Add 'unmanaged' option
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
parent
c653d9ce83
commit
53f1cd40df
@ -1428,7 +1428,9 @@ sub handle_loopback_traffic() {
|
||||
my $rawout = $raw_table->{OUTPUT};
|
||||
my $rulenum = 0;
|
||||
my $loopback = loopback_zones;
|
||||
my $loref = known_interface('lo');
|
||||
|
||||
my $unmanaged;
|
||||
my $outchainref;
|
||||
my @rule;
|
||||
|
||||
@ -1442,8 +1444,13 @@ sub handle_loopback_traffic() {
|
||||
#
|
||||
# Only the firewall -- just use the OUTPUT chain
|
||||
#
|
||||
$outchainref = $filter_table->{OUTPUT};
|
||||
@rule = ( o => 'lo');
|
||||
if ( $unmanaged = $loref && $loref->{options}{unmanaged} ) {
|
||||
add_ijump( $filter_table->{INPUT}, j => 'ACCEPT', i => 'lo' );
|
||||
add_ijump( $filter_table->{OUTPUT}, j => 'ACCEPT', o => 'lo' );
|
||||
} else {
|
||||
$outchainref = $filter_table->{OUTPUT};
|
||||
@rule = ( o => 'lo');
|
||||
}
|
||||
}
|
||||
|
||||
for my $z1 ( @zones ) {
|
||||
@ -1456,10 +1463,9 @@ sub handle_loopback_traffic() {
|
||||
#
|
||||
if ( $type1 == FIREWALL ) {
|
||||
for my $z2 ( @zones ) {
|
||||
next if $loopback && $z1 eq $z2;
|
||||
next if $z1 eq $z2 && ( $loopback || $unmanaged );
|
||||
|
||||
my $chain = rules_target( $z1, $z2 );
|
||||
|
||||
generate_dest_rules( $outchainref, $chain, $z2, @rule ) if $chain;
|
||||
}
|
||||
#
|
||||
@ -2081,7 +2087,7 @@ sub optimize1_zones( $$@ ) {
|
||||
# nat-table rules.
|
||||
#
|
||||
sub generate_matrix() {
|
||||
my @interfaces = ( all_interfaces );
|
||||
my @interfaces = ( managed_interfaces );
|
||||
#
|
||||
# Should this be the real PREROUTING chain?
|
||||
#
|
||||
@ -2250,17 +2256,23 @@ sub generate_matrix() {
|
||||
|
||||
add_interface_jumps @interfaces unless $interface_jumps_added;
|
||||
|
||||
my %builtins = ( mangle => [ qw/PREROUTING INPUT FORWARD POSTROUTING/ ] ,
|
||||
nat=> [ qw/PREROUTING OUTPUT POSTROUTING/ ] ,
|
||||
filter=> [ qw/INPUT FORWARD OUTPUT/ ] );
|
||||
|
||||
unless ( $config{COMPLETE} ) {
|
||||
for ( unmanaged_interfaces ) {
|
||||
my $physical = get_physical $_;
|
||||
add_ijump( $filter_table->{INPUT}, j => 'ACCEPT', i => $physical );
|
||||
add_ijump( $filter_table->{OUTPUT}, j => 'ACCEPT', o => $physical );
|
||||
}
|
||||
|
||||
complete_standard_chain $filter_table->{INPUT} , 'all' , firewall_zone , 'DROP';
|
||||
complete_standard_chain $filter_table->{OUTPUT} , firewall_zone , 'all', 'REJECT';
|
||||
complete_standard_chain $filter_table->{FORWARD} , 'all' , 'all', 'REJECT';
|
||||
}
|
||||
|
||||
if ( $config{LOGALLNEW} ) {
|
||||
my %builtins = ( mangle => [ qw/PREROUTING INPUT FORWARD POSTROUTING/ ] ,
|
||||
nat=> [ qw/PREROUTING OUTPUT POSTROUTING/ ] ,
|
||||
filter=> [ qw/INPUT FORWARD OUTPUT/ ] );
|
||||
|
||||
for my $table ( qw/mangle nat filter/ ) {
|
||||
for my $chain ( @{$builtins{$table}} ) {
|
||||
log_rule_limit
|
||||
|
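Review bot: When 'lo' is unmanaged and there are no loopback zones, `$outchainref` and `@rule` are never assigned (the new branch under `if ( $unmanaged = $loref && $loref->{options}{unmanaged} )` only adds the two ACCEPT jumps), yet the later loop still calls `generate_dest_rules( $outchainref, $chain, $z2, @rule ) if $chain;` for every `$z2` other than the firewall zone, because the new `next if $z1 eq $z2 && ( $loopback || $unmanaged );` guard only skips the self pair. Unless generate_dest_rules tolerates an undefined chain reference (not visible here), that looks like it would die or emit rules into no chain; `next if $unmanaged || ( $z1 eq $z2 && $loopback );` as the guard, or `next if $unmanaged;` at the top of the `$type1 == FIREWALL` inner loop, would make the intent explicit. In the generate_matrix hunk, the per-interface `add_ijump( $filter_table->{INPUT}, j => 'ACCEPT', i => $physical );` matches on the interface alone, with no state or address match, which is what the option documents but deserves a comment such as `# Unmanaged interfaces: accept all firewall<->interface traffic unconditionally; FORWARD is left to policy`. Both handle_loopback_traffic and generate_matrix begin outside their hunks.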
@ -72,6 +72,8 @@ our @EXPORT = ( qw( NOTHING
|
||||
all_real_interfaces
|
||||
all_plain_interfaces
|
||||
all_bridges
|
||||
managed_interfaces
|
||||
unmanaged_interfaces
|
||||
interface_number
|
||||
find_interface
|
||||
known_interface
|
||||
@ -244,9 +246,28 @@ use constant { NO_UPDOWN => 1,
|
||||
|
||||
our %validinterfaceoptions;
|
||||
|
||||
our %defaultinterfaceoptions = ( routefilter => 1 , wait => 60, accept_ra => 1 );
|
||||
our %prohibitunmanaged = (
|
||||
blacklist => 1,
|
||||
bridge => 1,
|
||||
destonly => 1,
|
||||
detectnets => 1,
|
||||
dhcp => 1,
|
||||
maclist => 1,
|
||||
nets => 1,
|
||||
norfc1918 => 1,
|
||||
nosmurfs => 1,
|
||||
optional => 1,
|
||||
routeback => 1,
|
||||
rpfilter => 1,
|
||||
sfilter => 1,
|
||||
tcpflags => 1,
|
||||
upnp => 1,
|
||||
upnpclient => 1,
|
||||
);
|
||||
|
||||
our %maxoptionvalue = ( routefilter => 2, mss => 100000 , wait => 120 , ignore => NO_UPDOWN, accept_ra => 2 );
|
||||
our %defaultinterfaceoptions = ( routefilter => 1 , wait => 60, accept_ra => 1 , ignore => 3 );
|
||||
|
||||
our %maxoptionvalue = ( routefilter => 2, mss => 100000 , wait => 120 , ignore => NO_UPDOWN | NO_SFILTER, accept_ra => 2 );
|
||||
|
||||
our %validhostoptions;
|
||||
|
||||
@ -332,6 +353,7 @@ sub initialize( $$ ) {
|
||||
upnpclient => SIMPLE_IF_OPTION,
|
||||
mss => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
|
||||
physical => STRING_IF_OPTION + IF_OPTION_HOST,
|
||||
unmanaged => SIMPLE_IF_OPTION,
|
||||
wait => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
|
||||
);
|
||||
%validhostoptions = (
|
||||
@ -374,6 +396,7 @@ sub initialize( $$ ) {
|
||||
mss => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
|
||||
forward => BINARY_IF_OPTION,
|
||||
physical => STRING_IF_OPTION + IF_OPTION_HOST,
|
||||
unmanaged => SIMPLE_IF_OPTION,
|
||||
wait => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
|
||||
);
|
||||
%validhostoptions = (
|
||||
@ -1305,7 +1328,7 @@ sub process_interface( $$ ) {
|
||||
$hostoptions{routeback} = $options{routeback} = 1;
|
||||
}
|
||||
|
||||
$hostoptions{routeback} = $options{routeback} = is_a_bridge( $physical ) unless $export || $options{routeback};
|
||||
$hostoptions{routeback} = $options{routeback} = is_a_bridge( $physical ) unless $export || $options{routeback} || $options{unmanaged};
|
||||
|
||||
$hostoptionsref = \%hostoptions;
|
||||
} else {
|
||||
@ -1319,6 +1342,14 @@ sub process_interface( $$ ) {
|
||||
$options{ignore} ||= 0;
|
||||
}
|
||||
|
||||
if ( $options{unmanaged} ) {
|
||||
fatal_error "The 'lo' interface may not be unmanaged when there are vserver zones" if $physical eq 'lo' && vserver_zones;
|
||||
|
||||
while ( my ( $option, $value ) = each( %options ) ) {
|
||||
fatal_error "The $option option may not be specified with 'unmanaged'" if $prohibitunmanaged{$option};
|
||||
}
|
||||
}
|
||||
|
||||
$physical{$physical} = $interfaces{$interface} = { name => $interface ,
|
||||
bridge => $bridge ,
|
||||
filter => $filterref ,
|
||||
@ -1334,6 +1365,8 @@ sub process_interface( $$ ) {
|
||||
};
|
||||
|
||||
if ( $zone ) {
|
||||
fatal_error "Unmanaged interfaces may not be associated with a zone" if $options{unmanaged};
|
||||
|
||||
if ( $physical eq 'lo' ) {
|
||||
fatal_error "Only a loopback zone may be assigned to 'lo'" unless $zoneref->{type} == LOOPBACK;
|
||||
fatal_error "Invalid definition of 'lo'" if $bridge ne $interface;
|
||||
@ -1490,7 +1523,7 @@ sub known_interface($)
|
||||
}
|
||||
}
|
||||
|
||||
0;
|
||||
$physical{$interface} || 0;
|
||||
}
|
||||
|
||||
#
|
||||
@ -1508,10 +1541,10 @@ sub all_interfaces() {
|
||||
}
|
||||
|
||||
#
|
||||
# Return all non-vserver interfaces
|
||||
# Return all managed non-vserver interfaces
|
||||
#
|
||||
sub all_real_interfaces() {
|
||||
grep $_ ne '%vserver%', @interfaces;
|
||||
grep $_ ne '%vserver%' && ! $interfaces{$_}{options}{unmanaged}, @interfaces;
|
||||
}
|
||||
|
||||
#
|
||||
@ -1521,6 +1554,20 @@ sub all_bridges() {
|
||||
grep ( $interfaces{$_}{options}{bridge} , @interfaces );
|
||||
}
|
||||
|
||||
#
|
||||
# Return a list of managed interfaces
|
||||
#
|
||||
sub managed_interfaces() {
|
||||
grep (! $interfaces{$_}{options}{unmanaged} , @interfaces );
|
||||
}
|
||||
|
||||
#
|
||||
# Return a list of unmanaged interfaces (skip 'lo' since it is implicitly unmanaged when there are no loopback zones).
|
||||
#
|
||||
sub unmanaged_interfaces() {
|
||||
grep ( $interfaces{$_}{options}{unmanaged} && $_ ne 'lo', @interfaces );
|
||||
}
|
||||
|
||||
#
|
||||
# Return a reference to the interfaces table entry for an interface
|
||||
#
|
||||
@ -1913,6 +1960,8 @@ sub process_host( ) {
|
||||
$hosts = $2;
|
||||
|
||||
fatal_error "Unknown interface ($interface)" unless ($interfaceref = $interfaces{$interface}) && $interfaceref->{root};
|
||||
fatal_error "Unmanaged interfaces may not be associated with a zone" if $interfaceref->{unmanaged};
|
||||
|
||||
if ( $interfaceref->{name} eq 'lo' ) {
|
||||
fatal_error "Only a loopback zone may be associated with the loopback interface (lo)" if $type != LOOPBACK;
|
||||
} else {
|
||||
|
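Review bot: The new check in process_host tests `$interfaceref->{unmanaged}`, but every other reader of the flag goes through the entry's options hash (`$interfaces{$_}{options}{unmanaged}` in all_real_interfaces, managed_interfaces and unmanaged_interfaces), and the visible part of the entry built in process_interface (name, bridge, filter, …) shows no top-level `unmanaged` key, so this guard appears never to fire and a hosts-file entry could still attach a zone to an interface that generate_matrix has just given unconditional ACCEPT rules; it should read `fatal_error "Unmanaged interfaces may not be associated with a zone" if $interfaceref->{options}{unmanaged};`. Separately, `%prohibitunmanaged` contains `optional => 1`, while both manpage hunks in this commit list optional among the options allowed with unmanaged (and the IPv4 page lists routefilter twice), so either the table or the documentation needs to change. process_host and process_interface both extend beyond their hunks.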
@ -210,7 +210,7 @@ loc eth2 -</programlisting>
|
||||
changed; the value assigned to the setting will be the value
|
||||
specified (if any) or 1 if no value is given.</para>
|
||||
|
||||
<para></para>
|
||||
<para/>
|
||||
|
||||
<note>
|
||||
<para>This option does not work with a wild-card
|
||||
@ -244,7 +244,7 @@ loc eth2 -</programlisting>
|
||||
|
||||
<para>8 - do not reply for all local addresses</para>
|
||||
|
||||
<para></para>
|
||||
<para/>
|
||||
|
||||
<note>
|
||||
<para>This option does not work with a wild-card
|
||||
@ -252,7 +252,7 @@ loc eth2 -</programlisting>
|
||||
the INTERFACE column.</para>
|
||||
</note>
|
||||
|
||||
<para></para>
|
||||
<para/>
|
||||
|
||||
<warning>
|
||||
<para>Do not specify <emphasis
|
||||
@ -411,7 +411,7 @@ loc eth2 -</programlisting>
|
||||
1
|
||||
teastep@lists:~$ </programlisting>
|
||||
|
||||
<para></para>
|
||||
<para/>
|
||||
|
||||
<note>
|
||||
<para>This option does not work with a wild-card
|
||||
@ -719,6 +719,55 @@ loc eth2 -</programlisting>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>unmanaged</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.5.18. Causes all traffic between
|
||||
the firewall and hosts on the interface to be accepted. When
|
||||
this option is given:</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>The ZONE column must contain '-'.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Only the following other options are allowed with
|
||||
<emphasis role="bold">unmanaged</emphasis>:</para>
|
||||
|
||||
<simplelist>
|
||||
<member><emphasis
|
||||
role="bold">arp_filter</emphasis></member>
|
||||
|
||||
<member><emphasis
|
||||
role="bold">arp_ignore</emphasis></member>
|
||||
|
||||
<member><emphasis role="bold">ignore</emphasis></member>
|
||||
|
||||
<member><emphasis
|
||||
role="bold">routefilter</emphasis></member>
|
||||
|
||||
<member><emphasis
|
||||
role="bold">optional</emphasis></member>
|
||||
|
||||
<member><emphasis
|
||||
role="bold">physical</emphasis></member>
|
||||
|
||||
<member><emphasis
|
||||
role="bold">routefilter</emphasis></member>
|
||||
|
||||
<member><emphasis
|
||||
role="bold">sourceroute</emphasis></member>
|
||||
|
||||
<member><emphasis
|
||||
role="bold">proxyndp</emphasis></member>
|
||||
</simplelist>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">upnp</emphasis></term>
|
||||
|
||||
|
@ -514,6 +514,49 @@ loc eth2 -</programlisting>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>unmanaged</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.5.18. Causes all traffic between
|
||||
the firewall and hosts on the interface to be accepted. When
|
||||
this option is given:</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>The ZONE column must contain '-'.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Only the following other options are allowed with
|
||||
<emphasis role="bold">unmanaged</emphasis>:</para>
|
||||
|
||||
<simplelist>
|
||||
<member><emphasis
|
||||
role="bold">accept_ra</emphasis></member>
|
||||
|
||||
<member><emphasis
|
||||
role="bold">forward</emphasis></member>
|
||||
|
||||
<member><emphasis role="bold">ignore</emphasis></member>
|
||||
|
||||
<member><emphasis
|
||||
role="bold">optional</emphasis></member>
|
||||
|
||||
<member><emphasis
|
||||
role="bold">physical</emphasis></member>
|
||||
|
||||
<member><emphasis
|
||||
role="bold">sourceroute</emphasis></member>
|
||||
|
||||
<member><emphasis
|
||||
role="bold">proxyndp</emphasis></member>
|
||||
</simplelist>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis
|
||||
role="bold">wait</emphasis>=<emphasis>seconds</emphasis></term>
|
||||
|