Allow ip range in the rule SOURCE

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1608 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2004-09-07 21:51:02 +00:00
parent 1f68772e22
commit 07bc13f983
4 changed files with 63 additions and 35 deletions


@ -4043,25 +4043,29 @@ process_rule() # $1 = target
# 16 ports are listed - use multiport match. # 16 ports are listed - use multiport match.
# #
multioption="-m multiport" multioption="-m multiport"
for client in $(separate_list ${clients:=-}); do for clientrange in $(separate_list ${clients:=-}); do
# for client in $(ip_range $clientrange); do
# add_a_rule() modifies these so we must set their values each time #
# # add_a_rule() modifies these so we must set their values each time
server=${servers:=-} #
port=${ports:=-} server=${servers:=-}
cport=${cports:=-} port=${ports:=-}
add_a_rule cport=${cports:=-}
add_a_rule
done
done done
else else
# #
# MULTIPORT is disabled or the rule isn't compatible with multiport match # MULTIPORT is disabled or the rule isn't compatible with multiport match
# #
multioption= multioption=
for client in $(separate_list ${clients:=-}); do for clientrange in $(separate_list ${clients:=-}); do
for port in $(separate_list ${ports:=-}); do for client in $(ip_range $clientrange); do
for cport in $(separate_list ${cports:=-}); do for port in $(separate_list ${ports:=-}); do
server=${servers:=-} for cport in $(separate_list ${cports:=-}); do
add_a_rule server=${servers:=-}
add_a_rule
done
done done
done done
done done
@ -4081,14 +4085,16 @@ process_rule() # $1 = target
# 16 ports are listed - use multiport match. # 16 ports are listed - use multiport match.
# #
multioption="-m multiport" multioption="-m multiport"
for client in $(separate_list ${clients:=-}); do for clientrange in $(separate_list ${clients:=-}); do
for server in $(separate_list ${servers:=-}); do for client in $(ip_range $clientrange); do
# for server in $(separate_list ${servers:=-}); do
# add_a_rule() modifies these so we must set their values each time #
# # add_a_rule() modifies these so we must set their values each time
port=${ports:=-} #
cport=${cports:=-} port=${ports:=-}
add_a_rule cport=${cports:=-}
add_a_rule
done
done done
done done
else else
@ -4096,11 +4102,13 @@ process_rule() # $1 = target
# MULTIPORT is disabled or the rule isn't compatible with multiport match # MULTIPORT is disabled or the rule isn't compatible with multiport match
# #
multioption= multioption=
for client in $(separate_list ${clients:=-}); do for clientrange in $(separate_list ${clients:=-}); do
for server in $(separate_list ${servers:=-}); do for client in $(ip_range $clientrange); do
for port in $(separate_list ${ports:=-}); do for server in $(separate_list ${servers:=-}); do
for cport in $(separate_list ${cports:=-}); do for port in $(separate_list ${ports:=-}); do
add_a_rule for cport in $(separate_list ${cports:=-}); do
add_a_rule
done
done done
done done
done done
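Review bot: The new inner loop `for client in $(ip_range $clientrange); do` in the first hunk (and the same loop in the two later hunks of this file) calls add_a_rule once per address in the range, and nothing in these hunks bounds how many addresses a SOURCE range may expand to, so one rules line with a wide range silently becomes thousands of iptables rules at startup. The DEST column comment in this commit states a limit of 256 addresses, while the new SOURCE column comment gives no limit and the changelog example `192.0.2.9-192.9.2.17` would span far more than 256; if ip_range itself does not enforce a bound (its body is outside this hunk), I would reject oversized ranges before the loop with the script's fatal-error helper and state the limit in the SOURCE column comment. process_rule starts and ends outside these hunks.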


@ -546,13 +546,20 @@ encodeaddr() {
ip_range() { ip_range() {
local first last l x y z vlsm local first last l x y z vlsm
case $1 in case $1 in
[0-9]*.*.*.*-*.*.*.*) !*)
;; #
*) # Let iptables complain if it's a range
echo $1 #
return echo $1
;; return
;;
[0-9]*.*.*.*-*.*.*.*)
;;
*)
echo $1
return
;;
esac esac
first=$(decodeaddr ${1%-*}) first=$(decodeaddr ${1%-*})
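Review bot: The new `!*)` arm returns a negated argument unexpanded under the comment `Let iptables complain if it's a range`, so a SOURCE such as `!192.0.2.11-192.0.2.17` is only rejected when iptables parses the generated command, with an iptables error rather than a message that points at the rules file entry. A dedicated arm placed before it, e.g. `!*-*) fatal_error "Negated address ranges are not supported: $1" ;;` (assuming the script's fatal_error helper is in scope here), would surface the misconfiguration with a clear diagnostic at shorewall start. The body of ip_range continues past the end of this hunk.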


@ -431,5 +431,11 @@ New Features:
13) Shorewall now verifies that your kernel and iptables have physdev 13) Shorewall now verifies that your kernel and iptables have physdev
match support if BRIDGING=Yes in shorewall.conf. match support if BRIDGING=Yes in shorewall.conf.
14) IP address ranges are now allowed in the SOURCE column of the
/etc/shorewall/rules file.
Example:
ACCEPT net:192.0.2.9-192.9.2.17 fw tcp 25


@ -118,6 +118,9 @@
# address; mac addresses must begin with "~" and must use # address; mac addresses must begin with "~" and must use
# "-" as a separator. # "-" as a separator.
# #
# Hosts may be specified as an IP address range using the
# syntax <low address>-<high address>.
#
# dmz:192.168.2.2 Host 192.168.2.2 in the DMZ # dmz:192.168.2.2 Host 192.168.2.2 in the DMZ
# #
# net:155.186.235.0/24 Subnet 155.186.235.0/24 on the # net:155.186.235.0/24 Subnet 155.186.235.0/24 on the
@ -129,6 +132,10 @@
# loc:~00-A0-C9-15-39-78 Host in the local zone with # loc:~00-A0-C9-15-39-78 Host in the local zone with
# MAC address 00:A0:C9:15:39:78. # MAC address 00:A0:C9:15:39:78.
# #
# net:192.0.2.11-192.0.2.17
# Hosts 192.0.2.11-192.0.2.17 in
# the net zone.
#
# Alternatively, clients may be specified by interface # Alternatively, clients may be specified by interface
# by appending ":" to the zone name followed by the # by appending ":" to the zone name followed by the
# interface name. For example, loc:eth1 specifies a # interface name. For example, loc:eth1 specifies a
@ -159,7 +166,7 @@
# 3. You may not specify both an interface and # 3. You may not specify both an interface and
# an address. # an address.
# #
# Unlike in the SOURCE column, you may specify a range of # Like in the SOURCE column, you may specify a range of
# up to 256 IP addresses using the syntax # up to 256 IP addresses using the syntax
# <first ip>-<last ip>. When the ACTION is DNAT or DNAT-, # <first ip>-<last ip>. When the ACTION is DNAT or DNAT-,
# the connections will be assigned to addresses in the # the connections will be assigned to addresses in the