From 7014bd3ea012eff41a38524a3a03f25d6c8ae52c Mon Sep 17 00:00:00 2001 
From: Tom Eastep 
Date: Fri, 6 Nov 2009 08:07:13 -0800 
Subject: [PATCH] Add 'physical' interface option for bridge ports 
--- 
 Shorewall/Perl/Shorewall/Chains.pm | 2 -- 
 Shorewall/Perl/Shorewall/Zones.pm | 1 + 
 docs/bridge-Shorewall-perl.xml | 54 +++++++++++++++++++++++++++++ 
 manpages/shorewall-interfaces.xml | 23 ++++++++++-- 
 manpages6/shorewall6-interfaces.xml | 15 +++++++- 
 5 files changed, 89 insertions(+), 6 deletions(-) 
diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm 
index fdb975957..d4fa8417e 100644 
--- a/Shorewall/Perl/Shorewall/Chains.pm 
+++ b/Shorewall/Perl/Shorewall/Chains.pm 
@@ -1727,7 +1727,6 @@ sub match_source_dev( $ ) {
 my $interfaceref = known_interface( $interface );
 my $physical = $interfaceref->{physical};
 if ( $interfaceref && $interfaceref->{options}{port} ) { 
- $interface =~ s/\++/+/;
 "-i $interfaceref->{bridge} -m physdev --physdev-in $physical ";
 } else {
 "-i $physical "; 
@@ -1744,7 +1743,6 @@ sub match_dest_dev( $ ) {
 my $physical = $interfaceref->{physical};
 if ( $interfaceref && $interfaceref->{options}{port} ) {
 if ( $capabilities{PHYSDEV_BRIDGE} ) { 
- $interface =~ s/\++/+/;
 "-o $interfaceref->{bridge} -m physdev --physdev-is-bridged --physdev-out $physical ";
 } else {
 "-o $interfaceref->{bridge} -m physdev --physdev-out $physical "; 
diff --git a/Shorewall/Perl/Shorewall/Zones.pm b/Shorewall/Perl/Shorewall/Zones.pm 
index fca47f70c..9a9bc09d2 100644 
--- a/Shorewall/Perl/Shorewall/Zones.pm 
+++ b/Shorewall/Perl/Shorewall/Zones.pm 
@@ -144,6 +144,7 @@ our %reservedName = ( all => 1,
 # bridge =>
 # broadcasts => 'none', 'detect' or [ , , ... ]
 # number => 
+# physical =>
 # }
 # }
 # 
diff --git a/docs/bridge-Shorewall-perl.xml b/docs/bridge-Shorewall-perl.xml 
index 5db909c4d..58edae23b 100644 
--- a/docs/bridge-Shorewall-perl.xml 
+++ b/docs/bridge-Shorewall-perl.xml 
@@ -619,6 +619,60 @@ br0 192.168.1.0/24 routeback firewall rules. +
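Review bot: The `$interfaceref &&` test in match_source_dev runs one line too late: the context line `my $physical = $interfaceref->{physical};` has already dereferenced the value returned by known_interface(), so if that lookup can return undef the dereference either dies before the guard is reached or auto-vivifies `$interfaceref` into an empty hash, making the guard always true while `$physical` and `$interfaceref->{bridge}` are both undef and the function hands iptables a `-i` with an empty device name instead of a diagnostic. The same ordering is in the match_dest_dev hunk that follows. If known_interface() can fail, fetch `{physical}` only after the `$interfaceref` test and fail loudly on an unknown name; if it cannot fail, the `$interfaceref &&` test is dead and a comment saying so on that line would keep the next reader from relying on it. Both functions start before and end after their hunks.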
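Review bot: The removed `$interface =~ s/\++/+/;` in match_dest_dev (and in match_source_dev above) collapsed a run of `+` characters before the name reached the physdev match, and the new side now passes `$physical` through untouched; nothing in these hunks shows the `physical=` option value being normalised when the interfaces file is parsed. If it is not, a port whose physical name ends in more than one `+` would reach `--physdev-out` verbatim. Either apply the same collapse to `$physical` here, or, if the parser guarantees a single trailing `+`, add a comment such as `# physical names are canonicalised when the interfaces file is parsed` on the `my $physical` line to record why the normalisation was dropped. match_dest_dev's body continues outside the hunk.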
+ Multiple Bridges with Wildcard Ports + + It is sometimes required to configure multiple bridges on a single + firewall/gateway. The following seemingly valid configuration results in a + compile-time error + + + ERROR: Duplicate Interface Name (p+) + + + /etc/shorewall/zones: + + #ZONE TYPE + fw firewall + world ipv4 + z1:world bport4 + z2:world bport4 + + /etc/shorewall/interfaces: + + #ZONE INTERFACE BROADCAST OPTIONS + world br0 - bridge + world br1 - bridge + z1 br0:p+ + z2 br1:p+ + + The reason is that the Shorewall implementation requires each bridge + port to have a unique name. The interface option + was added in Shorewall 4.4.4 to work around this problem. The above + configuration may be defined using the following in + /etc/shorewall/interfaces: + + #ZONE INTERFACE BROADCAST OPTIONS + world br0 - bridge + world br1 - bridge + z1 br0:x+ - physical=p+ + z2 br1:y+ - physical=p+ + + In this configuration, 'x+' is the logical name for ports p+ on + bridge br0 while 'y+' is the logical name for ports p+ on bridge + br1. + + If you need to refer to a particular port on br1 (for example + p1023), you write it as y1023; Shorewall will translate that name to p1023 + when needed. + + Example from /etc/shorewall/rules: + + #ACTION SOURCE DEST PROTO DEST + # PORT(S) + REJECT z1:x1023 z1:x1024 tcp 1234 +
+
Combination Router/Bridge diff --git a/manpages/shorewall-interfaces.xml b/manpages/shorewall-interfaces.xml index de77bce44..b659ffe71 100644 --- a/manpages/shorewall-interfaces.xml +++ b/manpages/shorewall-interfaces.xml @@ -123,7 +123,7 @@ loc eth2 - If you use the special value detect, Shorewall will detect the broadcast address(es) for you if your iptables and kernel include Address Type - Match support. + Match support. If your iptables and/or kernel lack Address Type Match support then you may list the broadcast address(es) for the network(s) to @@ -188,7 +188,8 @@ loc eth2 - 2 - reply only if the target IP address is local address configured on the incoming interface and the sender's IP - address is part from same subnet on this interface's address + address is part from same subnet on this interface's + address 3 - do not reply for local addresses configured with scope host, only resolutions for global and link @@ -290,7 +291,8 @@ loc eth2 - role="bold">logmartians. Even if you do not specify the option, it is a good idea to specify because your distribution - may have enabled route filtering without you knowing it. + may have enabled route filtering without you knowing + it. Only those interfaces with the option will have their setting @@ -433,6 +435,21 @@ loc eth2 - + + physical=name + + + Added in Shorewall 4.4.4. This option may only be used + when defining a bridge port (:port appeared in the INTERFACE + column). When specified, the port name in the INTERFACE column + is a logical name that refers to the name given in this + option. It is useful when you want to specify the same + wildcard port name on two or more bridges. See http://www.shorewall.net/bridge-Shorewall-perl.html#Multiple. + + + proxyarp[={0|1}] diff --git a/manpages6/shorewall6-interfaces.xml b/manpages6/shorewall6-interfaces.xml index 07a9b968d..2a328e7be 100644 --- a/manpages6/shorewall6-interfaces.xml +++ b/manpages6/shorewall6-interfaces.xml 
@@ -172,8 +172,21 @@ loc eth2 - cannot be obtained. + + - + + physical=name + + + Added in Shorewall 4.4.4. This option may only be used + when defining a bridge port (:port appeared in the INTERFACE + column). When specified, the port name in the INTERFACE column + is a logical name that refers to the name given in this + option. It is useful when you want to specify the same + wildcard port name on two or more bridges. See http://www.shorewall.net/bridge-Shorewall-perl.html#Multiple.