forked from extern/shorewall_code
More physical interface changes
This commit is contained in:
Tom Eastep
parent
4ef45ff665
commit
b491745f1c
@ -195,7 +195,7 @@ sub process_one_masq( )
|
||||
fatal_error "Unknown interface ($interface)" unless my $interfaceref = known_interface( $interface );
|
||||
|
||||
unless ( $interfaceref->{root} ) {
|
||||
$rule .= "-o $interface ";
|
||||
$rule .= match_dest_dev( $interface );
|
||||
$interface = $interfaceref->{name};
|
||||
}
|
||||
|
||||
@ -220,7 +220,7 @@ sub process_one_masq( )
|
||||
if ( $addresses =~ /^SAME/ ) {
|
||||
fatal_error "The SAME target is no longer supported";
|
||||
} elsif ( $addresses eq 'detect' ) {
|
||||
my $variable = get_interface_address $interface;
|
||||
my $variable = get_interface_address $interfaceref->{physical};
|
||||
$target = "-j SNAT --to-source $variable";
|
||||
|
||||
if ( interface_is_optional $interface ) {
|
||||
@ -367,8 +367,8 @@ sub do_one_nat( $$$$$ )
|
||||
fatal_error "Unknown interface ($interface)" unless my $interfaceref = known_interface( $interface );
|
||||
|
||||
unless ( $interfaceref->{root} ) {
|
||||
$rulein = "-i $interface ";
|
||||
$ruleout = "-o $interface ";
|
||||
$rulein = match_source_dev $interface;
|
||||
$ruleout = match_dest_dev $interface;
|
||||
$interface = $interfaceref->{name};
|
||||
}
|
||||
|
||||
@ -460,8 +460,8 @@ sub setup_netmap() {
|
||||
fatal_error "Unknown interface ($interface)" unless my $interfaceref = find_interface( $interface );
|
||||
|
||||
unless ( $interfaceref->{root} ) {
|
||||
$rulein = "-i $interface ";
|
||||
$ruleout = "-o $interface ";
|
||||
$rulein = match_source_dev $interface;
|
||||
$ruleout = match_dest_dev $interface;
|
||||
$interface = $interfaceref->{name};
|
||||
}
|
||||
|
||||
|
||||
@ -199,8 +199,8 @@ sub setup_ecn()
|
||||
for my $interface ( @interfaces ) {
|
||||
my $chainref = ensure_chain 'mangle', ecn_chain( $interface );
|
||||
|
||||
add_jump $mangle_table->{POSTROUTING} , $chainref, 0, "-p tcp -o $interface ";
|
||||
add_jump $mangle_table->{OUTPUT}, $chainref, 0, "-p tcp -o $interface ";
|
||||
add_jump $mangle_table->{POSTROUTING} , $chainref, 0, "-p tcp " . match_dest_dev( $interface );
|
||||
add_jump $mangle_table->{OUTPUT}, $chainref, 0, "-p tcp " . match_dest_dev( $interface );
|
||||
}
|
||||
|
||||
for my $host ( @hosts ) {
|
||||
@ -342,10 +342,11 @@ sub process_routestopped() {
|
||||
$routeback = 1;
|
||||
|
||||
for my $host ( split /,/, $hosts ) {
|
||||
my $source = match_source_net $host;
|
||||
my $dest = match_dest_net $host;
|
||||
|
||||
add_rule $chainref , "-i $interface -o $interface $source $dest -j ACCEPT";
|
||||
add_rule( $chainref ,
|
||||
match_source_dev( $interface ) .
|
||||
match_dest_dev( $interface ) .
|
||||
match_source_net( $host ) .
|
||||
match_dest_net( $host ) );
|
||||
clearrule;
|
||||
}
|
||||
}
|
||||
@ -551,7 +552,11 @@ sub add_common_rules() {
|
||||
add_rule $filter_table->{$chain} , "-p udp --dport $ports -j ACCEPT";
|
||||
}
|
||||
|
||||
add_rule $filter_table->{forward_chain $interface} , "-p udp -o $interface --dport $ports -j ACCEPT" if get_interface_option( $interface, 'bridge' );
|
||||
add_rule( $filter_table->{forward_chain $interface} ,
|
||||
"-p udp " .
|
||||
match_dest_dev( $interface ) .
|
||||
"--dport $ports -j ACCEPT" )
|
||||
if get_interface_option( $interface, 'bridge' );
|
||||
}
|
||||
}
|
||||
|
||||
@ -635,10 +640,10 @@ sub add_common_rules() {
|
||||
if ( interface_is_optional $interface ) {
|
||||
add_commands( $chainref,
|
||||
qq(if [ -n "\$${base}_IS_USABLE" -a -n "$variable" ]; then) ,
|
||||
qq( echo -A $chainref->{name} -i $interface -s $variable -p udp -j ACCEPT >&3) ,
|
||||
qq( echo -A $chainref->{name} ) . match_source_dev( $interface ) . qq(-s $variable -p udp -j ACCEPT >&3) ,
|
||||
qq(fi) );
|
||||
} else {
|
||||
add_commands( $chainref, qq(echo -A $chainref->{name} -i $interface -s $variable -p udp -j ACCEPT >&3) );
|
||||
add_commands( $chainref, qq(echo -A $chainref->{name} ) . match_source_dev( $interface ) . qq(-s $variable -p udp -j ACCEPT >&3) );
|
||||
}
|
||||
}
|
||||
}
|
||||
@ -2287,12 +2292,12 @@ EOF
|
||||
my $ports = $family == F_IPV4 ? '67:68' : '546:547';
|
||||
|
||||
for my $interface ( @$interfaces ) {
|
||||
add_rule $input, "-p udp -i $interface --dport $ports -j ACCEPT";
|
||||
add_rule $output, "-p udp -o $interface --dport $ports -j ACCEPT" unless $config{ADMINISABSENTMINDED};
|
||||
add_rule $input, "-p udp " . match_source_dev( $interface ) . "--dport $ports -j ACCEPT";
|
||||
add_rule $output, "-p udp " . match_dest_dev( $interface ) . "--dport $ports -j ACCEPT" unless $config{ADMINISABSENTMINDED};
|
||||
#
|
||||
# This might be a bridge
|
||||
#
|
||||
add_rule $forward, "-p udp -i $interface -o $interface --dport $ports -j ACCEPT";
|
||||
add_rule $forward, "-p udp " . match_source_dev( $interface ) . match_dest_dev( $interface ) . "--dport $ports -j ACCEPT";
|
||||
}
|
||||
}
|
||||
|
||||
@ -2311,7 +2316,7 @@ EOF
|
||||
}
|
||||
} else {
|
||||
for my $interface ( all_bridges ) {
|
||||
emit "do_iptables -A FORWARD -p 58 -i $interface -o $interface -j ACCEPT";
|
||||
emit "do_iptables -A FORWARD -p 58 " . match_source_interface( $interface ) . match_dest_interface( $interface ) . "-j ACCEPT";
|
||||
}
|
||||
|
||||
if ( $config{IP_FORWARDING} eq 'on' ) {
|
||||
|
||||
@ -997,11 +997,10 @@ sub known_interface($)
|
||||
|
||||
for my $i ( @interfaces ) {
|
||||
$interfaceref = $interfaces{$i};
|
||||
my $val = $interfaceref->{root};
|
||||
next if $val eq $i;
|
||||
if ( substr( $interface, 0, length $val ) eq $val ) {
|
||||
my $root = $interfaceref->{root};
|
||||
if ( $i ne $root && substr( $interface, 0, length $root ) eq $root ) {
|
||||
#
|
||||
# Cache this result for future reference. We set the 'name' to the name of the entry that appears in /etc/shorewall/interfaces.
|
||||
# Cache this result for future reference. We set the 'name' to the name of the entry that appears in /etc/shorewall/interfaces and we do not set the root;
|
||||
#
|
||||
return $interfaces{$interface} = { options => $interfaceref->{options},
|
||||
bridge => $interfaceref->{bridge} ,
|
||||
@ -1095,7 +1094,11 @@ sub find_interfaces_by_option( $ ) {
|
||||
my @ints = ();
|
||||
|
||||
for my $interface ( @interfaces ) {
|
||||
my $optionsref = $interfaces{$interface}{options};
|
||||
my $interfaceref = $interfaces{$interface};
|
||||
|
||||
next unless $interfaceref->{root};
|
||||
|
||||
my $optionsref = $interfaceref->{options};
|
||||
if ( $optionsref && defined $optionsref->{$option} ) {
|
||||
push @ints , $interface
|
||||
}
|
||||
|
||||
Loading…
Reference in New Issue
Block a user