Tweak new bridge code and documentation
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@6475 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
03c0e9d996
commit
4da98d2bb2
@ -73,7 +73,24 @@ Other changes in Shorewall 4.0.0 Beta 3.
|
|||||||
net eth0 - ...
|
net eth0 - ...
|
||||||
loc br0 - ...
|
loc br0 - ...
|
||||||
lan eth1
|
lan eth1
|
||||||
vpn tap0
|
vpn tap0
|
||||||
|
|
||||||
|
When using the /etc/shorewall/hosts file to define a bport4 zone,
|
||||||
|
you specify only the port name:
|
||||||
|
|
||||||
|
Example:
|
||||||
|
|
||||||
|
/etc/shorewall/zones:
|
||||||
|
|
||||||
|
fw firewall
|
||||||
|
net ipv4
|
||||||
|
loc ipv4
|
||||||
|
lan:loc bport
|
||||||
|
vpn:loc bport
|
||||||
|
|
||||||
|
/etc/shorewall/hosts
|
||||||
|
|
||||||
|
lan eth1:192.168.2.0/24 ...
|
||||||
|
|
||||||
Migration Considerations:
|
Migration Considerations:
|
||||||
|
|
||||||
|
@ -1037,7 +1037,7 @@ sub do_tos( $ ) {
|
|||||||
sub match_source_dev( $ ) {
|
sub match_source_dev( $ ) {
|
||||||
my $interface = shift;
|
my $interface = shift;
|
||||||
my $interfaceref = $interfaces{$interface};
|
my $interfaceref = $interfaces{$interface};
|
||||||
if ( $interfaceref->{options}{port} ) {
|
if ( $interfaceref && $interfaceref->{options}{port} ) {
|
||||||
"-i $interfaceref->{bridge} -m physdev --physdev-in $interface ";
|
"-i $interfaceref->{bridge} -m physdev --physdev-in $interface ";
|
||||||
} else {
|
} else {
|
||||||
"-i $interface ";
|
"-i $interface ";
|
||||||
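Review bot: The new `$interfaceref &&` guard in match_source_dev (and the matching one in match_dest_dev in the next hunk) means an interface name with no entry in %interfaces now quietly takes the plain `-i $interface ` branch instead of being treated as a bridge port, and nothing in the hunk says whether that fallback is intended for unknown names or only for entries cached as undef by known_interface. A one-line comment on the condition, e.g. `# No %interfaces entry (or an undef cache entry): treat as a plain interface`, would make that explicit. Both subs also return a string with a trailing space that callers depend on when appending options (`match_source_dev ( $interface ) . '-j UPnP'` later in this commit); documenting that convention above each sub, e.g. `# Returns the match with a trailing space so the caller can append further options.`, protects it from being trimmed in a later edit. Both subs close outside their hunks.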
@ -1050,7 +1050,7 @@ sub match_source_dev( $ ) {
|
|||||||
sub match_dest_dev( $ ) {
|
sub match_dest_dev( $ ) {
|
||||||
my $interface = shift;
|
my $interface = shift;
|
||||||
my $interfaceref = $interfaces{$interface};
|
my $interfaceref = $interfaces{$interface};
|
||||||
if ( $interfaceref->{options}{port} ) {
|
if ( $interfaceref && $interfaceref->{options}{port} ) {
|
||||||
"-o $interfaceref->{bridge} -m physdev --physdev-out $interface ";
|
"-o $interfaceref->{bridge} -m physdev --physdev-out $interface ";
|
||||||
} else {
|
} else {
|
||||||
"-o $interface ";
|
"-o $interface ";
|
||||||
|
@ -229,7 +229,8 @@ sub validate_interfaces_file()
|
|||||||
$zoneref->{bridge} = $interface;
|
$zoneref->{bridge} = $interface;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
$interfaces{$interface}{ports}++;
|
||||||
$interfaces{$port}{bridge} = $bridge = $interface;
|
$interfaces{$port}{bridge} = $bridge = $interface;
|
||||||
$interface = $port;
|
$interface = $port;
|
||||||
} else {
|
} else {
|
||||||
@ -246,7 +247,7 @@ sub validate_interfaces_file()
|
|||||||
} else {
|
} else {
|
||||||
$interfaces{$interface}{root} = $interface;
|
$interfaces{$interface}{root} = $interface;
|
||||||
}
|
}
|
||||||
|
|
||||||
unless ( $networks eq '' || $networks eq 'detect' ) {
|
unless ( $networks eq '' || $networks eq 'detect' ) {
|
||||||
|
|
||||||
for my $address ( split /,/, $networks ) {
|
for my $address ( split /,/, $networks ) {
|
||||||
@ -339,7 +340,16 @@ sub validate_interfaces_file()
|
|||||||
for my $interface ( @ifaces ) {
|
for my $interface ( @ifaces ) {
|
||||||
my $interfaceref = $interfaces{$interface};
|
my $interfaceref = $interfaces{$interface};
|
||||||
|
|
||||||
push @interfaces, ( grep $interfaces{$_}{options}{port} && $interfaces{$_}{bridge} eq $interface, @ifaces ) if $interfaceref->{options}{bridge};
|
if ( $interfaceref->{options}{bridge} ) {
|
||||||
|
my @ports = grep $interfaces{$_}{options}{port} && $interfaces{$_}{bridge} eq $interface, @ifaces;
|
||||||
|
|
||||||
|
if ( @ports ) {
|
||||||
|
push @interfaces, @ports;
|
||||||
|
} else {
|
||||||
|
$interfaceref->{options}{routeback} = 1; #so the bridge will work properly
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
push @interfaces, $interface unless $interfaceref->{options}{port};
|
push @interfaces, $interface unless $interfaceref->{options}{port};
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -356,14 +366,14 @@ sub known_interface($)
|
|||||||
return 1 if exists $interfaces{$interface};
|
return 1 if exists $interfaces{$interface};
|
||||||
|
|
||||||
for my $i ( @interfaces ) {
|
for my $i ( @interfaces ) {
|
||||||
my $val = $interfaces{$i}{root};
|
my $interfaceref = $interfaces{$i};
|
||||||
|
my $val = $interfaceref->{root};
|
||||||
next if $val eq $i;
|
next if $val eq $i;
|
||||||
my $len = length $val;
|
if ( substr( $interface, 0, length $val ) eq $val ) {
|
||||||
if ( substr( $interface, 0, $len ) eq $val ) {
|
|
||||||
#
|
#
|
||||||
# Cache this result for future reference
|
# Cache this result for future reference
|
||||||
#
|
#
|
||||||
$interfaces{$interface} = undef;
|
$interfaces{$interface} = { options => $interfaceref->{options}, bridge => $interfaceref->{bridge} };
|
||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
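Review bot: The cache entry written in known_interface, `{ options => $interfaceref->{options}, bridge => $interfaceref->{bridge} }`, stores the wildcard record's options hashref itself rather than a copy, so the wildcard interface and every interface cached from it share one options hash and a later write through either record (the same kind of write as `$interfaceref->{options}{routeback} = 1` in the @ -339 hunk) silently changes all of them. If the records are meant to be independent, copy the hash: `options => { %{ $interfaceref->{options} } }`; if sharing is intended, say so in the "Cache this result" comment. In the @ -339 hunk, forcing `routeback` on for any bridge that has no bport zones widens what the bridge's forward chain permits without the user having set the option, which is worth a sentence in the interfaces documentation; that hunk also rescans @ifaces with a grep although the @ -229 hunk now maintains `$interfaces{$interface}{ports}`, so the count could decide the branch directly. validate_interfaces_file and known_interface both extend beyond their hunks.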
@ -558,7 +558,7 @@ sub add_common_rules() {
|
|||||||
add_rule $filter_table->{$chain} , '-p udp --dport 67:68 -j ACCEPT';
|
add_rule $filter_table->{$chain} , '-p udp --dport 67:68 -j ACCEPT';
|
||||||
}
|
}
|
||||||
|
|
||||||
add_rule $filter_table->{forward_chain $interface} , "-p udp -o $interface --dport 67:68 -j ACCEPT" if $interfaces{$interface}{options}{routeback};
|
add_rule $filter_table->{forward_chain $interface} , "-p udp -o $interface --dport 67:68 -j ACCEPT" if $interfaces{$interface}{options}{bridge};
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -635,7 +635,7 @@ sub add_common_rules() {
|
|||||||
mark_referenced( new_chain( 'nat', 'UPnP' ) );
|
mark_referenced( new_chain( 'nat', 'UPnP' ) );
|
||||||
|
|
||||||
for $interface ( @$list ) {
|
for $interface ( @$list ) {
|
||||||
add_rule $nat_table->{PREROUTING} , "-i $interface -j UPnP";
|
add_rule $nat_table->{PREROUTING} , match_source_dev ( $interface ) . '-j UPnP';
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -757,7 +757,7 @@ sub setup_mac_lists( $ ) {
|
|||||||
add_rule $filter_table->{$chain} , "${source}-m state --state NEW ${policy}-j $target";
|
add_rule $filter_table->{$chain} , "${source}-m state --state NEW ${policy}-j $target";
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
add_rule $mangle_table->{PREROUTING}, "-i $interface ${source}-m state --state NEW ${policy}-j $target";
|
add_rule $mangle_table->{PREROUTING}, match_source_interface( $interface ) . "${source}-m state --state NEW ${policy}-j $target";
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
|
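Review bot: The new PREROUTING rule calls `match_source_interface( $interface )`, while the helper this commit introduces and uses in the UPnP rule is `match_source_dev`; unless match_source_interface is defined elsewhere, this else branch will fail at run time with an undefined-subroutine error rather than at compile time, so the mismatch is easy to miss in testing. The line presumably should read `add_rule $mangle_table->{PREROUTING}, match_source_dev( $interface ) . "${source}-m state --state NEW ${policy}-j $target";`. Either way the concatenation relies on the helper's trailing space, which the call site could note with a short comment. setup_mac_lists continues outside the hunk.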
@ -233,7 +233,7 @@ sub determine_zones()
|
|||||||
} elsif ( $type =~ /^ipsec4?$/i ) {
|
} elsif ( $type =~ /^ipsec4?$/i ) {
|
||||||
$zoneref->{type} = 'ipsec4';
|
$zoneref->{type} = 'ipsec4';
|
||||||
} elsif ( $type =~ /^bport4?$/i ) {
|
} elsif ( $type =~ /^bport4?$/i ) {
|
||||||
fatal_error "Bridge Port zones must have a single parent zone" unless @parents == 1;
|
warning_message "Bridge Port zones should have a parent zone" unless @parents;
|
||||||
$zoneref->{type} = 'bport4';
|
$zoneref->{type} = 'bport4';
|
||||||
|
|
||||||
} elsif ( $type eq 'firewall' ) {
|
} elsif ( $type eq 'firewall' ) {
|
||||||
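Review bot: Replacing `fatal_error ... unless @parents == 1` with `warning_message ... unless @parents` also drops the rejection of bport4 zones declared with more than one parent, so a zone with two parents now passes with no message at all. If multiple parents are still unsupported for bridge-port zones, keep a fatal check for that case ahead of the warning, e.g. `fatal_error "Bridge Port zones must have at most one parent zone" if @parents > 1;`. The zero-parent case is now only a warning; it seems a parentless bport4 zone can still be tied to its bridge by the interfaces code in this commit (`$zoneref->{bridge} = $interface`), but if anything downstream still assumes a parent exists this should stay fatal. determine_zones continues outside the hunk.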
@ -363,7 +363,6 @@ sub dump_zone_contents()
|
|||||||
$entry .= " $interface:$grouplist";
|
$entry .= " $interface:$grouplist";
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|