forked from extern/shorewall_code
Add nets= OPTION to the interfaces file
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9520 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
734085e83b
commit
dba858068c
@ -314,7 +314,7 @@ sub setup_blacklist() {
|
|||||||
|
|
||||||
if ( $first_entry ) {
|
if ( $first_entry ) {
|
||||||
unless ( @$hosts ) {
|
unless ( @$hosts ) {
|
||||||
warning_message q(The entries in $fn have been ignored because there are no 'blacklist' interfaces);
|
warning_message qq(The entries in $fn have been ignored because there are no 'blacklist' interfaces);
|
||||||
close_file;
|
close_file;
|
||||||
last BLACKLIST;
|
last BLACKLIST;
|
||||||
}
|
}
|
||||||
|
@ -600,8 +600,8 @@ sub validate_interfaces_file( $ )
|
|||||||
ENUM_IF_OPTION => 3,
|
ENUM_IF_OPTION => 3,
|
||||||
NUMERIC_IF_OPTION => 4,
|
NUMERIC_IF_OPTION => 4,
|
||||||
OBSOLETE_IF_OPTION => 5,
|
OBSOLETE_IF_OPTION => 5,
|
||||||
|
IPLIST_IF_OPTION => 6,
|
||||||
MASK_IF_OPTION => 7,
|
MASK_IF_OPTION => 7,
|
||||||
|
|
||||||
IF_OPTION_ZONEONLY => 8 };
|
IF_OPTION_ZONEONLY => 8 };
|
||||||
|
|
||||||
my %validoptions;
|
my %validoptions;
|
||||||
@ -615,6 +615,7 @@ sub validate_interfaces_file( $ )
|
|||||||
dhcp => SIMPLE_IF_OPTION,
|
dhcp => SIMPLE_IF_OPTION,
|
||||||
maclist => SIMPLE_IF_OPTION,
|
maclist => SIMPLE_IF_OPTION,
|
||||||
logmartians => BINARY_IF_OPTION,
|
logmartians => BINARY_IF_OPTION,
|
||||||
|
nets => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY,
|
||||||
norfc1918 => SIMPLE_IF_OPTION,
|
norfc1918 => SIMPLE_IF_OPTION,
|
||||||
nosmurfs => SIMPLE_IF_OPTION,
|
nosmurfs => SIMPLE_IF_OPTION,
|
||||||
optional => SIMPLE_IF_OPTION,
|
optional => SIMPLE_IF_OPTION,
|
||||||
@ -650,6 +651,8 @@ sub validate_interfaces_file( $ )
|
|||||||
|
|
||||||
while ( read_a_line ) {
|
while ( read_a_line ) {
|
||||||
|
|
||||||
|
my $nets;
|
||||||
|
|
||||||
if ( $first_entry ) {
|
if ( $first_entry ) {
|
||||||
progress_message2 "$doing $fn...";
|
progress_message2 "$doing $fn...";
|
||||||
$first_entry = 0;
|
$first_entry = 0;
|
||||||
@ -737,7 +740,7 @@ sub validate_interfaces_file( $ )
|
|||||||
|
|
||||||
if ( $options ) {
|
if ( $options ) {
|
||||||
|
|
||||||
for my $option (split_list $options, 'option' ) {
|
for my $option (split_list1 $options, 'option' ) {
|
||||||
next if $option eq '-';
|
next if $option eq '-';
|
||||||
|
|
||||||
( $option, my $value ) = split /=/, $option;
|
( $option, my $value ) = split /=/, $option;
|
||||||
@ -776,6 +779,13 @@ sub validate_interfaces_file( $ )
|
|||||||
my $numval = numeric_value $value;
|
my $numval = numeric_value $value;
|
||||||
fatal_error "Invalid value ($value) for option $option" unless defined $numval;
|
fatal_error "Invalid value ($value) for option $option" unless defined $numval;
|
||||||
$options{$option} = $numval;
|
$options{$option} = $numval;
|
||||||
|
} elsif ( $type == IPLIST_IF_OPTION ) {
|
||||||
|
fatal_error "The $option option requires a value" unless defined $value;
|
||||||
|
fatal_error "Duplicate $option option" if $nets;
|
||||||
|
$value =~ s/\)$// if $value =~ s/^\(//;
|
||||||
|
$value = join ',' , ALLIP , $value if $value =~ /^!/;
|
||||||
|
$nets = [ split_list $value, 'address' ];
|
||||||
|
$options{broadcast} = 1;
|
||||||
} else {
|
} else {
|
||||||
warning_message "Support for the $option interface option has been removed from Shorewall-perl";
|
warning_message "Support for the $option interface option has been removed from Shorewall-perl";
|
||||||
}
|
}
|
||||||
@ -803,9 +813,9 @@ sub validate_interfaces_file( $ )
|
|||||||
|
|
||||||
push @ifaces, $interface;
|
push @ifaces, $interface;
|
||||||
|
|
||||||
my @networks = allip;
|
$nets = [ allip ] unless $nets;
|
||||||
|
|
||||||
add_group_to_zone( $zone, $zoneref->{type}, $interface, \@networks, $optionsref ) if $zone;
|
add_group_to_zone( $zone, $zoneref->{type}, $interface, $nets, $optionsref ) if $zone;
|
||||||
|
|
||||||
$interfaces{$interface}{zone} = $zone; #Must follow the call to add_group_to_zone()
|
$interfaces{$interface}{zone} = $zone; #Must follow the call to add_group_to_zone()
|
||||||
|
|
||||||
|
@ -1,2 +1,9 @@
|
|||||||
Changes in Shorewall 4.3.5
|
Changes in Shorewall 4.3.5
|
||||||
|
|
||||||
|
1) Remove support for shorewall-shell.
|
||||||
|
|
||||||
|
2) Combine shorewall-common and shorewall-perl to product shorewall.
|
||||||
|
|
||||||
|
3) Add nets= OPTION in interfaces file.
|
||||||
|
|
||||||
|
|
||||||
|
@ -4,6 +4,13 @@ Shorewall 4.3.5
|
|||||||
R E L E A S E 4 . 4 H I G H L I G H T S
|
R E L E A S E 4 . 4 H I G H L I G H T S
|
||||||
----------------------------------------------------------------------------
|
----------------------------------------------------------------------------
|
||||||
|
|
||||||
|
1) Support for Shorewall-shell has been discontinued. Shorewall-perl
|
||||||
|
has been combined with Shorewall-common to produce a single
|
||||||
|
Shorewall package.
|
||||||
|
|
||||||
|
2) The interfaces file OPTIONs have been extended to largely remove the
|
||||||
|
need for the hosts file.
|
||||||
|
|
||||||
Problems corrected in 4.3.5
|
Problems corrected in 4.3.5
|
||||||
|
|
||||||
None.
|
None.
|
||||||
@ -14,3 +21,60 @@ None.
|
|||||||
|
|
||||||
New Features in Shorewall 4.3.5
|
New Features in Shorewall 4.3.5
|
||||||
|
|
||||||
|
New Features in Shorewall 4.4
|
||||||
|
|
||||||
|
1) The Shorewall packaging has been completely revamped in Shorewall
|
||||||
|
4.4.
|
||||||
|
|
||||||
|
The new packages are:
|
||||||
|
|
||||||
|
- Shorewall. Includes the former Shorewall-common and
|
||||||
|
Shorewall-perl packages. Includes everything needed
|
||||||
|
to create an IPv4 firewall.
|
||||||
|
|
||||||
|
- Shorewall6. Requires Shorewall. Adds the components necessary to
|
||||||
|
create an IPv6 firewall.
|
||||||
|
|
||||||
|
- Shorewall-lite
|
||||||
|
|
||||||
|
May be installed on a firewall system to run
|
||||||
|
IPv4 firewall scripts generated by Shorewall.
|
||||||
|
|
||||||
|
- Shorewall6-lite
|
||||||
|
|
||||||
|
May be installed on a firewall system to run
|
||||||
|
IPv6 firewall scripts generated by Shorewall.
|
||||||
|
|
||||||
|
2) The interfaces file supports a new 'nets=' option. This option
|
||||||
|
allows users to restrict a zone's definition to particular networks
|
||||||
|
through an interface without having to use the hosts file.
|
||||||
|
|
||||||
|
Example interfaces file:
|
||||||
|
|
||||||
|
#ZONE INTERFACE BROADCAST OPTIONS
|
||||||
|
loc eth3 detect dhcp,logmartians=1,routefilter=1,nets=172.20.1.0/24
|
||||||
|
dmz eth4 detect logmartians=1,routefilter=1,nets=206.124.146.177
|
||||||
|
net eth0 detect dhcp,blacklist,tcpflags,optional,routefilter=0,nets=(!172.20.0.0/24,206.124.146.177)
|
||||||
|
net eth2 detect dhcp,blacklist,tcpflags,optional,upnp,routefilter=0,nets=(!172.20.0.0/24,206.124.146.177)
|
||||||
|
loc tun+ detect nets=172.20.0.0/24
|
||||||
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||||
|
|
||||||
|
Note that when more than one network address is listed, the list
|
||||||
|
must be enclosed in parentheses. Notice also that exclusion may be
|
||||||
|
used.
|
||||||
|
|
||||||
|
The first entry in the above interfaces file is equivalent to the
|
||||||
|
following:
|
||||||
|
|
||||||
|
interfaces:
|
||||||
|
|
||||||
|
#ZONE INTERFACE BROADCAST OPTIONS
|
||||||
|
- eth0 detect dhcp,logmartians=1,routefilter=1
|
||||||
|
|
||||||
|
hosts:
|
||||||
|
|
||||||
|
#ZONE HOST(S) OPTIONS
|
||||||
|
loc $INT_IF:192.20.1.0/24 broadcast
|
||||||
|
|
||||||
|
Note that the 'broadcast' option is automatically assumed and need
|
||||||
|
not be explicitly specified.
|
||||||
|
Loading…
Reference in New Issue
Block a user