extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-02-06 04:49:32 +01:00
Code Issues Packages Projects Releases Wiki Activity

Fix several bugs in NAT rule processing

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5739 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2007-03-29 03:07:48 +00:00
parent 70682ad40d
commit 18170d7fd5
3 changed files with 10 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
New/Shorewall/Chains.pm
View File

@ -1243,6 +1243,7 @@ sub expand_rule( $$$$$$$$$$ )
$oexcl = $2; $oexcl = $2;
} else { } else {
$oexcl = ''; $oexcl = '';
$onets = $origdest;
} }
unless ( $onets ) { unless ( $onets ) {

7
New/Shorewall/Providers.pm
View File

@ -56,12 +56,15 @@ my %providers = ( 'local' => { number => LOCAL_NUMBER , mark => 0 } ,
my @providers; my @providers;
# #
# Set up marking for 'tracked' interfaces. Unline in Shorewall 3.x, we add these rules inconditionally, even if the associated interface isn't up. # Set up marking for 'tracked' interfaces. Unline in Shorewall 3.x, we add these rules unconditionally, even if the associated interface isn't up.
# #
sub setup_route_marking() { sub setup_route_marking() {
my $mask = $config{HIGH_ROUTE_MARKS} ? '0xFFFF' : '0xFF'; my $mask = $config{HIGH_ROUTE_MARKS} ? '0xFFFF' : '0xFF';
my $mark_op = $config{HIGH_ROUTE_MARKS} ? '--or-mark' : '--set-mark'; my $mark_op = $config{HIGH_ROUTE_MARKS} ? '--or-mark' : '--set-mark';
require_capability( 'CONNMARK_MATCH' , 'the provider \'track\' option' );
require_capability( 'CONNMARK' , 'the provider \'track\' option' );
add_rule $mangle_table->{PREROUTING} , "-m connmark ! --mark 0/$mask -j CONNMARK --restore-mark --mask $mask"; add_rule $mangle_table->{PREROUTING} , "-m connmark ! --mark 0/$mask -j CONNMARK --restore-mark --mask $mask";
add_rule $mangle_table->{OUTPUT} , " -m connmark ! --mark 0/$mask -j CONNMARK --restore-mark --mask $mask"; add_rule $mangle_table->{OUTPUT} , " -m connmark ! --mark 0/$mask -j CONNMARK --restore-mark --mask $mask";
@ -145,8 +148,6 @@ sub setup_providers() {
my ($table, $number, $mark, $duplicate, $interface, $gateway, $options, $copy) = @_; my ($table, $number, $mark, $duplicate, $interface, $gateway, $options, $copy) = @_;
fatal_error 'Providers require mangle support in your kernel and iptables' unless $capabilities{MANGLE_ENABLED};
fatal_error "Duplicate provider ( $table )" if $providers{$table}; fatal_error "Duplicate provider ( $table )" if $providers{$table};
for my $provider ( keys %providers ) { for my $provider ( keys %providers ) {

7
New/Shorewall/Rules.pm
View File

@ -980,10 +980,11 @@ sub process_rule1 ( $$$$$$$$$ ) {
} }
$serverport = $ports; $serverport = $ports;
} elsif ( $action eq ' -j DNAT' ) { } elsif ( $action eq 'DNAT' ) {
$target = '-j DNAT ';
$serverport = ":$serverport" if $serverport; $serverport = ":$serverport" if $serverport;
for my $serv ( split /,/, $server ) { for my $serv ( split /,/, $server ) {
$target .= "--to ${serv}${serverport} "; $target .= "--to-destination ${serv}${serverport} ";
} }
} }
@ -1019,6 +1020,8 @@ sub process_rule1 ( $$$$$$$$$ ) {
unless ( $actiontype & NATONLY ) { unless ( $actiontype & NATONLY ) {
$rule = join( '', do_proto( $proto, $ports, $sports ), do_ratelimit( $ratelimit ), do_user $user ); $rule = join( '', do_proto( $proto, $ports, $sports ), do_ratelimit( $ratelimit ), do_user $user );
$loglevel = ''; $loglevel = '';
$dest = $server;
$action = 'ACCEPT';
} }
} else { } else {
if ( $actiontype & NONAT ) { if ( $actiontype & NONAT ) {