Export smarter ip_range() with the /sbin/shorewall iprange command

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@644 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall/changelog.txt

@@ -37,3 +37,7 @@ Changes since 1.4.5
 15. Added ipcalc command.
 
 16. Fixed handling of destination DNS names containing a "-"
+
+17. Make ip_range() smarter.
+
+18. Added /sbin/shorewall iprange command.

Shorewall/functions

@@ -270,11 +270,10 @@ encodeaddr() {
 # 32-bit signed arithmetic, the range cannot span 128.0.0.0.
 #
 ip_range() {
-    local first
-    local last
+    local first last l x y z vlsm
 
     case $1 in 
-    *.*.*.*-*.*.*.*)
+    [0-9]*.*.*.*-*.*.*.*)
 	;;
     *)
 	echo $1
@@ -285,13 +284,27 @@ ip_range() {
     first=`decodeaddr ${1%-*}`
     last=`decodeaddr ${1#*-}`
 
-    if [ $first -gt $last -o $(($last - $first)) -gt 256 ]; then
+    if [ $first -gt $last ]; then
 	fatal_error "Invalid IP address range: $1"
     fi
 
+    l=$(( $last + 1 ))
+
     while [ $first -le $last ]; do
-	echo `encodeaddr $first`
-	first=$(($first + 1))
+	vlsm=
+	x=31
+	y=2
+	z=1
+
+	while [ $(( $first % $y )) -eq 0 -a $(( $first + $y )) -le $l ]; do
+	    vlsm=$x
+	    x=$(( $x - 1 ))
+	    z=$y
+	    y=$(( $y * 2 ))
+	done
+
+	[ -n "$vlsm" ] && echo `encodeaddr $first`/$vlsm || echo `encodeaddr $first`
+	first=$(($first + $z))
     done
 }
 

Shorewall/releasenotes.txt

@@ -28,19 +28,14 @@ New Features:
    one on an interface.
 
 4) DNAT[-] rules may now be used to load balance (round-robin) over a
-   set of servers. Up to 256 servers may be specified in a range of
-   addresses given as <first address>-<last address>.
+   set of servers. Any number of servers may be specified in a range of
+   addresses given as <first address>-<last address> and multiple
+   ranges or individual servers may be specified in a comma-separated
+   list.
 
    Example:
 
-	DNAT net loc:192.168.10.2-192.168.10.5 tcp 80
-
-   Note that this capability has previously been available using a
-   combination of a DNAT- rule and one or more ACCEPT rules. That
-   technique is still preferable for load-balancing over a large number
-   of servers (> 16) since specifying a range in the DNAT rule causes
-   one filter table ACCEPT rule to be generated for each IP address in
-   the range.
+	DNAT net loc:192.168.10.2-192.168.10.5,192.168.10.44 tcp 80
 
 5) The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT configuration options
    have been removed and have been replaced by code that detects
@@ -113,3 +108,28 @@ New Features:
       dash), then the ipcalc command produces incorrect information for
       IP addresses 128.0.0.0-1 and for /1 networks. Bash should produce
       correct information for all valid IP addresses.
+
+9) An 'iprange' command has been added to /sbin/shorewall. 
+
+      iprange <address>-<address>
+
+   This command decomposes a range of IP addressses into a list of
+   network and host addresses. The command can be useful if you need to
+   construct an efficient set of rules that accept connections from a
+   range of network addresses.
+
+   Example:
+
+      [root@gateway root]# shorewall iprange 192.168.1.4-192.168.12.9
+      192.168.1.4/30
+      192.168.1.8/29
+      192.168.1.16/28
+      192.168.1.32/27
+      192.168.1.64/26
+      192.168.1.128/25
+      192.168.2.0/23
+      192.168.4.0/22
+      192.168.8.0/22
+      192.168.12.0/29
+      192.168.12.8/31
+      [root@gateway root]#

Shorewall/shorewall

@@ -86,6 +86,18 @@
 #
 #                                                  Displays information about the network
 #                                                  defined by the argument[s]
+#
+#          shorewall iprange <address>-<address>   Decomposes a range of IP addresses into
+#                                                  a list of network/host addresses.
+#
+# Fatal Error
+#
+fatal_error() # $@ = Message
+{
+    echo "   $@" >&2
+    exit 2
+}
+
 # Display a chain if it exists
 #
 
@@ -533,6 +545,7 @@ usage() # $1 = exit status
     echo "   allow <address> ..."
     echo "   save"
     echo "   ipcalc [ <address>/<vlsm> | <address> <netmask> ]"
+    echo "   iprange <address>-<address>"
     exit $1
 }
 
@@ -897,6 +910,16 @@ case "$1" in
 	temp=`broadcastaddress $address`; echo "   BROADCAST=$temp"
 	;;
 
+    iprange)
+	case $2 in
+	    *.*.*.*-*.*.*.*)
+		ip_range $2
+		;;
+	    *)
+		usage 1
+		;;
+	esac
+	;;
     call) 
 	#
 	# Undocumented way to call functions in /usr/share/shorewall/functions directly