Add 'dhcp' option for IPv6

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9005 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2008-12-12 16:08:20 +00:00
parent 9a3deaaf51
commit f6c3dba1b9
5 changed files with 44 additions and 44 deletions


@ -1,3 +1,7 @@
Changes in Shorewall 4.3.2
1) Added 'dhcp' option.
Changes in Shorewall 4.3.1 Changes in Shorewall 4.3.1
1) Allow addresses in rules to be enclosed in square brackets. 1) Allow addresses in rules to be enclosed in square brackets.


@ -1,32 +1,18 @@
Shorewall 4.3.1 Shorewall 4.3.2
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
R E L E A S E 4 . 3 H I G H L I G H T S R E L E A S E 4 . 3 H I G H L I G H T S
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
1) Support is included for IPv6. 1) Support is included for IPv6.
Problems Corrected in 4.3.1 Problems Corrected in 4.3.2
1) Shorewall6 parsing of the hosts file HOSTS column has been None.
corrected.
Other changes in 4.3.1 Other changes in 4.3.2
1) It is now permitted to enclose addresses in [] even when an 1) The 'dhcp' option has been added to accomodate IPv6 DHCP (UDP ports
interface name is not specified. 546 and 547).
Example:
ACCEPT net:[2001:1::1] $FW
2) The Socket6 perl module is only required now if DNS names appear in
your Shorewall6 configuration files.
3) Shorewall6 now recognizes IPv4 addresses embedded in the IPv6
address space (e.g., ::ffff:192.168.1.3).
4) IP_FORWARDING has been added back into shorewall6.conf and works
like the corresponding option in Shorewall.
Migration Issues. Migration Issues.
@ -64,6 +50,7 @@ New Features in Shorewall 4.3
blacklist blacklist
bridge bridge
dhcp
optional optional
routeback routeback
sourceroute sourceroute
@ -93,8 +80,14 @@ New Features in Shorewall 4.3
The HOSTS column in /etc/shorewall6/hosts also uses this The HOSTS column in /etc/shorewall6/hosts also uses this
convention: convention:
#ZONE HOSTS OPTIONS #ZONE HOSTS OPTIONS
chat6 eth0:[2001:19f0:feee::dead:beef:cafe] chat6 eth0:[2001:19f0:feee::dead:beef:cafe]
Even when an interface is not specified, it is permitted to
enclose addresses in [] to improve readability. Example:
#ACTION SOURCE DEST
ACCEPT net:[2001:1::1] $FW
g) There are currently no Shorewall6 or Shorewall6-lite manpages. g) There are currently no Shorewall6 or Shorewall6-lite manpages.


@ -516,25 +516,21 @@ EOF
emit 'do_iptables -A OUTPUT -o lo -j ACCEPT' unless $config{ADMINISABSENTMINDED}; emit 'do_iptables -A OUTPUT -o lo -j ACCEPT' unless $config{ADMINISABSENTMINDED};
if ( $family == F_IPV4 ) { my $interfaces = find_interfaces_by_option 'dhcp';
my $interfaces = find_interfaces_by_option 'dhcp';
if ( @$interfaces ) {
my $ports = $family == F_IPV4 ? '67:68' : '546:547';
for my $interface ( @$interfaces ) { for my $interface ( @$interfaces ) {
emit "do_iptables -A INPUT -p udp -i $interface --dport 67:68 -j ACCEPT"; emit "do_iptables -A INPUT -p udp -i $interface --dport $ports -j ACCEPT";
emit "do_iptables -A OUTPUT -p udp -o $interface --dport 67:68 -j ACCEPT" unless $config{ADMINISABSENTMINDED}; emit "do_iptables -A OUTPUT -p udp -o $interface --dport $ports -j ACCEPT" unless $config{ADMINISABSENTMINDED};
# #
# This might be a bridge # This might be a bridge
# #
emit "do_iptables -A FORWARD -p udp -i $interface -o $interface --dport 67:68 -j ACCEPT"; emit "do_iptables -A FORWARD -p udp -i $interface -o $interface --dport $ports-j ACCEPT";
}
} else {
for my $interface ( all_bridges ) {
emit "do_iptables -A FORWARD -p 58 -i $interface -o $interface -j ACCEPT";
} }
} }
emit '';
if ( $family == F_IPV4 ) { if ( $family == F_IPV4 ) {
if ( $config{IP_FORWARDING} eq 'on' ) { if ( $config{IP_FORWARDING} eq 'on' ) {
emit( 'echo 1 > /proc/sys/net/ipv4/ip_forward', emit( 'echo 1 > /proc/sys/net/ipv4/ip_forward',
@ -545,6 +541,10 @@ EOF
); );
} }
} else { } else {
for my $interface ( all_bridges ) {
emit "do_iptables -A FORWARD -p 58 -i $interface -o $interface -j ACCEPT";
}
if ( $config{IP_FORWARDING} eq 'on' ) { if ( $config{IP_FORWARDING} eq 'on' ) {
emit( 'echo 1 > /proc/sys/net/ipv6/conf/all/forwarding', emit( 'echo 1 > /proc/sys/net/ipv6/conf/all/forwarding',
'progress_message2 IP Forwarding Enabled' ); 'progress_message2 IP Forwarding Enabled' );
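Review bot: The FORWARD rule emitted for a possible bridge on the new side is missing the space between `$ports` and `-j` (`--dport $ports-j ACCEPT`), so the generated command reads e.g. `--dport 546:547-j ACCEPT`, which the iptables/ip6tables port parser will most likely reject and which leaves `ACCEPT` as a stray argument; the line should be `emit "do_iptables -A FORWARD -p udp -i $interface -o $interface --dport $ports -j ACCEPT";`. The INPUT and OUTPUT rules two lines above are written correctly, and because this path now runs for both families the broken rule is produced for every interface carrying the new `dhcp` option, so the bridge case is worth a startup test with a dhcp-marked bridge. A short why-comment on the port line would also help readers, e.g. `# DHCPv4 uses UDP 67/68; DHCPv6 (RFC 3315) uses UDP 546 (client) and 547 (server)`. The enclosing sub starts before this hunk, and the second hunk only relocates the ICMPv6 (`-p 58`) bridge rules into the IPv6 branch.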


@ -595,21 +595,23 @@ sub add_common_rules() {
add_rule $rejectref , '-j REJECT'; add_rule $rejectref , '-j REJECT';
} }
if ( $family == F_IPV4 ) { $list = find_interfaces_by_option 'dhcp';
$list = find_interfaces_by_option 'dhcp';
if ( @$list ) { if ( @$list ) {
progress_message2 'Adding rules for DHCP'; progress_message2 'Adding rules for DHCP';
for $interface ( @$list ) { my $ports = $family == F_IPV4 ? '67:68' : '546:547';
for $chain ( input_chain $interface, output_chain $interface ) {
add_rule $filter_table->{$chain} , '-p udp --dport 67:68 -j ACCEPT';
}
add_rule $filter_table->{forward_chain $interface} , "-p udp -o $interface --dport 67:68 -j ACCEPT" if get_interface_option( $interface, 'bridge' ); for $interface ( @$list ) {
for $chain ( input_chain $interface, output_chain $interface ) {
add_rule $filter_table->{$chain} , "-p udp --dport $ports -j ACCEPT";
} }
}
add_rule $filter_table->{forward_chain $interface} , "-p udp -o $interface --dport $ports -j ACCEPT" if get_interface_option( $interface, 'bridge' );
}
}
if ( $family == F_IPV4 ) {
$list = find_hosts_by_option 'norfc1918'; $list = find_hosts_by_option 'norfc1918';
setup_rfc1918_filteration $list if @$list; setup_rfc1918_filteration $list if @$list;
} }
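Review bot: The ternary `my $ports = $family == F_IPV4 ? '67:68' : '546:547';` repeats the same family-to-port selection that the rule-emission code elsewhere in this commit also hard-codes; a single helper (say `dhcp_ports()` returning the range for `$family`) would keep the two in step if either range is ever adjusted. The line also deserves a comment for readers who do not recognise the IPv6 values: `# DHCPv6 (RFC 3315) uses UDP 546 (client) and 547 (server); DHCPv4 uses 67/68`. As in the IPv4 path, the rules accept from any source address; for DHCPv6 on a directly attached link the client/server exchange is sourced from link-local addresses, so a `-s fe80::/10` match could narrow the IPv6 case, though relay setups would need checking before adding it. `$interface` and `$chain` are used without `my`, so they presumably come from declarations earlier in `add_common_rules`, which starts before this hunk.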


@ -627,6 +627,7 @@ sub validate_interfaces_file( $ )
} else { } else {
%validoptions = ( blacklist => SIMPLE_IF_OPTION, %validoptions = ( blacklist => SIMPLE_IF_OPTION,
bridge => SIMPLE_IF_OPTION, bridge => SIMPLE_IF_OPTION,
dhcp => SIMPLE_IF_OPTION,
optional => SIMPLE_IF_OPTION, optional => SIMPLE_IF_OPTION,
routeback => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY, routeback => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY,
sourceroute => BINARY_IF_OPTION, sourceroute => BINARY_IF_OPTION,