Add RFC 2526 anycast addresses to nosmurfs

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9040 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall-common/changelog.txt

@@ -8,7 +8,13 @@ Changes in Shorewall 4.3.3
 
 4) Convert AllowICMPs to a builtin action.
 
-5) Add 'proxyndp' interface option.
+5) Use <> rather than [].
+
+6) Remove duplicated macros.
+
+7) Add 'proxyndp' interface option.
+
+8) Add RFC 2526 anycast addresses to nosmurfs
 
 Changes in Shorewall 4.3.2
 

Shorewall-common/releasenotes.txt

@@ -21,7 +21,7 @@ There are two incompatible changes in this release.
 
    Minimun system requirements:
 
-   - Kernel 2.6.23 or later with 2.6.25 or later strongly recommended.
+   - Kernel 2.6.25 or later.
    - iptables 1.4.0 or later with 1.4.1 strongly recommended.
    - Perl 5.10 if you wish to use DNS names in your IPv6 config files. 
      In that case you will also have to install Perl Socket6 support.
@@ -38,7 +38,7 @@ Other changes in 4.3.3
 2)  The 'maclist' option is now supported in /etc/shorewall6/interfaces
     and in /etc/shorewall6/hosts.
 
-    MAC verification is not performed on the following IPv6 traffic:
+    The following IPv6 traffic is exempt from MAC validation:
 
     a) Multicast.
     b) Source or destination is a link-level address (ff80::/10).
@@ -57,6 +57,14 @@ Other changes in 4.3.3
 
 	AllowICMPs	$FW	net	ipv6-icmp
 
+6)  A 'proxyndp' option has been added to
+    /etc/shorewall6/interfaces. The option is the IPv6 analog of the
+    'proxyarp' option in /etc/shorewall/interfaces.
+
+7)  Source anycast addresses defined by RFC 2526 are not trapped by
+    'nosmurfs'.
+
+
 Migration Issues.
 
    None.
@@ -94,7 +102,8 @@ New Features in Shorewall 4.3
 	blacklist
         bridge
 	dhcp
-	nosmurfs
+	nosmurfs (traps multicast and Subnet-router anycast addresses
+        used as the packet source address).
 	optional
 	routeback
 	sourceroute

Shorewall-perl/prog.header6

@@ -557,36 +557,48 @@ normalize_address() # $1 = valid IPv6 Address
 
 convert_to_anycast() {
     local address
+    local badress
     local vlsm
+    local host
     local o
     local m
+    m=
+    local l
 
     while read address; do
 	case $address in 
 	    2*|3*)
 		vlsm=${address#*/}
-		if [ ${vlsm:-128} -ne 128 ]; then
+		vlsm=${vlsm:=128}
+		host=$((128 - $vlsm))
+
+		if [ $vlsm -ne 128 ]; then
 	            #
-	            # Defines a subnet -- get the anycast address
+	            # Defines a subnet -- get the subnet-router anycast address
 	            #
 		    address=$(normalize_address ${address%/*})
 
-		    while [ $vlsm -le 112 ]; do
+		    while [ $host -ge 16 ]; do
 			address=${address%:*}
-			vlsm=$(($vlsm + 16))
+			host=$(($host - 16))
 		    done
 
-		    if [ $vlsm -lt 128 ]; then
+		    badress=$address
+
+		    if [ $host -gt 0 ]; then
 			o=$((0x${address##*:}))
 			m=0
-			while [ $vlsm -lt 128 ]; do
+			while [ $host -gt 0 ]; do
 			    m=$((($m >> 1) | 0x8000))
-			    vlsm=$(($vlsm + 1))
+			    host=$(($host - 1))
 			done
 
 			o=$(($o & $m))
 
+			badress=$badress:ffff
+
 			address=${address%:*}:$(printf %04x $o)
+
 		    fi
 
 		    list_count $(split $address)
@@ -596,6 +608,25 @@ convert_to_anycast() {
 		    fi
 
 		    echo $address
+
+		    list_count $(split $badress)
+		    
+		    l=$?
+		    #
+		    # Now generate the anycast addresses defined by RFC 2526
+		    #
+		    if [ $l -lt 8 ]; then
+		    	while [ $l -lt 8 ]; do
+			    if [ $l -lt 7 ]; then
+				badress=$badress:ffff
+			    else
+				badress=$badress:ff80
+			    fi
+			    l=$(($l + 1 ))
+			done
+		    fi
+
+		    echo $badress/121
 		fi
 		;;
 	esac