diff --git a/Shorewall/manpages/shorewall-zones.xml b/Shorewall/manpages/shorewall-zones.xml index 84bdf1770..4e0f31771 100644 --- a/Shorewall/manpages/shorewall-zones.xml +++ b/Shorewall/manpages/shorewall-zones.xml @@ -227,6 +227,19 @@ c:a,b ipv4 + + dynamic_shared + + + Added in Shorewall 4.5.9. May only be specified in the + OPTIONS column and indicates that only a single ipset should + be created for this zone if it has multiple dynamic entries in + shorewall-hosts(5). + Without this option, a separate ipset is created for each + interface. + + + reqid=number @@ -348,9 +361,9 @@ c:a,b ipv4 shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5), shorewall-nesting(8), shorewall-netmap(5), shorewall-params(5), shorewall-policy(5), shorewall-providers(5), - shorewall-proxyarp(5), shorewall-rtrules(5), - shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), - shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5), - shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5) + shorewall-proxyarp(5), shorewall-rtrules(5), shorewall-routestopped(5), + shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5), + shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5), + shorewall-tos(5), shorewall-tunnels(5) diff --git a/Shorewall/manpages/shorewall.xml b/Shorewall/manpages/shorewall.xml index fd241dd99..4d4085181 100644 --- a/Shorewall/manpages/shorewall.xml +++ b/Shorewall/manpages/shorewall.xml @@ -24,12 +24,14 @@ -options - + interface[:host-list] - zone + zone zone host-list @@ -109,12 +111,14 @@ -options - + interface[:host-list] - zone + zone zone host-list @@ -746,6 +750,15 @@ add by delete and run the same command again. Then enter the correct command. + + Beginning with Shorewall 4.5.9, the dynamic_shared zone option (shorewall-zones(5)) allows a + single ipset to handle entries for multiple interfaces. When that + option is specified for a zone, the add command + has the alternative syntax in which the + zone name precedes the + host-list. @@ -861,6 +874,15 @@ url="shorewall-interfaces.html">shorewall-interfaces(5) file. A host-list is comma-separated list whose elements are a host or network address. + + Beginning with Shorewall 4.5.9, the dynamic_shared zone option (shorewall-zones(5)) allows a + single ipset to handle entries for multiple interfaces. When that + option is specified for a zone, the delete + command has the alternative syntax in which the + zone name precedes the + host-list. diff --git a/Shorewall6/manpages/shorewall6-zones.xml b/Shorewall6/manpages/shorewall6-zones.xml index 701d988b6..23c93b365 100644 --- a/Shorewall6/manpages/shorewall6-zones.xml +++ b/Shorewall6/manpages/shorewall6-zones.xml @@ -178,7 +178,7 @@ c:a,b ipv6 Added in Shorewall 4.4.11 Beta 2 - A zone composed of Linux-vserver guests. The zone contents must be defined in - shorewall-hosts + shorewall6-hosts (5). Vserver zones are implicitly handled as subzones of the @@ -225,6 +225,20 @@ c:a,b ipv6 + + dynamic_shared + + + Added in Shorewall 4.5.9. May only be specified in the + OPTIONS column and indicates that only a single ipset should + be created for this zone if it has multiple dynamic entries in + shorewall6-hosts(5). + Without this option, a separate ipset is created for each + interface. + + + reqid=number diff --git a/Shorewall6/manpages/shorewall6.xml b/Shorewall6/manpages/shorewall6.xml index ba717adef..8131e3cac 100644 --- a/Shorewall6/manpages/shorewall6.xml +++ b/Shorewall6/manpages/shorewall6.xml @@ -24,12 +24,13 @@ -options - + interface[:host-list] - zone + zone | zone host-list + @@ -98,6 +99,23 @@ pathname + + shorewall6 + + | + + -options + + + + interface[:host-list] + + zone | zone host-list + + + shorewall @@ -649,6 +667,15 @@ add by delete and run the same command again. Then enter the correct command. + + Beginning with Shorewall 4.5.9, the dynamic_shared zone option (shorewall6-zones(5)) allows a + single ipset to handle entries for multiple interfaces. When that + option is specified for a zone, the add command + has the alternative syntax in which the + zone name precedes the + host-list. @@ -759,6 +786,15 @@ url="shorewall6-interfaces.html">shorewall6-interfaces(5) file. A host-list is comma-separated list whose elements are a host or network address. + + Beginning with Shorewall 4.5.9, the dynamic_shared zone option (shorewall6-zones(5)) allows a + single ipset to handle entries for multiple interfaces. When that + option is specified for a zone, the delete + command has the alternative syntax in which the + zone name precedes the + host-list. diff --git a/docs/Dynamic.xml b/docs/Dynamic.xml index ffc54a42f..9135b5b98 100644 --- a/docs/Dynamic.xml +++ b/docs/Dynamic.xml @@ -180,127 +180,233 @@ -
- Defining a Dynamic Zone +
+ Dynamic Zones -- Shorewall 4.5.9 and Later - A dynamic zone is defined by using the keyword dynamic in the zones - host list. + Prior to Shorewall 4.5.9, when multiple records for a zone appear in + /etc/shorewall/hosts, Shorewall would create a + separate ipset for each interface. This meant that an add or delete + command was required for each of the interface, when the address involved + was reachable via multiple interfaces. - Example: + Beginning with Shoreawll 4.5.9, it is possible to have a single + ipset shared among all interfaces. This also simplifies management of + dynamic zone contents for dynamic zones associated with only a single + interface. + + The earlier implementation described below is still available in + these later releases. + +
+ Defining a Dynamic Zone + + A dynamic zone is defined by specifying the + option in the zones file and using the + keyword in the hosts list. -
/etc/shorewall/zones:#NAME TYPE OPTIONS -loc ipv4 -webok:loc ipv4/etc/shorewall/interfaces: +net ipv4 +rsyncok:loc ipv4 dynamic_shared/etc/shorewall/interfaces: #ZONE INTERFACE BROADCAST OPTIONS loc eth0 - … - +loc eth1 - … /etc/shorewall/hosts: #ZONE HOSTS OPTIONS +rsyncok eth0: +rsyncok eth1: + + When the option is specified, a + single ipset is created; the ipset has the same name as the zone. +
+ +
+ Adding a Host to a Dynamic Zone. + + Adding a host to a dynamic zone is accomplished by adding the + host's IP address to the appropriate ipset. Shorewall provldes a command + for doing that:
+ shorewall add zone + address ... +
+ + Example: + +
+ shorewall add rsyncok 70.90.191.124 +
+
+ +
+ Deleting a Host from a Dynamic Zone + + Deleting a host from a dynamic zone is accomplished by removing + the host's IP address from the appropriate ipset. Shorewall provldes a + command for doing that: + +
+ shorewall delete + zone address + ... +
+ + Example: + +
+ shorewall delete rsyncok 70.19.191.124 +
+ + The command can only be used when the ipset involved is of type + iphash. For other ipset types, the ipset command must + be used directly. +
+ +
+ Listing the Contents of a Dynamic Zone + + The shorewall show command may be used to list the current + contents of a dynamic zone. + +
+ shorewall show dynamic + zone +
+ + Example: + +
+ shorewall show dynamic rsyncok +rsyncok: + 70.90.191.122 + 70.90.191.124 +
+
+
+ +
+ Dynamic Zones -- Shorewall 5.4.8 and Earlier. + + + +
+ Defining a Dynamic Zone + + A dynamic zone is defined by using the keyword dynamic in the zones host list. + + Example: + +
+ /etc/shorewall/zones:#NAME TYPE OPTIONS +loc ipv4 +webok:loc ipv4/etc/shorewall/interfaces: + + #ZONE INTERFACE BROADCAST OPTIONS +loc eth0 - … + + + /etc/shorewall/hosts: + + #ZONE HOSTS OPTIONS webok eth0:dynamic -
+ - Once the above definition is added, Shorewall will automatically - create an ipset named webok_eth0 the next time that - Shorewall is started or restarted. Shorewall will create an ipset of type - iphash. If you want to use a different type of - ipset, such as macipmap, then you will want to - manually create that ipset yourself before the next Shorewall - start/restart. + Once the above definition is added, Shorewall will automatically + create an ipset named webok_eth0 the next time that + Shorewall is started or restarted. Shorewall will create an ipset of + type iphash. If you want to use a different type + of ipset, such as macipmap, then you will want to + manually create that ipset yourself before the next Shorewall + start/restart. - The dynamic zone capability was added to Shorewall6 in Shorewall - 4.4.21. -
+ The dynamic zone capability was added to Shorewall6 in Shorewall + 4.4.21. +
-
- Adding a Host to a Dynamic Zone +
+ Adding a Host to a Dynamic Zone - Adding a host to a dynamic zone is accomplished by adding the host's - IP address to the appropriate ipset. Shorewall provldes a command for - doing that: + Adding a host to a dynamic zone is accomplished by adding the + host's IP address to the appropriate ipset. Shorewall provldes a command + for doing that: -
- shorewall add interface:address - ... zone -
+
+ shorewall add interface:address + ... zone +
- Example: + Example: -
- shorewall add eth0:192.168.3.4 webok -
+
+ shorewall add eth0:192.168.3.4 webok +
- The command can only be used when the ipset involved is of type - iphash. For other ipset types, the ipset command must - be used directly. -
+ The command can only be used when the ipset involved is of type + iphash. For other ipset types, the ipset command must + be used directly. +
-
- Deleting a Host from a Dynamic Zone +
+ Deleting a Host from a Dynamic Zone - Deleting a host from a dynamic zone is accomplished by removing the - host's IP address from the appropriate ipset. Shorewall provldes a command - for doing that: + Deleting a host from a dynamic zone is accomplished by removing + the host's IP address from the appropriate ipset. Shorewall provldes a + command for doing that: -
- shorewall delete interface:address - ... zone -
+
+ shorewall delete + interface:address ... + zone +
- Example: + Example: -
- shorewall delete eth0:192.168.3.4 webok -
+
+ shorewall delete eth0:192.168.3.4 + webok +
- The command can only be used when the ipset involved is of type - iphash. For other ipset types, the ipset command must - be used directly. -
+ The command can only be used when the ipset involved is of type + iphash. For other ipset types, the ipse t command + must be used directly. +
-
- Listing the Contents of a Dynamic Zone +
+ Listing the Contents of a Dynamic Zone - The shorewall show command may be used to list the current contents - of a dynamic zone. + The shorewall show command may be used to list the current + contents of a dynamic zone. -
- shorewall show dynamic - zone -
+
+ shorewall show dynamic + zone +
- Example: + Example: -
- shorewall show dynamic webok +
+ shorewall show dynamic webok eth0: 192.168.3.4 192.168.3.9 -
+
+
Dynamic Zone Contents and Shorewall stop/start/restart - The contents of a dynamic zone survive shorewall - stop/shorewall start and shorewall restart. - During shorewall stop, the contents of the ipsets are - saved in the file ${VARDIR}/ipsets.save (usually + When SAVE_IPSETS=Yes in shorewall.conf, the contents of a dynamic + zone survive shorewall stop/shorewall start and + shorewall restart. During shorewall + stop, the contents of the ipsets are saved in the file + ${VARDIR}/ipsets.save (usually /var/lib/shorewall/ipsets.save). During shorewall start, the contents of that file are restored to the sets. During both shorewall start and shorewall restart, any new ipsets required as a result of a configuration change are added.
- -
- Restrictions - - When using dynamic zones, you may not use ipsets in your /etc/shorewall/routestopped - file. -