Add 'dhcp' option for IPv6
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9005 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
9a3deaaf51
commit
f6c3dba1b9
@ -1,3 +1,7 @@
|
|||||||
|
Changes in Shorewall 4.3.2
|
||||||
|
|
||||||
|
1) Added 'dhcp' option.
|
||||||
|
|
||||||
Changes in Shorewall 4.3.1
|
Changes in Shorewall 4.3.1
|
||||||
|
|
||||||
1) Allow addresses in rules to be enclosed in square brackets.
|
1) Allow addresses in rules to be enclosed in square brackets.
|
||||||
|
@ -1,32 +1,18 @@
|
|||||||
Shorewall 4.3.1
|
Shorewall 4.3.2
|
||||||
|
|
||||||
----------------------------------------------------------------------------
|
----------------------------------------------------------------------------
|
||||||
R E L E A S E 4 . 3 H I G H L I G H T S
|
R E L E A S E 4 . 3 H I G H L I G H T S
|
||||||
----------------------------------------------------------------------------
|
----------------------------------------------------------------------------
|
||||||
1) Support is included for IPv6.
|
1) Support is included for IPv6.
|
||||||
|
|
||||||
Problems Corrected in 4.3.1
|
Problems Corrected in 4.3.2
|
||||||
|
|
||||||
1) Shorewall6 parsing of the hosts file HOSTS column has been
|
None.
|
||||||
corrected.
|
|
||||||
|
|
||||||
Other changes in 4.3.1
|
Other changes in 4.3.2
|
||||||
|
|
||||||
1) It is now permitted to enclose addresses in [] even when an
|
1) The 'dhcp' option has been added to accomodate IPv6 DHCP (UDP ports
|
||||||
interface name is not specified.
|
546 and 547).
|
||||||
|
|
||||||
Example:
|
|
||||||
|
|
||||||
ACCEPT net:[2001:1::1] $FW
|
|
||||||
|
|
||||||
2) The Socket6 perl module is only required now if DNS names appear in
|
|
||||||
your Shorewall6 configuration files.
|
|
||||||
|
|
||||||
3) Shorewall6 now recognizes IPv4 addresses embedded in the IPv6
|
|
||||||
address space (e.g., ::ffff:192.168.1.3).
|
|
||||||
|
|
||||||
4) IP_FORWARDING has been added back into shorewall6.conf and works
|
|
||||||
like the corresponding option in Shorewall.
|
|
||||||
|
|
||||||
Migration Issues.
|
Migration Issues.
|
||||||
|
|
||||||
@ -64,6 +50,7 @@ New Features in Shorewall 4.3
|
|||||||
|
|
||||||
blacklist
|
blacklist
|
||||||
bridge
|
bridge
|
||||||
|
dhcp
|
||||||
optional
|
optional
|
||||||
routeback
|
routeback
|
||||||
sourceroute
|
sourceroute
|
||||||
@ -93,8 +80,14 @@ New Features in Shorewall 4.3
|
|||||||
The HOSTS column in /etc/shorewall6/hosts also uses this
|
The HOSTS column in /etc/shorewall6/hosts also uses this
|
||||||
convention:
|
convention:
|
||||||
|
|
||||||
#ZONE HOSTS OPTIONS
|
#ZONE HOSTS OPTIONS
|
||||||
chat6 eth0:[2001:19f0:feee::dead:beef:cafe]
|
chat6 eth0:[2001:19f0:feee::dead:beef:cafe]
|
||||||
|
|
||||||
|
Even when an interface is not specified, it is permitted to
|
||||||
|
enclose addresses in [] to improve readability. Example:
|
||||||
|
|
||||||
|
#ACTION SOURCE DEST
|
||||||
|
ACCEPT net:[2001:1::1] $FW
|
||||||
|
|
||||||
g) There are currently no Shorewall6 or Shorewall6-lite manpages.
|
g) There are currently no Shorewall6 or Shorewall6-lite manpages.
|
||||||
|
|
||||||
|
@ -516,25 +516,21 @@ EOF
|
|||||||
|
|
||||||
emit 'do_iptables -A OUTPUT -o lo -j ACCEPT' unless $config{ADMINISABSENTMINDED};
|
emit 'do_iptables -A OUTPUT -o lo -j ACCEPT' unless $config{ADMINISABSENTMINDED};
|
||||||
|
|
||||||
if ( $family == F_IPV4 ) {
|
my $interfaces = find_interfaces_by_option 'dhcp';
|
||||||
my $interfaces = find_interfaces_by_option 'dhcp';
|
|
||||||
|
if ( @$interfaces ) {
|
||||||
|
my $ports = $family == F_IPV4 ? '67:68' : '546:547';
|
||||||
|
|
||||||
for my $interface ( @$interfaces ) {
|
for my $interface ( @$interfaces ) {
|
||||||
emit "do_iptables -A INPUT -p udp -i $interface --dport 67:68 -j ACCEPT";
|
emit "do_iptables -A INPUT -p udp -i $interface --dport $ports -j ACCEPT";
|
||||||
emit "do_iptables -A OUTPUT -p udp -o $interface --dport 67:68 -j ACCEPT" unless $config{ADMINISABSENTMINDED};
|
emit "do_iptables -A OUTPUT -p udp -o $interface --dport $ports -j ACCEPT" unless $config{ADMINISABSENTMINDED};
|
||||||
#
|
#
|
||||||
# This might be a bridge
|
# This might be a bridge
|
||||||
#
|
#
|
||||||
emit "do_iptables -A FORWARD -p udp -i $interface -o $interface --dport 67:68 -j ACCEPT";
|
emit "do_iptables -A FORWARD -p udp -i $interface -o $interface --dport $ports-j ACCEPT";
|
||||||
}
|
|
||||||
} else {
|
|
||||||
for my $interface ( all_bridges ) {
|
|
||||||
emit "do_iptables -A FORWARD -p 58 -i $interface -o $interface -j ACCEPT";
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
emit '';
|
|
||||||
|
|
||||||
if ( $family == F_IPV4 ) {
|
if ( $family == F_IPV4 ) {
|
||||||
if ( $config{IP_FORWARDING} eq 'on' ) {
|
if ( $config{IP_FORWARDING} eq 'on' ) {
|
||||||
emit( 'echo 1 > /proc/sys/net/ipv4/ip_forward',
|
emit( 'echo 1 > /proc/sys/net/ipv4/ip_forward',
|
||||||
@ -545,6 +541,10 @@ EOF
|
|||||||
);
|
);
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
|
for my $interface ( all_bridges ) {
|
||||||
|
emit "do_iptables -A FORWARD -p 58 -i $interface -o $interface -j ACCEPT";
|
||||||
|
}
|
||||||
|
|
||||||
if ( $config{IP_FORWARDING} eq 'on' ) {
|
if ( $config{IP_FORWARDING} eq 'on' ) {
|
||||||
emit( 'echo 1 > /proc/sys/net/ipv6/conf/all/forwarding',
|
emit( 'echo 1 > /proc/sys/net/ipv6/conf/all/forwarding',
|
||||||
'progress_message2 IP Forwarding Enabled' );
|
'progress_message2 IP Forwarding Enabled' );
|
||||||
|
@ -595,21 +595,23 @@ sub add_common_rules() {
|
|||||||
add_rule $rejectref , '-j REJECT';
|
add_rule $rejectref , '-j REJECT';
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( $family == F_IPV4 ) {
|
$list = find_interfaces_by_option 'dhcp';
|
||||||
$list = find_interfaces_by_option 'dhcp';
|
|
||||||
|
|
||||||
if ( @$list ) {
|
if ( @$list ) {
|
||||||
progress_message2 'Adding rules for DHCP';
|
progress_message2 'Adding rules for DHCP';
|
||||||
|
|
||||||
for $interface ( @$list ) {
|
my $ports = $family == F_IPV4 ? '67:68' : '546:547';
|
||||||
for $chain ( input_chain $interface, output_chain $interface ) {
|
|
||||||
add_rule $filter_table->{$chain} , '-p udp --dport 67:68 -j ACCEPT';
|
|
||||||
}
|
|
||||||
|
|
||||||
add_rule $filter_table->{forward_chain $interface} , "-p udp -o $interface --dport 67:68 -j ACCEPT" if get_interface_option( $interface, 'bridge' );
|
for $interface ( @$list ) {
|
||||||
|
for $chain ( input_chain $interface, output_chain $interface ) {
|
||||||
|
add_rule $filter_table->{$chain} , "-p udp --dport $ports -j ACCEPT";
|
||||||
}
|
}
|
||||||
}
|
|
||||||
|
|
||||||
|
add_rule $filter_table->{forward_chain $interface} , "-p udp -o $interface --dport $ports -j ACCEPT" if get_interface_option( $interface, 'bridge' );
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if ( $family == F_IPV4 ) {
|
||||||
$list = find_hosts_by_option 'norfc1918';
|
$list = find_hosts_by_option 'norfc1918';
|
||||||
setup_rfc1918_filteration $list if @$list;
|
setup_rfc1918_filteration $list if @$list;
|
||||||
}
|
}
|
||||||
|
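Review bot: The port-range selection `my $ports = $family == F_IPV4 ? '67:68' : '546:547';` is now written out twice, here in add_common_rules and again in the hunk at @ -516 (the shell-emitting block), so the two DHCP rule sets can silently drift if one is edited. If both live in the same file, a single helper such as `sub dhcp_ports() { return $family == F_IPV4 ? '67:68' : '546:547' }` called from both places keeps them in step; if they are in different modules a shared constant exported from the family-aware module does the same. A short comment on the expression, `# DHCPv4 client/server ports, or DHCPv6 client (546) / server (547)`, would also help a reader who knows only the IPv4 numbers. The loop variables `$interface` and `$chain` are non-lexical here as in the surrounding code, so that is not introduced by this change. add_common_rules starts before the hunk.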
@ -627,6 +627,7 @@ sub validate_interfaces_file( $ )
|
|||||||
} else {
|
} else {
|
||||||
%validoptions = ( blacklist => SIMPLE_IF_OPTION,
|
%validoptions = ( blacklist => SIMPLE_IF_OPTION,
|
||||||
bridge => SIMPLE_IF_OPTION,
|
bridge => SIMPLE_IF_OPTION,
|
||||||
|
dhcp => SIMPLE_IF_OPTION,
|
||||||
optional => SIMPLE_IF_OPTION,
|
optional => SIMPLE_IF_OPTION,
|
||||||
routeback => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY,
|
routeback => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY,
|
||||||
sourceroute => BINARY_IF_OPTION,
|
sourceroute => BINARY_IF_OPTION,
|
||||||
|