Add NULL_ROUTE_RFC1918 option

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8375 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2008-03-29 00:35:00 +00:00
parent 8f47e47efa
commit f3323ef6fb
5 changed files with 46 additions and 7 deletions

@ -18,6 +18,8 @@ Changes in 4.1.7
9) Add ORIGINAL DEST column to macros. 9) Add ORIGINAL DEST column to macros.
10) Add NULL_ROUTE_RFC1918 option.
Changes in 4.1.6 Changes in 4.1.6
1) Deprecate IMPLICIT_CONTINUE=Yes 1) Deprecate IMPLICIT_CONTINUE=Yes

@ -196,8 +196,14 @@ New Features in 4.1.7.
The column must be left empty if the macro is to be used in the The column must be left empty if the macro is to be used in the
body of an action. body of an action.
Note that the position of the ORIGINAL DEST column is different The new column is placed between the SOURCE PORT(S) and RATE LIMIT
from its position in the /etc/shorewall/rules file. Beware! columns. So that Shorewall-perl can determine which column layout
each macro has, a new FORMAT directive is added:
FORMAT {1|2}
The default is FORMAT 1 which is the old format. FORMAT 2 specifies
that the macro is in the new format.
5) Shorewall-perl implements a new Rfc1918 macro that deals with 5) Shorewall-perl implements a new Rfc1918 macro that deals with
RFC 1918 addresses. This macro should be used in place of RFC 1918 addresses. This macro should be used in place of
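Review bot: the FORMAT directive is introduced here without saying where it must appear in a macro file, whether it may be repeated, or what happens when it is absent on a macro written in the new layout. Because FORMAT 2 moves ORIGINAL DEST ahead of RATE LIMIT, a FORMAT 2 macro read by a compiler that does not honour the directive would treat the ORIGINAL DEST value as a rate limit and fail in a confusing way; state that FORMAT must precede the first rule line, and say explicitly whether Shorewall-shell accepts FORMAT 2 macros or only Shorewall-perl does, so users know which compiler can consume the new Rfc1918 macro below.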
@ -205,17 +211,33 @@ New Features in 4.1.7.
The macro body is: The macro body is:
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/ ORIGINAL #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT(S) PORT(S) LIMIT GROUP DEST # PORT(S) PORT(S) DEST LIMIT GROUP
FORMAT 2
PARAM SOURCE:10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 \ PARAM SOURCE:10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 \
DEST - - - - - - DEST - - - - - -
PARAM SOURCE DEST - - - - - 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 PARAM SOURCE DEST - - - 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
The 'norfc1918' option on the interface associated with zone 'z' The 'norfc1918' option on the interface associated with zone 'z'
and with RFC1018_STRICT=Yes is equivalent to: and with RFC1018_STRICT=Yes is equivalent to:
Rfc1918(DROP) z all Rfc1918(DROP) z all
6) A better way to perform RFC 1918 filtration is to null-route the
address ranges reserved by RFC 1918. You can do that by setting the
new NULL_ROUTE_RFC1918 option to 'Yes' in shorewall.conf.
It is highly recommended that you also set ROUTE_FILTER=Yes to get
Martian messages. These will help diagnose problems where you need
to be able to access hosts with RFC 1918 addresses that are outside
of your local networks. Sometimes, these can be subtle such as the
case where your ISP is using RFC 1918 addresses on their DHCP
servers.
NULL_ROUTE_RFC1918 defaults to 'No' and is only supported by
Shorewall-perl; Shorewall-shell ignores the option.
New Features in Shorewall 4.1. New Features in Shorewall 4.1.
1) Shorewall 4.1 contains support for multiple Internet providers 1) Shorewall 4.1 contains support for multiple Internet providers
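Review bot: the claim in 6) that null routing is "a better way to perform RFC 1918 filtration" overstates what "ip route replace unreachable" does: a route only affects packets whose destination falls in the three aggregates, so a packet arriving on the external interface with an RFC 1918 source address is not dropped by the null route, it is merely denied a reply. That is the real reason ROUTE_FILTER=Yes belongs next to this option (rp_filter rejects the packet once the null route makes its source unreachable), so consider making it a requirement rather than a recommendation, and note that rp_filter drops silently unless the kernel's log_martians is also enabled; check that ROUTE_FILTER=Yes actually turns that on, or name the option that does, since the text implies ROUTE_FILTER alone yields Martian messages. The paragraph should also reassure the reader that locally attached RFC 1918 subnets keep working because their more specific connected routes win over the /8, /12 and /16 unreachable routes, which is exactly the worry a reader will have before enabling it. In the unchanged context of 5), "RFC1018_STRICT=Yes" is a typo for RFC1918_STRICT=Yes.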

@ -357,6 +357,7 @@ sub initialize() {
DONT_LOAD => '', DONT_LOAD => '',
AUTO_COMMENT => undef , AUTO_COMMENT => undef ,
MANGLE_ENABLED => undef , MANGLE_ENABLED => undef ,
NULL_ROUTE_RFC1918 => undef ,
# #
# Packet Disposition # Packet Disposition
# #
@ -1894,6 +1895,7 @@ sub get_configuration( $ ) {
default_yes_no 'MULTICAST' , ''; default_yes_no 'MULTICAST' , '';
default_yes_no 'MARK_IN_FORWARD_CHAIN' , ''; default_yes_no 'MARK_IN_FORWARD_CHAIN' , '';
default_yes_no 'MANGLE_ENABLED' , 'Yes'; default_yes_no 'MANGLE_ENABLED' , 'Yes';
default_yes_no 'NULL_ROUTE_RFC1918' , '';
$capabilities{XCONNMARK} = '' unless $capabilities{XCONNMARK_MATCH} and $capabilities{XMARK}; $capabilities{XCONNMARK} = '' unless $capabilities{XCONNMARK_MATCH} and $capabilities{XMARK};
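Review bot: NULL_ROUTE_RFC1918 is parsed and defaulted here, but none of the five files in this commit is shorewall.conf, its manpage or the sample configurations, so a user reading only those will never find the option; add a commented NULL_ROUTE_RFC1918=No entry and a manpage paragraph matching the release notes, including the statement that Shorewall-shell ignores it. The '' default does match "defaults to No" in the release notes.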

@ -45,7 +45,7 @@ our @EXPORT = qw( ALLIPv4
ip_range_explicit ip_range_explicit
expand_port_range expand_port_range
allipv4 allipv4
rfc1918_neworks rfc1918_networks
resolve_proto resolve_proto
proto_name proto_name
validate_port validate_port
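Review bot: correcting rfc1918_neworks to rfc1918_networks in the export list means the function was never actually exported before this commit, so the Providers.pm hunk is its first caller outside the module and any earlier importer would have died under use strict. The fix is required by the new feature and should be called out in the changelog; also grep the tree for the misspelled name to be sure nothing else imports it.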

@ -454,6 +454,19 @@ sub add_an_rtrule( $$$$ ) {
} }
sub setup_providers() { sub setup_providers() {
#
# This probably doesn't belong here but looking forward to the day when we get Shorewall out of the routing business,
# it makes sense to keep all of the routing code together
#
if ( $config{NULL_ROUTE_RFC1918} ) {
emit 'if [ -z "$NOROUTES" ]; then';
push_indent;
save_progress_message "Null Routing the RFC 1918 subnets";
emit "run_ip route replace unreachable $_" for rfc1918_networks;
pop_indent;
emit "fi\n";
}
my $providers = 0; my $providers = 0;
my $fn = open_file 'providers'; my $fn = open_file 'providers';
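Review bot: the unreachable routes are installed under if [ -z "$NOROUTES" ] but nothing in this patch removes them, so after shorewall stop or clear, or after a restart with the option set back to No, the three RFC 1918 aggregates stay unreachable in the main table until reboot; either emit matching "run_ip route del unreachable" lines on the stop/clear path or document that the routes persist. Two smaller points: with providers configured the routes land in the main table, so they only take effect for traffic that consults main before a provider table (confirm this holds for the fwmark and source rules setup_providers generates), and the block sits at the top of setup_providers, which the comment itself flags as the wrong home; make sure this function still runs on systems with no providers file, otherwise the option is silently a no-op exactly where single-ISP users would expect it to work.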