On 01/04/2013 03:51 PM, Tom Eastep wrote: > On 01/04/2013 03:20 PM, Tom Eastep wrote: >> On 01/04/2013 10:08 AM, Tom Eastep wrote: >>> Beta 3 is now available for testing. >>> >>> Changes since Beta 2: >>> >>> 1) Two defects associated with 'update -D' have been corrected. >>> >>> - shorewall.conf.bak is no longer deleted. >>> - files that are not changed no longer have their mtime updated. >>> >>> 2) Support for arptables has been added to Shorewall and Shorewall >>> Lite. >> >> I recommend against testing this feature until I've posted a patch. MAC >> address handling is pretty broken. >> > > Attached is the patch.
The attached patch is required by those who run arptables_jf. -Tom -- Tom Eastep \ When I die, I want to go like my Grandfather who Shoreline, \ died peacefully in his sleep. Not screaming like Washington, USA \ all of the passengers in his car http://shorewall.net \________________________________________________
diff --git a/Shorewall/Perl/Shorewall/ARP.pm b/Shorewall/Perl/Shorewall/ARP.pm
index 3b8287a..5b041c0 100644
--- a/Shorewall/Perl/Shorewall/ARP.pm
+++ b/Shorewall/Perl/Shorewall/ARP.pm
@@ -39,6 +39,8 @@ our $arp_output;
our $arp_forward;
our $sourcemac;
our $destmac;
+our $addrlen;
+our $hw;
our @builtins;
our $arptablesjf;
our @map = ( qw( 0 Request Reply Request_Reverse Reply_Reverse DRARP_Request
DRARP_Reply DRARP_Error InARP_Request ARP_NAK ) );
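Review bot: The two new package variables `$addrlen` and `$hw` are declared without any comment on what they hold, and `$hw` in particular does not read as a fragment of an option name. A trailing comment on each declaration would help, for example `our $addrlen; # option naming the hardware address length: '--arhln' (arptables_jf) or '--h-length'` and `our $hw; # infix of the mangle options: 'hw' (arptables_jf) or 'mac'`. Both are assigned only in the two branches of process_arprules() shown in the later hunks, so the comment could also say that process_arprule() must not run before that assignment.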
@@ -105,17 +107,17 @@ sub process_arprule() {
DNAT => sub() { validate_address $newaddr, 0;
$rule .= "-j mangle --mangle-ip-d
$newaddr"; },
SMAT => sub() { fatal_error "Invalid MAC address
($newaddr)" unless $newaddr =~ /^(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$/;
- $rule .= "--h-length 6 -j mangle
--mangle-mac-s $newaddr"; },
+ $rule .= "$addrlen 6 -j mangle
--mangle-$hw-s $newaddr"; },
DMAT => sub() { fatal_error "Invalid MAC address
($newaddr)" unless $newaddr =~ /^(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$/;
- $rule .= "--h-length 6 -j mangle
--mangle-mac-d $newaddr"; },
+ $rule .= "$addrlen 6 -j mangle
--mangle-$hw-d $newaddr"; },
SNATC => sub() { validate_address $newaddr, 0;
$rule .= "-j mangle --mangle-ip-s
$newaddr --mangle-target CONTINUE"; },
DNATC => sub() { validate_address $newaddr, 0;
$rule .= "-j mangle --mangle-ip-d
$newaddr --mangle-target CONTINUE"; },
SMATC => sub() { fatal_error "Invalid MAC address
($newaddr)" unless $newaddr =~ /^(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$/;
- $rule .= "--h-length 6 -j mangle
--mangle-mac-s $newaddr --mangle-target CONTINUE"; },
+ $rule .= "$addrlen 6 -j mangle
--mangle-$hw-s $newaddr --mangle-target CONTINUE"; },
DMATC => sub() { fatal_error "Invalid MAC address
($newaddr)" unless $newaddr =~ /^(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$/;
- $rule .= "--h-length 6 -j mangle
--mangle-mac-d $newaddr --mangle-target CONTINUE"; },
+ $rule .= "$addrlen 6 -j mangle
--mangle-$hw-d $newaddr --mangle-target CONTINUE"; },
);
if ( supplied $newaddr ) {
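Review bot: The MAC check guarding the four rewritten SMAT/DMAT/SMATC/DMATC entries is anchored with `$`, which in Perl also matches just before a trailing newline, and the accepted value is then interpolated into the rule text; anchoring with `\A ... \z` would make the match exact. Whether a newline can actually reach `$newaddr` depends on how the arprules line is split, which is outside this hunk. Since the same pattern now sits four times beside the new interpolation, a shared `my $mac_re = qr/\A(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}\z/;` would keep the entries consistent. Writing `--mangle-${hw}-s` and `--mangle-${hw}-d` would also make the variable boundary explicit. process_arprule's body starts and ends outside the hunk.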
@@ -188,6 +190,8 @@ sub process_arprules() {
@builtins = qw( IN OUT FORWARD );
$sourcemac = '-z';
$destmac = '-y';
+ $addrlen = '--arhln';
+ $hw = 'hw';
} else {
$arp_input = $arp_table{INPUT} = [];
$arp_output = $arp_table{OUTPUT} = [];
@@ -195,6 +199,8 @@ sub process_arprules() {
@builtins = qw( INPUT OUTPUT FORWARD );
$sourcemac = '--source-mac';
$destmac = '--destination-mac';
+ $addrlen = '--h-length';
+ $hw = 'mac';
}
my $fn = open_file 'arprules';
signature.asc
Description: OpenPGP digital signature
