DYNAMIC_ZONES=Yes is no longer supported by Shorewall-perl

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8563 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2008-06-13 02:56:51 +00:00
parent c2ee4eb2ba
commit af3aa96964
7 changed files with 31 additions and 53 deletions


@ -6,6 +6,8 @@ Changes in 4.2.0-Beta2
3) HELPER column in tcrules. 3) HELPER column in tcrules.
4) De-implement DYNAMIC_ZONES=Yes in Shorewall-perl.
Changes in 4.2.0-Beta1 Changes in 4.2.0-Beta1
1) Fix handling of firewall marks. 1) Fix handling of firewall marks.


@ -75,6 +75,9 @@ Migration Issues.
Note that there is a new 'Rfc1918' macro that acts on addresses Note that there is a new 'Rfc1918' macro that acts on addresses
reserved by RFC 1918. reserved by RFC 1918.
7) DYNAMIC_ZONES=Yes is no longer supported by Shorewall-perl. Use
ipset-based zones instead.
Problems Corrected in Shorewall 4.2.0 Beta 2 Problems Corrected in Shorewall 4.2.0 Beta 2
1) When 'norfc1918' was specified on an interface with an RFC 1918 IP 1) When 'norfc1918' was specified on an interface with an RFC 1918 IP
@ -118,7 +121,9 @@ Other Changes in Shoreall 4.2.0 Beta 2.
column names one of the Netfilter protocol 'helper' module sets column names one of the Netfilter protocol 'helper' module sets
(ftp, sip, amanda, etc). (ftp, sip, amanda, etc).
See http://www.shorewall.net/traffic_shaping.htm for an example. See http://www.shorewall.net/traffic_shaping.htm for an example.
3) DYNAMIC_ZONES=Yes is no longer supported by Shorewall-perl.
None. None.


@ -589,16 +589,12 @@ sub chain_base($) {
$chain; $chain;
} }
sub chain_base_cond($) {
$config{DYNAMIC_ZONES} ? chain_base($_[0]) : $_[0];
}
# #
# Forward Chain for an interface # Forward Chain for an interface
# #
sub forward_chain($) sub forward_chain($)
{ {
chain_base_cond($_[0]) . '_fwd'; chain_base($_[0]) . '_fwd';
} }
# #
@ -625,7 +621,7 @@ sub use_forward_chain($) {
# #
sub input_chain($) sub input_chain($)
{ {
chain_base_cond($_[0]) . '_in'; chain_base($_[0]) . '_in';
} }
# #
@ -669,7 +665,7 @@ sub use_input_chain($) {
# #
sub output_chain($) sub output_chain($)
{ {
chain_base_cond($_[0]) . '_out'; chain_base_($_[0]) . '_out';
} }
# #
@ -713,7 +709,7 @@ sub use_output_chain($) {
# #
sub masq_chain($) sub masq_chain($)
{ {
chain_base_cond($_[0]) . '_masq'; chain_base($_[0]) . '_masq';
} }
# #
@ -728,12 +724,12 @@ sub syn_flood_chain ( $ ) {
# #
sub mac_chain( $ ) sub mac_chain( $ )
{ {
chain_base_cond($_[0]) . '_mac'; chain_base($_[0]) . '_mac';
} }
sub macrecent_target($) sub macrecent_target($)
{ {
$config{MACLIST_TTL} ? chain_base_cond($_[0]) . '_rec' : 'RETURN'; $config{MACLIST_TTL} ? chain_base($_[0]) . '_rec' : 'RETURN';
} }
# #
@ -741,22 +737,22 @@ sub macrecent_target($)
# #
sub dynamic_fwd( $ ) sub dynamic_fwd( $ )
{ {
chain_base_cond($_[0]) . '_dynf'; chain_base($_[0]) . '_dynf';
} }
sub dynamic_in( $ ) sub dynamic_in( $ )
{ {
chain_base_cond($_[0]) . '_dyni'; chain_base($_[0]) . '_dyni';
} }
sub dynamic_out( $ ) # $1 = interface sub dynamic_out( $ ) # $1 = interface
{ {
chain_base_cond($_[0]) . '_dyno'; chain_base($_[0]) . '_dyno';
} }
sub dynamic_chains( $ ) #$1 = interface sub dynamic_chains( $ ) #$1 = interface
{ {
my $c = chain_base_cond($_[0]); my $c = chain_base($_[0]);
( $c . '_dyni' , $c . '_dynf' , $c . '_dyno' ); ( $c . '_dyni' , $c . '_dynf' , $c . '_dyno' );
} }
@ -771,7 +767,7 @@ sub zone_dynamic_chain( $ ) # $1 = zone
# #
sub dnat_chain( $ ) sub dnat_chain( $ )
{ {
chain_base_cond($_[0]) . '_dnat'; chain_base($_[0]) . '_dnat';
} }
# #
@ -779,7 +775,7 @@ sub dnat_chain( $ )
# #
sub snat_chain( $ ) sub snat_chain( $ )
{ {
chain_base_cond($_[0]) . '_snat'; chain_base($_[0]) . '_snat';
} }
# #
@ -787,7 +783,7 @@ sub snat_chain( $ )
# #
sub ecn_chain( $ ) sub ecn_chain( $ )
{ {
chain_base_cond($_[0]) . '_ecn'; chain_base($_[0]) . '_ecn';
} }
# #
@ -795,7 +791,7 @@ sub ecn_chain( $ )
# #
sub first_chains( $ ) #$1 = interface sub first_chains( $ ) #$1 = interface
{ {
my $c = chain_base_cond($_[0]); my $c = chain_base($_[0]);
( $c . '_fwd', $c . '_in' ); ( $c . '_fwd', $c . '_in' );
} }
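Review bot: The new body of output_chain calls `chain_base_($_[0])`, a sub that is not defined anywhere on the page, while every sibling in this section calls `chain_base`; this looks like a typo that would fail at runtime with an undefined-subroutine error the first time output_chain is used, so the line should read `chain_base($_[0]) . '_out';`. Separately, dynamic_fwd, dynamic_in, dynamic_out and dynamic_chains are kept in this file even though the commit removes their DYNAMIC_ZONES callers in Rules.pm; if nothing else calls them they are now dead code, which is worth confirming before the release.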


@ -1870,7 +1870,7 @@ sub get_configuration( $ ) {
default_yes_no 'DISABLE_IPV6' , ''; default_yes_no 'DISABLE_IPV6' , '';
default_yes_no 'DYNAMIC_ZONES' , ''; default_yes_no 'DYNAMIC_ZONES' , '';
fatal_error "DYNAMIC_ZONES=Yes is incompatible with the -e option" if $config{DYNAMIC_ZONES} && $export; fatal_error "DYNAMIC_ZONES=Yes is not supported by Shorewall-perl $global{VERSION}" if $config{DYNAMIC_ZONES};
default_yes_no 'BRIDGING' , ''; default_yes_no 'BRIDGING' , '';
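Review bot: The retained `default_yes_no 'DYNAMIC_ZONES' , ''` line now exists only to feed the new fatal_error on the following line, which is not obvious to a reader who sees the option still being parsed as if it were implemented. A comment above it such as `# DYNAMIC_ZONES is still parsed only so that a legacy setting of Yes produces a clear diagnostic; the feature itself is no longer implemented in Shorewall-perl` would record that intent. The enclosing get_configuration starts and ends outside the hunk.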


@ -638,20 +638,6 @@ sub add_common_rules() {
} }
} }
if ( $config{DYNAMIC_ZONES} ) {
for $interface ( all_interfaces ) {
for $chain ( dynamic_chains $interface ) {
new_standard_chain $chain;
}
new_nat_chain( $chain = dynamic_in($interface) );
add_rule $filter_table->{input_chain $interface}, '-j ' . dynamic_in $interface;
add_rule $filter_table->{forward_chain $interface}, '-j ' . dynamic_fwd $interface;
add_rule $filter_table->{output_chain $interface}, '-j ' . dynamic_out $interface;
}
}
$list = find_interfaces_by_option 'upnp'; $list = find_interfaces_by_option 'upnp';
if ( @$list ) { if ( @$list ) {
@ -1573,10 +1559,6 @@ sub generate_matrix() {
my $type = $zoneref->{type}; my $type = $zoneref->{type};
my $source_ref = ( $zoneref->{hosts}{ipsec4} ) || {}; my $source_ref = ( $zoneref->{hosts}{ipsec4} ) || {};
if ( $config{DYNAMIC_ZONES} ) {
create_zone_dyn_chain $zone, $frwd_ref if ( scalar keys %$source_ref ) || ( $type eq 'ipsec4' );
}
for my $interface ( sort { interface_number( $a ) <=> interface_number( $b ) } keys %$source_ref ) { for my $interface ( sort { interface_number( $a ) <=> interface_number( $b ) } keys %$source_ref ) {
my $sourcechainref; my $sourcechainref;
my $interfacematch = ''; my $interfacematch = '';
@ -1625,11 +1607,6 @@ sub generate_matrix() {
insert_exclusions $dnatref, $exclusions if $dnatref->{referenced}; insert_exclusions $dnatref, $exclusions if $dnatref->{referenced};
} }
if ( $config{DYNAMIC_ZONES} ) {
push @rule_chains , [ firewall_zone , $zone , $chain1 ] if $chain1;
push @rule_chains , [ $zone , firewall_zone , $chain2 ];
}
if ( $nested ) { if ( $nested ) {
# #
# This is a sub-zone. We need to determine if # This is a sub-zone. We need to determine if
@ -1831,8 +1808,6 @@ sub generate_matrix() {
next unless $chain; # CONTINUE policy with no rules next unless $chain; # CONTINUE policy with no rules
push @rule_chains, [ $zone , $zone1 , $chain ] if $config{DYNAMIC_ZONES};
my $num_ifaces = 0; my $num_ifaces = 0;
if ( $zone eq $zone1 ) { if ( $zone eq $zone1 ) {
@ -1952,13 +1927,6 @@ sub generate_matrix() {
addnatjump 'PREROUTING' , 'nat_in' , ''; addnatjump 'PREROUTING' , 'nat_in' , '';
addnatjump 'POSTROUTING' , 'nat_out' , ''; addnatjump 'POSTROUTING' , 'nat_out' , '';
if ( $config{DYNAMIC_ZONES} ) {
for my $interface ( @interfaces ) {
addnatjump 'PREROUTING' , dynamic_in( $interface ), match_source_dev( $interface );
}
}
addnatjump 'PREROUTING', 'dnat', ''; addnatjump 'PREROUTING', 'dnat', '';
for my $interface ( @interfaces ) { for my $interface ( @interfaces ) {


@ -403,7 +403,11 @@ ipsec net 0.0.0.0/0</programlisting>
zones and add and delete remote endpoints dynamically using zones and add and delete remote endpoints dynamically using
/sbin/shorewall. With Shorewall 2.0.2 Beta 1 and later versions, this /sbin/shorewall. With Shorewall 2.0.2 Beta 1 and later versions, this
capability must be enabled by setting DYNAMIC_ZONES=Yes in <ulink capability must be enabled by setting DYNAMIC_ZONES=Yes in <ulink
url="manpages/shorewall.conf.html">shorewall.conf</ulink>.</para> url="manpages/shorewall.conf.html">shorewall.conf</ulink>.<important>
<para>DYNAMIC_ZONES=Yes is not supported by Shorewall-perl 4.2.0 or
later versions. Use <ulink url="ipsets.html#Dynamic">dynamic zones
defined by ipsets</ulink> instead.</para>
</important></para>
<para>In /etc/shorewall/zones:</para> <para>In /etc/shorewall/zones:</para>


@ -482,6 +482,9 @@
role="bold">yes</emphasis>, enables dynamic zones. DYNAMIC_ZONES=Yes role="bold">yes</emphasis>, enables dynamic zones. DYNAMIC_ZONES=Yes
is not allowed in configurations that will run under Shorewall is not allowed in configurations that will run under Shorewall
Lite.</para> Lite.</para>
<para>DYNAMIC_ZONES=Yes is not supported by Shorewall-perl 4.2.0 and
later.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>