nets= allows multicast

2024-11-23 08:03:11 +01:00 · 2009-08-28 15:17:10 -07:00 · 2009-08-28 15:17:10 -07:00 · acfdc7e481
commit acfdc7e481
parent a62d86aca7
6 changed files with 30 additions and 6 deletions
--- a/Shorewall/Perl/Shorewall/IPAddrs.pm
+++ b/Shorewall/Perl/Shorewall/IPAddrs.pm
@ -34,10 +34,10 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( ALLIPv4
                  ALLIPv6
+	          IPv4_MULTICAST
 	          IPv6_MULTICAST
 	          IPv6_LINKLOCAL
 	          IPv6_SITELOCAL
-	          IPv6_LINKLOCAL
 	          IPv6_LOOPBACK
 	          IPv6_LINK_ALLNODES
 	          IPv6_LINK_ALLRTRS
@ -89,10 +89,10 @@ our $validate_host;

 use constant { ALLIPv4             => '0.0.0.0/0' ,
 	       ALLIPv6             => '::/0' ,
+	       IPv4_MULTICAST      => '224.0.0.0/4' ,
 	       IPv6_MULTICAST      => 'FF00::/10' ,
 	       IPv6_LINKLOCAL      => 'FF80::/10' ,
 	       IPv6_SITELOCAL      => 'FFC0::/10' ,
-	       IPv6_LINKLOCAL      => 'FF80::/10' ,
 	       IPv6_LOOPBACK       => '::1' ,
 	       IPv6_LINK_ALLNODES  => 'FF01::1' ,
 	       IPv6_LINK_ALLRTRS   => 'FF01::2' ,
--- a/Shorewall/Perl/Shorewall/Policy.pm
+++ b/Shorewall/Perl/Shorewall/Policy.pm
@ -346,7 +346,7 @@ sub policy_rules( $$$$$ ) {
    my ( $chainref , $target, $loglevel, $default, $dropmulticast ) = @_;

    unless ( $target eq 'NONE' ) {
-	add_rule $chainref, "-d 224.0.0.0/24 -j RETURN" if $dropmulticast && $target ne 'CONTINUE';
+	add_rule $chainref, "-d 224.0.0.0/24 -j RETURN" if $dropmulticast && $target ne 'CONTINUE' && $target ne 'ACCEPT';
 	add_rule $chainref, "-j $default" if $default && $default ne 'none';
 	log_rule $loglevel , $chainref , $target , '' if $loglevel ne '';
 	fatal_error "Null target in policy_rules()" unless $target;
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@ -852,6 +852,8 @@ sub process_interface( $ ) {
 		    $value = "+${zone}_${interface}";
 		    $hostoptions{dynamic} = 1;
 		    $ipsets{"${zone}_${interface}"} = 1;
+		} else {
+		    $hostoptions{multicast} = 1;
 		}
 		#
 		# Convert into a Perl array reference
@ -887,7 +889,10 @@ sub process_interface( $ ) {

    $nets = [ allip ] unless $nets;

-    add_group_to_zone( $zone, $zoneref->{type}, $interface, $nets, $hostoptionsref ) if $zone;
+    if ( $zone ) {
+	add_group_to_zone( $zone, $zoneref->{type}, $interface, $nets, $hostoptionsref );
+	add_group_to_zone( $zone, $zoneref->{type}, $interface, [ IPv4_MULTICAST ], { destonly => 1 } ) if $hostoptionsref->{multicast};
+    } 

    $interfaces{$interface}{zone} = $zone; #Must follow the call to add_group_to_zone()

--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@ -20,6 +20,8 @@ Changes in Shorewall 4.4.1

 10) Change one-interface sample to IP_FORWARDING=Off.

+11) Allow multicast to non-dynamic zones with nets=.
+
 Changes in Shorewall 4.4.0

 1)  Fix 'compile ... -' so that it no longer requires '-v-1'
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@ -237,6 +237,10 @@ None.
    the device. Similarly, a warning is issued if the sum of the RATEs
    of a class's sub-classes exceeds the rate of the CLASS.

+4)  When 'nets=<network>' or 'nets=(<nets1>,<net2>,...) is specified in
+    /etc/shorewall/interfaces, multicast traffic will now be sent to
+    the zone along with limited broadcasts.
+
 ----------------------------------------------------------------------------
                 N E W   F E A T U R E S   I N   4 . 4
 ----------------------------------------------------------------------------
--- a/manpages/shorewall-interfaces.xml
+++ b/manpages/shorewall-interfaces.xml
@ -357,8 +357,21 @@ loc     eth2            -</programlisting>
                <para>Limit the zone named in the ZONE column to only the
                listed networks. The parentheses may be omitted if only a
                single <replaceable>net</replaceable> is given (e.g.,
-                nets=192.168.1.0/24). Limited broadcast is supported on the
-                interface.</para>
+                nets=192.168.1.0/24). Limited broadcast to the zone is
+                supported. Beginning with Shorewall 4.4.1, multicast traffic
+                to the zone is also supported.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">nets=dynamic</emphasis></term>
+
+              <listitem>
+                <para>Defines the zone as <firstterm>dynamic</firstterm>.
+                Requires ipset match support in your iptables and kernel. See
+                <ulink
+                url="http://www.shorewall.net/Dynamic.html">http://www.shorewall.net/Dynamic.html</ulink>
+                for further information.</para>
              </listitem>
            </varlistentry>