The generated script includes shell code to manage VLAN interfaces if the checkbox "Configure VLAN interfaces" is turned on in the "Script" tab of the firewall object "advanced" settings dialog. By default, it is turned off.
The script uses the vconfig tool which should be present on the firewall. The script checks if it is available and aborts if it cannot find it.
The script checks if the VLAN interface configured in the GUI exists on the firewall and creates it if necessary.
If the script finds a VLAN interface on the firewall that is not configured in the fwbuilder GUI, it deletes it.
A script generated by Firewall Builder and intended for a Linux firewall can create and remove VLAN interfaces if the checkbox "Configure VLAN interfaces" is turned on in the "Script" tab of the firewall object "advanced" settings dialog. By default, it is turned off.
As with IP addresses, the script manages VLAN interfaces incrementally; that is, it compares actual configuration of the firewall machine to the configuration defined in Firewall Builder and then adds or removes VLAN interfaces. Running the same script multiple times does not make any unnecessary changes on the firewall. If actual configuration matches objects created in the Firewall Builder GUI, the script does not perform any actions and just exits.
The script uses the utility vconfig to configure VLAN interfaces. It checks if the utility is present on the firewall machine and aborts execution if it is not found. If this utility is installed in an unusual place on your machine, you can configure the path to it in the "Host OS" settings dialog of the firewall object.
VLAN interfaces can have different names on Linux, depending on the naming convention established using "vconfig set_name_type" command. Four naming types are available: VLAN_PLUS_VID (vlan0005), VLAN_PLUS_VID_NO_PAD (vlan5), DEV_PLUS_VID (eth0.0005), DEV_PLUS_VID_NO_PAD (eth0.5). Fwbuilder supports all four, you just assign the name to the VLAN interface in the GUI and generated script will automatically issue "vconfig set_name_type" command to choose correct name type.
To illustrate VLAN management on Linux, consider the firewall object "linux-test-vlan-1" shown on Figure 9.9:
The interface eth1 is configured as "unnumbered" interface, we are going to add VLAN subinterfaces to it. To do this, select this interface in the tree and right-click to open the right-click menu:
The new subninterface is created with the generic name "Interface". To make it a VLAN interface we should rename it:
The name of the interface is eth1.100, which implies VLAN ID 100. Firewall Builder is aware of the naming schemes of VLAN interfaces on Linux and automatically recognizes this name and sets interface type to "VLAN" and its VLAN ID to "100". To inspect and change its VLAN ID, click the "Advanced Interface Settings" button:
The program verifies the VLAN ID configured in the VLAN interface parameters dialog and compares it to the interface name to make sure they match. It does not let you set a VLAN ID that does not match interface name because vconfig would not let you do it on the Linux machine. The program also verifies subinterface name to make sure it matches one of the supported naming schemes. It allows names such as "eth1.100", "eth1.0100", "vlan100", "vlan0100" but would not allow any other name for the VLAN subinterface.
I am going to add a second VLAN interface eth1.101 and add IPv4 addresses to both VLAN interfaces. The final configuration is shown in Figure 9.13:
The generated script includes the following shell function that sets up all VLANs and IP addresses:
configure_interfaces() { : # Configure interfaces update_vlans_of_interface "eth1 eth1.100 eth1.101" clear_vlans_except_known eth1.100@eth1 eth1.101@eth1 update_addresses_of_interface "lo ::1/128 127.0.0.1/8" "" update_addresses_of_interface "eth0 fe80::20c:29ff:fe1e:dcaa/64 10.3.14.108/24" "" update_addresses_of_interface "eth1" "" update_addresses_of_interface "eth1.100 10.1.1.1/24" "" update_addresses_of_interface "eth1.101 10.1.2.1/24" "" }
The call to update_vlans_of_interface adds and removes VLANs as needed to make sure VLAN interfaces eth1.100 and eth1.101 exist. The call to clear_vlans_except_known removes other VLAN interfaces that might exist on the machine but were not configured in Firewall Builder. Calls to update_addresses_of_interface set up IP addresses. To test, I am going to copy the generated script to the firewall and run it with the command-line parameter "test_interfaces". This command does not make any changes on the firewall but only prints commands it would have executed to configure VLANs and addresses:
root@linux-test-1:~# /etc/fw/linux-test-vlan-1.fw test_interfaces # Adding VLAN interface eth1.100 (parent: eth1) vconfig set_name_type DEV_PLUS_VID_NO_PAD vconfig add eth1 100 ifconfig eth1.100 up # Adding VLAN interface eth1.101 (parent: eth1) vconfig set_name_type DEV_PLUS_VID_NO_PAD vconfig add eth1 101 ifconfig eth1.101 up # Interface eth1.100 does not exist # Adding ip address: eth1.100 10.1.1.1/24 ip addr add 10.1.1.1/24 dev eth1.100 ifconfig eth1.100 up # Interface eth1.101 does not exist # Adding ip address: eth1.101 10.1.2.1/24 ip addr add 10.1.2.1/24 dev eth1.101 ifconfig eth1.101 up
The script uses vconfig to set up the naming scheme and add VLAN interfaces, then uses IP to add addresses. To make the change, run the script with the command-line parameter "interfaces":
root@linux-test-1:~# /etc/fw/linux-test-vlan-1.fw interfaces # Adding VLAN interface eth1.100 (parent: eth1) Set name-type for VLAN subsystem. Should be visible in /proc/net/vlan/config Added VLAN with VID == 100 to IF -:eth1:- # Adding VLAN interface eth1.101 (parent: eth1) Set name-type for VLAN subsystem. Should be visible in /proc/net/vlan/config Added VLAN with VID == 101 to IF -:eth1:- # Adding ip address: eth1.100 10.1.1.1/24 # Adding ip address: eth1.101 10.1.2.1/24
To inspect the result, use the "ip addr show" command:
root@linux-test-1:~# ip addr show 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000 link/ether 00:0c:29:1e:dc:aa brd ff:ff:ff:ff:ff:ff inet 10.3.14.108/24 brd 10.3.14.255 scope global eth0 inet6 fe80::20c:29ff:fe1e:dcaa/64 scope link valid_lft forever preferred_lft forever 3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000 link/ether 00:0c:29:1e:dc:b4 brd ff:ff:ff:ff:ff:ff inet6 fe80::20c:29ff:fe1e:dcb4/64 scope link valid_lft forever preferred_lft forever 4: eth1.100@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP link/ether 00:0c:29:1e:dc:b4 brd ff:ff:ff:ff:ff:ff inet 10.1.1.1/24 scope global eth1.100 inet6 fe80::20c:29ff:fe1e:dcb4/64 scope link valid_lft forever preferred_lft forever 5: eth1.101@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP link/ether 00:0c:29:1e:dc:b4 brd ff:ff:ff:ff:ff:ff inet 10.1.2.1/24 scope global eth1.101 inet6 fe80::20c:29ff:fe1e:dcb4/64 scope link valid_lft forever preferred_lft forever
Let's try to run the same script again:
root@linux-test-1:~# /etc/fw/linux-test-vlan-1.fw interfaces root@linux-test-1:~#
The script detected that both VLAN interfaces already exist and have correct IP addresses and did nothing.
Now I am going to change the VLAN ID on one of the interfaces and demonstrate how the script executes the change on the firewall. First, I rename interface eth1.100 to eth1.102:
Then I recompile the firewall, copy the generated script to the firewall and run it:
root@linux-test-1:~# /etc/fw/linux-test-vlan-1.fw interfaces # Adding VLAN interface eth1.102 (parent: eth1) Set name-type for VLAN subsystem. Should be visible in /proc/net/vlan/config Added VLAN with VID == 102 to IF -:eth1:- # Removing VLAN interface eth1.100 (parent: eth1) Removed VLAN -:eth1.100:- # Adding ip address: eth1.102 10.1.1.1/24
The script added the new VLAN interface eth1.102 first, then removed eth1.100 and added the IP address to eth1.102.
Now lets rename both VLAN interfaces to use different naming scheme:
There is a limitation in the implementation of the incremental VLAN management at this time. The generated script cannot correctly rename VLAN interfaces, (that is, change the name) without changing the VLAN ID. There are two workarounds: (1) you can remove VLAN interfaces manually and then run the script to let it add new ones, or (2) you can run the script twice. On the first run, it will issue errors because it can't add the VLAN interfaces with different name but the same VLAN ID, but it can delete old VLAN interfaces. On the second run it adds the VLAN interfaces with new names.
root@linux-test-1:~# /etc/fw/linux-test-vlan-1.fw interfaces # Adding VLAN interface vlan0101 (parent: eth1) Set name-type for VLAN subsystem. Should be visible in /proc/net/vlan/config Added VLAN with VID == 101 to IF -:eth1:- # Adding VLAN interface vlan0102 (parent: eth1) Set name-type for VLAN subsystem. Should be visible in /proc/net/vlan/config Added VLAN with VID == 102 to IF -:eth1:- # Adding ip address: vlan0102 10.1.1.1/24 # Adding ip address: vlan0101 10.1.2.1/24
Here is how final configuration looks:
root@linux-test-1:~# ip addr ls 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000 link/ether 00:0c:29:1e:dc:aa brd ff:ff:ff:ff:ff:ff inet 10.3.14.108/24 brd 10.3.14.255 scope global eth0 inet6 fe80::20c:29ff:fe1e:dcaa/64 scope link valid_lft forever preferred_lft forever 3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000 link/ether 00:0c:29:1e:dc:b4 brd ff:ff:ff:ff:ff:ff inet6 fe80::20c:29ff:fe1e:dcb4/64 scope link valid_lft forever preferred_lft forever 4: vlan0101@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP link/ether 00:0c:29:1e:dc:b4 brd ff:ff:ff:ff:ff:ff inet 10.1.2.1/24 scope global vlan0101 inet6 fe80::20c:29ff:fe1e:dcb4/64 scope link valid_lft forever preferred_lft forever 5: vlan0102@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP link/ether 00:0c:29:1e:dc:b4 brd ff:ff:ff:ff:ff:ff inet 10.1.1.1/24 scope global vlan0102 inet6 fe80::20c:29ff:fe1e:dcb4/64 scope link valid_lft forever preferred_lft forever
Copyright © 2000-2012 NetCitadel, Inc. All rights reserved.
Using free CSS Templates.