Restore 'haveroute' and add 'persistent' to proxyarp
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1113 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
e322b27dda
commit
427808d8c2
@ -18,4 +18,5 @@ Changes since 1.4.10
|
||||
|
||||
9) Get installer/uninstaller to work.
|
||||
|
||||
10) Restore HAVEROUTE and add PERSISTENT column to the proxy arp file.
|
||||
|
||||
|
@ -1342,22 +1342,72 @@ setup_tunnels() # $1 = name of tunnels file
|
||||
#
|
||||
setup_proxy_arp() {
|
||||
|
||||
print_error() {
|
||||
error_message "Invalid value for HAVEROUTE - ($haveroute)"
|
||||
error_message "Entry \"$address $interface $external $haveroute\" ignored"
|
||||
}
|
||||
|
||||
print_error1() {
|
||||
error_message "Invalid value for PERSISTENT - ($persistent)"
|
||||
error_message "Entry \"$address $interface $external $haveroute $persistent\" ignored"
|
||||
}
|
||||
|
||||
print_warning() {
|
||||
error_message "PERSISTENT setting ignored - ($persistent)"
|
||||
error_message "Entry \"$address $interface $external $haveroute $persistent\""
|
||||
}
|
||||
|
||||
setup_one_proxy_arp() {
|
||||
|
||||
case $haveroute in
|
||||
[Nn][Oo])
|
||||
haveroute=
|
||||
;;
|
||||
[Yy][Ee][Ss])
|
||||
;;
|
||||
*)
|
||||
if [ -n "$haveroute" ]; then
|
||||
print_error
|
||||
return
|
||||
fi
|
||||
;;
|
||||
esac
|
||||
|
||||
case $persistent in
|
||||
[Nn][Oo])
|
||||
persistent=
|
||||
;;
|
||||
[Yy][Ee][Ss])
|
||||
;;
|
||||
*)
|
||||
if [ -n "$persistent" ]; then
|
||||
print_error1
|
||||
return
|
||||
fi
|
||||
|
||||
[ -z "$haveroute" ] || print_warning
|
||||
;;
|
||||
esac
|
||||
|
||||
if [ -z "$haveroute" ]; then
|
||||
run_ip route replace $address dev $interface
|
||||
[ -n "$persistent" ] && haveroute=yes
|
||||
fi
|
||||
|
||||
run_arp -Ds $address $external pub
|
||||
|
||||
echo 1 > /proc/sys/net/ipv4/conf/$interface/proxy_arp
|
||||
echo 0 > /proc/sys/net/ipv4/conf/$external/proxy_arp
|
||||
|
||||
echo $address $interface $external yes >> ${STATEDIR}/proxyarp
|
||||
echo $address $interface $external $haveroute >> ${STATEDIR}/proxyarp
|
||||
|
||||
echo " Host $address connected to $interface added to ARP on $external"
|
||||
}
|
||||
|
||||
> ${STATEDIR}/proxyarp
|
||||
|
||||
while read address interface external; do
|
||||
expandv address interface external
|
||||
while read address interface external haveroute persistent; do
|
||||
expandv address interface external haveroute persistent
|
||||
setup_one_proxy_arp
|
||||
done < $TMP_DIR/proxyarp
|
||||
|
||||
@ -1521,10 +1571,6 @@ delete_proxy_arp() {
|
||||
if [ -f ${STATEDIR}/proxyarp ]; then
|
||||
while read address interface external haveroute; do
|
||||
qt arp -i $external -d $address pub
|
||||
#
|
||||
# 1.x Shorewall included a mechanism for automatically
|
||||
# adding routes
|
||||
#
|
||||
[ -z "$haveroute" ] && qt ip route del $address dev $interface
|
||||
done < ${STATEDIR}/proxyarp
|
||||
|
||||
|
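Review bot: In the setup_proxy_arp hunk, the PERSISTENT warning is wired into the wrong arm of `case $persistent`: `[ -z "$haveroute" ] || print_warning` sits in the `*)` branch, so every valid entry with HAVEROUTE=yes and an empty PERSISTENT column prints "PERSISTENT setting ignored - ()", while the case the message is written for (HAVEROUTE=yes together with PERSISTENT=yes) never reaches it because the `[Yy][Ee][Ss])` arm is empty. Move the line into that arm, `[Yy][Ee][Ss]) [ -z "$haveroute" ] || print_warning ;;`, and leave the `*)` arm with only the print_error1 check and its `return`. It would also help a reader to note at the two `return`s that a rejected entry leaves no line in `${STATEDIR}/proxyarp`, so delete_proxy_arp (second hunk) correctly has nothing to undo for it. setup_proxy_arp's closing brace lies outside the hunk.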
@ -14,6 +14,22 @@
|
||||
# you may enter "-" in this column.
|
||||
# EXTERNAL External Interface to be used to access this system
|
||||
#
|
||||
# HAVEROUTE If there is already a route from the firewall to
|
||||
# the host whose address is given, enter "Yes" or "yes"
|
||||
# in this column. Otherwise, entry "no", "No" or leave
|
||||
# the column empty and Shorewall will add the route for
|
||||
# you. If Shorewall adds the route,the route will be
|
||||
# persistent if the PERSISTENT column contains Yes;
|
||||
# otherwise, "shorewall stop" or "shorewall clear" will
|
||||
# delete the route.
|
||||
#
|
||||
# PERSISTENT If HAVEROUTE is No or "no", then the value of this
|
||||
# column determines if the route added by Shorewall
|
||||
# persists after a "shorewall stop" or a "shorewall
|
||||
# clear". If this column contains "Yes" or "yes" then
|
||||
# the route persists; If the column is empty or contains
|
||||
# "No"or "no" then the route is deleted at "shorewall
|
||||
# stop" or "shorewall clear".
|
||||
#
|
||||
# Example: Host with IP 155.186.235.6 is connected to
|
||||
# interface eth1 and we want hosts attached via eth0
|
||||
@ -22,5 +38,5 @@
|
||||
# #ADDRESS INTERFACE EXTERNAL
|
||||
# 155.186.235.6 eth1 eth0
|
||||
##############################################################################
|
||||
#ADDRESS INTERFACE EXTERNAL
|
||||
#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
@ -1,7 +1,7 @@
|
||||
Shorewall 2.0.0-Alpha1
|
||||
Shorewall 2.0.0-Alpha2
|
||||
|
||||
This is a major release of Shorewall. During the Alpha and Beta stages,
|
||||
the product name is changed to "Shoreall2" so that Shorewall version 1
|
||||
the product name is changed to "Shorewall2" so that Shorewall version 1
|
||||
and Shorewall version 2 may coexist on a system.
|
||||
|
||||
The following name changes have occured:
|
||||
@ -21,11 +21,11 @@ To switch from shorewall version 1 to shorewall version 2:
|
||||
|
||||
To switch back:
|
||||
|
||||
shoewall restart
|
||||
shorewall restart
|
||||
|
||||
In the first release candidate, the product name will return to
|
||||
"Shorewall". The installer (install.sh) will only be able to upgrade
|
||||
to Shoreall 2.0 from Shorewall version 1.4.0 or later.
|
||||
to Shorewall 2.0 from Shorewall version 1.4.0 or later.
|
||||
|
||||
During the Alpha and Beta periods, there will be no RPMs nor will there
|
||||
be any documentation tarballs. Note that the installer does NOT attempt
|
||||
@ -50,17 +50,12 @@ Issues when migrating from Shorewall to Shorewall2:
|
||||
NAT_BEFORE_RULES=No had been specified. In other words, DNAT rules
|
||||
now always take precidence over one-to-one NAT specifications.
|
||||
|
||||
3) The HAVEROUTE column has been removed from
|
||||
/etc/shorewall2/proxyarp. Shorewall2 will no longer automatically add
|
||||
routes for Proxy ARP hosts. Use your distribution's static route
|
||||
capability to add these routes instead.
|
||||
|
||||
4) The default value for the ALL INTERFACES column in
|
||||
3) The default value for the ALL INTERFACES column in
|
||||
/etc/shorewall2/nat has changed. In Shorewall, if the column was
|
||||
left empty, a value of "Yes" was assumed. This has been changed so
|
||||
that a value of "No" is now assumed.
|
||||
|
||||
5) The following files don't exist in Shorewall2:
|
||||
4) The following files don't exist in Shorewall2:
|
||||
|
||||
/etc/shorewall2/common.def
|
||||
/etc/shorewall2/common
|
||||
@ -142,7 +137,7 @@ Issues when migrating from Shorewall to Shorewall2:
|
||||
Drop:DROP
|
||||
Reject:REJECT
|
||||
|
||||
6) The /etc/shorewall2 directory no longer contains a 'users' file or a
|
||||
5) The /etc/shorewall2 directory no longer contains a 'users' file or a
|
||||
'usersets' file. Similar functionality is now available using
|
||||
user-defined actions.
|
||||
|
||||
@ -160,10 +155,10 @@ Issues when migrating from Shorewall to Shorewall2:
|
||||
[!]:<group number>
|
||||
[!]<user id>:<group id>
|
||||
[!]<user number>:<group id>
|
||||
[!]<user number>:<group id>
|
||||
[!]<user id>:<group number>
|
||||
[!]<user number>:<group number>
|
||||
|
||||
7) It is no longer possible to specify rate limiting in the ACTION
|
||||
6) It is no longer possible to specify rate limiting in the ACTION
|
||||
column of /etc/shorewall2/rules -- you must use the RATE LIMIT
|
||||
column.
|
||||
|
||||
@ -182,5 +177,9 @@ New Features:
|
||||
simply add a fw->fw policy and fw->fw rules. If you have neither a
|
||||
fw->fw policy nor fw->fw rules, all fw->fw traffic is allowed.
|
||||
|
||||
4) There is a new PERSISTENT column in the proxyarp file. A value of
|
||||
"Yes" in this column means that the route added by Shorewall for
|
||||
this host will remain after a "shorewall stop" or "shorewall clear".
|
||||
|
||||
|
||||
|
||||
|