extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2024-11-22 23:53:30 +01:00
Code Issues Packages Projects Releases Wiki Activity

DYNAMIC_ZONES=Yes is no longer supported by Shorewall-perl

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8563 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2008-06-13 02:56:51 +00:00
parent c2ee4eb2ba
commit af3aa96964
7 changed files with 31 additions and 53 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
Shorewall-common/changelog.txt
View File

@ -6,6 +6,8 @@ Changes in 4.2.0-Beta2
3) HELPER column in tcrules. 3) HELPER column in tcrules.
4) De-implement DYNAMIC_ZONES=Yes in Shorewall-perl.
Changes in 4.2.0-Beta1 Changes in 4.2.0-Beta1
1) Fix handling of firewall marks. 1) Fix handling of firewall marks.

5
Shorewall-common/releasenotes.txt
View File

@ -75,6 +75,9 @@ Migration Issues.
Note that there is a new 'Rfc1918' macro that acts on addresses Note that there is a new 'Rfc1918' macro that acts on addresses
reserved by RFC 1918. reserved by RFC 1918.
7) DYNAMIC_ZONES=Yes is no longer supported by Shorewall-perl. Use
ipset-based zones instead.
Problems Corrected in Shorewall 4.2.0 Beta 2 Problems Corrected in Shorewall 4.2.0 Beta 2
1) When 'norfc1918' was specified on an interface with an RFC 1918 IP 1) When 'norfc1918' was specified on an interface with an RFC 1918 IP
@ -120,6 +123,8 @@ Other Changes in Shoreall 4.2.0 Beta 2.
See http://www.shorewall.net/traffic_shaping.htm for an example. See http://www.shorewall.net/traffic_shaping.htm for an example.
3) DYNAMIC_ZONES=Yes is no longer supported by Shorewall-perl.
None. None.
New Features in Shorewall 4.2. New Features in Shorewall 4.2.

32
Shorewall-perl/Shorewall/Chains.pm
View File

@ -589,16 +589,12 @@ sub chain_base($) {
$chain; $chain;
} }
sub chain_base_cond($) {
$config{DYNAMIC_ZONES} ? chain_base($_[0]) : $_[0];
}
# #
# Forward Chain for an interface # Forward Chain for an interface
# #
sub forward_chain($) sub forward_chain($)
{ {
chain_base_cond($_[0]) . '_fwd'; chain_base($_[0]) . '_fwd';
} }
# #
@ -625,7 +621,7 @@ sub use_forward_chain($) {
# #
sub input_chain($) sub input_chain($)
{ {
chain_base_cond($_[0]) . '_in'; chain_base($_[0]) . '_in';
} }
# #
@ -669,7 +665,7 @@ sub use_input_chain($) {
# #
sub output_chain($) sub output_chain($)
{ {
chain_base_cond($_[0]) . '_out'; chain_base_($_[0]) . '_out';
} }
# #
@ -713,7 +709,7 @@ sub use_output_chain($) {
# #
sub masq_chain($) sub masq_chain($)
{ {
chain_base_cond($_[0]) . '_masq'; chain_base($_[0]) . '_masq';
} }
# #
@ -728,12 +724,12 @@ sub syn_flood_chain ( $ ) {
# #
sub mac_chain( $ ) sub mac_chain( $ )
{ {
chain_base_cond($_[0]) . '_mac'; chain_base($_[0]) . '_mac';
} }
sub macrecent_target($) sub macrecent_target($)
{ {
$config{MACLIST_TTL} ? chain_base_cond($_[0]) . '_rec' : 'RETURN'; $config{MACLIST_TTL} ? chain_base($_[0]) . '_rec' : 'RETURN';
} }
# #
@ -741,22 +737,22 @@ sub macrecent_target($)
# #
sub dynamic_fwd( $ ) sub dynamic_fwd( $ )
{ {
chain_base_cond($_[0]) . '_dynf'; chain_base($_[0]) . '_dynf';
} }
sub dynamic_in( $ ) sub dynamic_in( $ )
{ {
chain_base_cond($_[0]) . '_dyni'; chain_base($_[0]) . '_dyni';
} }
sub dynamic_out( $ ) # $1 = interface sub dynamic_out( $ ) # $1 = interface
{ {
chain_base_cond($_[0]) . '_dyno'; chain_base($_[0]) . '_dyno';
} }
sub dynamic_chains( $ ) #$1 = interface sub dynamic_chains( $ ) #$1 = interface
{ {
my $c = chain_base_cond($_[0]); my $c = chain_base($_[0]);
( $c . '_dyni' , $c . '_dynf' , $c . '_dyno' ); ( $c . '_dyni' , $c . '_dynf' , $c . '_dyno' );
} }
@ -771,7 +767,7 @@ sub zone_dynamic_chain( $ ) # $1 = zone
# #
sub dnat_chain( $ ) sub dnat_chain( $ )
{ {
chain_base_cond($_[0]) . '_dnat'; chain_base($_[0]) . '_dnat';
} }
# #
@ -779,7 +775,7 @@ sub dnat_chain( $ )
# #
sub snat_chain( $ ) sub snat_chain( $ )
{ {
chain_base_cond($_[0]) . '_snat'; chain_base($_[0]) . '_snat';
} }
# #
@ -787,7 +783,7 @@ sub snat_chain( $ )
# #
sub ecn_chain( $ ) sub ecn_chain( $ )
{ {
chain_base_cond($_[0]) . '_ecn'; chain_base($_[0]) . '_ecn';
} }
# #
@ -795,7 +791,7 @@ sub ecn_chain( $ )
# #
sub first_chains( $ ) #$1 = interface sub first_chains( $ ) #$1 = interface
{ {
my $c = chain_base_cond($_[0]); my $c = chain_base($_[0]);
( $c . '_fwd', $c . '_in' ); ( $c . '_fwd', $c . '_in' );
} }

2
Shorewall-perl/Shorewall/Config.pm
View File

@ -1870,7 +1870,7 @@ sub get_configuration( $ ) {
default_yes_no 'DISABLE_IPV6' , ''; default_yes_no 'DISABLE_IPV6' , '';
default_yes_no 'DYNAMIC_ZONES' , ''; default_yes_no 'DYNAMIC_ZONES' , '';
fatal_error "DYNAMIC_ZONES=Yes is incompatible with the -e option" if $config{DYNAMIC_ZONES} && $export; fatal_error "DYNAMIC_ZONES=Yes is not supported by Shorewall-perl $global{VERSION}" if $config{DYNAMIC_ZONES};
default_yes_no 'BRIDGING' , ''; default_yes_no 'BRIDGING' , '';

32
Shorewall-perl/Shorewall/Rules.pm
View File

@ -638,20 +638,6 @@ sub add_common_rules() {
} }
} }
if ( $config{DYNAMIC_ZONES} ) {
for $interface ( all_interfaces ) {
for $chain ( dynamic_chains $interface ) {
new_standard_chain $chain;
}
new_nat_chain( $chain = dynamic_in($interface) );
add_rule $filter_table->{input_chain $interface}, '-j ' . dynamic_in $interface;
add_rule $filter_table->{forward_chain $interface}, '-j ' . dynamic_fwd $interface;
add_rule $filter_table->{output_chain $interface}, '-j ' . dynamic_out $interface;
}
}
$list = find_interfaces_by_option 'upnp'; $list = find_interfaces_by_option 'upnp';
if ( @$list ) { if ( @$list ) {
@ -1573,10 +1559,6 @@ sub generate_matrix() {
my $type = $zoneref->{type}; my $type = $zoneref->{type};
my $source_ref = ( $zoneref->{hosts}{ipsec4} ) || {}; my $source_ref = ( $zoneref->{hosts}{ipsec4} ) || {};
if ( $config{DYNAMIC_ZONES} ) {
create_zone_dyn_chain $zone, $frwd_ref if ( scalar keys %$source_ref ) || ( $type eq 'ipsec4' );
}
for my $interface ( sort { interface_number( $a ) <=> interface_number( $b ) } keys %$source_ref ) { for my $interface ( sort { interface_number( $a ) <=> interface_number( $b ) } keys %$source_ref ) {
my $sourcechainref; my $sourcechainref;
my $interfacematch = ''; my $interfacematch = '';
@ -1625,11 +1607,6 @@ sub generate_matrix() {
insert_exclusions $dnatref, $exclusions if $dnatref->{referenced}; insert_exclusions $dnatref, $exclusions if $dnatref->{referenced};
} }
if ( $config{DYNAMIC_ZONES} ) {
push @rule_chains , [ firewall_zone , $zone , $chain1 ] if $chain1;
push @rule_chains , [ $zone , firewall_zone , $chain2 ];
}
if ( $nested ) { if ( $nested ) {
# #
# This is a sub-zone. We need to determine if # This is a sub-zone. We need to determine if
@ -1831,8 +1808,6 @@ sub generate_matrix() {
next unless $chain; # CONTINUE policy with no rules next unless $chain; # CONTINUE policy with no rules
push @rule_chains, [ $zone , $zone1 , $chain ] if $config{DYNAMIC_ZONES};
my $num_ifaces = 0; my $num_ifaces = 0;
if ( $zone eq $zone1 ) { if ( $zone eq $zone1 ) {
@ -1952,13 +1927,6 @@ sub generate_matrix() {
addnatjump 'PREROUTING' , 'nat_in' , ''; addnatjump 'PREROUTING' , 'nat_in' , '';
addnatjump 'POSTROUTING' , 'nat_out' , ''; addnatjump 'POSTROUTING' , 'nat_out' , '';
if ( $config{DYNAMIC_ZONES} ) {
for my $interface ( @interfaces ) {
addnatjump 'PREROUTING' , dynamic_in( $interface ), match_source_dev( $interface );
}
}
addnatjump 'PREROUTING', 'dnat', ''; addnatjump 'PREROUTING', 'dnat', '';
for my $interface ( @interfaces ) { for my $interface ( @interfaces ) {

6
docs/IPSEC.xml
View File

@ -403,7 +403,11 @@ ipsec net 0.0.0.0/0</programlisting>
zones and add and delete remote endpoints dynamically using zones and add and delete remote endpoints dynamically using
/sbin/shorewall. With Shorewall 2.0.2 Beta 1 and later versions, this /sbin/shorewall. With Shorewall 2.0.2 Beta 1 and later versions, this
capability must be enabled by setting DYNAMIC_ZONES=Yes in <ulink capability must be enabled by setting DYNAMIC_ZONES=Yes in <ulink
url="manpages/shorewall.conf.html">shorewall.conf</ulink>.</para> url="manpages/shorewall.conf.html">shorewall.conf</ulink>.<important>
<para>DYNAMIC_ZONES=Yes is not supported by Shorewall-perl 4.2.0 or
later versions. Use <ulink url="ipsets.html#Dynamic">dynamic zones
defined by ipsets</ulink> instead.</para>
</important></para>
<para>In /etc/shorewall/zones:</para> <para>In /etc/shorewall/zones:</para>

3
manpages/shorewall.conf.xml
View File

@ -482,6 +482,9 @@
role="bold">yes</emphasis>, enables dynamic zones. DYNAMIC_ZONES=Yes role="bold">yes</emphasis>, enables dynamic zones. DYNAMIC_ZONES=Yes
is not allowed in configurations that will run under Shorewall is not allowed in configurations that will run under Shorewall
Lite.</para> Lite.</para>
<para>DYNAMIC_ZONES=Yes is not supported by Shorewall-perl 4.2.0 and
later.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>