diff --git a/Shorewall-common/changelog.txt b/Shorewall-common/changelog.txt
index 520d77d20..297f4eb16 100644
--- a/Shorewall-common/changelog.txt
+++ b/Shorewall-common/changelog.txt
@@ -1,3 +1,7 @@
+Changes in Shorewall 4.3.2
+
+1) Added 'dhcp' option.
+
 Changes in Shorewall 4.3.1
 1) Allow addresses in rules to be enclosed in square brackets.
diff --git a/Shorewall-common/releasenotes.txt b/Shorewall-common/releasenotes.txt
index 7abe6848a..de5d0f303 100644
--- a/Shorewall-common/releasenotes.txt
+++ b/Shorewall-common/releasenotes.txt
@@ -1,32 +1,18 @@
-Shorewall 4.3.1
+Shorewall 4.3.2
 ----------------------------------------------------------------------------
 R E L E A S E 4 . 3 H I G H L I G H T S
 ----------------------------------------------------------------------------
 1) Support is included for IPv6.
-Problems Corrected in 4.3.1
+Problems Corrected in 4.3.2
-1) Shorewall6 parsing of the hosts file HOSTS column has been
- corrected.
+ None.
-Other changes in 4.3.1
+Other changes in 4.3.2
-1) It is now permitted to enclose addresses in [] even when an
- interface name is not specified.
-
- Example:
-
- ACCEPT net:[2001:1::1] $FW
-
-2) The Socket6 perl module is only required now if DNS names appear in
- your Shorewall6 configuration files.
-
-3) Shorewall6 now recognizes IPv4 addresses embedded in the IPv6
- address space (e.g., ::ffff:192.168.1.3).
-
-4) IP_FORWARDING has been added back into shorewall6.conf and works
- like the corresponding option in Shorewall.
+1) The 'dhcp' option has been added to accomodate IPv6 DHCP (UDP ports
+ 546 and 547).
 Migration Issues.
@@ -64,6 +50,7 @@ New Features in Shorewall 4.3
 blacklist
 bridge
+ dhcp
 optional
 routeback
 sourceroute
@@ -93,8 +80,14 @@ New Features in Shorewall 4.3
 The HOSTS column in /etc/shorewall6/hosts also uses this convention:
- #ZONE HOSTS OPTIONS
- chat6 eth0:[2001:19f0:feee::dead:beef:cafe]
+ #ZONE HOSTS OPTIONS
+ chat6 eth0:[2001:19f0:feee::dead:beef:cafe]
+
+ Even when an interface is not specified, it is permitted to
+ enclose addresses in [] to improve readability. Example:
+
+ #ACTION SOURCE DEST
+ ACCEPT net:[2001:1::1] $FW
 g) There are currently no Shorewall6 or Shorewall6-lite manpages.
diff --git a/Shorewall-perl/Shorewall/Compiler.pm b/Shorewall-perl/Shorewall/Compiler.pm
index 0094650da..1ad965d44 100644
--- a/Shorewall-perl/Shorewall/Compiler.pm
+++ b/Shorewall-perl/Shorewall/Compiler.pm
@@ -516,25 +516,21 @@ EOF
 emit 'do_iptables -A OUTPUT -o lo -j ACCEPT' unless $config{ADMINISABSENTMINDED};
- if ( $family == F_IPV4 ) {
- my $interfaces = find_interfaces_by_option 'dhcp';
+ my $interfaces = find_interfaces_by_option 'dhcp';
+ if ( @$interfaces ) {
+ my $ports = $family == F_IPV4 ? '67:68' : '546:547';
+
 for my $interface ( @$interfaces ) {
- emit "do_iptables -A INPUT -p udp -i $interface --dport 67:68 -j ACCEPT";
- emit "do_iptables -A OUTPUT -p udp -o $interface --dport 67:68 -j ACCEPT" unless $config{ADMINISABSENTMINDED};
+ emit "do_iptables -A INPUT -p udp -i $interface --dport $ports -j ACCEPT";
+ emit "do_iptables -A OUTPUT -p udp -o $interface --dport $ports -j ACCEPT" unless $config{ADMINISABSENTMINDED};
 #
 # This might be a bridge
 #
- emit "do_iptables -A FORWARD -p udp -i $interface -o $interface --dport 67:68 -j ACCEPT";
+ emit "do_iptables -A FORWARD -p udp -i $interface -o $interface --dport $ports-j ACCEPT";
 }
- } else {
- for my $interface ( all_bridges ) {
- emit "do_iptables -A FORWARD -p 58 -i $interface -o $interface -j ACCEPT";
- }
 }
- emit '';
-
 if ( $family == F_IPV4 ) {
 if ( $config{IP_FORWARDING} eq 'on' ) {
 emit( 'echo 1 > /proc/sys/net/ipv4/ip_forward',
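Review bot: The rewritten FORWARD emit inside the `for my $interface ( @$interfaces )` loop lost the space before `-j`, so the generated script carries `--dport 67:68-j ACCEPT` (or `546:547-j`), which iptables rejects as a malformed port range; depending on how `do_iptables` reacts that presumably either aborts firewall start or silently leaves the bridge rule out. The line should read `emit "do_iptables -A FORWARD -p udp -i $interface -o $interface --dport $ports -j ACCEPT";`. The same `$family == F_IPV4 ? '67:68' : '546:547'` ternary is introduced again in the Rules.pm hunk of this commit; one shared helper or constant would keep the two port lists from drifting apart. The enclosing sub starts before this hunk and continues past it.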
@@ -545,6 +541,10 @@ EOF
 );
 }
 } else {
+ for my $interface ( all_bridges ) {
+ emit "do_iptables -A FORWARD -p 58 -i $interface -o $interface -j ACCEPT";
+ }
+
 if ( $config{IP_FORWARDING} eq 'on' ) {
 emit( 'echo 1 > /proc/sys/net/ipv6/conf/all/forwarding',
 'progress_message2 IP Forwarding Enabled' );
diff --git a/Shorewall-perl/Shorewall/Rules.pm b/Shorewall-perl/Shorewall/Rules.pm
index e62223e88..5c99c0132 100644
--- a/Shorewall-perl/Shorewall/Rules.pm
+++ b/Shorewall-perl/Shorewall/Rules.pm
@@ -595,21 +595,23 @@ sub add_common_rules() {
 add_rule $rejectref , '-j REJECT';
 }
- if ( $family == F_IPV4 ) {
- $list = find_interfaces_by_option 'dhcp';
+ $list = find_interfaces_by_option 'dhcp';
+
+ if ( @$list ) {
+ progress_message2 'Adding rules for DHCP';
- if ( @$list ) {
- progress_message2 'Adding rules for DHCP';
-
- for $interface ( @$list ) {
- for $chain ( input_chain $interface, output_chain $interface ) {
- add_rule $filter_table->{$chain} , '-p udp --dport 67:68 -j ACCEPT';
- }
-
- add_rule $filter_table->{forward_chain $interface} , "-p udp -o $interface --dport 67:68 -j ACCEPT" if get_interface_option( $interface, 'bridge' );
+ my $ports = $family == F_IPV4 ? '67:68' : '546:547';
+
+ for $interface ( @$list ) {
+ for $chain ( input_chain $interface, output_chain $interface ) {
+ add_rule $filter_table->{$chain} , "-p udp --dport $ports -j ACCEPT";
 }
+
+ add_rule $filter_table->{forward_chain $interface} , "-p udp -o $interface --dport $ports -j ACCEPT" if get_interface_option( $interface, 'bridge' );
 }
+ }
+ if ( $family == F_IPV4 ) {
 $list = find_hosts_by_option 'norfc1918';
 setup_rfc1918_filteration $list if @$list;
 }
diff --git a/Shorewall-perl/Shorewall/Zones.pm b/Shorewall-perl/Shorewall/Zones.pm
index 6a8b26215..c8b7dd490 100644
--- a/Shorewall-perl/Shorewall/Zones.pm
+++ b/Shorewall-perl/Shorewall/Zones.pm
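Review bot: The bridge loop now placed at the head of the IPv6 else branch emits `-p 58` with nothing saying what protocol that is; 58 is ICMPv6, which a reader coming from the IPv4 side will not recognise on sight. Suggest `# Protocol 58 is ICMPv6` on the line above `for my $interface ( all_bridges ) {` so the accept rule is self-explaining. The enclosing sub starts before this hunk and continues past it.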
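Review bot: `my $ports = $family == F_IPV4 ? '67:68' : '546:547';` carries two magic port ranges with no explanation; a comment such as `# DHCPv4 uses UDP 67/68; DHCPv6 (RFC 3315) uses UDP 546 (client) and 547 (server)` above it would document what the option opens. The Compiler.pm hunk in this commit emits its FORWARD rule for every dhcp interface, whereas here it is guarded by `get_interface_option( $interface, 'bridge' )`; if that asymmetry is intentional, a one-line comment saying so would save the next reader a comparison. `add_common_rules` continues outside this hunk.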
@@ -627,6 +627,7 @@ sub validate_interfaces_file( $ )
 } else {
 %validoptions = ( blacklist => SIMPLE_IF_OPTION,
 bridge => SIMPLE_IF_OPTION,
+ dhcp => SIMPLE_IF_OPTION,
 optional => SIMPLE_IF_OPTION,
 routeback => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY,
 sourceroute => BINARY_IF_OPTION,