Add nets= OPTION to the interfaces file
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9520 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
734085e83b
commit
dba858068c
@ -314,7 +314,7 @@ sub setup_blacklist() {
|
||||
|
||||
if ( $first_entry ) {
|
||||
unless ( @$hosts ) {
|
||||
warning_message q(The entries in $fn have been ignored because there are no 'blacklist' interfaces);
|
||||
warning_message qq(The entries in $fn have been ignored because there are no 'blacklist' interfaces);
|
||||
close_file;
|
||||
last BLACKLIST;
|
||||
}
|
||||
|
@ -600,8 +600,8 @@ sub validate_interfaces_file( $ )
|
||||
ENUM_IF_OPTION => 3,
|
||||
NUMERIC_IF_OPTION => 4,
|
||||
OBSOLETE_IF_OPTION => 5,
|
||||
IPLIST_IF_OPTION => 6,
|
||||
MASK_IF_OPTION => 7,
|
||||
|
||||
IF_OPTION_ZONEONLY => 8 };
|
||||
|
||||
my %validoptions;
|
||||
@ -615,6 +615,7 @@ sub validate_interfaces_file( $ )
|
||||
dhcp => SIMPLE_IF_OPTION,
|
||||
maclist => SIMPLE_IF_OPTION,
|
||||
logmartians => BINARY_IF_OPTION,
|
||||
nets => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY,
|
||||
norfc1918 => SIMPLE_IF_OPTION,
|
||||
nosmurfs => SIMPLE_IF_OPTION,
|
||||
optional => SIMPLE_IF_OPTION,
|
||||
@ -650,6 +651,8 @@ sub validate_interfaces_file( $ )
|
||||
|
||||
while ( read_a_line ) {
|
||||
|
||||
my $nets;
|
||||
|
||||
if ( $first_entry ) {
|
||||
progress_message2 "$doing $fn...";
|
||||
$first_entry = 0;
|
||||
@ -737,7 +740,7 @@ sub validate_interfaces_file( $ )
|
||||
|
||||
if ( $options ) {
|
||||
|
||||
for my $option (split_list $options, 'option' ) {
|
||||
for my $option (split_list1 $options, 'option' ) {
|
||||
next if $option eq '-';
|
||||
|
||||
( $option, my $value ) = split /=/, $option;
|
||||
@ -776,6 +779,13 @@ sub validate_interfaces_file( $ )
|
||||
my $numval = numeric_value $value;
|
||||
fatal_error "Invalid value ($value) for option $option" unless defined $numval;
|
||||
$options{$option} = $numval;
|
||||
} elsif ( $type == IPLIST_IF_OPTION ) {
|
||||
fatal_error "The $option option requires a value" unless defined $value;
|
||||
fatal_error "Duplicate $option option" if $nets;
|
||||
$value =~ s/\)$// if $value =~ s/^\(//;
|
||||
$value = join ',' , ALLIP , $value if $value =~ /^!/;
|
||||
$nets = [ split_list $value, 'address' ];
|
||||
$options{broadcast} = 1;
|
||||
} else {
|
||||
warning_message "Support for the $option interface option has been removed from Shorewall-perl";
|
||||
}
|
||||
@ -803,9 +813,9 @@ sub validate_interfaces_file( $ )
|
||||
|
||||
push @ifaces, $interface;
|
||||
|
||||
my @networks = allip;
|
||||
$nets = [ allip ] unless $nets;
|
||||
|
||||
add_group_to_zone( $zone, $zoneref->{type}, $interface, \@networks, $optionsref ) if $zone;
|
||||
add_group_to_zone( $zone, $zoneref->{type}, $interface, $nets, $optionsref ) if $zone;
|
||||
|
||||
$interfaces{$interface}{zone} = $zone; #Must follow the call to add_group_to_zone()
|
||||
|
||||
|
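Review bot: In the new `IPLIST_IF_OPTION` branch, `$value =~ s/\)$// if $value =~ s/^\(//;` accepts unbalanced parentheses silently: a leading `(` is stripped whether or not a closing `)` exists, and a trailing `)` with no opening `(` is left attached to the last address, so a mistyped `nets=(172.20.0.0/24` or `nets=172.20.0.0/24)` is not reported as a syntax error at this point. Since this value ends up defining the zone membership passed to `add_group_to_zone` in the `@ -803` hunk, a malformed list should fail loudly here rather than depend on whatever address validation happens downstream (not visible in this diff). A compact check before the stripping is `fatal_error "Unbalanced parentheses in $option value ($value)" if ( $value =~ /\A\(/ ) xor ( $value =~ /\)\z/ );` followed by `$value =~ s/\)\z// if $value =~ s/\A\(//;` (using `\A`/`\z` rather than `^`/`$` as a style nit). The comparison `$type == IPLIST_IF_OPTION` presumably relies on the `IF_OPTION_ZONEONLY` bit being masked off between the `@ -737` and `@ -776` hunks, which is outside this diff and worth confirming; the enclosing `validate_interfaces_file` starts and ends outside these hunks.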
@ -1,2 +1,9 @@
|
||||
Changes in Shorewall 4.3.5
|
||||
|
||||
1) Remove support for shorewall-shell.
|
||||
|
||||
2) Combine shorewall-common and shorewall-perl to product shorewall.
|
||||
|
||||
3) Add nets= OPTION in interfaces file.
|
||||
|
||||
|
||||
|
@ -4,6 +4,13 @@ Shorewall 4.3.5
|
||||
R E L E A S E 4 . 4 H I G H L I G H T S
|
||||
----------------------------------------------------------------------------
|
||||
|
||||
1) Support for Shorewall-shell has been discontinued. Shorewall-perl
|
||||
has been combined with Shorewall-common to produce a single
|
||||
Shorewall package.
|
||||
|
||||
2) The interfaces file OPTIONs have been extended to largely remove the
|
||||
need for the hosts file.
|
||||
|
||||
Problems corrected in 4.3.5
|
||||
|
||||
None.
|
||||
@ -14,3 +21,60 @@ None.
|
||||
|
||||
New Features in Shorewall 4.3.5
|
||||
|
||||
New Features in Shorewall 4.4
|
||||
|
||||
1) The Shorewall packaging has been completely revamped in Shorewall
|
||||
4.4.
|
||||
|
||||
The new packages are:
|
||||
|
||||
- Shorewall. Includes the former Shorewall-common and
|
||||
Shorewall-perl packages. Includes everything needed
|
||||
to create an IPv4 firewall.
|
||||
|
||||
- Shorewall6. Requires Shorewall. Adds the components necessary to
|
||||
create an IPv6 firewall.
|
||||
|
||||
- Shorewall-lite
|
||||
|
||||
May be installed on a firewall system to run
|
||||
IPv4 firewall scripts generated by Shorewall.
|
||||
|
||||
- Shorewall6-lite
|
||||
|
||||
May be installed on a firewall system to run
|
||||
IPv6 firewall scripts generated by Shorewall.
|
||||
|
||||
2) The interfaces file supports a new 'nets=' option. This option
|
||||
allows users to restrict a zone's definition to particular networks
|
||||
through an interface without having to use the hosts file.
|
||||
|
||||
Example interfaces file:
|
||||
|
||||
#ZONE INTERFACE BROADCAST OPTIONS
|
||||
loc eth3 detect dhcp,logmartians=1,routefilter=1,nets=172.20.1.0/24
|
||||
dmz eth4 detect logmartians=1,routefilter=1,nets=206.124.146.177
|
||||
net eth0 detect dhcp,blacklist,tcpflags,optional,routefilter=0,nets=(!172.20.0.0/24,206.124.146.177)
|
||||
net eth2 detect dhcp,blacklist,tcpflags,optional,upnp,routefilter=0,nets=(!172.20.0.0/24,206.124.146.177)
|
||||
loc tun+ detect nets=172.20.0.0/24
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
||||
Note that when more than one network address is listed, the list
|
||||
must be enclosed in parentheses. Notice also that exclusion may be
|
||||
used.
|
||||
|
||||
The first entry in the above interfaces file is equivalent to the
|
||||
following:
|
||||
|
||||
interfaces:
|
||||
|
||||
#ZONE INTERFACE BROADCAST OPTIONS
|
||||
- eth0 detect dhcp,logmartians=1,routefilter=1
|
||||
|
||||
hosts:
|
||||
|
||||
#ZONE HOST(S) OPTIONS
|
||||
loc $INT_IF:192.20.1.0/24 broadcast
|
||||
|
||||
Note that the 'broadcast' option is automatically assumed and need
|
||||
not be explicitly specified.
|
||||
|