DYNAMIC_ZONES=Yes is no longer supported by Shorewall-perl
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8563 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
c2ee4eb2ba
commit
af3aa96964
@ -6,6 +6,8 @@ Changes in 4.2.0-Beta2
|
||||
|
||||
3) HELPER column in tcrules.
|
||||
|
||||
4) De-implement DYNAMIC_ZONES=Yes in Shorewall-perl.
|
||||
|
||||
Changes in 4.2.0-Beta1
|
||||
|
||||
1) Fix handling of firewall marks.
|
||||
|
@ -75,6 +75,9 @@ Migration Issues.
|
||||
Note that there is a new 'Rfc1918' macro that acts on addresses
|
||||
reserved by RFC 1918.
|
||||
|
||||
7) DYNAMIC_ZONES=Yes is no longer supported by Shorewall-perl. Use
|
||||
ipset-based zones instead.
|
||||
|
||||
Problems Corrected in Shorewall 4.2.0 Beta 2
|
||||
|
||||
1) When 'norfc1918' was specified on an interface with an RFC 1918 IP
|
||||
@ -118,7 +121,9 @@ Other Changes in Shoreall 4.2.0 Beta 2.
|
||||
column names one of the Netfilter protocol 'helper' module sets
|
||||
(ftp, sip, amanda, etc).
|
||||
|
||||
See http://www.shorewall.net/traffic_shaping.htm for an example.
|
||||
See http://www.shorewall.net/traffic_shaping.htm for an example.
|
||||
|
||||
3) DYNAMIC_ZONES=Yes is no longer supported by Shorewall-perl.
|
||||
|
||||
None.
|
||||
|
||||
|
@ -589,16 +589,12 @@ sub chain_base($) {
|
||||
$chain;
|
||||
}
|
||||
|
||||
sub chain_base_cond($) {
|
||||
$config{DYNAMIC_ZONES} ? chain_base($_[0]) : $_[0];
|
||||
}
|
||||
|
||||
#
|
||||
# Forward Chain for an interface
|
||||
#
|
||||
sub forward_chain($)
|
||||
{
|
||||
chain_base_cond($_[0]) . '_fwd';
|
||||
chain_base($_[0]) . '_fwd';
|
||||
}
|
||||
|
||||
#
|
||||
@ -625,7 +621,7 @@ sub use_forward_chain($) {
|
||||
#
|
||||
sub input_chain($)
|
||||
{
|
||||
chain_base_cond($_[0]) . '_in';
|
||||
chain_base($_[0]) . '_in';
|
||||
}
|
||||
|
||||
#
|
||||
@ -669,7 +665,7 @@ sub use_input_chain($) {
|
||||
#
|
||||
sub output_chain($)
|
||||
{
|
||||
chain_base_cond($_[0]) . '_out';
|
||||
chain_base_($_[0]) . '_out';
|
||||
}
|
||||
|
||||
#
|
||||
@ -713,7 +709,7 @@ sub use_output_chain($) {
|
||||
#
|
||||
sub masq_chain($)
|
||||
{
|
||||
chain_base_cond($_[0]) . '_masq';
|
||||
chain_base($_[0]) . '_masq';
|
||||
}
|
||||
|
||||
#
|
||||
@ -728,12 +724,12 @@ sub syn_flood_chain ( $ ) {
|
||||
#
|
||||
sub mac_chain( $ )
|
||||
{
|
||||
chain_base_cond($_[0]) . '_mac';
|
||||
chain_base($_[0]) . '_mac';
|
||||
}
|
||||
|
||||
sub macrecent_target($)
|
||||
{
|
||||
$config{MACLIST_TTL} ? chain_base_cond($_[0]) . '_rec' : 'RETURN';
|
||||
$config{MACLIST_TTL} ? chain_base($_[0]) . '_rec' : 'RETURN';
|
||||
}
|
||||
|
||||
#
|
||||
@ -741,22 +737,22 @@ sub macrecent_target($)
|
||||
#
|
||||
sub dynamic_fwd( $ )
|
||||
{
|
||||
chain_base_cond($_[0]) . '_dynf';
|
||||
chain_base($_[0]) . '_dynf';
|
||||
}
|
||||
|
||||
sub dynamic_in( $ )
|
||||
{
|
||||
chain_base_cond($_[0]) . '_dyni';
|
||||
chain_base($_[0]) . '_dyni';
|
||||
}
|
||||
|
||||
sub dynamic_out( $ ) # $1 = interface
|
||||
{
|
||||
chain_base_cond($_[0]) . '_dyno';
|
||||
chain_base($_[0]) . '_dyno';
|
||||
}
|
||||
|
||||
sub dynamic_chains( $ ) #$1 = interface
|
||||
{
|
||||
my $c = chain_base_cond($_[0]);
|
||||
my $c = chain_base($_[0]);
|
||||
|
||||
( $c . '_dyni' , $c . '_dynf' , $c . '_dyno' );
|
||||
}
|
||||
@ -771,7 +767,7 @@ sub zone_dynamic_chain( $ ) # $1 = zone
|
||||
#
|
||||
sub dnat_chain( $ )
|
||||
{
|
||||
chain_base_cond($_[0]) . '_dnat';
|
||||
chain_base($_[0]) . '_dnat';
|
||||
}
|
||||
|
||||
#
|
||||
@ -779,7 +775,7 @@ sub dnat_chain( $ )
|
||||
#
|
||||
sub snat_chain( $ )
|
||||
{
|
||||
chain_base_cond($_[0]) . '_snat';
|
||||
chain_base($_[0]) . '_snat';
|
||||
}
|
||||
|
||||
#
|
||||
@ -787,7 +783,7 @@ sub snat_chain( $ )
|
||||
#
|
||||
sub ecn_chain( $ )
|
||||
{
|
||||
chain_base_cond($_[0]) . '_ecn';
|
||||
chain_base($_[0]) . '_ecn';
|
||||
}
|
||||
|
||||
#
|
||||
@ -795,7 +791,7 @@ sub ecn_chain( $ )
|
||||
#
|
||||
sub first_chains( $ ) #$1 = interface
|
||||
{
|
||||
my $c = chain_base_cond($_[0]);
|
||||
my $c = chain_base($_[0]);
|
||||
|
||||
( $c . '_fwd', $c . '_in' );
|
||||
}
|
||||
|
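Review bot: The new body of output_chain calls `chain_base_($_[0])` with a trailing underscore, while every sibling in this hunk (forward_chain, input_chain, masq_chain, mac_chain, the dynamic_* helpers) now calls `chain_base`; unless a `chain_base_` sub exists elsewhere in the module, Perl accepts the parenthesised call at compile time and the rule compiler dies with "Undefined subroutine" the first time an output chain name is built, so presumably every compile that reaches output_chain fails. The line should read `chain_base($_[0]) . '_out';`. Separately, dynamic_fwd, dynamic_in, dynamic_out and dynamic_chains are kept although their only callers visible on this page (the DYNAMIC_ZONES block in add_common_rules and the PREROUTING jumps in generate_matrix) are deleted by the same commit; if nothing else references them they are now dead, and if they are retained on purpose a short comment such as `# retained for ipset-based dynamic zones` above dynamic_fwd would say so.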
@ -1870,7 +1870,7 @@ sub get_configuration( $ ) {
|
||||
default_yes_no 'DISABLE_IPV6' , '';
|
||||
default_yes_no 'DYNAMIC_ZONES' , '';
|
||||
|
||||
fatal_error "DYNAMIC_ZONES=Yes is incompatible with the -e option" if $config{DYNAMIC_ZONES} && $export;
|
||||
fatal_error "DYNAMIC_ZONES=Yes is not supported by Shorewall-perl $global{VERSION}" if $config{DYNAMIC_ZONES};
|
||||
|
||||
default_yes_no 'BRIDGING' , '';
|
||||
|
||||
|
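Review bot: The new fatal_error in get_configuration rejects DYNAMIC_ZONES=Yes but gives the administrator no pointer to the replacement that the release notes in this same commit name, so an upgrade from a working 4.0 configuration stops with a dead end; consider `fatal_error "DYNAMIC_ZONES=Yes is not supported by Shorewall-perl $global{VERSION}; use ipset-based dynamic zones instead" if $config{DYNAMIC_ZONES};`. Keeping `default_yes_no 'DYNAMIC_ZONES' , '';` ahead of the check looks right, since the value is presumably normalised before it is tested and a stale setting in an old shorewall.conf then fails the compile with a clear message rather than being silently ignored. get_configuration's body starts and ends outside the hunk.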
@ -638,20 +638,6 @@ sub add_common_rules() {
|
||||
}
|
||||
}
|
||||
|
||||
if ( $config{DYNAMIC_ZONES} ) {
|
||||
for $interface ( all_interfaces ) {
|
||||
for $chain ( dynamic_chains $interface ) {
|
||||
new_standard_chain $chain;
|
||||
}
|
||||
|
||||
new_nat_chain( $chain = dynamic_in($interface) );
|
||||
|
||||
add_rule $filter_table->{input_chain $interface}, '-j ' . dynamic_in $interface;
|
||||
add_rule $filter_table->{forward_chain $interface}, '-j ' . dynamic_fwd $interface;
|
||||
add_rule $filter_table->{output_chain $interface}, '-j ' . dynamic_out $interface;
|
||||
}
|
||||
}
|
||||
|
||||
$list = find_interfaces_by_option 'upnp';
|
||||
|
||||
if ( @$list ) {
|
||||
@ -1573,10 +1559,6 @@ sub generate_matrix() {
|
||||
my $type = $zoneref->{type};
|
||||
my $source_ref = ( $zoneref->{hosts}{ipsec4} ) || {};
|
||||
|
||||
if ( $config{DYNAMIC_ZONES} ) {
|
||||
create_zone_dyn_chain $zone, $frwd_ref if ( scalar keys %$source_ref ) || ( $type eq 'ipsec4' );
|
||||
}
|
||||
|
||||
for my $interface ( sort { interface_number( $a ) <=> interface_number( $b ) } keys %$source_ref ) {
|
||||
my $sourcechainref;
|
||||
my $interfacematch = '';
|
||||
@ -1625,11 +1607,6 @@ sub generate_matrix() {
|
||||
insert_exclusions $dnatref, $exclusions if $dnatref->{referenced};
|
||||
}
|
||||
|
||||
if ( $config{DYNAMIC_ZONES} ) {
|
||||
push @rule_chains , [ firewall_zone , $zone , $chain1 ] if $chain1;
|
||||
push @rule_chains , [ $zone , firewall_zone , $chain2 ];
|
||||
}
|
||||
|
||||
if ( $nested ) {
|
||||
#
|
||||
# This is a sub-zone. We need to determine if
|
||||
@ -1831,8 +1808,6 @@ sub generate_matrix() {
|
||||
|
||||
next unless $chain; # CONTINUE policy with no rules
|
||||
|
||||
push @rule_chains, [ $zone , $zone1 , $chain ] if $config{DYNAMIC_ZONES};
|
||||
|
||||
my $num_ifaces = 0;
|
||||
|
||||
if ( $zone eq $zone1 ) {
|
||||
@ -1952,13 +1927,6 @@ sub generate_matrix() {
|
||||
|
||||
addnatjump 'PREROUTING' , 'nat_in' , '';
|
||||
addnatjump 'POSTROUTING' , 'nat_out' , '';
|
||||
|
||||
if ( $config{DYNAMIC_ZONES} ) {
|
||||
for my $interface ( @interfaces ) {
|
||||
addnatjump 'PREROUTING' , dynamic_in( $interface ), match_source_dev( $interface );
|
||||
}
|
||||
}
|
||||
|
||||
addnatjump 'PREROUTING', 'dnat', '';
|
||||
|
||||
for my $interface ( @interfaces ) {
|
||||
|
@ -403,7 +403,11 @@ ipsec net 0.0.0.0/0</programlisting>
|
||||
zones and add and delete remote endpoints dynamically using
|
||||
/sbin/shorewall. With Shorewall 2.0.2 Beta 1 and later versions, this
|
||||
capability must be enabled by setting DYNAMIC_ZONES=Yes in <ulink
|
||||
url="manpages/shorewall.conf.html">shorewall.conf</ulink>.</para>
|
||||
url="manpages/shorewall.conf.html">shorewall.conf</ulink>.<important>
|
||||
<para>DYNAMIC_ZONES=Yes is not supported by Shorewall-perl 4.2.0 or
|
||||
later versions. Use <ulink url="ipsets.html#Dynamic">dynamic zones
|
||||
defined by ipsets</ulink> instead.</para>
|
||||
</important></para>
|
||||
|
||||
<para>In /etc/shorewall/zones:</para>
|
||||
|
||||
|
@ -482,6 +482,9 @@
|
||||
role="bold">yes</emphasis>, enables dynamic zones. DYNAMIC_ZONES=Yes
|
||||
is not allowed in configurations that will run under Shorewall
|
||||
Lite.</para>
|
||||
|
||||
<para>DYNAMIC_ZONES=Yes is not supported by Shorewall-perl 4.2.0 and
|
||||
later.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|