0/24 ...
|
||||
|
||||
Migration Considerations:
|
||||
|
||||
|
||||
@ -1037,7 +1037,7 @@ sub do_tos( $ ) {
|
||||
sub match_source_dev( $ ) {
|
||||
my $interface = shift;
|
||||
my $interfaceref = $interfaces{$interface};
|
||||
if ( $interfaceref->{options}{port} ) {
|
||||
if ( $interfaceref && $interfaceref->{options}{port} ) {
|
||||
"-i $interfaceref->{bridge} -m physdev --physdev-in $interface ";
|
||||
} else {
|
||||
"-i $interface ";
|
||||
@ -1050,7 +1050,7 @@ sub match_source_dev( $ ) {
|
||||
sub match_dest_dev( $ ) {
|
||||
my $interface = shift;
|
||||
my $interfaceref = $interfaces{$interface};
|
||||
if ( $interfaceref->{options}{port} ) {
|
||||
if ( $interfaceref && $interfaceref->{options}{port} ) {
|
||||
"-o $interfaceref->{bridge} -m physdev --physdev-out $interface ";
|
||||
} else {
|
||||
"-o $interface ";
|
||||
|
||||
@ -229,7 +229,8 @@ sub validate_interfaces_file()
|
||||
$zoneref->{bridge} = $interface;
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
$interfaces{$interface}{ports}++;
|
||||
$interfaces{$port}{bridge} = $bridge = $interface;
|
||||
$interface = $port;
|
||||
} else {
|
||||
@ -246,7 +247,7 @@ sub validate_interfaces_file()
|
||||
} else {
|
||||
$interfaces{$interface}{root} = $interface;
|
||||
}
|
||||
|
||||
|
||||
unless ( $networks eq '' || $networks eq 'detect' ) {
|
||||
|
||||
for my $address ( split /,/, $networks ) {
|
||||
@ -339,7 +340,16 @@ sub validate_interfaces_file()
|
||||
for my $interface ( @ifaces ) {
|
||||
my $interfaceref = $interfaces{$interface};
|
||||
|
||||
push @interfaces, ( grep $interfaces{$_}{options}{port} && $interfaces{$_}{bridge} eq $interface, @ifaces ) if $interfaceref->{options}{bridge};
|
||||
if ( $interfaceref->{options}{bridge} ) {
|
||||
my @ports = grep $interfaces{$_}{options}{port} && $interfaces{$_}{bridge} eq $interface, @ifaces;
|
||||
|
||||
if ( @ports ) {
|
||||
push @interfaces, @ports;
|
||||
} else {
|
||||
$interfaceref->{options}{routeback} = 1; #so the bridge will work properly
|
||||
}
|
||||
}
|
||||
|
||||
push @interfaces, $interface unless $interfaceref->{options}{port};
|
||||
}
|
||||
}
|
||||
@ -356,14 +366,14 @@ sub known_interface($)
|
||||
return 1 if exists $interfaces{$interface};
|
||||
|
||||
for my $i ( @interfaces ) {
|
||||
my $val = $interfaces{$i}{root};
|
||||
my $interfaceref = $interfaces{$i};
|
||||
my $val = $interfaceref->{root};
|
||||
next if $val eq $i;
|
||||
my $len = length $val;
|
||||
if ( substr( $interface, 0, $len ) eq $val ) {
|
||||
if ( substr( $interface, 0, length $val ) eq $val ) {
|
||||
#
|
||||
# Cache this result for future reference
|
||||
#
|
||||
$interfaces{$interface} = undef;
|
||||
$interfaces{$interface} = { options => $interfaceref->{options}, bridge => $interfaceref->{bridge} };
|
||||
return 1;
|
||||
}
|
||||
}
|
||||
|
||||
@ -558,7 +558,7 @@ sub add_common_rules() {
|
||||
add_rule $filter_table->{$chain} , '-p udp --dport 67:68 -j ACCEPT';
|
||||
}
|
||||
|
||||
add_rule $filter_table->{forward_chain $interface} , "-p udp -o $interface --dport 67:68 -j ACCEPT" if $interfaces{$interface}{options}{routeback};
|
||||
add_rule $filter_table->{forward_chain $interface} , "-p udp -o $interface --dport 67:68 -j ACCEPT" if $interfaces{$interface}{options}{bridge};
|
||||
}
|
||||
}
|
||||
|
||||
@ -635,7 +635,7 @@ sub add_common_rules() {
|
||||
mark_referenced( new_chain( 'nat', 'UPnP' ) );
|
||||
|
||||
for $interface ( @$list ) {
|
||||
add_rule $nat_table->{PREROUTING} , "-i $interface -j UPnP";
|
||||
add_rule $nat_table->{PREROUTING} , match_source_dev ( $interface ) . '-j UPnP';
|
||||
}
|
||||
}
|
||||
|
||||
@ -757,7 +757,7 @@ sub setup_mac_lists( $ ) {
|
||||
add_rule $filter_table->{$chain} , "${source}-m state --state NEW ${policy}-j $target";
|
||||
}
|
||||
} else {
|
||||
add_rule $mangle_table->{PREROUTING}, "-i $interface ${source}-m state --state NEW ${policy}-j $target";
|
||||
add_rule $mangle_table->{PREROUTING}, match_source_interface( $interface ) . "${source}-m state --state NEW ${policy}-j $target";
|
||||
}
|
||||
}
|
||||
} else {
|
||||
|
||||
@ -233,7 +233,7 @@ sub determine_zones()
|
||||
} elsif ( $type =~ /^ipsec4?$/i ) {
|
||||
$zoneref->{type} = 'ipsec4';
|
||||
} elsif ( $type =~ /^bport4?$/i ) {
|
||||
fatal_error "Bridge Port zones must have a single parent zone" unless @parents == 1;
|
||||
warning_message "Bridge Port zones should have a parent zone" unless @parents;
|
||||
$zoneref->{type} = 'bport4';
|
||||
|
||||
} elsif ( $type eq 'firewall' ) {
|
||||
@ -363,7 +363,6 @@ sub dump_zone_contents()
|
||||
$entry .= " $interface:$grouplist";
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
Loading…
Reference in New Issue
Block a user