Verify physdev match if BRIDGING=Yes
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1602 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
2fca478477
commit
0649e6ad70
@ -60,3 +60,5 @@ Changes since 2.0.3
|
|||||||
28) Apply Richard Musil's patch.
|
28) Apply Richard Musil's patch.
|
||||||
|
|
||||||
29) Correct parsing of PROTO column in setup_tc1().
|
29) Correct parsing of PROTO column in setup_tc1().
|
||||||
|
|
||||||
|
30) Verify Physdev match if BRIDGING=Yes
|
||||||
|
@ -2503,6 +2503,10 @@ check_config() {
|
|||||||
|
|
||||||
verify_os_version
|
verify_os_version
|
||||||
|
|
||||||
|
if [ -n "$BRIDGING" ]; then
|
||||||
|
[ -n "$PHYSDEV_MATCH" || startup_error "BRIDGING=Yes requires Physdev Match support in your Kernel and iptables"
|
||||||
|
fi
|
||||||
|
|
||||||
echo "Determining Zones..."
|
echo "Determining Zones..."
|
||||||
|
|
||||||
determine_zones
|
determine_zones
|
||||||
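Review bot: The new test on the `[ -n "$PHYSDEV_MATCH" || startup_error ...` line inside the `if [ -n "$BRIDGING" ]` block is missing its closing `]`, so `[` exits non-zero with a "missing ]" error and the `||` branch fires every time, making every BRIDGING=Yes configuration abort at startup even when physdev match was detected. The line should read `[ -n "$PHYSDEV_MATCH" ] || startup_error "BRIDGING=Yes requires Physdev Match support in your Kernel and iptables"`. Also, PHYSDEV_MATCH is only populated by determine_capabilities(), and nothing visible in this hunk runs capability detection before the check in check_config(), so confirm it has already run at this point or the check will fail spuriously. check_config()'s body starts and ends outside the hunk.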
@ -5187,11 +5191,13 @@ determine_capabilities() {
|
|||||||
CONNTRACK_MATCH=
|
CONNTRACK_MATCH=
|
||||||
MULTIPORT=
|
MULTIPORT=
|
||||||
POLICY_MATCH=
|
POLICY_MATCH=
|
||||||
|
PHYSDEV_MATCH=
|
||||||
|
|
||||||
if qt iptables -N fooX1234 ; then
|
if qt iptables -N fooX1234 ; then
|
||||||
qt iptables -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
|
qt iptables -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
|
||||||
qt iptables -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT && MULTIPORT=Yes
|
qt iptables -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT && MULTIPORT=Yes
|
||||||
qt iptables -A fooX1234 -m policy --pol ipsec --dir in -j ACCEPT && POLICY_MATCH=Yes
|
qt iptables -A fooX1234 -m policy --pol ipsec --dir in -j ACCEPT && POLICY_MATCH=Yes
|
||||||
|
qt iptables -A fooX1234 -m physdev --physdev-in eth0 -j ACCEPT && PHYSDEV_MATCH=Yes
|
||||||
|
|
||||||
|
|
||||||
qt iptables -F fooX1234
|
qt iptables -F fooX1234
|
||||||
@ -5225,6 +5231,7 @@ report_capabilities() {
|
|||||||
report_capability $CONNTRACK_MATCH "Connection Tracking Match"
|
report_capability $CONNTRACK_MATCH "Connection Tracking Match"
|
||||||
report_capability $PKTTYPE "Packet Type Match"
|
report_capability $PKTTYPE "Packet Type Match"
|
||||||
report_capability $POLICY_MATCH "Policy Match"
|
report_capability $POLICY_MATCH "Policy Match"
|
||||||
|
report_capability $PHYSDEV_MATCH "Physdev Match"
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
@ -5239,6 +5246,10 @@ initialize_netfilter () {
|
|||||||
|
|
||||||
report_capabilities
|
report_capabilities
|
||||||
|
|
||||||
|
if [ -n "$BRIDGING" ]; then
|
||||||
|
[ -n "$PHYSDEV_MATCH" || startup_error "BRIDGING=Yes requires Physdev Match support in your Kernel and iptables"
|
||||||
|
fi
|
||||||
|
|
||||||
echo "Determining Zones..."
|
echo "Determining Zones..."
|
||||||
|
|
||||||
determine_zones
|
determine_zones
|
||||||
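Review bot: The same missing `]` is on the `[ -n "$PHYSDEV_MATCH" || startup_error ...` line here: `[` never sees a closing bracket, fails with "missing ]", and startup_error runs unconditionally whenever BRIDGING is set, regardless of the detected capability. The fix is `[ -n "$PHYSDEV_MATCH" ] || startup_error "BRIDGING=Yes requires Physdev Match support in your Kernel and iptables"`. Placing the check after report_capabilities is the right order, since PHYSDEV_MATCH is set by the capability probe that precedes it; the identical block in check_config() presumably serves the standalone check path, so if both are kept, a small shared helper (e.g. `verify_bridging_capabilities`) would avoid maintaining the test in two places. initialize_netfilter() continues outside the hunk.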
|
@ -420,6 +420,7 @@ New Features:
|
|||||||
See the comments at the top of /etc/shorewall/accounting for
|
See the comments at the top of /etc/shorewall/accounting for
|
||||||
details.
|
details.
|
||||||
|
|
||||||
|
13) Shorewall now verifies that your kernel and iptables have physdev
|
||||||
|
match support if BRIDGING=Yes in shorewall.conf.
|
||||||
|
|
||||||
|
|
||||||
|