Add 'physical' interface option for bridge ports

Tom Eastep 2009-11-06 08:07:13 -08:00
parent 89bdcf9a3d
commit 7014bd3ea0
5 changed files with 89 additions and 6 deletions


@ -1727,7 +1727,6 @@ sub match_source_dev( $ ) {
my $interfaceref = known_interface( $interface ); my $interfaceref = known_interface( $interface );
my $physical = $interfaceref->{physical}; my $physical = $interfaceref->{physical};
if ( $interfaceref && $interfaceref->{options}{port} ) { if ( $interfaceref && $interfaceref->{options}{port} ) {
$interface =~ s/\++/+/;
"-i $interfaceref->{bridge} -m physdev --physdev-in $physical "; "-i $interfaceref->{bridge} -m physdev --physdev-in $physical ";
} else { } else {
"-i $physical "; "-i $physical ";
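Review bot: the guard `if ( $interfaceref && $interfaceref->{options}{port} )` comes one line after `my $physical = $interfaceref->{physical};`, so the `$interfaceref` truth test can no longer protect anything: if `known_interface( $interface )` returns undef, the dereference on the preceding line already fails (or autovivifies under loose strictness) before the check runs. Either drop the `$interfaceref &&` part as dead, or move the `$physical` lookup inside the branch that has verified the reference. Removing `$interface =~ s/\++/+/;` is correct now that the emitted rule uses `$physical`, but it is worth confirming that `$physical` has already had the same `++` collapsing applied wherever it is populated, since that normalisation used to happen here.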
@ -1744,7 +1743,6 @@ sub match_dest_dev( $ ) {
my $physical = $interfaceref->{physical}; my $physical = $interfaceref->{physical};
if ( $interfaceref && $interfaceref->{options}{port} ) { if ( $interfaceref && $interfaceref->{options}{port} ) {
if ( $capabilities{PHYSDEV_BRIDGE} ) { if ( $capabilities{PHYSDEV_BRIDGE} ) {
$interface =~ s/\++/+/;
"-o $interfaceref->{bridge} -m physdev --physdev-is-bridged --physdev-out $physical "; "-o $interfaceref->{bridge} -m physdev --physdev-is-bridged --physdev-out $physical ";
} else { } else {
"-o $interfaceref->{bridge} -m physdev --physdev-out $physical "; "-o $interfaceref->{bridge} -m physdev --physdev-out $physical ";
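Review bot: same ordering issue as in match_source_dev: `my $physical = $interfaceref->{physical};` is evaluated before `if ( $interfaceref && ... )`, so the null check is ineffective and should either be removed or be moved ahead of the lookup. The `s/\++/+/` removal is consistent with the source-side change, so both halves of the physdev match now rely on the same invariant that `{physical}` is stored in already-normalised form.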


@ -144,6 +144,7 @@ our %reservedName = ( all => 1,
# bridge => <bridge> # bridge => <bridge>
# broadcasts => 'none', 'detect' or [ <addr1>, <addr2>, ... ] # broadcasts => 'none', 'detect' or [ <addr1>, <addr2>, ... ]
# number => <ordinal position in the interfaces file> # number => <ordinal position in the interfaces file>
# physical => <physical interface name>
# } # }
# } # }
# #
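Review bot: the new `# physical => <physical interface name>` comment does not say what the key holds when the `physical` option is not given. Since match_source_dev and match_dest_dev now use `$interfaceref->{physical}` unconditionally, including for non-port interfaces, the comment should state that it defaults to the interface's own name so readers of the structure know the key is always populated.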


@ -619,6 +619,60 @@ br0 192.168.1.0/24 routeback
firewall rules.</para> firewall rules.</para>
</section> </section>
<section id="Multiple">
<title>Multiple Bridges with Wildcard Ports</title>
<para>It is sometimes required to configure multiple bridges on a single
firewall/gateway. The following seemingly valid configuration results in a
compile-time error</para>
<simplelist>
<member>ERROR: Duplicate Interface Name (p+)</member>
</simplelist>
<para><filename>/etc/shorewall/zones</filename>:</para>
<programlisting> #ZONE TYPE
fw firewall
world ipv4
z1:world bport4
z2:world bport4</programlisting>
<para><filename>/etc/shorewall/interfaces</filename>:</para>
<programlisting> #ZONE INTERFACE BROADCAST OPTIONS
world br0 - bridge
world br1 - bridge
z1 br0:p+
z2 br1:p+</programlisting>
<para>The reason is that the Shorewall implementation requires each bridge
port to have a unique name. The <option>physical</option> interface option
was added in Shorewall 4.4.4 to work around this problem. The above
configuration may be defined using the following in
<filename>/etc/shorewall/interfaces</filename>: </para>
<programlisting> #ZONE INTERFACE BROADCAST OPTIONS
world br0 - bridge
world br1 - bridge
z1 br0:x+ - physical=p+
z2 br1:y+ - physical=p+</programlisting>
<para>In this configuration, 'x+' is the logical name for ports p+ on
bridge br0 while 'y+' is the logical name for ports p+ on bridge
br1.</para>
<para>If you need to refer to a particular port on br1 (for example
p1023), you write it as y1023; Shorewall will translate that name to p1023
when needed.</para>
<para>Example from /etc/shorewall/rules:</para>
<programlisting> #ACTION SOURCE DEST PROTO DEST
# PORT(S)
REJECT z1:x1023 z1:x1024 tcp 1234</programlisting>
</section>
<section id="bridge-router"> <section id="bridge-router">
<title>Combination Router/Bridge</title> <title>Combination Router/Bridge</title>
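Review bot: the "Multiple Bridges with Wildcard Ports" section shows only the case where both the logical port (`x+`, `y+`) and the physical port (`physical=p+`) are wildcards, and the y1023 -> p1023 sentence implies a one-to-one suffix mapping. It should state explicitly that the logical name and the `physical` value must either both be wildcards or both be plain names, and what the compiler reports when they are mismatched, otherwise a reader could write `br0:x+ - physical=p1` and expect it to work. Also consider noting in this section that after this change a plain `p1023` in the rules file is no longer recognised for these ports, so that anyone converting an existing configuration knows to rename references, not just the interfaces entries.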


@ -123,7 +123,7 @@ loc eth2 -</programlisting>
<para>If you use the special value <emphasis <para>If you use the special value <emphasis
role="bold">detect</emphasis>, Shorewall will detect the broadcast role="bold">detect</emphasis>, Shorewall will detect the broadcast
address(es) for you if your iptables and kernel include Address Type address(es) for you if your iptables and kernel include Address Type
Match support. </para> Match support.</para>
<para>If your iptables and/or kernel lack Address Type Match support <para>If your iptables and/or kernel lack Address Type Match support
then you may list the broadcast address(es) for the network(s) to then you may list the broadcast address(es) for the network(s) to
@ -188,7 +188,8 @@ loc eth2 -</programlisting>
<para>2 - reply only if the target IP address is local address <para>2 - reply only if the target IP address is local address
configured on the incoming interface and the sender's IP configured on the incoming interface and the sender's IP
address is part from same subnet on this interface's address</para> address is part from same subnet on this interface's
address</para>
<para>3 - do not reply for local addresses configured with <para>3 - do not reply for local addresses configured with
scope host, only resolutions for global and link</para> scope host, only resolutions for global and link</para>
@ -290,7 +291,8 @@ loc eth2 -</programlisting>
role="bold">logmartians</emphasis>. Even if you do not specify role="bold">logmartians</emphasis>. Even if you do not specify
the <option>routefilter</option> option, it is a good idea to the <option>routefilter</option> option, it is a good idea to
specify <option>logmartians</option> because your distribution specify <option>logmartians</option> because your distribution
may have enabled route filtering without you knowing it.</para> may have enabled route filtering without you knowing
it.</para>
<para>Only those interfaces with the <para>Only those interfaces with the
<option>logmartians</option> option will have their setting <option>logmartians</option> option will have their setting
@ -433,6 +435,21 @@ loc eth2 -</programlisting>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term>physical=<emphasis
role="bold"><emphasis>name</emphasis></emphasis></term>
<listitem>
<para>Added in Shorewall 4.4.4. This option may only be used
when defining a bridge port (:port appeared in the INTERFACE
column). When specified, the port name in the INTERFACE column
is a logical name that refers to the name given in this
option. It is useful when you want to specify the same
wildcard port name on two or more bridges. See <ulink
url="http://www.shorewall.net/bridge-Shorewall-perl.html#Multiple">http://www.shorewall.net/bridge-Shorewall-perl.html#Multiple</ulink>.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">proxyarp[={0|1}]</emphasis></term> <term><emphasis role="bold">proxyarp[={0|1}]</emphasis></term>
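Review bot: the new `<term>physical=<emphasis role="bold"><emphasis>name</emphasis></emphasis></term>` is marked up differently from the neighbouring entries, where the whole option is wrapped in `<emphasis role="bold">` (compare `<term><emphasis role="bold">proxyarp[={0|1}]</emphasis></term>` in the context lines); in the rendered man page the option keyword `physical=` will therefore not appear bold. Suggest `<term><emphasis role="bold">physical=</emphasis><emphasis>name</emphasis></term>` for consistency. The three surrounding hunks in this file are pure `</para>` reflow with no content change, so they need no separate review.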


@ -172,8 +172,21 @@ loc eth2 -</programlisting>
cannot be obtained.</para> cannot be obtained.</para>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
</listitem>
</varlistentry>
<para></para> <varlistentry>
<term>physical=<emphasis
role="bold"><emphasis>name</emphasis></emphasis></term>
<listitem>
<para>Added in Shorewall 4.4.4. This option may only be used
when defining a bridge port (:port appeared in the INTERFACE
column). When specified, the port name in the INTERFACE column
is a logical name that refers to the name given in this
option. It is useful when you want to specify the same
wildcard port name on two or more bridges. See <ulink
url="http://www.shorewall.net/bridge-Shorewall-perl.html#Multiple">http://www.shorewall.net/bridge-Shorewall-perl.html#Multiple</ulink>.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
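Review bot: besides adding the `physical` entry, this hunk silently removes an empty `<para></para>` that sat between `</itemizedlist>` and `</listitem>` in the previous entry and moves the `</listitem></varlistentry>` pair up; that is a valid cleanup, but it is unrelated to the new option and is not mentioned in the commit message, so it should at least be called out there. The same `<term>` markup inconsistency as in the other man page applies here: wrap `physical=` in `<emphasis role="bold">` so it renders like the other option names.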