Add NONAT and ACCEPT+ actions

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1309 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall2/changelog.txt

@@ -48,3 +48,4 @@ Changes since 2.0.1
 
 23) Apply Alex Wilms's patch for install.sh
 
+24) Add ACCEPT+ and NONAT targets.

Shorewall2/fallback.sh

@@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.
 
-VERSION=2.0.2-Beta1
+VERSION=2.0.2-Beta2
 
 usage() # $1 = exit status
 {

Shorewall2/firewall

@@ -3222,9 +3222,23 @@ add_a_rule()
 				    log_rule_limit $loglevel $chain $logtarget "$ratelimit" "$logtag" $userandgroup \
 					$(fix_bang $proto $sports $multiport $cli -d $srv $dports)
 				fi
-
+				
-				run_iptables2 -A $chain $proto $multiport $cli $sports \
+				case $logtarget in
-				    -d $srv $dports $ratelimit $userandgroup -j $target
+				    NONAT)
+					addnatrule $(dnat_chain $source) $proto $multiport \
+					    $cli $sports -d $srv $dports $ratelimit $userandgroup -j RETURN
+					;;
+				    ACCEPT+)
+					addnatrule $(dnat_chain $source) $proto $multiport \
+					    $cli $sports -d $srv $dports $ratelimit $userandgroup -j RETURN
+					run_iptables2 -A $chain $proto $multiport $cli $sports \
+					    -d $srv $dports $ratelimit $userandgroup -j $target
+					;;
+				    *)
+					run_iptables2 -A $chain $proto $multiport $cli $sports \
+					    -d $srv $dports $ratelimit $userandgroup -j $target
+					;;
+				    esac
 			    fi
 			done
 		    done
@@ -3234,8 +3248,22 @@ add_a_rule()
 			    $(fix_bang $proto $sports $multiport $cli $dports)
 		    fi
 
-		    run_iptables2 -A $chain $proto $multiport $cli $sports \
+		    case $logtarget in
-			$dports $ratelimit $userandgroup -j $target
+			NONAT)
+			    addnatrule $(dnat_chain $source) $proto $multiport \
+				$cli $sports $dports $ratelimit $userandgroup -j RETURN
+                            ;;
+			ACCEPT+)
+			    addnatrule $(dnat_chain $source) $proto $multiport \
+				$cli $sports $dports $ratelimit $userandgroup -j RETURN
+			    run_iptables2 -A $chain $proto $multiport $cli $sports \
+				$dports $ratelimit $userandgroup -j $target
+			    ;;
+			*)
+			    run_iptables2 -A $chain $proto $multiport $cli $sports \
+				$dports $ratelimit $userandgroup -j $target
+			    ;;
+		    esac
 		fi
 	    fi
 	fi
@@ -3253,10 +3281,24 @@ add_a_rule()
 		    $(fix_bang $proto $multiport $dest_interface $cli $sports $dports)
 	    fi
 
-	    if [ $logtarget != LOG ]; then
+	    case $logtarget in
-		run_iptables2 -A $chain $proto $multiport $dest_interface \
+		LOG)
-		    $cli $sports $dports $ratelimit $userandgroup -j $target
+		    ;;
-	    fi
+		NONAT)
+		    addnatrule $(dnat_chain $source) $proto $multiport \
+		       $cli $sports $dports $ratelimit $userandgroup -j RETURN
+		    ;;
+		ACCEPT+)
+		    addnatrule $(dnat_chain $source) $proto $multiport \
+		       $cli $sports $dports $ratelimit $userandgroup -j RETURN
+		    run_iptables2 -A $chain $proto $multiport $dest_interface \
+			$cli $sports $dports $ratelimit $userandgroup -j $target
+		    ;;
+		*)
+		    run_iptables2 -A $chain $proto $multiport $dest_interface \
+			$cli $sports $dports $ratelimit $userandgroup -j $target
+		    ;;
+		esac
 	fi
     fi
 }
@@ -3368,7 +3410,10 @@ process_rule() # $1 = target
     fi
 
     case $target in
-	ACCEPT|LOG)
+	ACCEPT+)
+	    target=ACCEPT
+	    ;;
+	ACCEPT|LOG|NONAT)
 	    ;;
 	DROP)
 	    [ -n "$ratelimit" ] && fatal_error "Rate Limiting not available with DROP"
@@ -3613,7 +3658,7 @@ process_rules()
     while read xtarget xclients xservers xprotocol xports xcports xaddress xratelimit xuserspec; do
 	temp="${xtarget%%:*}"
 	case "${temp%<*}" in
-	    ACCEPT|DROP|REJECT|DNAT|DNAT-|REDIRECT|REDIRECT-|LOG|CONTINUE|QUEUE)
+	    ACCEPT|ACCEPT+|NONAT|DROP|REJECT|DNAT|DNAT-|REDIRECT|REDIRECT-|LOG|CONTINUE|QUEUE)
 		do_it
 		;;
 	    *)

Shorewall2/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
 #
 
-VERSION=2.0.2-Beta1
+VERSION=2.0.2-Beta2
 
 usage() # $1 = exit status
 {

Shorewall2/releasenotes.txt

@@ -210,4 +210,14 @@ New Features:
        To 0.0.0.0/0 (tcp 25) from 10.0.0.0/8 through eth0 using 206.124.146.177
        To 0.0.0.0/0 (all) from 10.0.0.0/8 through eth0 using 206.124.146.176
 
+11) Two new actions are available in the /etc/shorewall/rules file.
+
+    ACCEPT+    -- Behaves like ACCEPT with the exception that it exempts
+                  matching connections from subsequent DNAT[-] and
+                  REDIRECT[-] rules.
+
+    NONAT      -- Exempts matching connections from subsequent DNAT[-]
+                  and REDIRECT[-] rules.
+
+
 

Shorewall2/rules

@@ -25,6 +25,13 @@
 #			LOG, QUEUE or an <action>.
 #
 #				ACCEPT   -- allow the connection request
+#				ACCEPT+  -- like ACCEPT but also excludes the
+#					    connection from any subsequent
+#					    DNAT[-] or REDIRECT[-] rules
+#				NONAT    -- Excludes the connection from any
+#					    subsequent DNAT[-] or REDIRECT[-]
+					    rules but doesn't generate a rule
+#					    to accept the traffic.
 #				DROP     -- ignore the request
 #				REJECT   -- disallow the request and return an
 #					    icmp-unreachable or an RST packet.

Shorewall2/shorewall.spec

@@ -1,6 +1,6 @@
 %define name shorewall
 %define version 2.0.2
-%define release 0Beta1
+%define release 0Beta2
 %define prefix /usr
 
 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
@@ -140,6 +140,8 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
 
 %changelog
+* Tue May 04 2004 Tom Eastep tom@shorewall.net
+- Shorewall 2.0.2-Beta2
 * Tue Apr 13 2004 Tom Eastep tom@shorewall.net
 - Add /usr/share/shorewall/configpath
 * Mon Apr 05 2004 Tom Eastep tom@shorewall.net

Shorewall2/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Seattle Firewall
 
-VERSION=2.0.2-Beta1
+VERSION=2.0.2-Beta2
 
 usage() # $1 = exit status
 {