extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-06-20 01:37:59 +02:00
Code Issues Packages Projects Releases Wiki Activity

Add 'upnpclient' interface option

Browse Source
This commit is contained in:
Tom Eastep 2009-06-15 13:34:35 -07:00
parent b6410902a0
commit abe07c9fae
7 changed files with 48 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
Shorewall/Perl/Shorewall/Chains.pm
View File

@ -770,7 +770,7 @@ sub use_input_chain($) {
# #
# We must use the interfaces's chain if the interface is associated with multiple zone nets # We must use the interfaces's chain if the interface is associated with multiple zone nets
# #
return 1 if $nets > 1; return 1 if $nets > 1 || $interfaceref->{options}{upnpclient};
# #
# Don't need it if it isn't associated with any zone # Don't need it if it isn't associated with any zone
# #

20
Shorewall/Perl/Shorewall/Rules.pm
View File

@ -605,6 +605,8 @@ sub add_common_rules() {
} }
if ( $family == F_IPV4 ) { if ( $family == F_IPV4 ) {
my $announced = 0;
$list = find_interfaces_by_option 'upnp'; $list = find_interfaces_by_option 'upnp';
if ( @$list ) { if ( @$list ) {
@ -612,10 +614,28 @@ sub add_common_rules() {
new_nat_chain( 'UPnP' ); new_nat_chain( 'UPnP' );
$announced = 1;
for $interface ( @$list ) { for $interface ( @$list ) {
add_rule $nat_table->{PREROUTING} , match_source_dev ( $interface ) . '-j UPnP'; add_rule $nat_table->{PREROUTING} , match_source_dev ( $interface ) . '-j UPnP';
} }
} }
$list = find_interfaces_by_option 'upnpclient';
if ( @$list ) {
progress_message2 "$doing UPnP" unless $announced;
for $interface ( @$list ) {
my $chainref = $filter_table->{input_chain $interface};
my $base = uc chain_base $interface;
my $variable = get_interface_gateway $interface;
add_command $chainref, qq(if [ -n "\$${base}_IS_UP" -a -n "$variable" ]; then);
add_command $chainref, qq( echo -A $chainref->{name} -i $interface -s $variable -p udp -j ACCEPT >&3);
add_command $chainref, qq(fi);
}
}
} }
setup_syn_flood_chains; setup_syn_flood_chains;

1
Shorewall/Perl/Shorewall/Zones.pm
View File

@ -210,6 +210,7 @@ sub initialize( $ ) {
sourceroute => BINARY_IF_OPTION, sourceroute => BINARY_IF_OPTION,
tcpflags => SIMPLE_IF_OPTION + IF_OPTION_HOST, tcpflags => SIMPLE_IF_OPTION + IF_OPTION_HOST,
upnp => SIMPLE_IF_OPTION, upnp => SIMPLE_IF_OPTION,
upnpclient => SIMPLE_IF_OPTION,
mss => NUMERIC_IF_OPTION, mss => NUMERIC_IF_OPTION,
); );
%validhostoptions = ( %validhostoptions = (

2
Shorewall/Perl/prog.header
View File

@ -821,7 +821,7 @@ detect_dynamic_gateway() { # $1 = interface
fi fi
if [ -z "$gateway" -a -f /var/lib/dhcp/dhclient-${1}.lease ]; then if [ -z "$gateway" -a -f /var/lib/dhcp/dhclient-${1}.lease ]; then
gateway=$(grep 'option routers' /var/lib/dhcp/dhclient-${1}.lease | tail -n 1 | while read j1 j2 gateway; do echo $gateway; return 0; done) gateway=$(grep 'option routers' /var/lib/dhcp/dhclient-${1}.lease | tail -n 1 | while read j1 j2 gateway; do echo $gateway ; return 0; done)
fi fi
[ -n "$gateway" ] && echo $gateway [ -n "$gateway" ] && echo $gateway

2
Shorewall/changelog.txt
View File

@ -12,6 +12,8 @@ Changes in Shorewall 4.4.0-Beta2
4) Delete the 'continue' file from the Shorewall package. 4) Delete the 'continue' file from the Shorewall package.
5) Add 'upnpclient' interface option.
Changes in Shorewall 4.4.0-Beta1 Changes in Shorewall 4.4.0-Beta1
1) Correct typo in Shorewall6 two-interface sample shorewall.conf. 1) Correct typo in Shorewall6 two-interface sample shorewall.conf.

10
Shorewall/releasenotes.txt
View File

@ -130,7 +130,15 @@ None.
N E W F E A T U R E S I N 4 . 4 . 0 Beta 2 N E W F E A T U R E S I N 4 . 4 . 0 Beta 2
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
None. 1) A 'upnpclient' option has been added to
/etc/shorewall/interfaces. This option is intended for laptop users
who always run Shorewall on their system yet need to run
UPnP-enabled client apps such as Transmission (BitTorrent client).
The option causes Shorewall to detect the default gateway through
the interface and to accept UDP packets from that gateway. Note
that, like all aspects of UPnP, this is a security hole so use this
option at your own risk.
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
N E W F E A T U R E S IN 4 . 4 N E W F E A T U R E S IN 4 . 4

14
manpages/shorewall-interfaces.xml
View File

@ -540,6 +540,20 @@ loc eth2 -</programlisting>
url="../UPnP.html">http://www.shorewall.net/UPnP.html</ulink>.</para> url="../UPnP.html">http://www.shorewall.net/UPnP.html</ulink>.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">upnpclient</emphasis></term>
<listitem>
<para>This option is intended for laptop users who always run
Shorewall on their system yet need to run UPnP-enabled client
apps such as Transmission (BitTorrent client). The option
causes Shorewall to detect the default gateway through the
interface and to accept UDP packets from that gateway. Note
that, like all aspects of UPnP, this is a security hole so use
this option at your own risk. </para>
</listitem>
</varlistentry>
</variablelist> </variablelist>
</listitem> </listitem>
</varlistentry> </varlistentry>