Add 'dhcp' option for IPv6

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9005 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2024-11-23 08:03:11 +01:00 · 2008-12-12 16:08:20 +00:00 · 2008-12-12 16:08:20 +00:00 · f6c3dba1b9
commit f6c3dba1b9
parent 9a3deaaf51
5 changed files with 44 additions and 44 deletions
--- a/Shorewall-common/changelog.txt
+++ b/Shorewall-common/changelog.txt
@ -1,3 +1,7 @@
+Changes in Shorewall 4.3.2
+
+1) Added 'dhcp' option.
+
 Changes in Shorewall 4.3.1

 1) Allow addresses in rules to be enclosed in square brackets.
--- a/Shorewall-common/releasenotes.txt
+++ b/Shorewall-common/releasenotes.txt
@ -1,32 +1,18 @@
-Shorewall 4.3.1
+Shorewall 4.3.2

 ----------------------------------------------------------------------------
               R E L E A S E  4 . 3  H I G H L I G H T S
 ----------------------------------------------------------------------------
 1) Support is included for IPv6.

-Problems Corrected in 4.3.1
+Problems Corrected in 4.3.2

-1) Shorewall6 parsing of the hosts file HOSTS column has been
-   corrected.
+    None.

-Other changes in 4.3.1
+Other changes in 4.3.2

-1) It is now permitted to enclose addresses in [] even when an
-   interface name is not specified.
-
-   Example:
-
-	ACCEPT	net:[2001:1::1]	$FW
-
-2) The Socket6 perl module is only required now if DNS names appear in
-   your Shorewall6 configuration files.
-
-3) Shorewall6 now recognizes IPv4 addresses embedded in the IPv6
-   address space (e.g., ::ffff:192.168.1.3).
-
-4) IP_FORWARDING has been added back into shorewall6.conf and works
-   like the corresponding option in Shorewall.
+1)  The 'dhcp' option has been added to accomodate IPv6 DHCP (UDP ports
+    546 and 547).

 Migration Issues.

@ -64,6 +50,7 @@ New Features in Shorewall 4.3

 	blacklist
        bridge
+	dhcp
 	optional
 	routeback
 	sourceroute
@ -93,8 +80,14 @@ New Features in Shorewall 4.3
       The HOSTS column in /etc/shorewall6/hosts also uses this
       convention:

-       #ZONE      HOSTS					OPTIONS
-       chat6	  eth0:[2001:19f0:feee::dead:beef:cafe]
+           #ZONE      HOSTS					OPTIONS
+           chat6      eth0:[2001:19f0:feee::dead:beef:cafe]
+
+       Even when an interface is not specified, it is permitted to
+       enclose addresses in [] to improve readability. Example:
+
+           #ACTION      SOURCE		DEST
+	   ACCEPT	net:[2001:1::1]	$FW

   g)  There are currently no Shorewall6 or Shorewall6-lite manpages.

--- a/Shorewall-perl/Shorewall/Compiler.pm
+++ b/Shorewall-perl/Shorewall/Compiler.pm
@ -516,25 +516,21 @@ EOF

    emit 'do_iptables -A OUTPUT -o lo -j ACCEPT' unless $config{ADMINISABSENTMINDED};

-    if ( $family == F_IPV4 ) {
-	my $interfaces = find_interfaces_by_option 'dhcp';
+    my $interfaces = find_interfaces_by_option 'dhcp';
+
+    if ( @$interfaces ) {
+	my $ports = $family == F_IPV4 ? '67:68' : '546:547';
 	
 	for my $interface ( @$interfaces ) {
-	    emit "do_iptables -A INPUT  -p udp -i $interface --dport 67:68 -j ACCEPT";
-	    emit "do_iptables -A OUTPUT -p udp -o $interface --dport 67:68 -j ACCEPT" unless $config{ADMINISABSENTMINDED};
+	    emit "do_iptables -A INPUT  -p udp -i $interface --dport $ports -j ACCEPT";
+	    emit "do_iptables -A OUTPUT -p udp -o $interface --dport $ports -j ACCEPT" unless $config{ADMINISABSENTMINDED};
 	    #
 	    # This might be a bridge
 	    #
-	    emit "do_iptables -A FORWARD -p udp -i $interface -o $interface --dport 67:68 -j ACCEPT";
-	}
-    } else {
-	for my $interface ( all_bridges ) {
-	    emit "do_iptables -A FORWARD -p 58 -i $interface -o $interface -j ACCEPT";
+	    emit "do_iptables -A FORWARD -p udp -i $interface -o $interface --dport $ports-j ACCEPT";
 	}
    }

-    emit '';
-
    if ( $family == F_IPV4 ) {
 	if ( $config{IP_FORWARDING} eq 'on' ) {
 	    emit( 'echo 1 > /proc/sys/net/ipv4/ip_forward',
@ -545,6 +541,10 @@ EOF
 		);
 	}
    } else {
+	for my $interface ( all_bridges ) {
+	    emit "do_iptables -A FORWARD -p 58 -i $interface -o $interface -j ACCEPT";
+	}	    
+
 	if ( $config{IP_FORWARDING} eq 'on' ) {
 	    emit( 'echo 1 > /proc/sys/net/ipv6/conf/all/forwarding',
 		  'progress_message2 IP Forwarding Enabled' );
--- a/Shorewall-perl/Shorewall/Rules.pm
+++ b/Shorewall-perl/Shorewall/Rules.pm
@ -595,21 +595,23 @@ sub add_common_rules() {
 	add_rule $rejectref , '-j REJECT';
    }

-    if ( $family == F_IPV4 ) {
-	$list = find_interfaces_by_option 'dhcp';
+    $list = find_interfaces_by_option 'dhcp';
    
-	if ( @$list ) {
-	    progress_message2 'Adding rules for DHCP';
+    if ( @$list ) {
+	progress_message2 'Adding rules for DHCP';

-	    for $interface ( @$list ) {
-		for $chain ( input_chain $interface, output_chain $interface ) {
-		    add_rule $filter_table->{$chain} , '-p udp --dport 67:68 -j ACCEPT';
-		}
+	my $ports = $family == F_IPV4 ? '67:68' : '546:547';
 	
-		add_rule $filter_table->{forward_chain $interface} , "-p udp -o $interface --dport 67:68 -j ACCEPT" if get_interface_option( $interface, 'bridge' );
+	for $interface ( @$list ) {
+	    for $chain ( input_chain $interface, output_chain $interface ) {
+		add_rule $filter_table->{$chain} , "-p udp --dport $ports -j ACCEPT";
 	    }
-	}
 	    
+	    add_rule $filter_table->{forward_chain $interface} , "-p udp -o $interface --dport $ports -j ACCEPT" if get_interface_option( $interface, 'bridge' );
+	}
+    }
+
+    if ( $family == F_IPV4 ) {
 	$list = find_hosts_by_option 'norfc1918';
 	setup_rfc1918_filteration $list if @$list;
    }
--- a/Shorewall-perl/Shorewall/Zones.pm
+++ b/Shorewall-perl/Shorewall/Zones.pm
@ -627,6 +627,7 @@ sub validate_interfaces_file( $ )
    } else {
 	%validoptions = (  blacklist   => SIMPLE_IF_OPTION,
 			   bridge      => SIMPLE_IF_OPTION,
+			   dhcp        => SIMPLE_IF_OPTION,
 			   optional    => SIMPLE_IF_OPTION,
 			   routeback   => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY,
 			   sourceroute => BINARY_IF_OPTION,