Allow labels for aliases added under ADD_SNAT_ALIASES; improve masquerade algorithm
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@417 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
5b101f3a81
commit
4964497aa3
@ -2921,12 +2921,32 @@ setup_masq()
|
||||
setup_one() {
|
||||
local using
|
||||
|
||||
if [ "$interface" = "${interface%:*}" ]; then
|
||||
destnet="0.0.0.0/0"
|
||||
else
|
||||
destnet="${interface#*:}"
|
||||
interface="${interface%:*}"
|
||||
fi
|
||||
case $fullinterface in
|
||||
*:*:*)
|
||||
# Both alias name and subnet
|
||||
destnet="${fullinterface##*:}"
|
||||
fullinterface="${fullinterface%:*}"
|
||||
;;
|
||||
*:*)
|
||||
# Alias name OR subnet
|
||||
case ${fullinterface#*:} in
|
||||
*.*)
|
||||
# It's a subnet
|
||||
destnet="${fullinterface#*:}"
|
||||
fullinterface="${fullinterface%:*}"
|
||||
;;
|
||||
*)
|
||||
#it's an alias name
|
||||
destnet="0.0.0.0/0"
|
||||
;;
|
||||
esac
|
||||
;;
|
||||
*)
|
||||
destnet="0.0.0.0/0"
|
||||
;;
|
||||
esac
|
||||
|
||||
interface=${fullinterface%:*}
|
||||
|
||||
if ! list_search $interface $all_interfaces; then
|
||||
fatal_error "Error: Unknown interface $interface"
|
||||
@ -2966,7 +2986,7 @@ setup_masq()
|
||||
|
||||
if [ -n "$address" -a -n "$ADD_SNAT_ALIASES" ]; then
|
||||
list_search $address $aliases_to_add || \
|
||||
aliases_to_add="$aliases_to_add $address $interface"
|
||||
aliases_to_add="$aliases_to_add $address $fullinterface"
|
||||
fi
|
||||
|
||||
destination=$destnet
|
||||
@ -2998,23 +3018,19 @@ setup_masq()
|
||||
destnet="-d $destnet"
|
||||
fi
|
||||
|
||||
if [ -n "$address" ]; then
|
||||
if [ -n "$subnet" ]; then
|
||||
for s in $subnet; do
|
||||
addnatrule $chain -s $s $destnet $iface \
|
||||
-j SNAT --to-source $address
|
||||
echo " To $destination from $s through ${interface} using $address"
|
||||
done
|
||||
else
|
||||
addnatrule $chain $destnet $iface \
|
||||
-j SNAT --to-source $address
|
||||
echo " To $destination from $source through ${interface} using $address"
|
||||
fi
|
||||
elif [ -n "$subnet" ]; then
|
||||
if [ -n "$subnet" ]; then
|
||||
for s in $subnet; do
|
||||
addnatrule $chain -s $s $destnet $iface -j MASQUERADE
|
||||
echo " To $destination from $s through ${interface}"
|
||||
if [ -n "$address" ]; then
|
||||
addnatrule $chain -s $s $destnet $iface -j SNAT --to-source $address
|
||||
echo " To $destination from $s through ${interface} using $address"
|
||||
else
|
||||
addnatrule $chain -s $s $destnet $iface -j MASQUERADE
|
||||
echo " To $destination from $s through ${interface}"
|
||||
fi
|
||||
done
|
||||
elif [ -n "$address" ]; then
|
||||
addnatrule $chain $destnet $iface -j SNAT --to-source $address
|
||||
echo " To $destination from $source through ${interface} using $address"
|
||||
else
|
||||
addnatrule $chain $destnet $iface -j MASQUERADE
|
||||
echo " To $destination from $source through ${interface}"
|
||||
@ -3026,8 +3042,8 @@ setup_masq()
|
||||
|
||||
[ -n "$NAT_ENABLED" ] && echo "Masqueraded Subnets and Hosts:"
|
||||
|
||||
while read interface subnet address; do
|
||||
expandv interface subnet address
|
||||
while read fullinterface subnet address; do
|
||||
expandv fullinterface subnet address
|
||||
[ -n "$NAT_ENABLED" ] && setup_one || \
|
||||
error_message "Warning: NAT disabled; masq rule ignored"
|
||||
done < $TMP_DIR/masq
|
||||
|
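Review bot: In the first hunk (@ -2921) the inner `case ${fullinterface#*:}` of setup_one decides between subnet and alias label by the presence of a dot, so a dotless destination such as a hostname (`eth0:gateway`) is now silently taken as an alias label and destnet falls back to `0.0.0.0/0`, widening that SNAT/MASQUERADE rule to every destination where the old code passed the suffix as `-d`. The masq file comment in this same commit describes the label as ":" plus a digit, so the test could key on that instead: replace `*.*)` with `*[!0-9]*)` so anything containing a non-digit is treated as a destination and only an all-digit suffix becomes a label. A short comment on that branch, `# digits only = alias label; anything else is a destination host/subnet`, would document the rule for the next reader. setup_one continues outside the hunk.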
@ -9,7 +9,15 @@
|
||||
# Columns are:
|
||||
#
|
||||
# INTERFACE -- Outgoing interface. This is usually your internet
|
||||
# interface. This may be qualified by adding the character
|
||||
# interface. If ADD_SNAT_ALIASES=Yes in
|
||||
# /etc/shorewall/shorewall.conf, you may add ":" and
|
||||
# a digit to indicate that you want the alias added with
|
||||
# that name (e.g., eth0:0). This will allow the alias to
|
||||
# be displayed with ifconfig. THAT IS THE ONLY USE FOR
|
||||
# THE ALIAS NAME AND IT MAY NOT APPEAR IN ANY OTHER
|
||||
# PLACE IN YOUR SHOREWALL CONFIGURATION.
|
||||
#
|
||||
# This may be qualified by adding the character
|
||||
# ":" followed by a destination host or subnet.
|
||||
#
|
||||
#
|
||||
@ -74,13 +82,12 @@
|
||||
# Example 4:
|
||||
#
|
||||
# You want all outgoing traffic from 192.168.1.0/24 through
|
||||
# eth0 to use source address 206.124.146.176.
|
||||
# eth0 to use source address 206.124.146.176 which is NOT the
|
||||
# primary address of eth0. You want 206.124.146.176 added to
|
||||
# be added to eth0 with name eth0:0.
|
||||
#
|
||||
# eth0 192.168.1.0/24 206.124.146.176
|
||||
# eth0:0 192.168.1.0/24 206.124.146.176
|
||||
#
|
||||
# This would normally be done when you have a static external
|
||||
# IP address since it makes the processing of outgoing
|
||||
# packets somewhat faster.
|
||||
##############################################################################
|
||||
#INTERFACE SUBNET ADDRESS
|
||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
|
||||
|
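Review bot: The new Example 4 text in the second hunk (@ -74,13) reads "You want 206.124.146.176 added to be added to eth0 with name eth0:0", which duplicates the verb; it should read `# primary address of eth0. You want 206.124.146.176 added` followed by `# to eth0 with name eth0:0.`. The surrounding example lines are otherwise consistent with the new `eth0:0` syntax introduced in the first hunk.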