nets= allows multicast

Tom Eastep 2009-08-28 15:17:10 -07:00
parent a62d86aca7
commit acfdc7e481
6 changed files with 30 additions and 6 deletions


@ -34,10 +34,10 @@ use strict;
our @ISA = qw(Exporter); our @ISA = qw(Exporter);
our @EXPORT = qw( ALLIPv4 our @EXPORT = qw( ALLIPv4
ALLIPv6 ALLIPv6
IPv4_MULTICAST
IPv6_MULTICAST IPv6_MULTICAST
IPv6_LINKLOCAL IPv6_LINKLOCAL
IPv6_SITELOCAL IPv6_SITELOCAL
IPv6_LINKLOCAL
IPv6_LOOPBACK IPv6_LOOPBACK
IPv6_LINK_ALLNODES IPv6_LINK_ALLNODES
IPv6_LINK_ALLRTRS IPv6_LINK_ALLRTRS
@ -89,10 +89,10 @@ our $validate_host;
use constant { ALLIPv4 => '0.0.0.0/0' , use constant { ALLIPv4 => '0.0.0.0/0' ,
ALLIPv6 => '::/0' , ALLIPv6 => '::/0' ,
IPv4_MULTICAST => '224.0.0.0/4' ,
IPv6_MULTICAST => 'FF00::/10' , IPv6_MULTICAST => 'FF00::/10' ,
IPv6_LINKLOCAL => 'FF80::/10' , IPv6_LINKLOCAL => 'FF80::/10' ,
IPv6_SITELOCAL => 'FFC0::/10' , IPv6_SITELOCAL => 'FFC0::/10' ,
IPv6_LINKLOCAL => 'FF80::/10' ,
IPv6_LOOPBACK => '::1' , IPv6_LOOPBACK => '::1' ,
IPv6_LINK_ALLNODES => 'FF01::1' , IPv6_LINK_ALLNODES => 'FF01::1' ,
IPv6_LINK_ALLRTRS => 'FF01::2' , IPv6_LINK_ALLRTRS => 'FF01::2' ,
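Review bot: The IPv6 constants kept as context around the new IPv4_MULTICAST entry do not match the RFC 4291 assignments: `IPv6_LINKLOCAL => 'FF80::/10'` and `IPv6_SITELOCAL => 'FFC0::/10'` both lie inside the multicast block, whereas link-local is FE80::/10 and (deprecated) site-local is FEC0::/10, and the multicast range itself is FF00::/8 rather than the FF00::/10 used here. Because this hunk removes the duplicate IPv6_LINKLOCAL, the surviving value is the one every caller will see, so unless these ranges are intentionally narrower than the RFC ones they should read `IPv6_MULTICAST => 'FF00::/8' ,` `IPv6_LINKLOCAL => 'FE80::/10' ,` `IPv6_SITELOCAL => 'FEC0::/10' ,`. In a firewall compiler a wrong link-local prefix means rules meant for FE80:: traffic silently match nothing, which makes these constants worth a small regression test.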


@ -346,7 +346,7 @@ sub policy_rules( $$$$$ ) {
my ( $chainref , $target, $loglevel, $default, $dropmulticast ) = @_; my ( $chainref , $target, $loglevel, $default, $dropmulticast ) = @_;
unless ( $target eq 'NONE' ) { unless ( $target eq 'NONE' ) {
add_rule $chainref, "-d 224.0.0.0/24 -j RETURN" if $dropmulticast && $target ne 'CONTINUE'; add_rule $chainref, "-d 224.0.0.0/24 -j RETURN" if $dropmulticast && $target ne 'CONTINUE' && $target ne 'ACCEPT';
add_rule $chainref, "-j $default" if $default && $default ne 'none'; add_rule $chainref, "-j $default" if $default && $default ne 'none';
log_rule $loglevel , $chainref , $target , '' if $loglevel ne ''; log_rule $loglevel , $chainref , $target , '' if $loglevel ne '';
fatal_error "Null target in policy_rules()" unless $target; fatal_error "Null target in policy_rules()" unless $target;
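Review bot: The added `$target ne 'ACCEPT'` exclusion on the multicast RETURN rule carries no comment explaining why ACCEPT joins CONTINUE in skipping it, and the rule's 224.0.0.0/24 is easy to mistake for the 224.0.0.0/4 IPv4_MULTICAST constant this commit introduces in the constants module. Suggest a comment above the add_rule call: `# No early RETURN for multicast under CONTINUE or ACCEPT policies; this shortcut covers 224.0.0.0/24 only, not the whole 224.0.0.0/4 (IPv4_MULTICAST) range`. The three-term condition would also read better hoisted into a named scalar, e.g. `my $return_multicast = $dropmulticast && $target ne 'CONTINUE' && $target ne 'ACCEPT';` used as the postfix condition. The body of policy_rules continues past the hunk.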


@ -852,6 +852,8 @@ sub process_interface( $ ) {
$value = "+${zone}_${interface}"; $value = "+${zone}_${interface}";
$hostoptions{dynamic} = 1; $hostoptions{dynamic} = 1;
$ipsets{"${zone}_${interface}"} = 1; $ipsets{"${zone}_${interface}"} = 1;
} else {
$hostoptions{multicast} = 1;
} }
# #
# Convert into a Perl array reference # Convert into a Perl array reference
@ -887,7 +889,10 @@ sub process_interface( $ ) {
$nets = [ allip ] unless $nets; $nets = [ allip ] unless $nets;
add_group_to_zone( $zone, $zoneref->{type}, $interface, $nets, $hostoptionsref ) if $zone; if ( $zone ) {
add_group_to_zone( $zone, $zoneref->{type}, $interface, $nets, $hostoptionsref );
add_group_to_zone( $zone, $zoneref->{type}, $interface, [ IPv4_MULTICAST ], { destonly => 1 } ) if $hostoptionsref->{multicast};
}
$interfaces{$interface}{zone} = $zone; #Must follow the call to add_group_to_zone() $interfaces{$interface}{zone} = $zone; #Must follow the call to add_group_to_zone()
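Review bot: The second add_group_to_zone call in the later hunk hard-codes `[ IPv4_MULTICAST ]` while the line just above it uses the `allip` helper for the default nets (presumably family-aware, since both ALLIPv4 and ALLIPv6 are exported) and the constants module also exports IPv6_MULTICAST; if process_interface also serves the IPv6 compiler, which I cannot confirm from the hunk, an IPv6 zone with nets= would receive an IPv4 multicast group. Consider selecting the multicast constant by address family the same way allip selects the all-addresses one. The flag set in the first hunk deserves a comment such as `# nets= on a non-dynamic zone: also admit multicast to the zone (destonly group added later)`, and since that group is added with only `{ destonly => 1 }` none of the interface's other host options apply to it — confirm that is intended. process_interface starts and ends outside these hunks.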


@ -20,6 +20,8 @@ Changes in Shorewall 4.4.1
10) Change one-interface sample to IP_FORWARDING=Off. 10) Change one-interface sample to IP_FORWARDING=Off.
11) Allow multicast to non-dynamic zones with nets=.
Changes in Shorewall 4.4.0 Changes in Shorewall 4.4.0
1) Fix 'compile ... -' so that it no longer requires '-v-1' 1) Fix 'compile ... -' so that it no longer requires '-v-1'


@ -237,6 +237,10 @@ None.
the device. Similarly, a warning is issued if the sum of the RATEs the device. Similarly, a warning is issued if the sum of the RATEs
of a class's sub-classes exceeds the rate of the CLASS. of a class's sub-classes exceeds the rate of the CLASS.
4) When 'nets=<network>' or 'nets=(<nets1>,<net2>,...) is specified in
/etc/shorewall/interfaces, multicast traffic will now be sent to
the zone along with limited broadcasts.
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
N E W F E A T U R E S I N 4 . 4 N E W F E A T U R E S I N 4 . 4
---------------------------------------------------------------------------- ----------------------------------------------------------------------------


@ -357,8 +357,21 @@ loc eth2 -</programlisting>
<para>Limit the zone named in the ZONE column to only the <para>Limit the zone named in the ZONE column to only the
listed networks. The parentheses may be omitted if only a listed networks. The parentheses may be omitted if only a
single <replaceable>net</replaceable> is given (e.g., single <replaceable>net</replaceable> is given (e.g.,
nets=192.168.1.0/24). Limited broadcast is supported on the nets=192.168.1.0/24). Limited broadcast to the zone is
interface.</para> supported. Beginning with Shorewall 4.4.1, multicast traffic
to the zone is also supported.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">nets=dynamic</emphasis></term>
<listitem>
<para>Defines the zone as <firstterm>dynamic</firstterm>.
Requires ipset match support in your iptables and kernel. See
<ulink
url="http://www.shorewall.net/Dynamic.html">http://www.shorewall.net/Dynamic.html</ulink>
for further information.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>