Add nets= OPTION to the interfaces file

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9520 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2009-02-23 23:39:46 +00:00
parent 734085e83b
commit dba858068c
4 changed files with 86 additions and 5 deletions

@ -314,7 +314,7 @@ sub setup_blacklist() {
if ( $first_entry ) {
unless ( @$hosts ) {
warning_message q(The entries in $fn have been ignored because there are no 'blacklist' interfaces);
warning_message qq(The entries in $fn have been ignored because there are no 'blacklist' interfaces);
close_file;
last BLACKLIST;
}
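Review bot: the `q()` to `qq()` switch is the right fix for `$fn` never being interpolated into the warning, and the nested single quotes around 'blacklist' are unaffected by it; since this is a bug fix unrelated to the nets= feature named in the commit title, it deserves a line in the commit message so it is not lost when the change is searched for later.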

@ -600,8 +600,8 @@ sub validate_interfaces_file( $ )
ENUM_IF_OPTION => 3,
NUMERIC_IF_OPTION => 4,
OBSOLETE_IF_OPTION => 5,
IPLIST_IF_OPTION => 6,
MASK_IF_OPTION => 7,
IF_OPTION_ZONEONLY => 8 };
my %validoptions;
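Review bot: IF_OPTION_ZONEONLY => 8 is a flag bit that gets added onto a type value (see the `nets` entry later in this file), whereas entries 3..6 are enumerated types, and MASK_IF_OPTION => 7 only makes sense if the type is meant to be extracted with a mask; the constant list gives no hint of that split, so a short comment marking where the type values end and the flag bits begin would stop a future `=> 8` type from silently colliding with the flag.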
@ -615,6 +615,7 @@ sub validate_interfaces_file( $ )
dhcp => SIMPLE_IF_OPTION,
maclist => SIMPLE_IF_OPTION,
logmartians => BINARY_IF_OPTION,
nets => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY,
norfc1918 => SIMPLE_IF_OPTION,
nosmurfs => SIMPLE_IF_OPTION,
optional => SIMPLE_IF_OPTION,
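Review bot: `IPLIST_IF_OPTION + IF_OPTION_ZONEONLY` works only because 6 and 8 have no bits in common; a bitwise `IPLIST_IF_OPTION | IF_OPTION_ZONEONLY` states that intent directly and cannot yield a wrong value if the constants are ever renumbered.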
@ -650,6 +651,8 @@ sub validate_interfaces_file( $ )
while ( read_a_line ) {
my $nets;
if ( $first_entry ) {
progress_message2 "$doing $fn...";
$first_entry = 0;
@ -737,7 +740,7 @@ sub validate_interfaces_file( $ )
if ( $options ) {
for my $option (split_list $options, 'option' ) {
for my $option (split_list1 $options, 'option' ) {
next if $option eq '-';
( $option, my $value ) = split /=/, $option;
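Review bot: moving to `split_list1` is what lets a parenthesized `nets=(a,b)` value survive the comma split on the OPTIONS column, but the `( $option, my $value ) = split /=/, $option;` that follows has no field limit, so any value containing a second '=' is truncated without an error; `split /=/, $option, 2` keeps the remainder in `$value` and makes the later "requires a value" check meaningful for such input.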
@ -776,6 +779,13 @@ sub validate_interfaces_file( $ )
my $numval = numeric_value $value;
fatal_error "Invalid value ($value) for option $option" unless defined $numval;
$options{$option} = $numval;
} elsif ( $type == IPLIST_IF_OPTION ) {
fatal_error "The $option option requires a value" unless defined $value;
fatal_error "Duplicate $option option" if $nets;
$value =~ s/\)$// if $value =~ s/^\(//;
$value = join ',' , ALLIP , $value if $value =~ /^!/;
$nets = [ split_list $value, 'address' ];
$options{broadcast} = 1;
} else {
warning_message "Support for the $option interface option has been removed from Shorewall-perl";
}
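Review bot: `$value =~ s/\)$// if $value =~ s/^\(//;` accepts an unbalanced `(a,b` without complaint and leaves a bare `a,b)` untouched, so the stray parenthesis ends up inside the last address and is only caught, if at all, by later address validation; raising `fatal_error` when exactly one of the two parentheses is present would reject both forms at the source. Separately, the exclusion rewrite uses the constant `ALLIP` here while the next hunk calls the function `allip` for the same purpose; the two appear to denote the same thing and one spelling should be used throughout.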
@ -803,9 +813,9 @@ sub validate_interfaces_file( $ )
push @ifaces, $interface;
my @networks = allip;
$nets = [ allip ] unless $nets;
add_group_to_zone( $zone, $zoneref->{type}, $interface, \@networks, $optionsref ) if $zone;
add_group_to_zone( $zone, $zoneref->{type}, $interface, $nets, $optionsref ) if $zone;
$interfaces{$interface}{zone} = $zone; #Must follow the call to add_group_to_zone()
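Review bot: `$nets = [ allip ] unless $nets;` keeps the old behaviour for entries without nets=, but `$nets` is still populated (and `$options{broadcast}` set) for entries whose ZONE is '-' and therefore never reach `add_group_to_zone`; the `nets` option carries IF_OPTION_ZONEONLY, so the rejection of nets= on zone-less entries presumably happens where that flag is checked, which this diff does not show, and that check is worth confirming before merge.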

@ -1,2 +1,9 @@
Changes in Shorewall 4.3.5
1) Remove support for shorewall-shell.
2) Combine shorewall-common and shorewall-perl to product shorewall.
3) Add nets= OPTION in interfaces file.
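Review bot: "to product shorewall" in item 2 reads as a typo for "to produce shorewall".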

@ -4,6 +4,13 @@ Shorewall 4.3.5
R E L E A S E 4 . 4 H I G H L I G H T S
----------------------------------------------------------------------------
1) Support for Shorewall-shell has been discontinued. Shorewall-perl
has been combined with Shorewall-common to produce a single
Shorewall package.
2) The interfaces file OPTIONs have been extended to largely remove the
need for the hosts file.
Problems corrected in 4.3.5
None.
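Review bot: the file header still says "Shorewall 4.3.5" and the "Problems corrected in 4.3.5" heading is kept, while the highlights banner now reads "R E L E A S E 4 . 4"; the version references in this file should be made consistent in the same commit.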
@ -14,3 +21,60 @@ None.
New Features in Shorewall 4.3.5
New Features in Shorewall 4.4
1) The Shorewall packaging has been completely revamped in Shorewall
4.4.
The new packages are:
- Shorewall. Includes the former Shorewall-common and
Shorewall-perl packages. Includes everything needed
to create an IPv4 firewall.
- Shorewall6. Requires Shorewall. Adds the components necessary to
create an IPv6 firewall.
- Shorewall-lite
May be installed on a firewall system to run
IPv4 firewall scripts generated by Shorewall.
- Shorewall6-lite
May be installed on a firewall system to run
IPv6 firewall scripts generated by Shorewall.
2) The interfaces file supports a new 'nets=' option. This option
allows users to restrict a zone's definition to particular networks
through an interface without having to use the hosts file.
Example interfaces file:
#ZONE INTERFACE BROADCAST OPTIONS
loc eth3 detect dhcp,logmartians=1,routefilter=1,nets=172.20.1.0/24
dmz eth4 detect logmartians=1,routefilter=1,nets=206.124.146.177
net eth0 detect dhcp,blacklist,tcpflags,optional,routefilter=0,nets=(!172.20.0.0/24,206.124.146.177)
net eth2 detect dhcp,blacklist,tcpflags,optional,upnp,routefilter=0,nets=(!172.20.0.0/24,206.124.146.177)
loc tun+ detect nets=172.20.0.0/24
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
Note that when more than one network address is listed, the list
must be enclosed in parentheses. Notice also that exclusion may be
used.
The first entry in the above interfaces file is equivalent to the
following:
interfaces:
#ZONE INTERFACE BROADCAST OPTIONS
- eth0 detect dhcp,logmartians=1,routefilter=1
hosts:
#ZONE HOST(S) OPTIONS
loc $INT_IF:192.20.1.0/24 broadcast
Note that the 'broadcast' option is automatically assumed and need
not be explicitly specified.
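Review bot: the "equivalent to the following" example does not match the entry it claims to restate: the first entry in the sample interfaces file is `loc eth3 ... nets=172.20.1.0/24`, but the supposedly equivalent interfaces line names `eth0`, the hosts line uses `$INT_IF`, and the network there is `192.20.1.0/24`; the interface (eth3) and network (172.20.1.0/24) should be the same in both halves so the reader can see exactly what nets= replaces. The section also now contains both "New Features in Shorewall 4.3.5" and "New Features in Shorewall 4.4" headings, so confirm only the 4.4 one survives in the rendered file.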