Add TEST column to /etc/shorewall/routes

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2126 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2005-05-16 13:52:30 +00:00
parent 0e8d1e958f
commit 08a3c1d95d
4 changed files with 70 additions and 12 deletions


@ -2,6 +2,8 @@ Changes in 2.3.2
1) Add support for -j ROUTE
2) Add TEST column to /etc/shorewall/routes
Changes in 2.3.1
1) Change the behavior of SAVE_IPSETS and allow 'ipsets' files in


@ -5255,6 +5255,7 @@ add_a_route()
{
local r=
local chain=routefwd
local marktest=
if [ "x$source" != "x-" ]; then
case ${source} in
@ -5304,10 +5305,36 @@ add_a_route()
[ "x$proto" = "x-" ] && proto=all
[ "x$proto" = "x" ] && proto=all
[ "$proto" = "all" ] || r="${r}-p $proto "
[ "x$port" = "x-" ] || r="${r}--dport $port "
[ "x$port" = "x-" ] || r="${r}-m multiport --dports $port "
fi
[ "x${sport:--}" = "x-" ] || r="${r}--sport $sport "
if [ "x${sport:--}" != "x-" ]; then
[ "x$port" = "x-" ] && r="${r}-m multiport "
r="${r}--sports $sport "
fi
case $testval in
-)
;;
!*:C)
marktest="connmark ! "
testval=${testval%:*}
testval=${testval#!}
;;
*:C)
marktest="connmark "
testval=${testval%:*}
;;
!*)
marktest="mark ! "
testval=${testval#!}
;;
*)
[ -n "$testval" ] && marktest="mark "
;;
esac
[ -n "$marktest" ] && r="${r}-m ${marktest}--mark $testval "
r="${r}-j ROUTE "
@ -5336,10 +5363,10 @@ setup_routes() # $1 = file name
run_iptables -t mangle -N routeout
run_iptables -t mangle -A OUTPUT -j routeout
while read source dest proto port sport interface gateway; do
while read source dest proto port sport testval interface gateway; do
expandv source dest proto port sport interface gateway
rule="$source $dest $proto $port $sport $interface $gateway"
expandv source dest proto port sport testval interface gateway
rule="$source $dest $proto $port $sport testval $interface $gateway"
add_a_route
done < $TMP_DIR/routes
fi
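Review bot: The rebuilt `rule` string in setup_routes, `rule="$source $dest $proto $port $sport testval $interface $gateway"`, embeds the literal word `testval` rather than the variable's value, so whatever consumes `rule` (it is assembled right after the expandv call, presumably for diagnostics) will never reflect the TEST column; it should read `rule="$source $dest $proto $port $sport $testval $interface $gateway"`. In the add_a_route hunk the value is stripped of its leading `!` and trailing `:C` and then spliced verbatim into `-m ${marktest}--mark $testval`; nothing checks that what remains is a number or `<value>/<mask>` as the new column description promises, so a typo in the routes file surfaces only as an iptables error when the rule is loaded rather than being rejected by the script's own error path at parse time. Note also that the `case` only matches a `:C` suffix when it is the last colon-separated part, which the documented format implies but the code does not otherwise enforce. add_a_route starts before its first hunk and continues past `r="${r}-j ROUTE "`, and the body of setup_routes also begins outside the hunk.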


@ -64,6 +64,25 @@ New Features in version 2.3.2
comma-separated list of port names, port
numbers or port ranges.
TEST Defines a test on the existing packet or
connection mark.
The rule will match only if the test returns
true. Tests have the format
[!]<value>[/<mask>][:C]
Where:
! Inverts the test (not equal)
<value> Value of the packet or
connection mark.
<mask> A mask to be applied to the
mark before testing
:C Designates a connection
mark. If omitted, the packet
mark's value is tested.
INTERFACE The interface that the packet is to be routed
out of. If you do not specify this field then
you must place "-" in this column and enter an


@ -11,6 +11,8 @@
# In order to use entries in this file, your kernel and iptables must
# have ROUTE target support.
#
# To omit any column, enter "-" in that column.
#
# Columns are:
#
#
@ -50,22 +52,30 @@
# for bit-torrent). If no PORT is given, "ipp2p" is
# assumed.
#
# This column is ignored if PROTOCOL = all but must be
# entered if any of the following field is supplied.
# In that case, it is suggested that this field contain
# "-"
#
# SOURCE PORT(S) (Optional) Source port(s). If omitted,
# any source port is acceptable. Specified as a comma-
# separated list of port names, port numbers or port
# ranges.
#
# TEST Defines a test on the existing packet or connection mark.
# The rule will match only if the test returns true. Tests
# have the format [!]<value>[/<mask>][:C]
#
# Where:
#
# ! Inverts the test (not equal)
# <value> Value of the packet or connection mark.
# <mask> A mask to be applied to the mark before
# testing
# :C Designates a connection mark. If omitted,
# the packet mark's value is tested.
#
# INTERFACE The interface that the packet is to be routed out of.
#
# GATEWAY The gateway that the packet is to be forewarded through.
#
# See http://shorewall.net/Shorewall_and_Routing.html for additional information.
#######################################################################################
#SOURCE DEST PROTO PORT(S) SOURCE INTERFACE GATEWAY
# PORT(S)
#SOURCE DEST PROTO PORT(S) SOURCE TEST INTERFACE GATEWAY
# PORT(S)
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE