functions.m4, local.m4: Introduce more kinds of hosts.

[firewall] / local.m4

diff --git a/local.m4 b/local.m4
index f373e3f..0705fb2 100644 (file)
--- a/local.m4
+++ b/local.m4
@@ -35,10 +35,12 @@ m4_divert(-1)
 
 ## Define the available network classes.
 m4_divert(42)m4_dnl
-defnetclass untrusted untrusted trusted
-defnetclass trusted untrusted trusted safe noloop
-defnetclass safe trusted safe noloop
-defnetclass noloop trusted safe
+defnetclass untrusted untrusted trusted mcast
+defnetclass trusted untrusted trusted safe noloop mcast
+defnetclass safe trusted safe noloop mcast
+defnetclass noloop trusted safe mcast
+defnetclass link
+defnetclass mcast
 m4_divert(-1)
 
 m4_divert(26)m4_dnl
@@ -74,7 +76,7 @@ defnet housebdry virtual
 
 ## House hosts.
 defhost radius
-       router
+       hosttype router
        iface eth0 dmz unsafe safe
        iface eth1 dmz unsafe safe
        iface eth2 safe
@@ -89,19 +91,21 @@ defhost artist
        iface eth0 dmz unsafe
        iface eth1 dmz unsafe
 defhost vampire
-       router
-       iface eth0.0 dmz unsafe safe
-       iface eth0.1 dmz unsafe safe
+       hosttype router
+       iface eth0.0 dmz unsafe safe default
+       iface eth0.1 dmz unsafe safe default
        iface eth0.2 safe
-       iface eth0.3 untrusted
+       iface eth0.3 untrusted default
        iface dns0 dns
        iface vpn-+ vpn
        iface vpn-precision colobdry vpn
+       iface t6-he default
 defhost ibanez
        iface br-dmz dmz unsafe
        iface br-unsafe unsafe
 
 defhost gibson
+       hosttype client
        iface eth0 unsafe
 
 ## Colocated networks.
@@ -122,7 +126,7 @@ defhost fender
        iface br-jump jump colo
        iface br-colo jump colo
 defhost precision
-       router
+       hosttype router
        iface eth0 jump colo
        iface eth1 jump colo
        iface vpn-+ vpn
@@ -161,7 +165,7 @@ case $forward in
     run iptables -A fwd-spec-nofrag -j RETURN --fragment
     run ip6tables -A fwd-spec-nofrag -j RETURN \
            -m ipv6header --soft --header frag
-    run iptables -A FORWARD -j fwd-spec-nofrag
+    run ip46tables -A FORWARD -j fwd-spec-nofrag
 
     ## Allow ping from safe/noloop to untrusted networks.
     run iptables -A fwd-spec-nofrag -j ACCEPT \
@@ -236,22 +240,6 @@ run iptables -A inbound -j ACCEPT \
        -s 172.29.198.0/23 \
        -p udp --source-port $port_bootpc --destination-port $port_bootps
 
-## Incoming multicast on a network interface associated with a trusted
-## network is OK, since it must have originated there (or been forwarded, but
-## we don't do that yet).
-seen=:-:
-for net in $allnets; do
-  eval class=\$net_class_$net
-  case $class in trusted) ;; *) continue ;; esac
-  for iface in $(net_interfaces FWHOST $net); do
-    case "$seen" in *:$iface:*) continue ;; esac
-    seen=$seen$iface:
-    run iptables -A inbound -j ACCEPT \
-       -s 0.0.0.0 -d 224.0.0.0/24 \
-       -i $iface
-  done
-done
-
 ## Allow incoming ping.  This is the only ICMP left.
 run ip46tables -A inbound -j ACCEPT -p icmp