More physical interface changes
This commit is contained in:
parent
4ef45ff665
commit
b491745f1c
@ -195,7 +195,7 @@ sub process_one_masq( )
|
|||||||
fatal_error "Unknown interface ($interface)" unless my $interfaceref = known_interface( $interface );
|
fatal_error "Unknown interface ($interface)" unless my $interfaceref = known_interface( $interface );
|
||||||
|
|
||||||
unless ( $interfaceref->{root} ) {
|
unless ( $interfaceref->{root} ) {
|
||||||
$rule .= "-o $interface ";
|
$rule .= match_dest_dev( $interface );
|
||||||
$interface = $interfaceref->{name};
|
$interface = $interfaceref->{name};
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -220,7 +220,7 @@ sub process_one_masq( )
|
|||||||
if ( $addresses =~ /^SAME/ ) {
|
if ( $addresses =~ /^SAME/ ) {
|
||||||
fatal_error "The SAME target is no longer supported";
|
fatal_error "The SAME target is no longer supported";
|
||||||
} elsif ( $addresses eq 'detect' ) {
|
} elsif ( $addresses eq 'detect' ) {
|
||||||
my $variable = get_interface_address $interface;
|
my $variable = get_interface_address $interfaceref->{physical};
|
||||||
$target = "-j SNAT --to-source $variable";
|
$target = "-j SNAT --to-source $variable";
|
||||||
|
|
||||||
if ( interface_is_optional $interface ) {
|
if ( interface_is_optional $interface ) {
|
||||||
@ -367,8 +367,8 @@ sub do_one_nat( $$$$$ )
|
|||||||
fatal_error "Unknown interface ($interface)" unless my $interfaceref = known_interface( $interface );
|
fatal_error "Unknown interface ($interface)" unless my $interfaceref = known_interface( $interface );
|
||||||
|
|
||||||
unless ( $interfaceref->{root} ) {
|
unless ( $interfaceref->{root} ) {
|
||||||
$rulein = "-i $interface ";
|
$rulein = match_source_dev $interface;
|
||||||
$ruleout = "-o $interface ";
|
$ruleout = match_dest_dev $interface;
|
||||||
$interface = $interfaceref->{name};
|
$interface = $interfaceref->{name};
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -460,8 +460,8 @@ sub setup_netmap() {
|
|||||||
fatal_error "Unknown interface ($interface)" unless my $interfaceref = find_interface( $interface );
|
fatal_error "Unknown interface ($interface)" unless my $interfaceref = find_interface( $interface );
|
||||||
|
|
||||||
unless ( $interfaceref->{root} ) {
|
unless ( $interfaceref->{root} ) {
|
||||||
$rulein = "-i $interface ";
|
$rulein = match_source_dev $interface;
|
||||||
$ruleout = "-o $interface ";
|
$ruleout = match_dest_dev $interface;
|
||||||
$interface = $interfaceref->{name};
|
$interface = $interfaceref->{name};
|
||||||
}
|
}
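Review bot: `get_interface_address $interfaceref->{physical}` in the hunk at line 220 assumes the hashref always carries a `physical` field, but for an interface matched through a wildcard `$interfaceref` is the cache entry that known_interface builds (visible later in this commit), and the only copied fields I can see there are `options` and `bridge`; the rest of that constructor is outside this page. If `physical` is not among the copied fields, the `detect` branch calls `get_interface_address` with undef for exactly the wildcard case while the root case works. I would either confirm the cache copies `physical` or make the lookup fail loudly: `my $physical = $interfaceref->{physical};` followed by `fatal_error "No physical interface for $interface" unless defined $physical;` before the call. The enclosing process_one_masq starts and ends outside the hunk.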
|
||||||
|
|
||||||
|
@ -199,8 +199,8 @@ sub setup_ecn()
|
|||||||
for my $interface ( @interfaces ) {
|
for my $interface ( @interfaces ) {
|
||||||
my $chainref = ensure_chain 'mangle', ecn_chain( $interface );
|
my $chainref = ensure_chain 'mangle', ecn_chain( $interface );
|
||||||
|
|
||||||
add_jump $mangle_table->{POSTROUTING} , $chainref, 0, "-p tcp -o $interface ";
|
add_jump $mangle_table->{POSTROUTING} , $chainref, 0, "-p tcp " . match_dest_dev( $interface );
|
||||||
add_jump $mangle_table->{OUTPUT}, $chainref, 0, "-p tcp -o $interface ";
|
add_jump $mangle_table->{OUTPUT}, $chainref, 0, "-p tcp " . match_dest_dev( $interface );
|
||||||
}
|
}
|
||||||
|
|
||||||
for my $host ( @hosts ) {
|
for my $host ( @hosts ) {
|
||||||
@ -342,10 +342,11 @@ sub process_routestopped() {
|
|||||||
$routeback = 1;
|
$routeback = 1;
|
||||||
|
|
||||||
for my $host ( split /,/, $hosts ) {
|
for my $host ( split /,/, $hosts ) {
|
||||||
my $source = match_source_net $host;
|
add_rule( $chainref ,
|
||||||
my $dest = match_dest_net $host;
|
match_source_dev( $interface ) .
|
||||||
|
match_dest_dev( $interface ) .
|
||||||
add_rule $chainref , "-i $interface -o $interface $source $dest -j ACCEPT";
|
match_source_net( $host ) .
|
||||||
|
match_dest_net( $host ) );
|
||||||
clearrule;
|
clearrule;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -551,7 +552,11 @@ sub add_common_rules() {
|
|||||||
add_rule $filter_table->{$chain} , "-p udp --dport $ports -j ACCEPT";
|
add_rule $filter_table->{$chain} , "-p udp --dport $ports -j ACCEPT";
|
||||||
}
|
}
|
||||||
|
|
||||||
add_rule $filter_table->{forward_chain $interface} , "-p udp -o $interface --dport $ports -j ACCEPT" if get_interface_option( $interface, 'bridge' );
|
add_rule( $filter_table->{forward_chain $interface} ,
|
||||||
|
"-p udp " .
|
||||||
|
match_dest_dev( $interface ) .
|
||||||
|
"--dport $ports -j ACCEPT" )
|
||||||
|
if get_interface_option( $interface, 'bridge' );
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -635,10 +640,10 @@ sub add_common_rules() {
|
|||||||
if ( interface_is_optional $interface ) {
|
if ( interface_is_optional $interface ) {
|
||||||
add_commands( $chainref,
|
add_commands( $chainref,
|
||||||
qq(if [ -n "\$${base}_IS_USABLE" -a -n "$variable" ]; then) ,
|
qq(if [ -n "\$${base}_IS_USABLE" -a -n "$variable" ]; then) ,
|
||||||
qq( echo -A $chainref->{name} -i $interface -s $variable -p udp -j ACCEPT >&3) ,
|
qq( echo -A $chainref->{name} ) . match_source_dev( $interface ) . qq(-s $variable -p udp -j ACCEPT >&3) ,
|
||||||
qq(fi) );
|
qq(fi) );
|
||||||
} else {
|
} else {
|
||||||
add_commands( $chainref, qq(echo -A $chainref->{name} -i $interface -s $variable -p udp -j ACCEPT >&3) );
|
add_commands( $chainref, qq(echo -A $chainref->{name} ) . match_source_dev( $interface ) . qq(-s $variable -p udp -j ACCEPT >&3) );
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -2287,12 +2292,12 @@ EOF
|
|||||||
my $ports = $family == F_IPV4 ? '67:68' : '546:547';
|
my $ports = $family == F_IPV4 ? '67:68' : '546:547';
|
||||||
|
|
||||||
for my $interface ( @$interfaces ) {
|
for my $interface ( @$interfaces ) {
|
||||||
add_rule $input, "-p udp -i $interface --dport $ports -j ACCEPT";
|
add_rule $input, "-p udp " . match_source_dev( $interface ) . "--dport $ports -j ACCEPT";
|
||||||
add_rule $output, "-p udp -o $interface --dport $ports -j ACCEPT" unless $config{ADMINISABSENTMINDED};
|
add_rule $output, "-p udp " . match_dest_dev( $interface ) . "--dport $ports -j ACCEPT" unless $config{ADMINISABSENTMINDED};
|
||||||
#
|
#
|
||||||
# This might be a bridge
|
# This might be a bridge
|
||||||
#
|
#
|
||||||
add_rule $forward, "-p udp -i $interface -o $interface --dport $ports -j ACCEPT";
|
add_rule $forward, "-p udp " . match_source_dev( $interface ) . match_dest_dev( $interface ) . "--dport $ports -j ACCEPT";
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -2311,7 +2316,7 @@ EOF
|
|||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
for my $interface ( all_bridges ) {
|
for my $interface ( all_bridges ) {
|
||||||
emit "do_iptables -A FORWARD -p 58 -i $interface -o $interface -j ACCEPT";
|
emit "do_iptables -A FORWARD -p 58 " . match_source_interface( $interface ) . match_dest_interface( $interface ) . "-j ACCEPT";
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( $config{IP_FORWARDING} eq 'on' ) {
|
if ( $config{IP_FORWARDING} eq 'on' ) {
|
||||||
|
@ -997,11 +997,10 @@ sub known_interface($)
|
|||||||
|
|
||||||
for my $i ( @interfaces ) {
|
for my $i ( @interfaces ) {
|
||||||
$interfaceref = $interfaces{$i};
|
$interfaceref = $interfaces{$i};
|
||||||
my $val = $interfaceref->{root};
|
my $root = $interfaceref->{root};
|
||||||
next if $val eq $i;
|
if ( $i ne $root && substr( $interface, 0, length $root ) eq $root ) {
|
||||||
if ( substr( $interface, 0, length $val ) eq $val ) {
|
|
||||||
#
|
#
|
||||||
# Cache this result for future reference. We set the 'name' to the name of the entry that appears in /etc/shorewall/interfaces.
|
# Cache this result for future reference. We set the 'name' to the name of the entry that appears in /etc/shorewall/interfaces and we do not set the root;
|
||||||
#
|
#
|
||||||
return $interfaces{$interface} = { options => $interfaceref->{options},
|
return $interfaces{$interface} = { options => $interfaceref->{options},
|
||||||
bridge => $interfaceref->{bridge} ,
|
bridge => $interfaceref->{bridge} ,
|
||||||
@ -1095,7 +1094,11 @@ sub find_interfaces_by_option( $ ) {
|
|||||||
my @ints = ();
|
my @ints = ();
|
||||||
|
|
||||||
for my $interface ( @interfaces ) {
|
for my $interface ( @interfaces ) {
|
||||||
my $optionsref = $interfaces{$interface}{options};
|
my $interfaceref = $interfaces{$interface};
|
||||||
|
|
||||||
|
next unless $interfaceref->{root};
|
||||||
|
|
||||||
|
my $optionsref = $interfaceref->{options};
|
||||||
if ( $optionsref && defined $optionsref->{$option} ) {
|
if ( $optionsref && defined $optionsref->{$option} ) {
|
||||||
push @ints , $interface
|
push @ints , $interface
|
||||||
}
|
}
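Review bot: The new test in known_interface, `if ( $i ne $root && substr( $interface, 0, length $root ) eq $root )`, is only safe when every entry reached through `@interfaces` has a defined `root`. The comment added in the same hunk says cached entries are stored without a root, and the companion hunk in find_interfaces_by_option adds `next unless $interfaceref->{root};` over the same list, which suggests root-less entries can be encountered; for such an entry `length $root` is undef, `substr( $interface, 0, undef )` yields the empty string, and `'' eq undef` is true, so any unknown name would satisfy the prefix match and be cached as an interface derived from that entry. I would add `next unless $root;` before the test, mirroring the other hunk, so a missing root can never satisfy the match. known_interface starts and ends outside the hunk.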
|
||||||
|