Add 'physical' interface option for bridge ports

2024-11-08 00:34:04 +01:00 · 2009-11-06 08:07:13 -08:00 · 2009-11-06 08:07:13 -08:00 · 7014bd3ea0
commit 7014bd3ea0
parent 89bdcf9a3d
5 changed files with 89 additions and 6 deletions
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@ -1727,7 +1727,6 @@ sub match_source_dev( $ ) {
    my $interfaceref =  known_interface( $interface );
    my $physical     = $interfaceref->{physical};
    if ( $interfaceref && $interfaceref->{options}{port} ) {
-	$interface =~ s/\++/+/;
 	"-i $interfaceref->{bridge} -m physdev --physdev-in $physical ";
    } else {
 	"-i $physical ";
@ -1744,7 +1743,6 @@ sub match_dest_dev( $ ) {
    my $physical     = $interfaceref->{physical};
    if ( $interfaceref && $interfaceref->{options}{port} ) {
 	if ( $capabilities{PHYSDEV_BRIDGE} ) {
-	    $interface =~ s/\++/+/;
 	    "-o $interfaceref->{bridge} -m physdev --physdev-is-bridged --physdev-out $physical ";
 	} else {
 	    "-o $interfaceref->{bridge} -m physdev --physdev-out $physical ";
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@ -144,6 +144,7 @@ our %reservedName = ( all => 1,
 #                                     bridge      => <bridge>
 #                                     broadcasts  => 'none', 'detect' or [ <addr1>, <addr2>, ... ]
 #                                     number      => <ordinal position in the interfaces file>
+#                                     physical    => <physical interface name>
 #                                   }
 #                 }
 #
--- a/docs/bridge-Shorewall-perl.xml
+++ b/docs/bridge-Shorewall-perl.xml
@ -619,6 +619,60 @@ br0             192.168.1.0/24  routeback
    firewall rules.</para>
  </section>

+  <section id="Multiple">
+    <title>Multiple Bridges with Wildcard Ports</title>
+
+    <para>It is sometimes required to configure multiple bridges on a single
+    firewall/gateway. The following seemingly valid configuration results in a
+    compile-time error</para>
+
+    <simplelist>
+      <member>ERROR: Duplicate Interface Name (p+)</member>
+    </simplelist>
+
+    <para><filename>/etc/shorewall/zones</filename>:</para>
+
+    <programlisting>       #ZONE            TYPE    
+       fw               firewall
+       world            ipv4
+       z1:world         bport4
+       z2:world         bport4</programlisting>
+
+    <para><filename>/etc/shorewall/interfaces</filename>:</para>
+
+    <programlisting>       #ZONE            INTERFACE       BROADCAST       OPTIONS
+       world            br0             -               bridge
+       world            br1             -               bridge
+       z1               br0:p+
+       z2               br1:p+</programlisting>
+
+    <para>The reason is that the Shorewall implementation requires each bridge
+    port to have a unique name. The <option>physical</option> interface option
+    was added in Shorewall 4.4.4 to work around this problem. The above
+    configuration may be defined using the following in
+    <filename>/etc/shorewall/interfaces</filename>: </para>
+
+    <programlisting>       #ZONE            INTERFACE       BROADCAST       OPTIONS
+       world            br0             -               bridge
+       world            br1             -               bridge
+       z1               br0:x+          -               physical=p+
+       z2               br1:y+          -               physical=p+</programlisting>
+
+    <para>In this configuration, 'x+' is the logical name for ports p+ on
+    bridge br0 while 'y+' is the logical name for ports p+ on bridge
+    br1.</para>
+
+    <para>If you need to refer to a particular port on br1 (for example
+    p1023), you write it as y1023; Shorewall will translate that name to p1023
+    when needed.</para>
+
+    <para>Example from /etc/shorewall/rules:</para>
+
+    <programlisting>       #ACTION    SOURCE    DEST       PROTO    DEST
+       #                                        PORT(S)
+       REJECT     z1:x1023  z1:x1024   tcp      1234</programlisting>
+  </section>
+
  <section id="bridge-router">
    <title>Combination Router/Bridge</title>

--- a/manpages/shorewall-interfaces.xml
+++ b/manpages/shorewall-interfaces.xml
@ -123,7 +123,7 @@ loc     eth2            -</programlisting>
          <para>If you use the special value <emphasis
          role="bold">detect</emphasis>, Shorewall will detect the broadcast
          address(es) for you if your iptables and kernel include Address Type
-          Match support. </para>
+          Match support.</para>

          <para>If your iptables and/or kernel lack Address Type Match support
          then you may list the broadcast address(es) for the network(s) to
@ -188,7 +188,8 @@ loc     eth2            -</programlisting>

                <para>2 - reply only if the target IP address is local address
                configured on the incoming interface and the sender's IP
-                address is part from same subnet on this interface's address</para>
+                address is part from same subnet on this interface's
+                address</para>

                <para>3 - do not reply for local addresses configured with
                scope host, only resolutions for global and link</para>
@ -290,7 +291,8 @@ loc     eth2            -</programlisting>
                role="bold">logmartians</emphasis>. Even if you do not specify
                the <option>routefilter</option> option, it is a good idea to
                specify <option>logmartians</option> because your distribution
-                may have enabled route filtering without you knowing it.</para>
+                may have enabled route filtering without you knowing
+                it.</para>

                <para>Only those interfaces with the
                <option>logmartians</option> option will have their setting
@ -433,6 +435,21 @@ loc     eth2            -</programlisting>
              </listitem>
            </varlistentry>

+            <varlistentry>
+              <term>physical=<emphasis
+              role="bold"><emphasis>name</emphasis></emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.4.4. This option may only be used
+                when defining a bridge port (:port appeared in the INTERFACE
+                column). When specified, the port name in the INTERFACE column
+                is a logical name that refers to the name given in this
+                option. It is useful when you want to specify the same
+                wildcard port name on two or more bridges. See <ulink
+                url="http://www.shorewall.net/bridge-Shorewall-perl.html#Multiple">http://www.shorewall.net/bridge-Shorewall-perl.html#Multiple</ulink>.</para>
+              </listitem>
+            </varlistentry>
+
            <varlistentry>
              <term><emphasis role="bold">proxyarp[={0|1}]</emphasis></term>

--- a/manpages6/shorewall6-interfaces.xml
+++ b/manpages6/shorewall6-interfaces.xml
@ -172,8 +172,21 @@ loc     eth2            -</programlisting>
                    cannot be obtained.</para>
                  </listitem>
                </itemizedlist>
+              </listitem>
+            </varlistentry>

-                <para></para>
+            <varlistentry>
+              <term>physical=<emphasis
+              role="bold"><emphasis>name</emphasis></emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.4.4. This option may only be used
+                when defining a bridge port (:port appeared in the INTERFACE
+                column). When specified, the port name in the INTERFACE column
+                is a logical name that refers to the name given in this
+                option. It is useful when you want to specify the same
+                wildcard port name on two or more bridges. See <ulink
+                url="http://www.shorewall.net/bridge-Shorewall-perl.html#Multiple">http://www.shorewall.net/bridge-Shorewall-perl.html#Multiple</ulink>.</para>
              </listitem>
            </varlistentry>