Enable "maclist"
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9021 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
5caaf813d0
commit
4bc7d60f36
@ -1,3 +1,9 @@
|
||||
Changes in Shorewall 4.3.3
|
||||
|
||||
1) Removed 'ecn'.
|
||||
|
||||
2) Enabled 'maclist'.
|
||||
|
||||
Changes in Shorewall 4.3.2
|
||||
|
||||
1) Added 'dhcp' option.
|
||||
|
@ -1,4 +1,4 @@
|
||||
Shorewall 4.3.2
|
||||
Shorewall 4.3.3
|
||||
|
||||
----------------------------------------------------------------------------
|
||||
R E L E A S E 4 . 3 H I G H L I G H T S
|
||||
@ -12,32 +12,22 @@ Shorewall 4.3.2
|
||||
- Perl 5.10 if you wish to use DNS names in your IPv6 config files.
|
||||
In that case you will also have to install Perl Socket6 support.
|
||||
|
||||
Problems Corrected in 4.3.2
|
||||
Problems Corrected in 4.3.3
|
||||
|
||||
1) Typos in the macro.AllowICMPs file have been corrected.
|
||||
None.
|
||||
|
||||
2) IP_FORWARDING is now correctly recognized by Shorewall-perl.
|
||||
Other changes in 4.3.3
|
||||
|
||||
3) A bug in processing of the routestopped file has been fixed. This
|
||||
bug also affected IPv4 configurations.
|
||||
1) In as much as ip6tables doesn't support the ECN target, the 'ecn'
|
||||
file has been removed and its processing disabled.
|
||||
|
||||
Other changes in 4.3.2
|
||||
2) The 'maclist' option is now supported in /etc/shorewall6/interfaces
|
||||
and in /etc/shorewall6/hosts.
|
||||
|
||||
1) The 'dhcp' option has been added to accomodate IPv6 DHCP (UDP ports
|
||||
546 and 547).
|
||||
MAC verification is not performed on the following IPv6 traffic:
|
||||
|
||||
2) The 'allowBcast' and 'dropBcast' builtin actions have been added to
|
||||
Shorewall6. Respectively, they accept or silently drop packets with
|
||||
an anycast or multicast destination address.
|
||||
|
||||
3) The nosmurfs option has been added to
|
||||
/etc/shorewall8/interfaces. The option drops incoming packets with
|
||||
a source address that is an anycast or multicast addreess.
|
||||
|
||||
4) Multi-ISP is now enabled in Shorewall6.
|
||||
|
||||
5) When running the 'ip' utility, Shorewall now unconditionally
|
||||
specifies the address family (-4 or -6).
|
||||
a) Multicast.
|
||||
b) Source or destination is a link-level address (ff80::/10).
|
||||
|
||||
Migration Issues.
|
||||
|
||||
|
@ -987,18 +987,22 @@ sub compiler {
|
||||
# TOS
|
||||
#
|
||||
process_tos;
|
||||
#
|
||||
# ECN
|
||||
#
|
||||
setup_ecn if $capabilities{MANGLE_ENABLED} && $config{MANGLE_ENABLED};
|
||||
#
|
||||
# Setup Masquerading/SNAT
|
||||
#
|
||||
setup_masq;
|
||||
|
||||
if ( $family == F_IPV4 ) {
|
||||
#
|
||||
# ECN
|
||||
#
|
||||
setup_ecn if $capabilities{MANGLE_ENABLED} && $config{MANGLE_ENABLED};
|
||||
#
|
||||
# Setup Masquerading/SNAT
|
||||
#
|
||||
setup_masq;
|
||||
}
|
||||
|
||||
#
|
||||
# MACLIST Filtration
|
||||
#
|
||||
setup_mac_lists 1 if $family == F_IPV4;
|
||||
setup_mac_lists 1;
|
||||
#
|
||||
# Process the rules file.
|
||||
#
|
||||
@ -1015,7 +1019,7 @@ sub compiler {
|
||||
#
|
||||
# MACLIST Filtration again
|
||||
#
|
||||
setup_mac_lists 2 if $family == F_IPV4;
|
||||
setup_mac_lists 2;
|
||||
#
|
||||
# Apply Policies
|
||||
#
|
||||
|
@ -725,8 +725,20 @@ sub setup_mac_lists( $ ) {
|
||||
for my $interface ( @maclist_interfaces ) {
|
||||
my $chainref = new_chain $table , mac_chain $interface;
|
||||
|
||||
add_rule $chainref , '-s 0.0.0.0 -d 255.255.255.255 -p udp --dport 67:68 -j RETURN'
|
||||
if ( $table eq 'mangle' ) && get_interface_option( $interface, 'dhcp' );
|
||||
if ( $family == F_IPV4 ) {
|
||||
add_rule $chainref , '-s 0.0.0.0 -d 255.255.255.255 -p udp --dport 67:68 -j RETURN'
|
||||
if $table eq 'mangle' && get_interface_option( $interface, 'dhcp');
|
||||
} else {
|
||||
#
|
||||
# Accept any packet with a link-level source or destination address
|
||||
#
|
||||
add_rule $chainref , '-s ff80::/10 -j RETURN';
|
||||
add_rule $chainref , '-d ff80::/10 -j RETURN';
|
||||
#
|
||||
# Accept Multicast
|
||||
#
|
||||
add_rule $chainref , '-d ff00::/10 -j RETURN';
|
||||
}
|
||||
|
||||
if ( $ttl ) {
|
||||
my $chain1ref = new_chain $table, macrecent_target $interface;
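Review bot: The two link-local exemptions added in the IPv6 branch use the wrong prefix: `ff80::/10` sits inside the IPv6 multicast block (ff00::/8), whereas link-local unicast is `fe80::/10` (RFC 4291), so neighbor discovery, router advertisements and DHCPv6 solicits sourced from fe80:: addresses are still MAC-verified despite the "Accept any packet with a link-level source or destination address" comment, and the two rules merely duplicate a slice of the multicast exemption below them. The multicast rule is also narrower than the allocated range, since `ff00::/10` omits addresses whose high flag bits are set while `ff00::/8` covers them all. I would change the three rules to `add_rule $chainref , '-s fe80::/10 -j RETURN';`, `add_rule $chainref , '-d fe80::/10 -j RETURN';` and `add_rule $chainref , '-d ff00::/8 -j RETURN';`, and correct the same prefix in the 4.3.3 release-notes entry that repeats it. Once corrected, any packet with a link-local source bypasses MAC verification entirely, which matches the stated intent but is worth saying plainly in the release notes so administrators do not expect maclist to police link-local IPv6 traffic. setup_mac_lists begins and ends outside this hunk.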
|
||||
@ -806,26 +818,27 @@ sub setup_mac_lists( $ ) {
|
||||
}
|
||||
}
|
||||
} else {
|
||||
for my $interface ( @maclist_interfaces ) {
|
||||
my $chainref = $chain_table{$table}{( $ttl ? macrecent_target $interface : mac_chain $interface )};
|
||||
my $chain = $chainref->{name};
|
||||
if ( $family == F_IPV4 ) {
|
||||
for my $interface ( @maclist_interfaces ) {
|
||||
my $chainref = $chain_table{$table}{( $ttl ? macrecent_target $interface : mac_chain $interface )};
|
||||
my $chain = $chainref->{name};
|
||||
|
||||
if ( $level ne '' || $disposition ne 'ACCEPT' ) {
|
||||
my $variable = get_interface_addresses source_port_to_bridge( $interface );
|
||||
if ( $level ne '' || $disposition ne 'ACCEPT' ) {
|
||||
my $variable = get_interface_addresses source_port_to_bridge( $interface );
|
||||
|
||||
if ( $capabilities{ADDRTYPE} ) {
|
||||
add_commands( $chainref,
|
||||
"for address in $variable; do",
|
||||
" echo \"-A $chainref->{name} -s \$address -m addrtype --dst-type BROADCAST -j RETURN\" >&3",
|
||||
" echo \"-A $chainref->{name} -s \$address -d 224.0.0.0/4 -j RETURN\" >&3",
|
||||
'done' );
|
||||
} else {
|
||||
my $bridge = source_port_to_bridge( $interface );
|
||||
my $bridgeref = find_interface( $bridge );
|
||||
|
||||
add_commands( $chainref,
|
||||
"for address in $variable; do" );
|
||||
if ( $family == F_IPV4 ) {
|
||||
if ( $capabilities{ADDRTYPE} ) {
|
||||
add_commands( $chainref,
|
||||
"for address in $variable; do",
|
||||
" echo \"-A $chainref->{name} -s \$address -m addrtype --dst-type BROADCAST -j RETURN\" >&3",
|
||||
" echo \"-A $chainref->{name} -s \$address -d 224.0.0.0/4 -j RETURN\" >&3",
|
||||
'done' );
|
||||
} else {
|
||||
my $bridge = source_port_to_bridge( $interface );
|
||||
my $bridgeref = find_interface( $bridge );
|
||||
|
||||
add_commands( $chainref,
|
||||
"for address in $variable; do" );
|
||||
|
||||
if ( $bridgeref->{broadcasts} ) {
|
||||
for my $address ( @{$bridgeref->{broadcasts}}, '255.255.255.255' ) {
|
||||
add_commands( $chainref ,
|
||||
@ -841,13 +854,6 @@ sub setup_mac_lists( $ ) {
|
||||
}
|
||||
|
||||
add_commands( $chainref, " echo \"-A $chainref->{name} -s \$address -d 224.0.0.0/4 -j RETURN\" >&3" );
|
||||
} else {
|
||||
my $variable1 = get_interface_bcasts $bridge;
|
||||
|
||||
add_commands( $chainref,
|
||||
" for address1 in $variable1; do" ,
|
||||
" echo \"-A $chainref->{name} -s \$address -d \$address1 -j RETURN\" >&3",
|
||||
" done" );
|
||||
}
|
||||
|
||||
add_command( $chainref, 'done' );
|
||||
|
@ -628,6 +628,7 @@ sub validate_interfaces_file( $ )
|
||||
%validoptions = ( blacklist => SIMPLE_IF_OPTION,
|
||||
bridge => SIMPLE_IF_OPTION,
|
||||
dhcp => SIMPLE_IF_OPTION,
|
||||
maclist => SIMPLE_IF_OPTION,
|
||||
nosmurfs => SIMPLE_IF_OPTION,
|
||||
optional => SIMPLE_IF_OPTION,
|
||||
routeback => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY,
|
||||
@ -983,6 +984,7 @@ sub validate_hosts_file()
|
||||
} else {
|
||||
%validoptions = (
|
||||
blacklist => 1,
|
||||
maclist => 1,
|
||||
routeback => 1,
|
||||
tcpflags => 1,
|
||||
);
|
||||
|
10
Shorewall6/maclist
Normal file
10
Shorewall6/maclist
Normal file
@ -0,0 +1,10 @@
|
||||
#
|
||||
# Shorewall version 4 - Maclist file
|
||||
#
|
||||
# For information about entries in this file, type "man shorewall-maclist"
|
||||
#
|
||||
# For additional information, see http://shorewall.net/MAC_Validation.html
|
||||
#
|
||||
###############################################################################
|
||||
#DISPOSITION INTERFACE MAC IP ADDRESSES (Optional)
|
||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
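Review bot: The header of the new Shorewall6/maclist template points readers at the IPv4 manual page, `man shorewall-maclist`, whose description of option handling (IPv4 broadcast exemptions, the 'dhcp' interface option) does not match what the IPv6 compiler path in this commit generates. The Shorewall6 template should reference its own page, `# For information about entries in this file, type "man shorewall6-maclist"`, assuming that page is shipped with this tree, which I cannot confirm from here. It would also help to state in the column legend that the optional IP ADDRESSES are IPv6 addresses, since the file is otherwise byte-for-byte the IPv4 template and invites copying IPv4 entries into it.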
|