Interface lists in masq and nat files
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8068 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
3eb254c0b6
commit
545dd7dbc3
@ -115,56 +115,45 @@ sub do_ipsec_options($)
|
||||
#
|
||||
sub setup_one_masq($$$$$$$)
|
||||
{
|
||||
my ($fullinterface, $networks, $addresses, $proto, $ports, $ipsec, $mark) = @_;
|
||||
my ($interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark) = @_;
|
||||
|
||||
my $rule = '';
|
||||
my $pre_nat;
|
||||
my $add_snat_aliases = $config{ADD_SNAT_ALIASES};
|
||||
my $destnets = '';
|
||||
my $target = '-j MASQUERADE ';
|
||||
|
||||
#
|
||||
# Handle IPSEC options, if any
|
||||
#
|
||||
if ( $ipsec ne '-' ) {
|
||||
fatal_error "Non-empty IPSEC column requires policy match support in your kernel and iptables" unless $globals{ORIGINAL_POLICY_MATCH};
|
||||
|
||||
if ( $ipsec =~ /^yes$/i ) {
|
||||
$rule .= '-m policy --pol ipsec --dir out ';
|
||||
} elsif ( $ipsec =~ /^no$/i ) {
|
||||
$rule .= '-m policy --pol none --dir out ';
|
||||
} else {
|
||||
$rule .= do_ipsec_options $ipsec;
|
||||
}
|
||||
} elsif ( $capabilities{POLICY_MATCH} ) {
|
||||
$rule .= '-m policy --pol none --dir out ';
|
||||
}
|
||||
|
||||
#
|
||||
# Leading '+'
|
||||
#
|
||||
$pre_nat = 1 if $fullinterface =~ s/^\+//;
|
||||
$pre_nat = 1 if $interfacelist =~ s/^\+//;
|
||||
#
|
||||
# Parse the remaining part of the INTERFACE column
|
||||
#
|
||||
if ( $fullinterface =~ /^([^:]+)::([^:]*)$/ ) {
|
||||
if ( $interfacelist =~ /^([^:]+)::([^:]*)$/ ) {
|
||||
$add_snat_aliases = 0;
|
||||
$destnets = $2;
|
||||
$fullinterface = $1;
|
||||
} elsif ( $fullinterface =~ /^([^:]+:[^:]+):([^:]+)$/ ) {
|
||||
$interfacelist = $1;
|
||||
} elsif ( $interfacelist =~ /^([^:]+:[^:]+):([^:]+)$/ ) {
|
||||
$destnets = $2;
|
||||
$fullinterface = $1;
|
||||
} elsif ( $fullinterface =~ /^([^:]+):$/ ) {
|
||||
$interfacelist = $1;
|
||||
} elsif ( $interfacelist =~ /^([^:]+):$/ ) {
|
||||
$add_snat_aliases = 0;
|
||||
$fullinterface = $1;
|
||||
} elsif ( $fullinterface =~ /^([^:]+):([^:]*)$/ ) {
|
||||
$interfacelist = $1;
|
||||
} elsif ( $interfacelist =~ /^([^:]+):([^:]*)$/ ) {
|
||||
my ( $one, $two ) = ( $1, $2 );
|
||||
if ( $2 =~ /\./ ) {
|
||||
$fullinterface = $one;
|
||||
$interfacelist = $one;
|
||||
$destnets = $two;
|
||||
}
|
||||
}
|
||||
#
|
||||
# If there is no source or destination then allow all addresses
|
||||
#
|
||||
$networks = ALLIPv4 if $networks eq '-';
|
||||
$destnets = ALLIPv4 if $destnets eq '-';
|
||||
|
||||
for my $fullinterface (split /,/, $interfacelist ) {
|
||||
my $rule = '';
|
||||
my $target = '-j MASQUERADE ';
|
||||
#
|
||||
# Isolate and verify the interface part
|
||||
#
|
||||
@ -183,10 +172,22 @@ sub setup_one_masq($$$$$$$)
|
||||
|
||||
my $chainref = ensure_chain('nat', $pre_nat ? snat_chain $interface : masq_chain $interface);
|
||||
#
|
||||
# If there is no source or destination then allow all addresses
|
||||
# Handle IPSEC options, if any
|
||||
#
|
||||
$networks = ALLIPv4 if $networks eq '-';
|
||||
$destnets = ALLIPv4 if $destnets eq '-';
|
||||
if ( $ipsec ne '-' ) {
|
||||
fatal_error "Non-empty IPSEC column requires policy match support in your kernel and iptables" unless $globals{ORIGINAL_POLICY_MATCH};
|
||||
|
||||
if ( $ipsec =~ /^yes$/i ) {
|
||||
$rule .= '-m policy --pol ipsec --dir out ';
|
||||
} elsif ( $ipsec =~ /^no$/i ) {
|
||||
$rule .= '-m policy --pol none --dir out ';
|
||||
} else {
|
||||
$rule .= do_ipsec_options $ipsec;
|
||||
}
|
||||
} elsif ( $capabilities{POLICY_MATCH} ) {
|
||||
$rule .= '-m policy --pol none --dir out ';
|
||||
}
|
||||
|
||||
#
|
||||
# Handle Protocol and Ports
|
||||
#
|
||||
@ -295,6 +296,7 @@ sub setup_one_masq($$$$$$$)
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
progress_message " Masq record \"$currentline\" $done";
|
||||
|
||||
@ -399,7 +401,6 @@ sub do_one_nat( $$$$$ )
|
||||
}
|
||||
}
|
||||
|
||||
progress_message " NAT entry \"$currentline\" $done";
|
||||
}
|
||||
|
||||
#
|
||||
@ -413,12 +414,20 @@ sub setup_nat() {
|
||||
|
||||
while ( read_a_line ) {
|
||||
|
||||
my ( $external, $interface, $internal, $allints, $localnat ) = split_line1 3, 5, 'nat file';
|
||||
my ( $external, $interfacelist, $internal, $allints, $localnat ) = split_line1 3, 5, 'nat file';
|
||||
|
||||
if ( $external eq 'COMMENT' ) {
|
||||
process_comment;
|
||||
} else {
|
||||
do_one_nat $external, $interface, $internal, $allints, $localnat;
|
||||
( $interfacelist, my $digit ) = split /:/, $interfacelist;
|
||||
|
||||
$digit = defined $digit ? ":$digit" : '';
|
||||
|
||||
for my $interface ( split /,/, $interfacelist ) {
|
||||
do_one_nat $external, "${interface}${digit}", $internal, $allints, $localnat;
|
||||
}
|
||||
|
||||
progress_message " NAT entry \"$currentline\" $done";
|
||||
}
|
||||
|
||||
}
|
||||
|
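Review bot: In setup_nat, `( $interfacelist, my $digit ) = split /:/, $interfacelist;` splits on the first colon before the list is split on commas, so a line whose INTERFACE column is `eth0:1,eth1` yields `$interfacelist = 'eth0'` and `$digit = '1,eth1'`, and the loop then calls do_one_nat once with the interface name `eth0:1,eth1` instead of rejecting the entry. Since the suffix is meant to apply to every listed interface, reject a suffix that still contains a list separator right after the split: `fatal_error "Invalid INTERFACE suffix ($digit)" if defined $digit && $digit =~ /,/;`. The same colon-before-comma ordering appears in setup_one_masq's INTERFACE parsing in the first hunk, where `[^:]+` now matches the whole comma list, so a colon inside a non-final element lands in the last `elsif` rather than being reported; presumably the "Isolate and verify the interface part" code outside the hunk catches the malformed name, but that is worth confirming. An empty element (`eth0,,eth1`) also reaches do_one_nat as an empty string, and whether do_one_nat rejects it is not visible here.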