Bridging Changes

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1194 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2004-03-15 18:55:13 +00:00
parent 8925f25168
commit 74219e2e3a
6 changed files with 276 additions and 74 deletions


@ -99,6 +99,8 @@ report () { # $* = message
#
run_iptables() {
[ -n "$BRIDGING" ] && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev
if ! iptables $@ ; then
[ -z "$stopping" ] && { stop_firewall; exit 2; }
fi
@ -423,6 +425,84 @@ first_chains() #$1 = interface
echo ${c}_fwd ${c}_in
}
#
# Horrible hack to work around an iptables bug
#
physdev_echo()
{
if [ -f $TMP_DIR/physdev ]; then
echo $@
else
echo -m physdev $@
> $TMP_DIR/physdev
fi
}
#
# We allow hosts to be specified by IP address or by physdev. These two functions
# are used to produce the proper match in a netfilter rule.
#
match_source_hosts()
{
if [ -n "$BRIDGING" ]; then
case $1 in
*:*)
physdev_echo "--physdev-in ${1%:*} -s ${1#*:}"
;;
*.*.*.*)
echo -s $1
;;
*)
physdev_echo "--physdev-in $1"
;;
esac
else
echo -s $1
fi
}
match_dest_hosts()
{
if [ -n "$BRIDGING" ]; then
case $1 in
*:*)
physdev_echo "--physdev-out ${1%:*} -d ${1#*:}"
;;
*.*.*.*)
echo -d $1
;;
*)
physdev_echo "--physdev-out $1"
;;
esac
else
echo -d $1
fi
}
#
# Similarly, the source or destination in a rule can be qualified by a device name. If
# the device is defined in /etc/shorewall/interfaces then a normal interface match is
# generated (-i or -o); otherwise, a physdev match is generated.
#
match_source_dev()
{
if [ -n "$BRIDGING" ]; then
list_search $1 $all_interfaces && echo -i $1 || physdev_echo "--physdev-in $1"
else
echo -i $1
fi
}
match_dest_dev()
{
if [ -n "$BRIDGING" ]; then
list_search $1 $all_interfaces && echo -o $1 || physdev_echo "--physdev-out $1"
else
echo -o $1
fi
}
#
#
# Find hosts in a given zone
#
@ -436,7 +516,7 @@ find_hosts() # $1 = host zone
while read z hosts options; do
if [ "x$(expand $z)" = "x$1" ]; then
expandv hosts
interface=${hosts%:*}
interface=${hosts%%:*}
addresses=${hosts#*:}
for address in $(separate_list $addresses); do
echo $interface:$address
@ -459,6 +539,18 @@ determine_interfaces() {
done
}
#
# Determine if an interface has a given option
#
interface_has_option() # $1 = interface, #2 = option
{
local options
eval options=\$$(chain_base $1)_options
list_search $2 $options
}
#
# Determine the defined hosts in each zone and generate report
#
@ -471,8 +563,7 @@ determine_hosts() {
eval interfaces=\$${zone}_interfaces
for interface in $interfaces; do
eval options=\$$(chain_base $interface)_options
if list_search detectnets $options; then
if interface_has_option $interface detectnets; then
subnets=$(get_routed_subnets $interface)
else
subnets=0.0.0.0/0
@ -612,7 +703,8 @@ validate_hosts_file() {
r="$z $hosts $options"
validate_zone $z || startup_error "Invalid zone ($z) in record \"$r\""
interface=${hosts%:*}
interface=${hosts%%:*}
iface=$(chain_base $interface)
list_search $interface $all_interfaces || \
startup_error "Unknown interface ($interface) in record \"$r\""
@ -620,6 +712,21 @@ validate_hosts_file() {
hosts=${hosts#*:}
for host in $(separate_list $hosts); do
[ -n "$BRIDGING" ] && case $host in
*:*)
eval ${iface}_is_bridge=Yes
list_search ${host%:*} $all_interfaces && \
startup_error "Bridged interfaces may not be defined in /etc/shorewall/interfaces: $host"
;;
*.*.*.*)
;;
*)
eval ${iface}_is_bridge=Yes
list_search $host $all_interfaces && \
startup_error "Bridged interfaces may not be defined in /etc/shorewall/interfaces: $host"
;;
esac
for option in $(separate_list $options); do
case $option in
maclist|-)
@ -838,7 +945,7 @@ find_hosts_by_option() # $1 = option
expandv options
if list_search $1 $(separate_list $options); then
expandv hosts
interface=${hosts%:*}
interface=${hosts%%:*}
addresses=${hosts#*:}
for address in $(separate_list $addresses); do
echo $interface:$address
@ -847,8 +954,7 @@ find_hosts_by_option() # $1 = option
done < $TMP_DIR/hosts
for interface in $all_interfaces; do
eval options=\$$(chain_base $interface)_options
list_search $1 $options && \
interface_has_option $interface $option && \
echo ${interface}:0.0.0.0/0
done
}
@ -984,7 +1090,7 @@ disable_ipv6() {
ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP
else
error_message "WARNING: DISABLE_IPV6=Yes in shorewall.conf but this system has no ip6tables"
error_message "WARNING: DISABLE_IPV6=Yes in shorewall.conf but this system does not appear to have ip6tables"
fi
}
@ -1049,12 +1155,35 @@ stop_firewall() {
strip_file routestopped
while read interface host; do
expandv interface host
while read interface host options; do
expandv interface host options
[ "x$host" = "x-" -o -z "$host" ] && host=0.0.0.0/0
for h in $(separate_list $host); do
hosts="$hosts $interface:$h"
done
routeback=
if [ -n $options ]; then
for option in $(separate_list $options); do
case $option in
routeback)
if [ -n "$routeback" ]; then
error_message "Warning: Duplicate option ignored: routeback"
else
routeback=Yes
for h in $(separate_list $host); do
iptables -A FORWARD -i $interface -s $h -o $interface -d $h -j ACCEPT
done
fi
;;
*)
error_message "Warning: Unknown option ignored: $option"
;;
esac
done
fi
done < $TMP_DIR/routestopped
for host in $hosts; do
@ -1065,7 +1194,7 @@ stop_firewall() {
iptables -A OUTPUT -o $interface -d $subnet -j ACCEPT
for host1 in $hosts; do
iptables -A FORWARD -i $interface -s $subnet -o ${host1%:*} -d ${host1#*:} -j ACCEPT
[ "$host" != "$host1" ] && iptables -A FORWARD -i $interface -s $subnet -o ${host1%:*} -d ${host1#*:} -j ACCEPT
done
done
@ -1077,6 +1206,10 @@ stop_firewall() {
iptables -A INPUT -p udp -i $interface --dport 67:68 -j ACCEPT
[ -z "$ADMINISABSENTMINDED" ] && \
iptables -A OUTPUT -p udp -o $interface --dport 67:68 -j ACCEPT
#
# This might be a bridge
#
iptables -A FORWARD -p udp -i $interface -o $interface --dport 67:68 -j ACCEPT
done
setup_forwarding
@ -1415,7 +1548,7 @@ setup_mac_lists() {
maclist_interfaces=
for hosts in $maclist_hosts; do
interface=${hosts%:*}
interface=${hosts%%:*}
if ! list_search $interface $maclist_interfaces; then\
if [ -z "$maclist_interfaces" ]; then
maclist_interfaces=$interface
@ -1447,6 +1580,17 @@ setup_mac_lists() {
while read interface mac addresses; do
expandv interface mac addresses
physdev_part=
if [ -n "$BRIDGING" ]; then
case $interface in
*:*)
physdev_part="-m physdev --physdev-in ${interface#*:}"
interface=${interface%:*}
;;
esac
fi
chain=$(mac_chain $interface)
if ! havechain $chain ; then
@ -1456,10 +1600,10 @@ setup_mac_lists() {
macpart=$(mac_match $mac)
if [ -z "$addresses" ]; then
run_iptables -A $chain $macpart -j RETURN
run_iptables -A $chain $macpart $physdev_part -j RETURN
else
for address in $(separate_list $addresses) ; do
run_iptables2 -A $chain $macpart -s $address -j RETURN
run_iptables2 -A $chain $macpart -s $address $physdev_part -j RETURN
done
fi
done < $TMP_DIR/maclist
@ -1494,10 +1638,10 @@ setup_mac_lists() {
# Generate jumps from the input and forward chains
#
for hosts in $maclist_hosts; do
interface=${hosts%:*}
interface=${hosts%%:*}
hosts=${hosts#*:}
for chain in $(first_chains $interface) ; do
run_iptables -A $chain -s $hosts -m state --state NEW \
run_iptables -A $chain $(match_source_hosts $hosts) -m state --state NEW \
-j $(mac_chain $interface)
done
done
@ -1692,11 +1836,11 @@ process_tc_rule()
chain=tcout
;;
*)
if ! list_search $source $all_interfaces; then
if [ -z "$BRIDGING" ] && ! list_search $source $all_interfaces; then
fatal_error "Unknown interface $source in rule \"$rule\""
fi
r="-i $source "
r="$(select_source_dev) $source "
;;
esac
fi
@ -1852,7 +1996,7 @@ process_accounting_rule() {
case $source in
*:*)
rule="-s ${source#*:} -i ${source%:*}"
rule="-s ${source#*:} $(match_source_dev ${source%:*})"
;;
*.*.*.*)
rule="-s $source"
@ -1860,13 +2004,13 @@ process_accounting_rule() {
-|all|any)
;;
*)
[ -n "$source" ] && rule="-i $source"
[ -n "$source" ] && rule="$(match_source_dev $source)"
;;
esac
[ -n "$dest" ] && case $dest in
*:*)
rule="$rule -d ${dest#*:} -o ${dest%:*}"
rule="$rule -d ${dest#*:} $(match_dest_dev ${dest%:*})"
;;
*.*.*.*)
rule="$rule -d $dest"
@ -1874,7 +2018,7 @@ process_accounting_rule() {
-|all|any)
;;
*)
rule="$rule -o $dest"
rule="$rule $(match_dest_dev $dest)"
;;
esac
@ -1959,7 +2103,6 @@ setup_accounting() # $1 = Name of accounting file
}
#
# Check the configuration
#
@ -2113,7 +2256,7 @@ add_an_action()
-)
;;
*:*)
cli="-i ${client%:*} -s ${client#*:}"
cli="$(match_source_dev ${client%:*}) -s ${client#*:}"
;;
*.*.*)
cli="-s $client"
@ -2122,7 +2265,7 @@ add_an_action()
cli=$(mac_match $client)
;;
*)
[ -n "$client" ] && cli="-i $client"
[ -n "$client" ] && cli="$(match_source_dev $client)"
;;
esac
@ -2141,7 +2284,7 @@ add_an_action()
fatal_error "Rule \"$rule\" - Destination may not be specified by MAC Address"
;;
*)
[ -n "$server" ] && dest_interface="-o $server"
[ -n "$server" ] && dest_interface="$(match_dest_dev $server)"
;;
esac
@ -2321,7 +2464,7 @@ process_action() # $1 = action
for client in $(separate_list ${clients:=-}); do
for server in $(separate_list ${servers:=-}); do
#
# add_a_rule() modifies these so we must set their values each time
# add_an_action() modifies these so we must set their values each time
#
port=${ports:=-}
cport=${cports:=-}
@ -2673,7 +2816,7 @@ add_nat_rule() {
for z in $(separate_list $excludezones); do
eval hosts=\$${z}_hosts
for host in $hosts; do
addnatrule $chain -s ${host#*:} -j RETURN
addnatrule $chain $(match_source_hosts ${host#*:}) -j RETURN
done
done
@ -2723,7 +2866,7 @@ add_nat_rule() {
error_message "Warning: SNAT will occur on all connections to this server and port - rule \"$rule\""
[ $COMMAND = check ] || addnatrule $(snat_chain $dest) \
-s ${source_host#*:} $proto $sports $multiport \
$(match_source_hosts ${source_host#*:}) $proto $sports $multiport \
-d $serv $dports -j SNAT --to-source $snat
done
fi
@ -2784,7 +2927,7 @@ add_a_rule()
-)
;;
*:*)
cli="-i ${client%:*} -s ${client#*:}"
cli="$(match_source_dev ${client%:*}) -s ${client#*:}"
;;
*.*.*)
cli="-s $client"
@ -2793,7 +2936,7 @@ add_a_rule()
cli=$(mac_match $client)
;;
*)
[ -n "$client" ] && cli="-i $client"
[ -n "$client" ] && cli="$(match_source_dev $client)"
;;
esac
@ -2812,7 +2955,7 @@ add_a_rule()
fatal_error "Rule \"$rule\" - Destination may not be specified by MAC Address"
;;
*)
[ -n "$server" ] && dest_interface="-o $server"
[ -n "$server" ] && dest_interface="$(match_dest_dev $server)"
;;
esac
@ -2879,7 +3022,7 @@ add_a_rule()
# Complain if the rule is really a policy
case $logtarget in
ACCEPT|DROP|REJECT)
ACCEPT|DROP|REJECT|CONTINUE)
if [ -z "$proto" -a -z "$cli" -a -z "$serv" -a -z "$servport" -a -z "$userspec" ] ; then
error_message "Warning -- Rule \"$rule\" is a POLICY"
error_message " -- and should be moved to the policy file"
@ -3371,7 +3514,7 @@ process_tos_rule() {
#
# Assume that this is a device name
#
src="-i $src"
src="$(match_source_dev $src)"
;;
esac
@ -4441,6 +4584,11 @@ add_common_rules() {
echo "Adding rules for DHCP"
for interface in $interfaces; do
if [ -n "$BRIDGING" ]; then
eval is_bridge=\$$(chain_base $interface)_is_bridge
[ -n "$is_bridge" ] && \
iptables -A $(forward_chain $interface) -p udp -o $interface --dport 67:68 -j ACCEPT
fi
run_iptables -A $(input_chain $interface) -p udp --dport 67:68 -j ACCEPT
run_iptables -A OUTPUT -o $interface -p udp --dport 67:68 -j ACCEPT
done
@ -4698,8 +4846,11 @@ activate_rules()
shift
shift
havenatchain $destchain && \
if havenatchain $destchain ; then
run_iptables -t nat -A $sourcechain $@ -j $destchain
elif [ -n "$BRIDGING" -a -f $TMP_DIR/physdev ]; then
rm -f #TMP_DIR/physdev
fi
}
#
@ -4716,6 +4867,8 @@ activate_rules()
eval run_iptables -t nat -I $sourcechain \
\$${sourcechain}_rule $@ -j $destchain
eval ${sourcechain}_rule=\$\(\(\$${sourcechain}_rule + 1\)\)
elif [ -n "$BRIDGING" -a -f $TMP_DIR/physdev ]; then
rm -f $TMP_DIR/physdev
fi
}
@ -4754,28 +4907,31 @@ activate_rules()
need_broadcast=
for host in $source_hosts; do
interface=${host%:*}
interface=${host%%:*}
subnet=${host#*:}
run_iptables -A OUTPUT -o $interface -d $subnet -j $chain1
run_iptables -A OUTPUT -o $interface $(match_dest_hosts $subnet) -j $chain1
#
# Add jumps from the builtin chains for DNAT and SNAT rules
#
addrulejump PREROUTING $(dnat_chain $zone) -i $interface -s $subnet
addrulejump POSTROUTING $(snat_chain $zone) -o $interface -d $subnet
addrulejump PREROUTING $(dnat_chain $zone) -i $interface $(match_source_hosts $subnet)
addrulejump POSTROUTING $(snat_chain $zone) -o $interface $(match_dest_hosts $subnet)
run_iptables -A $(input_chain $interface) -s $subnet -j $chain2
run_iptables -A $(input_chain $interface) $(match_source_hosts $subnet) -j $chain2
[ -n "$complex" ] && \
run_iptables -A $(forward_chain $interface) -s $subnet -j $frwd_chain
run_iptables -A $(forward_chain $interface) $(match_source_hosts $subnet) -j $frwd_chain
case $subnet in
*.*.*.*)
if [ "$subnet" != 0.0.0.0/0 ]; then
if ! list_search $interface $need_broadcast ; then
eval options=\$$(chain_base $interface)_options
list_search detectnets $options && need_broadcast="$need_broadcast $interface"
interface_has_option $interface detectnets && need_broadcast="$need_broadcast $interface"
fi
fi
;;
esac
done
@ -4804,29 +4960,29 @@ activate_rules()
if [ -n "$complex" ]; then
for host1 in $dest_hosts; do
interface1=${host1%:*}
interface1=${host1%%:*}
subnet1=${host1#*:}
if [ $(list_count1 $source_hosts) -eq 1 -a "$source_hosts" = "$host1" ]; then
if list_search $host1 $routeback; then
run_iptables -A $frwd_chain -o $interface1 -d $subnet1 -j $chain
run_iptables -A $frwd_chain -o $interface1 $(match_dest_hosts $subnet1) -j $chain
fi
else
run_iptables -A $frwd_chain -o $interface1 -d $subnet1 -j $chain
run_iptables -A $frwd_chain -o $interface1 $(match_dest_hosts $subnet1) -j $chain
fi
done
else
for host in $source_hosts; do
interface=${host%:*}
interface=${host%%:*}
subnet=${host#*:}
chain1=$(forward_chain $interface)
for host1 in $dest_hosts; do
interface1=${host1%:*}
interface1=${host1%%:*}
subnet1=${host1#*:}
if [ "$host" != "$host1" ] || list_search $host $routeback; then
run_iptables -A $chain1 -s $subnet -o $interface1 -d $subnet1 -j $chain
run_iptables -A $chain1 $(match_source_hosts $subnet) -o $interface1 $(match_dest_hosts $subnet1) -j $chain
fi
done
done
@ -5178,11 +5334,11 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
fi
for h in $dest_hosts; do
iface=${h%:*}
iface=${h%%:*}
hosts=${h#*:}
if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
do_iptables -I $source_chain $rulenum -s $host -o $iface -d $hosts -j $chain
do_iptables -I $source_chain $rulenum -s $host -o $iface $(match_dest_hosts $hosts) -j $chain
rulenum=$(($rulenum + 1))
fi
done
@ -5205,7 +5361,7 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
eval source_hosts=\"\$${z1}_hosts\"
for h in $source_hosts; do
iface=${h%:*}
iface=${h%%:*}
hosts=${h#*:}
base=$(chain_base $iface)
@ -5221,7 +5377,7 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
fi
if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
do_iptables -I $(forward_chain $iface) $rulenum -s $hosts -o $interface -d $host -j $chain
do_iptables -I $(forward_chain $iface) $rulenum $(match_source_hosts $hosts) -o $interface -d $host -j $chain
rulenum=$(($rulenum + 1))
fi
@ -5328,11 +5484,11 @@ delete_from_zone() # $1 = <interface>[:<hosts>] $2 = zone
eval dest_hosts=\"\$${z2}_hosts\"
for h in $dest_hosts $delhost; do
iface=${h%:*}
iface=${h%%:*}
hosts=${h#*:}
if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
qt iptables -D $source_chain -s $host -o $iface -d $hosts -j $chain
qt iptables -D $source_chain -s $host -o $iface $(match_source_hosts $hosts) -j $chain
fi
done
fi
@ -5343,11 +5499,11 @@ delete_from_zone() # $1 = <interface>[:<hosts>] $2 = zone
eval source_hosts=\"\$${z1}_hosts\"
for h in $source_hosts; do
iface=${h%:*}
iface=${h%%:*}
hosts=${h#*:}
if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
qt iptables -D $(forward_chain $iface) -s $hosts -o $interface -d $host -j $chain
qt iptables -D $(forward_chain $iface) $(match_source_hosts $hosts) -o $interface -d $host -j $chain
fi
done
fi
@ -5463,6 +5619,7 @@ do_initialize() {
USEDACTIONS=
SMURF_LOG_LEVEL=
DISABLE_IPV6=
BRIDGING=
stopping=
have_mutex=
@ -5613,6 +5770,7 @@ do_initialize() {
ADMINISABSENTMINDED=$(added_param_value_no ADMINISABSENTMINDED $ADMINISABSENTMINDED)
BLACKLISTNEWONLY=$(added_param_value_no BLACKLISTNEWONLY $BLACKLISTNEWONLY)
DISABLE_IPV6=$(added_param_value_no DISABLE_IPV6 $DISABLE_IPV6)
BRIDGING=$(added_param_value_no BRIDGING $BRIDGING)
[ -n "$MODULE_SUFFIX" ] || MODULE_SUFFIX="o gz ko o.gz"
#
@ -5629,6 +5787,8 @@ do_initialize() {
if [ $(encodeaddr $temp) != 192.168.1.1 ]; then
startup_error "Shell $SHOREWALL_SHELL is broken and may not be used with Shorewall"
fi
rm -f $TMP_DIR/physdev
}
#
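Review bot: In the find_hosts_by_option hunk the new line `interface_has_option $interface $option && \` tests `$option`, whereas the line it replaces tested `$1`, the option the function is asked about (its header reads `# $1 = option`), and nothing in the hunk assigns `option`. Unless `option` is set from `$1` earlier in the function, outside the hunk, this loop will match whatever value a previous `for option in …` loop left in the global, or nothing at all, so interfaces that carry the requested option in /etc/shorewall/interfaces silently drop out of the result — for `maclist` that means the MAC-list chains are never attached to those interfaces and no error is raised. The fix is `interface_has_option $interface $1 && \`; quoting both arguments, `interface_has_option "$interface" "$1"`, would also keep an empty value from collapsing into a missing parameter given the helper's unquoted `list_search $2 $options`. find_hosts_by_option begins before this hunk, so an earlier assignment cannot be ruled out from here.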


@ -12,21 +12,28 @@
#
# ZONE - The name of a zone defined in /etc/shorewall/zones
#
# HOST(S) - The name of an interface followed by a colon (":") and
# HOST(S) - The name of an interface defined in the
# /etc/shorewall/interfaces file followed by a colon (":") and
# a comma-separated list whose elements are either:
#
# a) The IP address of a host
# b) A subnetwork in the form
# <subnet-address>/<mask width>
#
# The interface must be defined in the
# /etc/shorewall/interfaces file.
# c) A physical port name; only allowed when the
# interface names a bridge created by the
# brctl addbr command. This port must not
# be defined in /etc/shorewall/interfaces and may
# optionally followed by a colon (":") and a
# host or network IP.
# See http://www.shorewall.net/Bridge.html for details.
#
# Examples:
#
# eth1:192.168.1.3
# eth2:192.168.2.0/24
# eth3:192.168.2.0/24,192.168.3.1
# br0:eth4
# br0:eth0:192.168.1.16/28
#
# OPTIONS - A comma-separated list of options. Currently-defined
# options are:


@ -46,10 +46,19 @@
# OPTIONS A comma-separated list of options including the
# following:
#
# dhcp - interface is managed by DHCP or used by
# a DHCP server running on the firewall or
# you have a static IP but are on a LAN
# segment with lots of Laptop DHCP clients.
# dhcp - Specify this option when any of
# the following are true:
# 1. the interface gets its IP address
# via DHCP
# 2. the interface is used by
# a DHCP server running on the firewall
# 3. you have a static IP but are on a LAN
# segment with lots of Laptop DHCP
# clients.
# 4. the interface is a bridge with
# a DHCP server on one port and DHCP
# clients on another port.
#
# norfc1918 - This interface should not receive
# any packets whose source is in one
# of the ranges reserved by RFC 1918
@ -58,6 +67,7 @@
# enabled in shorewall.conf, packets
# whose destination addresses are
# reserved by RFC 1918 are also rejected.
#
# routefilter - turn on kernel route filtering for this
# interface (anti-spoofing measure). This
# option can also be enabled globally in
@ -65,12 +75,14 @@
# . . blacklist - Check packets arriving on this interface
# against the /etc/shorewall/blacklist
# file.
#
# maclist - Connection requests from this interface
# are compared against the contents of
# /etc/shorewall/maclist. If this option
# is specified, the interface must be
# an ethernet NIC and must be up before
# Shorewall is started.
#
# tcpflags - Packets arriving on this interface are
# checked for certain illegal combinations
# of TCP flags. Packets found to have
@ -79,6 +91,7 @@
# TCP_FLAGS_DISPOSITION after having been
# logged according to the setting of
# TCP_FLAGS_LOG_LEVEL.
#
# proxyarp -
# Sets
# /proc/sys/net/ipv4/conf/<interface>/proxy_arp.
@ -127,7 +140,7 @@
# hosts routed through the interface.
#
# WARNING: DO NOT SET THE detectnets OPTION ON YOUR
# INTERNET INTERFACE!
# INTERNET INTERFACE.
#
# The order in which you list the options is not
# significant but the list should have no embedded white


@ -5,7 +5,10 @@
#
# Columns are:
#
# INTERFACE Network interface to a host
# INTERFACE Network interface to a host. If the interface
# names a bridge, it may be optionally followed by
# a colon (":") and a physical port name (e.g.,
# br0:eth4).
#
# MAC MAC address of the host -- you do not need to use
# the Shorewall format for MAC addresses here


@ -14,12 +14,18 @@
# HOST(S) - (Optional) Comma-separated list of IP/subnet
# If left empty or supplied as "-",
# 0.0.0.0/0 is assumed.
# OPTIONS - (Optional) A comma-separated list of
# options. The currently-supported options are:
#
# routeback - Set up a rule to ACCEPT traffic from
# these hosts back to themselves.
#
# Example:
#
# INTERFACE HOST(S)
# INTERFACE HOST(S) OPTIONS
# eth2 192.168.1.0/24
# eth0 192.0.2.44
# br0 - routeback
##############################################################################
#INTERFACE HOST(S)
#INTERFACE HOST(S) OPTIONS
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -524,6 +524,18 @@ MODULE_SUFFIX=
# firewall system. This requires that you have ip6tables installed.
DISABLE_IPV6=Yes
#
# BRIDGING
#
# If you wish to control traffic through a bridge (see http://bridge.sf.net),
# then set BRIDGING=Yes. Your kernel must have the physdev match option
# enabled; that option is available through Patch-O-Matic for 2.4 kernels and
# is included as a standard part of the 2.6 series kernels. If not
# specified or specified as empty (BRIDGING="") then "No" is assumed.
#
BRIDGING=No
################################################################################
# P A C K E T D I S P O S I T I O N
################################################################################
@ -534,6 +546,7 @@ DISABLE_IPV6=Yes
# Blacklisted systems. Must be DROP or REJECT. If not set or set to empty,
# DROP is assumed.
#
BLACKLIST_DISPOSITION=DROP
#