DYNAMIC_ZONES=Yes is no longer supported by Shorewall-perl

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8563 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2008-06-13 02:56:51 +00:00
parent c2ee4eb2ba
commit af3aa96964
7 changed files with 31 additions and 53 deletions


@ -6,6 +6,8 @@ Changes in 4.2.0-Beta2
3) HELPER column in tcrules.
4) De-implement DYNAMIC_ZONES=Yes in Shorewall-perl.
Changes in 4.2.0-Beta1
1) Fix handling of firewall marks.


@ -75,6 +75,9 @@ Migration Issues.
Note that there is a new 'Rfc1918' macro that acts on addresses
reserved by RFC 1918.
7) DYNAMIC_ZONES=Yes is no longer supported by Shorewall-perl. Use
ipset-based zones instead.
Problems Corrected in Shorewall 4.2.0 Beta 2
1) When 'norfc1918' was specified on an interface with an RFC 1918 IP
@ -118,7 +121,9 @@ Other Changes in Shoreall 4.2.0 Beta 2.
column names one of the Netfilter protocol 'helper' module sets
(ftp, sip, amanda, etc).
See http://www.shorewall.net/traffic_shaping.htm for an example.
See http://www.shorewall.net/traffic_shaping.htm for an example.
3) DYNAMIC_ZONES=Yes is no longer supported by Shorewall-perl.
None.


@ -589,16 +589,12 @@ sub chain_base($) {
$chain;
}
sub chain_base_cond($) {
$config{DYNAMIC_ZONES} ? chain_base($_[0]) : $_[0];
}
#
# Forward Chain for an interface
#
sub forward_chain($)
{
chain_base_cond($_[0]) . '_fwd';
chain_base($_[0]) . '_fwd';
}
#
@ -625,7 +621,7 @@ sub use_forward_chain($) {
#
sub input_chain($)
{
chain_base_cond($_[0]) . '_in';
chain_base($_[0]) . '_in';
}
#
@ -669,7 +665,7 @@ sub use_input_chain($) {
#
sub output_chain($)
{
chain_base_cond($_[0]) . '_out';
chain_base_($_[0]) . '_out';
}
#
@ -713,7 +709,7 @@ sub use_output_chain($) {
#
sub masq_chain($)
{
chain_base_cond($_[0]) . '_masq';
chain_base($_[0]) . '_masq';
}
#
@ -728,12 +724,12 @@ sub syn_flood_chain ( $ ) {
#
sub mac_chain( $ )
{
chain_base_cond($_[0]) . '_mac';
chain_base($_[0]) . '_mac';
}
sub macrecent_target($)
{
$config{MACLIST_TTL} ? chain_base_cond($_[0]) . '_rec' : 'RETURN';
$config{MACLIST_TTL} ? chain_base($_[0]) . '_rec' : 'RETURN';
}
#
@ -741,22 +737,22 @@ sub macrecent_target($)
#
sub dynamic_fwd( $ )
{
chain_base_cond($_[0]) . '_dynf';
chain_base($_[0]) . '_dynf';
}
sub dynamic_in( $ )
{
chain_base_cond($_[0]) . '_dyni';
chain_base($_[0]) . '_dyni';
}
sub dynamic_out( $ ) # $1 = interface
{
chain_base_cond($_[0]) . '_dyno';
chain_base($_[0]) . '_dyno';
}
sub dynamic_chains( $ ) #$1 = interface
{
my $c = chain_base_cond($_[0]);
my $c = chain_base($_[0]);
( $c . '_dyni' , $c . '_dynf' , $c . '_dyno' );
}
@ -771,7 +767,7 @@ sub zone_dynamic_chain( $ ) # $1 = zone
#
sub dnat_chain( $ )
{
chain_base_cond($_[0]) . '_dnat';
chain_base($_[0]) . '_dnat';
}
#
@ -779,7 +775,7 @@ sub dnat_chain( $ )
#
sub snat_chain( $ )
{
chain_base_cond($_[0]) . '_snat';
chain_base($_[0]) . '_snat';
}
#
@ -787,7 +783,7 @@ sub snat_chain( $ )
#
sub ecn_chain( $ )
{
chain_base_cond($_[0]) . '_ecn';
chain_base($_[0]) . '_ecn';
}
#
@ -795,7 +791,7 @@ sub ecn_chain( $ )
#
sub first_chains( $ ) #$1 = interface
{
my $c = chain_base_cond($_[0]);
my $c = chain_base($_[0]);
( $c . '_fwd', $c . '_in' );
}
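Review bot: The new side of `output_chain` reads `chain_base_($_[0]) . '_out';` — the trailing underscore turns this into a call to a subroutine that does not exist in this file, so under `use strict` it will compile but fail at run time with an undefined-subroutine error the first time an output chain name is requested, while every sibling (`forward_chain`, `input_chain`, `masq_chain`, `mac_chain`, …) correctly calls `chain_base`. It should read `chain_base($_[0]) . '_out';`. Separately, `dynamic_fwd`, `dynamic_in`, `dynamic_out` and `dynamic_chains` are kept here although this commit removes their uses in `add_common_rules` and `generate_matrix`; if nothing else references them they appear to be dead code now, and if they are deliberately retained a comment such as `# Retained after DYNAMIC_ZONES was de-implemented; no callers in Shorewall-perl` above `dynamic_fwd` would save the next reader the search.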


@ -1870,7 +1870,7 @@ sub get_configuration( $ ) {
default_yes_no 'DISABLE_IPV6' , '';
default_yes_no 'DYNAMIC_ZONES' , '';
fatal_error "DYNAMIC_ZONES=Yes is incompatible with the -e option" if $config{DYNAMIC_ZONES} && $export;
fatal_error "DYNAMIC_ZONES=Yes is not supported by Shorewall-perl $global{VERSION}" if $config{DYNAMIC_ZONES};
default_yes_no 'BRIDGING' , '';
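Review bot: The replacement `fatal_error ... if $config{DYNAMIC_ZONES}` line tells the user that the option is unsupported but not what to use instead, whereas the release notes in this same commit direct them to ipset-based zones; putting that hint in the message saves a trip to the documentation, e.g. `fatal_error "DYNAMIC_ZONES=Yes is not supported by Shorewall-perl $global{VERSION}; use ipset-based zones instead" if $config{DYNAMIC_ZONES};`. Keeping the preceding `default_yes_no 'DYNAMIC_ZONES' , ''` is what makes the check work, so that line should stay. get_configuration begins and ends outside this hunk.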


@ -638,20 +638,6 @@ sub add_common_rules() {
}
}
if ( $config{DYNAMIC_ZONES} ) {
for $interface ( all_interfaces ) {
for $chain ( dynamic_chains $interface ) {
new_standard_chain $chain;
}
new_nat_chain( $chain = dynamic_in($interface) );
add_rule $filter_table->{input_chain $interface}, '-j ' . dynamic_in $interface;
add_rule $filter_table->{forward_chain $interface}, '-j ' . dynamic_fwd $interface;
add_rule $filter_table->{output_chain $interface}, '-j ' . dynamic_out $interface;
}
}
$list = find_interfaces_by_option 'upnp';
if ( @$list ) {
@ -1573,10 +1559,6 @@ sub generate_matrix() {
my $type = $zoneref->{type};
my $source_ref = ( $zoneref->{hosts}{ipsec4} ) || {};
if ( $config{DYNAMIC_ZONES} ) {
create_zone_dyn_chain $zone, $frwd_ref if ( scalar keys %$source_ref ) || ( $type eq 'ipsec4' );
}
for my $interface ( sort { interface_number( $a ) <=> interface_number( $b ) } keys %$source_ref ) {
my $sourcechainref;
my $interfacematch = '';
@ -1625,11 +1607,6 @@ sub generate_matrix() {
insert_exclusions $dnatref, $exclusions if $dnatref->{referenced};
}
if ( $config{DYNAMIC_ZONES} ) {
push @rule_chains , [ firewall_zone , $zone , $chain1 ] if $chain1;
push @rule_chains , [ $zone , firewall_zone , $chain2 ];
}
if ( $nested ) {
#
# This is a sub-zone. We need to determine if
@ -1831,8 +1808,6 @@ sub generate_matrix() {
next unless $chain; # CONTINUE policy with no rules
push @rule_chains, [ $zone , $zone1 , $chain ] if $config{DYNAMIC_ZONES};
my $num_ifaces = 0;
if ( $zone eq $zone1 ) {
@ -1952,13 +1927,6 @@ sub generate_matrix() {
addnatjump 'PREROUTING' , 'nat_in' , '';
addnatjump 'POSTROUTING' , 'nat_out' , '';
if ( $config{DYNAMIC_ZONES} ) {
for my $interface ( @interfaces ) {
addnatjump 'PREROUTING' , dynamic_in( $interface ), match_source_dev( $interface );
}
}
addnatjump 'PREROUTING', 'dnat', '';
for my $interface ( @interfaces ) {


@ -403,7 +403,11 @@ ipsec net 0.0.0.0/0</programlisting>
zones and add and delete remote endpoints dynamically using
/sbin/shorewall. With Shorewall 2.0.2 Beta 1 and later versions, this
capability must be enabled by setting DYNAMIC_ZONES=Yes in <ulink
url="manpages/shorewall.conf.html">shorewall.conf</ulink>.</para>
url="manpages/shorewall.conf.html">shorewall.conf</ulink>.<important>
<para>DYNAMIC_ZONES=Yes is not supported by Shorewall-perl 4.2.0 or
later versions. Use <ulink url="ipsets.html#Dynamic">dynamic zones
defined by ipsets</ulink> instead.</para>
</important></para>
<para>In /etc/shorewall/zones:</para>


@ -482,6 +482,9 @@
role="bold">yes</emphasis>, enables dynamic zones. DYNAMIC_ZONES=Yes
is not allowed in configurations that will run under Shorewall
Lite.</para>
<para>DYNAMIC_ZONES=Yes is not supported by Shorewall-perl 4.2.0 and
later.</para>
</listitem>
</varlistentry>