Add per-interface OUTPUT chains
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4728 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
60144960fc
commit
113058b78c
@ -6,6 +6,8 @@ Changes in 3.3.4
|
|||||||
|
|
||||||
3) Add COMBINE_JUMPS option.
|
3) Add COMBINE_JUMPS option.
|
||||||
|
|
||||||
|
4) Add an output chain for each interface.
|
||||||
|
|
||||||
Changes in 3.3.3
|
Changes in 3.3.3
|
||||||
|
|
||||||
1) Fix excluding in SUBNET column.
|
1) Fix excluding in SUBNET column.
|
||||||
|
@ -3629,7 +3629,7 @@ __EOF__
|
|||||||
do_iptables -A $(forward_chain $interface) -p udp -o $interface --dport 67:68 -j ACCEPT
|
do_iptables -A $(forward_chain $interface) -p udp -o $interface --dport 67:68 -j ACCEPT
|
||||||
fi
|
fi
|
||||||
run_iptables -A $(input_chain $interface) -p udp --dport 67:68 -j ACCEPT
|
run_iptables -A $(input_chain $interface) -p udp --dport 67:68 -j ACCEPT
|
||||||
run_iptables -A OUTPUT -o $interface -p udp --dport 67:68 -j ACCEPT
|
run_iptables -A $(out_chain $interface) -p udp --dport 67:68 -j ACCEPT
|
||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
#
|
#
|
||||||
@ -3948,7 +3948,7 @@ __EOF__
|
|||||||
|
|
||||||
run_iptables -A $(input_chain $interface) -j $chain
|
run_iptables -A $(input_chain $interface) -j $chain
|
||||||
run_iptables -A $(forward_chain $interface) -j $(dynamic_fwd $interface)
|
run_iptables -A $(forward_chain $interface) -j $(dynamic_fwd $interface)
|
||||||
run_iptables -A OUTPUT -o $interface -j $(dynamic_out $interface)
|
run_iptables -A $(out_chain $interface) -j $(dynamic_out $interface)
|
||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
#
|
#
|
||||||
@ -4232,10 +4232,10 @@ activate_rules()
|
|||||||
|
|
||||||
if [ -n "$chain1" ]; then
|
if [ -n "$chain1" ]; then
|
||||||
if [ -n "$exclusions" ]; then
|
if [ -n "$exclusions" ]; then
|
||||||
run_iptables2 -A OUTPUT -o $interface $(match_dest_hosts $networks) $(match_ipsec_out $zone $host) -j ${zone}_output
|
run_iptables2 -A $(out_chain $interface) $(match_dest_hosts $networks) $(match_ipsec_out $zone $host) -j ${zone}_output
|
||||||
run_iptables -A ${zone}_output -j $chain1
|
run_iptables -A ${zone}_output -j $chain1
|
||||||
else
|
else
|
||||||
run_iptables2 -A OUTPUT -o $interface $(match_dest_hosts $networks) $(match_ipsec_out $zone $host) -j $chain1
|
run_iptables2 -A $(out_chain $interface) $(match_dest_hosts $networks) $(match_ipsec_out $zone $host) -j $chain1
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
#
|
#
|
||||||
@ -4269,8 +4269,8 @@ activate_rules()
|
|||||||
|
|
||||||
if [ -n "$chain1" ]; then
|
if [ -n "$chain1" ]; then
|
||||||
for interface in $need_broadcast ; do
|
for interface in $need_broadcast ; do
|
||||||
run_iptables -A OUTPUT -o $interface -d 255.255.255.255 -j $chain1
|
run_iptables -A $(out_chain $interface) -d 255.255.255.255 -j $chain1
|
||||||
run_iptables -A OUTPUT -o $interface -d 224.0.0.0/4 -j $chain1
|
run_iptables -A $(out_chain $interface) -d 224.0.0.0/4 -j $chain1
|
||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
#
|
#
|
||||||
@ -4507,6 +4507,7 @@ activate_rules()
|
|||||||
for interface in $ALL_INTERFACES ; do
|
for interface in $ALL_INTERFACES ; do
|
||||||
run_iptables -A FORWARD -i $interface -j $(forward_chain $interface)
|
run_iptables -A FORWARD -i $interface -j $(forward_chain $interface)
|
||||||
run_iptables -A INPUT -i $interface -j $(input_chain $interface)
|
run_iptables -A INPUT -i $interface -j $(input_chain $interface)
|
||||||
|
run_iptables -A OUTPUT -o $interface -j $(out_chain $interface)
|
||||||
addnatjump POSTROUTING $(masq_chain $interface) -o $interface
|
addnatjump POSTROUTING $(masq_chain $interface) -o $interface
|
||||||
done
|
done
|
||||||
#
|
#
|
||||||
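Review bot: The new `run_iptables -A OUTPUT -o $interface -j $(out_chain $interface)` jump relies on the `_out` chain already existing for every interface in `$ALL_INTERFACES`, but the only creation site in this commit, `createchain $(out_chain $interface) no` in the hunk at line 5386, sits inside a loop whose header is outside that hunk, so I cannot confirm it iterates the same interface set or runs before this jump is issued. If any interface in `$ALL_INTERFACES` lacks its `_out` chain, the jump would presumably fail and abort the rule load. A comment next to the creation line, `# must run before the OUTPUT jumps in activate_rules()`, or creating the chain where the first rule is appended, would make the ordering dependency explicit. Note also that the DHCP and dynamic rules in the hunks at 3629 and 3948 drop `-o $interface` because this jump now carries the match; that is only correct while this jump remains the sole entry into the `_out` chain. activate_rules() starts and ends outside the hunk.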
@ -5386,6 +5387,8 @@ __EOF__
|
|||||||
createchain $chain no
|
createchain $chain no
|
||||||
run_iptables -A $chain $state -j dynamic
|
run_iptables -A $chain $state -j dynamic
|
||||||
done
|
done
|
||||||
|
|
||||||
|
createchain $(out_chain $interface) no
|
||||||
done
|
done
|
||||||
|
|
||||||
if strip_file_and_lib_load proxyarp proxyarp; then
|
if strip_file_and_lib_load proxyarp proxyarp; then
|
||||||
|
@ -782,6 +782,14 @@ first_chains() #$1 = interface
|
|||||||
echo ${c}_fwd ${c}_in
|
echo ${c}_fwd ${c}_in
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Out Chain to an interface
|
||||||
|
#
|
||||||
|
out_chain() # $1 = interface
|
||||||
|
{
|
||||||
|
echo $(chain_base $1)_out
|
||||||
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
# Horrible hack to work around an iptables limitation
|
# Horrible hack to work around an iptables limitation
|
||||||
#
|
#
|
||||||
|
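Review bot: `first_chains()` still echoes only `${c}_fwd ${c}_in` while the new `out_chain()` introduces a third per-interface chain; if callers use `first_chains` to enumerate or flush every chain belonging to an interface, the `_out` chain would presumably be skipped, so it is worth confirming whether it should now echo `${c}_fwd ${c}_in ${c}_out`. The unquoted `echo $(chain_base $1)_out` matches the file's existing style and is fine assuming `chain_base` yields a single word, but the header comment could state the contract, `# Out Chain to an interface: echoes the name of the per-interface OUTPUT chain`. first_chains() begins outside the hunk.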