
#!/bin/sh
#
# Shorewall 3.2 -- /usr/share/shorewall/clib.nat
#
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
#
# (c) 2005,2006 - Tom Eastep (teastep@shorewall.net)
#
# Complete documentation is available at http://shorewall.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of Version 2 of the GNU General Public License
# as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
#
# Setup Static Network Address Translation (NAT)
#
setup_nat() {
    local external= interface= internal= allints= localnat= policyin= policyout=
    #
    # Validate one Yes/No column of the nat entry currently being processed.
    #   $1 = name of the shell variable holding the column. This is a literal
    #        name supplied by do_one_nat below ("allints" / "localnat"), never
    #        data read from the nat file -- that is the only reason the eval
    #        in the No branch is acceptable.
    #   $2 = column name, used only in the error message
    #   $3 = the value read from the file (absent when the column is empty)
    # "Yes"/"yes" leaves the variable as read, "No"/"no" clears it so the
    # later [ -n ... ] tests treat it as false, an empty column is silently
    # accepted as "No", and any other value is a fatal configuration error.
    #
    validate_one() # $1 = Variable Name, $2 = Column name, $3 = value
    {
        case $3 in
            Yes|yes)
                ;;
            No|no)
                eval ${1}=
                ;;
            *)
                # Empty is fine (variable is already empty); anything else is not.
                [ -n "$3" ] && \
                    fatal_error "Invalid value ($3) for $2 in entry \"$external $interface $internal $allints $localnat\""
                ;;
        esac
    }
    #
    # Emit the rules for the entry held in the globals
    # external/interface/internal/allints/localnat (set by the read loop
    # below) and record any IP alias work for it.
    # Side effect: "interface" is rewritten here (a trailing ':' is removed),
    # and the caller's progress message prints the rewritten value.
    #
    do_one_nat() {
        # iface: the interface name with any ':suffix' removed
        # (${interface%:*} strips the shortest trailing ':...').
        local add_ip_aliases=$ADD_IP_ALIASES iface=${interface%:*}
        if [ -n "$add_ip_aliases" ]; then
            case $interface in
                *:)
                    # A trailing ':' in the INTERFACE column opts this single
                    # entry out of alias creation.
                    interface=${interface%:}
                    add_ip_aliases=
                    ;;
                *)
                    # Unless aliases are retained, queue removal of any existing
                    # alias for this address (presumably written into the
                    # generated script by save_command -- see its definition).
                    [ -n "$RETAIN_ALIASES" ] || save_command del_ip_addr $external $iface
                    ;;
            esac
        else
            interface=${interface%:}
        fi
        # Deliberately unquoted: an empty column must arrive as a missing $3.
        validate_one allints "ALL INTERFACES" $allints
        validate_one localnat "LOCAL" $localnat
        # $policyin/$policyout are intentionally unquoted as well -- each expands
        # to several iptables arguments, or to nothing (set in setup_nat below).
        if [ -n "$allints" ]; then
            # ALL INTERFACES=Yes: rules go into the shared nat_in/nat_out chains.
            addnatrule nat_in -d $external $policyin -j DNAT --to-destination $internal
            addnatrule nat_out -s $internal $policyout -j SNAT --to-source $external
        else
            # Otherwise only into the chains of the named interface.
            addnatrule $(input_chain $iface) -d $external $policyin -j DNAT --to-destination $internal
            addnatrule $(output_chain $iface) -s $internal $policyout -j SNAT --to-source $external
        fi
        # LOCAL=Yes: also translate in the nat OUTPUT chain, i.e. for traffic
        # generated on the firewall itself.
        [ -n "$localnat" ] && \
            run_iptables2 -t nat -A OUTPUT -d $external $policyout -j DNAT --to-destination $internal
        if [ -n "$add_ip_aliases" ]; then
            # Queue "<external> <interface>" for alias creation, skipping
            # addresses already present in the list.
            list_search $external $ALIASES_TO_ADD || \
                ALIASES_TO_ADD="$ALIASES_TO_ADD $external $interface"
        fi
    }
    #
    # At this point, we're just interested in the network translation
    #
    # Start from an empty $STATEDIR/nat (created or truncated).
    > $STATEDIR/nat
    # With policy match available, restrict the NAT rules to packets that
    # carry no IPsec policy (--pol none).
    if [ -n "$POLICY_MATCH" ]; then
        policyin="-m policy --pol none --dir in"
        policyout="-m policy --pol none --dir out"
    fi
    [ -n "$RETAIN_ALIASES" ] || save_progress_message "Setting up one-to-one NAT..."
    # One entry per line: EXTERNAL INTERFACE INTERNAL ALL_INTERFACES LOCAL.
    # Note: read without -r, so backslashes in the file are interpreted.
    while read external interface internal allints localnat; do
        expandv external interface internal allints localnat
        do_one_nat
        progress_message_and_save " Host $internal NAT $external on $interface"
    done < $TMP_DIR/nat
}
#
# Delete existing Static NAT
#
delete_nat() {
    # Flush every rule, then remove every user chain, in the nat table.
    run_iptables -t nat -F
    run_iptables -t nat -X
    # Make sure an (empty) nat record exists when the state directory does.
    if [ -d $STATEDIR ]; then
        touch $STATEDIR/nat
    fi
    # Write, via indent onto fd 3, the shell code that the generated script
    # runs to drop the aliases recorded in its nat file. The delimiter is
    # quoted so nothing is expanded here: ${VARDIR}, $external and $interface
    # reach the generated script literally and are evaluated there.
    indent >&3 <<'__EOF__'
if [ -f ${VARDIR}/nat ]; then
while read external interface; do
del_ip_addr $external $interface
done < ${VARDIR}/nat
rm -f ${VARDIR}/nat
fi
__EOF__
}
#
# Setup Network Mapping (NETMAP)
#
setup_netmap() {
    local entry
    # One entry per line of $TMP_DIR/netmap: TYPE NET1 INTERFACE NET2
    while read type net1 interface net2 ; do
        expandv type net1 interface net2
        # The entry as quoted in error messages.
        entry="$type $net1 $interface $net2"
        # The interface must be one of the configured interfaces.
        if ! list_search $interface $ALL_INTERFACES; then
            fatal_error "Unknown interface $interface in entry \"$entry\""
        fi
        case $type in
            DNAT)
                # Inbound: map destinations in NET1 onto NET2.
                addnatrule $(input_chain $interface) -d $net1 -j NETMAP --to $net2
                ;;
            SNAT)
                # Outbound: map sources in NET1 onto NET2.
                addnatrule $(output_chain $interface) -s $net1 -j NETMAP --to $net2
                ;;
            *)
                fatal_error "Invalid type $type in entry \"$entry\""
                ;;
        esac
        progress_message_and_save " Network $net1 on $interface mapped to $net2 ($type)"
    done < $TMP_DIR/netmap
}
# Marks this library as loaded -- presumably tested by whatever sources
# this file; verify against the loader before relying on it.
CLIB_NAT_LOADED="Yes"