holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

Restore 'haveroute' and add 'persistent' to proxyarp

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1113 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2004-02-01 18:39:39 +00:00
parent e322b27dda
commit 427808d8c2
4 changed files with 84 additions and 22 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
Shorewall2/changelog.txt
View File

@ -18,4 +18,5 @@ Changes since 1.4.10
9) Get installer/uninstaller to work. 9) Get installer/uninstaller to work.
10) Restore HAVEROUTE and add PERSISTENT column to the proxy arp file.

60
Shorewall2/firewall
View File

@ -1342,22 +1342,72 @@ setup_tunnels() # $1 = name of tunnels file
# #
setup_proxy_arp() { setup_proxy_arp() {
print_error() {
error_message "Invalid value for HAVEROUTE - ($haveroute)"
error_message "Entry \"$address $interface $external $haveroute\" ignored"
}
print_error1() {
error_message "Invalid value for PERSISTENT - ($persistent)"
error_message "Entry \"$address $interface $external $haveroute $persistent\" ignored"
}
print_warning() {
error_message "PERSISTENT setting ignored - ($persistent)"
error_message "Entry \"$address $interface $external $haveroute $persistent\""
}
setup_one_proxy_arp() { setup_one_proxy_arp() {
case $haveroute in
[Nn][Oo])
haveroute=
;;
[Yy][Ee][Ss])
;;
*)
if [ -n "$haveroute" ]; then
print_error
return
fi
;;
esac
case $persistent in
[Nn][Oo])
persistent=
;;
[Yy][Ee][Ss])
;;
*)
if [ -n "$persistent" ]; then
print_error1
return
fi
[ -z "$haveroute" ] || print_warning
;;
esac
if [ -z "$haveroute" ]; then
run_ip route replace $address dev $interface
[ -n "$persistent" ] && haveroute=yes
fi
run_arp -Ds $address $external pub run_arp -Ds $address $external pub
echo 1 > /proc/sys/net/ipv4/conf/$interface/proxy_arp echo 1 > /proc/sys/net/ipv4/conf/$interface/proxy_arp
echo 0 > /proc/sys/net/ipv4/conf/$external/proxy_arp echo 0 > /proc/sys/net/ipv4/conf/$external/proxy_arp
echo $address $interface $external yes >> ${STATEDIR}/proxyarp echo $address $interface $external $haveroute >> ${STATEDIR}/proxyarp
echo " Host $address connected to $interface added to ARP on $external" echo " Host $address connected to $interface added to ARP on $external"
} }
> ${STATEDIR}/proxyarp > ${STATEDIR}/proxyarp
while read address interface external; do while read address interface external haveroute persistent; do
expandv address interface external expandv address interface external haveroute persistent
setup_one_proxy_arp setup_one_proxy_arp
done < $TMP_DIR/proxyarp done < $TMP_DIR/proxyarp
@ -1521,10 +1571,6 @@ delete_proxy_arp() {
if [ -f ${STATEDIR}/proxyarp ]; then if [ -f ${STATEDIR}/proxyarp ]; then
while read address interface external haveroute; do while read address interface external haveroute; do
qt arp -i $external -d $address pub qt arp -i $external -d $address pub
#
# 1.x Shorewall included a mechanism for automatically
# adding routes
#
[ -z "$haveroute" ] && qt ip route del $address dev $interface [ -z "$haveroute" ] && qt ip route del $address dev $interface
done < ${STATEDIR}/proxyarp done < ${STATEDIR}/proxyarp

18
Shorewall2/proxyarp
View File

@ -14,6 +14,22 @@
# you may enter "-" in this column. # you may enter "-" in this column.
# EXTERNAL External Interface to be used to access this system # EXTERNAL External Interface to be used to access this system
# #
# HAVEROUTE If there is already a route from the firewall to
# the host whose address is given, enter "Yes" or "yes"
# in this column. Otherwise, entry "no", "No" or leave
# the column empty and Shorewall will add the route for
# you. If Shorewall adds the route,the route will be
# persistent if the PERSISTENT column contains Yes;
# otherwise, "shorewall stop" or "shorewall clear" will
# delete the route.
#
# PERSISTENT If HAVEROUTE is No or "no", then the value of this
# column determines if the route added by Shorewall
# persists after a "shorewall stop" or a "shorewall
# clear". If this column contains "Yes" or "yes" then
# the route persists; If the column is empty or contains
# "No"or "no" then the route is deleted at "shorewall
# stop" or "shorewall clear".
# #
# Example: Host with IP 155.186.235.6 is connected to # Example: Host with IP 155.186.235.6 is connected to
# interface eth1 and we want hosts attached via eth0 # interface eth1 and we want hosts attached via eth0
@ -22,5 +38,5 @@
# #ADDRESS INTERFACE EXTERNAL # #ADDRESS INTERFACE EXTERNAL
# 155.186.235.6 eth1 eth0 # 155.186.235.6 eth1 eth0
############################################################################## ##############################################################################
#ADDRESS INTERFACE EXTERNAL #ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

27
Shorewall2/releasenotes.txt
View File

@ -1,7 +1,7 @@
Shorewall 2.0.0-Alpha1 Shorewall 2.0.0-Alpha2
This is a major release of Shorewall. During the Alpha and Beta stages, This is a major release of Shorewall. During the Alpha and Beta stages,
the product name is changed to "Shoreall2" so that Shorewall version 1 the product name is changed to "Shorewall2" so that Shorewall version 1
and Shorewall version 2 may coexist on a system. and Shorewall version 2 may coexist on a system.
The following name changes have occured: The following name changes have occured:
@ -21,11 +21,11 @@ To switch from shorewall version 1 to shorewall version 2:
To switch back: To switch back:
shoewall restart shorewall restart
In the first release candidate, the product name will return to In the first release candidate, the product name will return to
"Shorewall". The installer (install.sh) will only be able to upgrade "Shorewall". The installer (install.sh) will only be able to upgrade
to Shoreall 2.0 from Shorewall version 1.4.0 or later. to Shorewall 2.0 from Shorewall version 1.4.0 or later.
During the Alpha and Beta periods, there will be no RPMs nor will there During the Alpha and Beta periods, there will be no RPMs nor will there
be any documentation tarballs. Note that the installer does NOT attempt be any documentation tarballs. Note that the installer does NOT attempt
@ -50,17 +50,12 @@ Issues when migrating from Shorewall to Shorewall2:
NAT_BEFORE_RULES=No had been specified. In other words, DNAT rules NAT_BEFORE_RULES=No had been specified. In other words, DNAT rules
now always take precidence over one-to-one NAT specifications. now always take precidence over one-to-one NAT specifications.
3) The HAVEROUTE column has been removed from 3) The default value for the ALL INTERFACES column in
/etc/shorewall2/proxyarp. Shorewall2 will no longer automatically add
routes for Proxy ARP hosts. Use your distribution's static route
capability to add these routes instead.
4) The default value for the ALL INTERFACES column in
/etc/shorewall2/nat has changed. In Shorewall, if the column was /etc/shorewall2/nat has changed. In Shorewall, if the column was
left empty, a value of "Yes" was assumed. This has been changed so left empty, a value of "Yes" was assumed. This has been changed so
that a value of "No" is now assumed. that a value of "No" is now assumed.
5) The following files don't exist in Shorewall2: 4) The following files don't exist in Shorewall2:
/etc/shorewall2/common.def /etc/shorewall2/common.def
/etc/shorewall2/common /etc/shorewall2/common
@ -142,7 +137,7 @@ Issues when migrating from Shorewall to Shorewall2:
Drop:DROP Drop:DROP
Reject:REJECT Reject:REJECT
6) The /etc/shorewall2 directory no longer contains a 'users' file or a 5) The /etc/shorewall2 directory no longer contains a 'users' file or a
'usersets' file. Similar functionality is now available using 'usersets' file. Similar functionality is now available using
user-defined actions. user-defined actions.
@ -160,10 +155,10 @@ Issues when migrating from Shorewall to Shorewall2:
[!]:<group number> [!]:<group number>
[!]<user id>:<group id> [!]<user id>:<group id>
[!]<user number>:<group id> [!]<user number>:<group id>
[!]<user number>:<group id> [!]<user id>:<group number>
[!]<user number>:<group number> [!]<user number>:<group number>
7) It is no longer possible to specify rate limiting in the ACTION 6) It is no longer possible to specify rate limiting in the ACTION
column of /etc/shorewall2/rules -- you must use the RATE LIMIT column of /etc/shorewall2/rules -- you must use the RATE LIMIT
column. column.
@ -182,5 +177,9 @@ New Features:
simply add a fw->fw policy and fw->fw rules. If you have neither a simply add a fw->fw policy and fw->fw rules. If you have neither a
fw->fw policy nor fw->fw rules, all fw->fw traffic is allowed. fw->fw policy nor fw->fw rules, all fw->fw traffic is allowed.
4) There is a new PERSISTENT column in the proxyarp file. A value of
"Yes" in this column means that the route added by Shorewall for
this host will remain after a "shorewall stop" or "shorewall clear".