Apply Luigi's MARK patches

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@6181 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2007-05-01 21:08:33 +00:00
parent a275d33cd2
commit 58678ec18f
8 changed files with 127 additions and 60 deletions


@ -7,6 +7,6 @@
# additional information about how to use this file. # additional information about how to use this file.
# #
##################################################################################### #####################################################################################
#ACTION CHAIN SOURCE DESTINATION PROTO DEST SOURCE USER/ #ACTION CHAIN SOURCE DESTINATION PROTO DEST SOURCE USER/ MARK
# PORT(S) PORT(S) GROUP # PORT(S) PORT(S) GROUP
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -6,5 +6,5 @@
# For additional information, see http://shorewall.net/Documentation.htm#Masq # For additional information, see http://shorewall.net/Documentation.htm#Masq
# #
############################################################################### ###############################################################################
#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC #INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE


@ -6,7 +6,7 @@
# See http://shorewall.net/Documentation.htm#Rules for additional information. # See http://shorewall.net/Documentation.htm#Rules for additional information.
# #
############################################################################################################# #############################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
# PORT PORT(S) DEST LIMIT GROUP # PORT PORT(S) DEST LIMIT GROUP
#SECTION ESTABLISHED #SECTION ESTABLISHED
#SECTION RELATED #SECTION RELATED


@ -4,6 +4,6 @@
# For information about entries in this file, type "man shorewall-tos" # For information about entries in this file, type "man shorewall-tos"
# #
############################################################################### ###############################################################################
#SOURCE DEST PROTOCOL SOURCE DEST TOS #SOURCE DEST PROTOCOL SOURCE DEST TOS MARK
# PORTS PORTS # PORTS PORTS
#LAST LINE -- Add your entries above -- DO NOT REMOVE #LAST LINE -- Add your entries above -- DO NOT REMOVE


@ -1621,6 +1621,7 @@ __EOF__
# ratelimit = Optional rate limiting clause # ratelimit = Optional rate limiting clause
# userandgroup = -m owner clause # userandgroup = -m owner clause
# userspec = User name # userspec = User name
# mark = Packet mark
# logtag = Log tag # logtag = Log tag
# policy = Applicable Policy # policy = Applicable Policy
# #
@ -1762,6 +1763,7 @@ add_a_rule() {
servport=$serverport servport=$serverport
multiport= multiport=
user="$userandgroup" user="$userandgroup"
mrk="$mark"
# Restore $chain to the canonical chain. # Restore $chain to the canonical chain.
@ -1808,7 +1810,7 @@ add_a_rule() {
# #
# This function is called from process_default_macro() after rules are DONE # This function is called from process_default_macro() after rules are DONE
# #
if [ -z "$proto" -a -z "$cli" -a -z "$serv" -a -z "$servport" -a -z "$user" -a -z "$excludesource" -a -z "$excludedest" ] ; then if [ -z "$proto" -a -z "$cli" -a -z "$serv" -a -z "$servport" -a -z "$user" -a -z "$excludesource" -a -z "$excludedest" -a -z "$mark" ] ; then
error_message "WARNING -- Rule \"$rule\" is a POLICY" error_message "WARNING -- Rule \"$rule\" is a POLICY"
error_message " -- and should be moved to the policy file" error_message " -- and should be moved to the policy file"
fi fi
@ -1867,7 +1869,7 @@ add_a_rule() {
if [ -n "$addr" -a -n "$CONNTRACK_MATCH" ]; then if [ -n "$addr" -a -n "$CONNTRACK_MATCH" ]; then
if [ "$addr" = detect ]; then if [ "$addr" = detect ]; then
indent >&3 << __EOF__ indent >&3 << __EOF__
run_iptables -A $chain $state $proto $ratelimit $multiport $cli $sports $(dest_ip_range $srv) $dports -m conntrack --ctorigdst \$adr $user -j $target run_iptables -A $chain $state $proto $ratelimit $multiport $cli $sports $(dest_ip_range $srv) $dports -m conntrack --ctorigdst \$adr $user $mrk -j $target
done done
__EOF__ __EOF__
@ -1875,44 +1877,44 @@ __EOF__
for adr in $(separate_list $addr); do for adr in $(separate_list $addr); do
if [ -n "$loglevel" -a -z "$natrule" ]; then if [ -n "$loglevel" -a -z "$natrule" ]; then
log_rule_limit $loglevel $chain $logchain $logtarget "$ratelimit" "$logtag" -A -m conntrack --ctorigdst $adr \ log_rule_limit $loglevel $chain $logchain $logtarget "$ratelimit" "$logtag" -A -m conntrack --ctorigdst $adr \
$user $(fix_bang $proto $sports $multiport $cli $(dest_ip_range $srv) $dports) $state $user $mrk $(fix_bang $proto $sports $multiport $cli $(dest_ip_range $srv) $dports) $state
fi fi
run_iptables2 -A $chain $state $proto $ratelimit $multiport $cli $sports \ run_iptables2 -A $chain $state $proto $ratelimit $multiport $cli $sports \
$(dest_ip_range $srv) $dports -m conntrack --ctorigdst $adr $user -j $target $(dest_ip_range $srv) $dports -m conntrack --ctorigdst $adr $user $mrk -j $target
done done
fi fi
else else
if [ -n "$loglevel" -a -z "$natrule" ]; then if [ -n "$loglevel" -a -z "$natrule" ]; then
log_rule_limit $loglevel $chain $logchain $logtarget "$ratelimit" "$logtag" -A $user \ log_rule_limit $loglevel $chain $logchain $logtarget "$ratelimit" "$logtag" -A $user $mrk \
$state $(fix_bang $proto $sports $multiport $cli $(dest_ip_range $srv) $dports) $state $(fix_bang $proto $sports $multiport $cli $(dest_ip_range $srv) $dports)
fi fi
if [ -n "$nonat" ]; then if [ -n "$nonat" ]; then
addnatrule $(dnat_chain $source) $proto $multiport \ addnatrule $(dnat_chain $source) $proto $multiport \
$cli $sports $(dest_ip_range $srv) $dports $ratelimit $user -j RETURN $cli $sports $(dest_ip_range $srv) $dports $ratelimit $user $mrk -j RETURN
fi fi
if [ "$logtarget" != NONAT ]; then if [ "$logtarget" != NONAT ]; then
run_iptables2 -A $chain $state $proto $multiport $cli $sports \ run_iptables2 -A $chain $state $proto $multiport $cli $sports \
$(dest_ip_range $srv) $dports $ratelimit $user -j $target $(dest_ip_range $srv) $dports $ratelimit $user $mrk -j $target
fi fi
fi fi
done done
done done
else else
if [ -n "$loglevel" -a -z "$natrule" ]; then if [ -n "$loglevel" -a -z "$natrule" ]; then
log_rule_limit $loglevel $chain $logchain $logtarget "$ratelimit" "$logtag" -A $user \ log_rule_limit $loglevel $chain $logchain $logtarget "$ratelimit" "$logtag" -A $user $mrk \
$state $(fix_bang $proto $sports $multiport $cli $dports) $state $(fix_bang $proto $sports $multiport $cli $dports)
fi fi
[ -n "$nonat" ] && \ [ -n "$nonat" ] && \
addnatrule $(dnat_chain $source) $proto $multiport \ addnatrule $(dnat_chain $source) $proto $multiport \
$cli $sports $dports $ratelimit $user -j RETURN $cli $sports $dports $ratelimit $user $mrk -j RETURN
[ "$logtarget" != NONAT ] && \ [ "$logtarget" != NONAT ] && \
run_iptables2 -A $chain $state $proto $multiport $cli $sports \ run_iptables2 -A $chain $state $proto $multiport $cli $sports \
$dports $ratelimit $user -j $target $dports $ratelimit $user $mrk -j $target
fi fi
fi fi
else else
@ -1926,37 +1928,37 @@ __EOF__
if [ -n "$addr" ]; then if [ -n "$addr" ]; then
for adr in $(separate_list $addr); do for adr in $(separate_list $addr); do
if [ -n "$loglevel" ]; then if [ -n "$loglevel" ]; then
log_rule_limit $loglevel $chain $logchain $logtarget "$ratelimit" "$logtag" -A $user \ log_rule_limit $loglevel $chain $logchain $logtarget "$ratelimit" "$logtag" -A $user $mrk \
$state $(fix_bang $proto $multiport $cli $dest_interface $sports $dports -m conntrack --ctorigdst $adr) $state $(fix_bang $proto $multiport $cli $dest_interface $sports $dports -m conntrack --ctorigdst $adr)
fi fi
if [ "$logtarget" != LOG ]; then if [ "$logtarget" != LOG ]; then
if [ -n "$nonat" ]; then if [ -n "$nonat" ]; then
addnatrule $(dnat_chain $source) $proto $multiport \ addnatrule $(dnat_chain $source) $proto $multiport \
$cli $sports $dports $ratelimit $user -m conntrack --ctorigdst $adr -j RETURN $cli $sports $dports $ratelimit $user $mrk -m conntrack --ctorigdst $adr -j RETURN
fi fi
if [ "$logtarget" != NONAT ]; then if [ "$logtarget" != NONAT ]; then
run_iptables2 -A $chain $state $proto $multiport $cli $dest_interface \ run_iptables2 -A $chain $state $proto $multiport $cli $dest_interface \
$sports $dports $ratelimit $user -m conntrack --ctorigdst $adr -j $target $sports $dports $ratelimit $user $mrk -m conntrack --ctorigdst $adr -j $target
fi fi
fi fi
done done
else else
if [ -n "$loglevel" ]; then if [ -n "$loglevel" ]; then
log_rule_limit $loglevel $chain $logchain $logtarget "$ratelimit" "$logtag" -A $user \ log_rule_limit $loglevel $chain $logchain $logtarget "$ratelimit" "$logtag" -A $user $mrk \
$state $(fix_bang $proto $multiport $cli $dest_interface $sports $dports) $state $(fix_bang $proto $multiport $cli $dest_interface $sports $dports)
fi fi
if [ "$logtarget" != LOG ]; then if [ "$logtarget" != LOG ]; then
if [ -n "$nonat" ]; then if [ -n "$nonat" ]; then
addnatrule $(dnat_chain $source) $proto $multiport \ addnatrule $(dnat_chain $source) $proto $multiport \
$cli $sports $dports $ratelimit $user -j RETURN $cli $sports $dports $ratelimit $user $mrk -j RETURN
fi fi
if [ "$logtarget" != NONAT ]; then if [ "$logtarget" != NONAT ]; then
run_iptables2 -A $chain $state $proto $multiport $cli $dest_interface \ run_iptables2 -A $chain $state $proto $multiport $cli $dest_interface \
$sports $dports $ratelimit $user -j $target $sports $dports $ratelimit $user $mrk -j $target
fi fi
fi fi
fi fi
@ -2037,6 +2039,21 @@ process_ratelimit() {
fi fi
} }
#
# Process the MARK column contents
#
process_mark() {
[ "x$mark" = "x-" ] && mark=
if [ -n "$mark" ]; then
if [ "$mark" = "${mark%!*}" ]; then
mark="-m mark --mark $mark"
else
mark="-m mark ! --mark ${mark#*!}"
fi
fi
}
# #
# Combine a source/dest from the macro body with one from the macro invocation # Combine a source/dest from the macro body with one from the macro invocation
# #
@ -2070,6 +2087,7 @@ process_rule() # $1 = target
# $7 = address # $7 = address
# $8 = ratelimit # $8 = ratelimit
# $9 = userspec # $9 = userspec
# $10= mark
{ {
local target="$1" local target="$1"
local clients="$2" local clients="$2"
@ -2080,12 +2098,15 @@ process_rule() # $1 = target
local address="$7" local address="$7"
local ratelimit="$8" local ratelimit="$8"
local userspec="$9" local userspec="$9"
local mark="${10}"
local userandgroup= local userandgroup=
local logtag= local logtag=
local nonat= local nonat=
# # # # # F u n c t i o n B o d y # # # # # # # # # # F u n c t i o n B o d y # # # # #
process_mark
process_ratelimit process_ratelimit
# Isolate log level # Isolate log level
@ -2427,6 +2448,7 @@ process_macro() # $1 = target
# $7 = address # $7 = address
# $8 = ratelimit # $8 = ratelimit
# $9 = userspec # $9 = userspec
# $10= mark
{ {
local itarget="$1" local itarget="$1"
local param="$2" local param="$2"
@ -2438,6 +2460,7 @@ process_macro() # $1 = target
local iaddress="$8" local iaddress="$8"
local iratelimit="$9" local iratelimit="$9"
local iuserspec="${10}" local iuserspec="${10}"
local imark="${11}"
progress_message "..Expanding Macro $(find_file macro.${itarget%%:*})..." progress_message "..Expanding Macro $(find_file macro.${itarget%%:*})..."
@ -2506,7 +2529,7 @@ process_macro() # $1 = target
[ -n "$iuserspec" ] && [ "x${iuserspec}" != x- ] && muserspec=$iuserspec [ -n "$iuserspec" ] && [ "x${iuserspec}" != x- ] && muserspec=$iuserspec
rule="$mtarget ${mclients=-} ${mservers:=-} ${mprotocol:=-} ${mports:=-} ${mcports:=-} ${xaddress:=-} ${mratelimit:=-} ${muserspec:=-}" rule="$mtarget ${mclients=-} ${mservers:=-} ${mprotocol:=-} ${mports:=-} ${mcports:=-} ${xaddress:=-} ${mratelimit:=-} ${muserspec:=-}"
process_rule $mtarget $mclients $mservers $mprotocol $mports $mcports ${iaddress:=-} $mratelimit $muserspec process_rule $mtarget $mclients $mservers $mprotocol $mports $mcports ${iaddress:=-} $mratelimit $muserspec $imark
done < $TMP_DIR/macro.${itarget%%:*} done < $TMP_DIR/macro.${itarget%%:*}
@ -2545,10 +2568,10 @@ process_rules()
fi fi
fi fi
if [ "$1" = Yes ]; then if [ "$1" = Yes ]; then
process_macro $xtarget "$xparam" $yclients $yservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec process_macro $xtarget "$xparam" $yclients $yservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec $xmark
else else
rule="$xtarget $yclients $yservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec" rule="$xtarget $yclients $yservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec $xmark"
process_rule $xtarget $yclients $yservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec process_rule $xtarget $yclients $yservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec $xmark
fi fi
fi fi
fi fi
@ -2612,16 +2635,16 @@ process_rules()
esac esac
if [ "$1" = Yes ]; then if [ "$1" = Yes ]; then
process_macro $xtarget "$xparam" $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec process_macro $xtarget "$xparam" $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec $xmark
else else
rule="$xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec" rule="$xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec $xmark"
process_rule $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec process_rule $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec $xmark
fi fi
} }
while read xtarget xclients xservers xprotocol xports xcports xaddress xratelimit xuserspec; do while read xtarget xclients xservers xprotocol xports xcports xaddress xratelimit xuserspec xmark; do
if [ "x$xclients" = xnone -o "x$servers" = xnone ]; then if [ "x$xclients" = xnone -o "x$servers" = xnone ]; then
rule="$xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec" rule="$xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec $xmark"
progress_message " Rule \"$rule\" ignored." progress_message " Rule \"$rule\" ignored."
continue continue
fi fi
@ -2638,7 +2661,7 @@ process_rules()
;; ;;
COMMENT) COMMENT)
if [ -n "$COMMENTS" ]; then if [ -n "$COMMENTS" ]; then
comment=$(echo $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec) comment=$(echo $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec $xmark)
save_command COMMENT=\"$comment\" save_command COMMENT=\"$comment\"
else else
error_message "COMMENT ignored -- requires comment support in iptables/Netfilter" error_message "COMMENT ignored -- requires comment support in iptables/Netfilter"
@ -2703,7 +2726,7 @@ process_rules()
strip_file $f $fn strip_file $f $fn
do_it Yes do_it Yes
else else
rule="$xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec" rule="$xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec $xmark"
fatal_error "Invalid Action in rule \"$rule\"" fatal_error "Invalid Action in rule \"$rule\""
fi fi
fi fi
@ -2942,6 +2965,15 @@ process_tos_rule() {
protocol="${protocol:+-p $protocol}" protocol="${protocol:+-p $protocol}"
[ "x$mark" = x- ] && mark=
if [ -n "$mark" ]; then
if [ "$mark" = "${mark%!*}" ]; then
mark="-m mark --mark $mark"
else
mark="-m mark ! --mark ${mark#*!}"
fi
fi
tos="-j TOS --set-tos $tos" tos="-j TOS --set-tos $tos"
case "$dstzone" in case "$dstzone" in
@ -2964,24 +2996,24 @@ process_tos_rule() {
case $srczone in case $srczone in
$FW) $FW)
run_iptables2 -t mangle -A outtos \ run_iptables2 -t mangle -A outtos \
$protocol $dest $dports $sports $tos $protocol $dest $dports $sports $mark $tos
;; ;;
all|ALL) all|ALL)
run_iptables2 -t mangle -A outtos \ run_iptables2 -t mangle -A outtos \
$protocol $dest $dports $sports $tos $protocol $dest $dports $sports $mark $tos
run_iptables2 -t mangle -A $chain \ run_iptables2 -t mangle -A $chain \
$protocol $dest $dports $sports $tos $protocol $dest $dports $sports $mark $tos
;; ;;
*) *)
if [ -n "$src" ]; then if [ -n "$src" ]; then
run_iptables2 -t mangle -A $chain $src \ run_iptables2 -t mangle -A $chain $src \
$protocol $dest $dports $sports $tos $protocol $dest $dports $sports $mark $tos
else else
eval hosts=\$${srczone}_hosts eval hosts=\$${srczone}_hosts
for host in $hosts; do for host in $hosts; do
run_iptables2 -t mangle -A $chain $(match_source $host) \ run_iptables2 -t mangle -A $chain $(match_source $host) \
$protocol $dest $dports $sports $tos $protocol $dest $dports $sports $mark $tos
done done
fi fi
;; ;;
@ -3013,8 +3045,8 @@ process_tos() # $1 = name of tos file
createmanglechain $chain createmanglechain $chain
createmanglechain outtos createmanglechain outtos
while read src dst protocol sport dport tos; do while read src dst protocol sport dport tos mark; do
rule="$(echo $src $dst $protocol $sport $dport $tos)" rule="$(echo $src $dst $protocol $sport $dport $tos $mark)"
process_tos_rule process_tos_rule
done < $TMP_DIR/tos done < $TMP_DIR/tos
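Review bot: process_tos_rule re-implements the MARK parsing that this same commit factors into process_mark() (the `[ "x$mark" = x- ] && mark=` line through the `-m mark ! --mark` branch), so the two copies can drift; replacing that block with a single `process_mark` call keeps one parser. Neither copy rejects a value that is empty after the `!`, so a MARK column of just `!` compiles to `-m mark ! --mark` with no argument and only fails when iptables runs the generated script; a compile-time check such as `[ -z "${mark#*!}" ] && fatal_error "Invalid MARK ($mark)"` at the top of the non-empty branch would surface it earlier. In process_macro the `rule=` string used for diagnostics is not extended with the mark while the process_rule call on the next line does pass `$imark`, unlike the process_rules hunks where both carry `$xmark`. process_tos_rule and process_macro both start outside their hunks.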


@ -35,11 +35,11 @@ process_accounting_rule() {
user1= user1=
accounting_error() { accounting_error() {
error_message "WARNING: Invalid Accounting rule" $action $chain $source $dest $proto $port $sport $user error_message "WARNING: Invalid Accounting rule" $action $chain $source $dest $proto $port $sport $user $mark
} }
accounting_interface_error() { accounting_interface_error() {
error_message "WARNING: Unknown interface $1 in " $action $chain $source $dest $proto $port $sport $user error_message "WARNING: Unknown interface $1 in " $action $chain $source $dest $proto $port $sport $user $mark
} }
accounting_interface_verify() { accounting_interface_verify() {
@ -195,6 +195,18 @@ process_accounting_rule() {
;; ;;
esac esac
[ -n "$mark" ] && case $mark in
-|any|all)
mark=
;;
!*)
rule="$rule -m mark ! --mark ${mark#*!}"
;;
*)
rule="$rule -m mark --mark $mark"
;;
esac
case $action in case $action in
COUNT) COUNT)
;; ;;
@ -239,7 +251,7 @@ setup_accounting() # $1 = Name of accounting file
save_progress_message "Setting up Accounting..." save_progress_message "Setting up Accounting..."
while read action chain source dest proto port sport user ; do while read action chain source dest proto port sport user mark ; do
process_accounting_rule process_accounting_rule
done < $TMP_DIR/accounting done < $TMP_DIR/accounting
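Review bot: The MARK spellings cleared here (`-|any|all`) differ from the compiler's process_mark, which treats only `-` as empty, so `any` or `all` in a rules-file MARK column would be emitted as `--mark any` and fail in iptables while the same spelling is silently accepted in the accounting file; either both parsers should accept the same set or the accounting-only aliases need documenting. A bare `!` also matches the `!*` arm and appends `-m mark ! --mark` with no value, which is only caught at iptables run time; a `[ -z "${mark#*!}" ] && fatal_error "Invalid MARK ($mark)"` guard before the case would report it at compile time. process_accounting_rule starts outside the hunk.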


@ -245,6 +245,7 @@ process_action() # $1 = chain (Chain to add the rules to)
# $8 = cports # $8 = cports
# $9 = ratelimit # $9 = ratelimit
# $10 = userspec # $10 = userspec
# $11 = mark
{ {
local chain="$1" local chain="$1"
local action="$2" local action="$2"
@ -256,6 +257,7 @@ process_action() # $1 = chain (Chain to add the rules to)
local cports="$8" local cports="$8"
local ratelimit="$9" local ratelimit="$9"
local userspec="${10}" local userspec="${10}"
local mark="${11}"
local userandgroup= local userandgroup=
local logtag= local logtag=
@ -322,6 +324,16 @@ process_action() # $1 = chain (Chain to add the rules to)
[ "$userandgroup" = "-m owner" ] && userandgroup= [ "$userandgroup" = "-m owner" ] && userandgroup=
fi fi
[ "x$mark" = "x-" ] && mark=
if [ -n "$mark" ]; then
if [ "$mark" = "${mark%!*}" ]; then
mark="-m mark --mark $mark"
else
mark="-m mark ! --mark ${mark#*!}"
fi
fi
# Isolate log level # Isolate log level
if [ "$target" = "${target%:*}" ]; then if [ "$target" = "${target%:*}" ]; then
@ -579,7 +591,7 @@ process_actions1() {
if [ -f $fn ]; then if [ -f $fn ]; then
progress_message2 " Pre-processing $fn..." progress_message2 " Pre-processing $fn..."
strip_file $f $fn strip_file $f $fn
while read xtarget xclients xservers xprotocol xports xcports xratelimit $xuserspec; do while read xtarget xclients xservers xprotocol xports xcports xratelimit $xuserspec $xmark; do
temp="${xtarget%%:*}" temp="${xtarget%%:*}"
case "$temp" in case "$temp" in
ACCEPT|DROP|REJECT|LOG|QUEUE|CONTINUE) ACCEPT|DROP|REJECT|LOG|QUEUE|CONTINUE)
@ -600,7 +612,7 @@ process_actions1() {
ACCEPT|DROP|REJECT|LOG|QUEUE|CONTINUE) ACCEPT|DROP|REJECT|LOG|QUEUE|CONTINUE)
;; ;;
*) *)
rule="$xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec" rule="$xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec $xmark"
fatal_error "Invalid Macro Parameter in rule \"$rule\"" fatal_error "Invalid Macro Parameter in rule \"$rule\""
;; ;;
esac esac
@ -633,7 +645,7 @@ process_actions1() {
progress_message " ..End Macro" progress_message " ..End Macro"
else else
rule="$xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec" rule="$xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec $xmark"
fatal_error "Invalid TARGET in rule \"$rule\"" fatal_error "Invalid TARGET in rule \"$rule\""
fi fi
fi fi
@ -715,7 +727,7 @@ process_action3() {
progress_message2 "$DOING $(find_file $f) for Chain $xchain..." progress_message2 "$DOING $(find_file $f) for Chain $xchain..."
while read xtarget xclients xservers xprotocol xports xcports xratelimit xuserspec; do while read xtarget xclients xservers xprotocol xports xcports xratelimit xuserspec xmark; do
# #
# Generate the target:level:tag to pass to process_action() # Generate the target:level:tag to pass to process_action()
# #
@ -734,7 +746,7 @@ process_action3() {
;; ;;
COMMENT) COMMENT)
if [ -n "$COMMENTS" ]; then if [ -n "$COMMENTS" ]; then
comment=$(echo $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec) comment=$(echo $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec $xmark)
save_command COMMENT=\"$comment\" save_command COMMENT=\"$comment\"
else else
error_message "COMMENT ignored -- requires comment support in iptables/Netfilter" error_message "COMMENT ignored -- requires comment support in iptables/Netfilter"
@ -817,13 +829,13 @@ process_action3() {
[ -n "$xratelimit" ] && [ "x${xratelimit}" != x- ] && mratelimit=$xratelimit [ -n "$xratelimit" ] && [ "x${xratelimit}" != x- ] && mratelimit=$xratelimit
[ -n "$xuserspec" ] && [ "x${xuserspec}" != x- ] && muserspec=$xuserspec [ -n "$xuserspec" ] && [ "x${xuserspec}" != x- ] && muserspec=$xuserspec
rule="$mtarget ${mclients:=-} ${mservers:=-} ${mprotocol:=-} ${mports:=-} ${mcports:=-} ${mratelimit:-} ${muserspec:=-}" rule="$mtarget ${mclients:=-} ${mservers:=-} ${mprotocol:=-} ${mports:=-} ${mcports:=-} ${mratelimit:-} ${muserspec:=-} $xmark"
process_action $xchain $xaction1 $mtarget $mclients $mservers $mprotocol $mports $mcports $mratelimit $muserspec process_action $xchain $xaction1 $mtarget $mclients $mservers $mprotocol $mports $mcports $mratelimit $muserspec $xmark
done < $TMP_DIR/macro.$xtarget1 done < $TMP_DIR/macro.$xtarget1
progress_message "..End Macro" progress_message "..End Macro"
else else
rule="$xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec" rule="$xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec $xmark"
process_action $xchain $xaction1 $xaction2 $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec process_action $xchain $xaction1 $xaction2 $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec $xmark
fi fi
done < $TMP_DIR/$f done < $TMP_DIR/$f
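Review bot: In process_actions1 the new column is added to the `read` list as `$xmark` (copying the pre-existing `$xuserspec`), so the shell expands the variable before `read` runs and, when it is empty, `read` never assigns `xmark`; the later `rule=… $xuserspec $xmark` strings in this function then print whatever a previous line left in those variables, and a non-empty stale value would make `read` fail on an invalid identifier. The line should name the variables, `while read xtarget xclients xservers xprotocol xports xcports xratelimit xuserspec xmark; do`, as process_action3 already does. The inline parsing block added to process_action duplicates the logic of process_mark added to the compiler in this commit, so the two can drift apart. process_actions1 and process_action both start outside their hunks.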


@ -154,6 +154,8 @@ setup_masq()
[ "x$proto" = x- ] && proto= [ "x$proto" = x- ] && proto=
[ "x$ports" = x- ] && ports= [ "x$ports" = x- ] && ports=
[ "x$mark" = x- ] && mark=
if [ -n "$proto" ]; then if [ -n "$proto" ]; then
displayproto="($proto)" displayproto="($proto)"
@ -203,6 +205,15 @@ setup_masq()
[ -n "$ports" ] && fatal_error "Ports only allowed with UDP or TCP ($ports)" [ -n "$ports" ] && fatal_error "Ports only allowed with UDP or TCP ($ports)"
fi fi
if [ -n "$mark" ]; then
displaymark="($mark)"
if [ "$mark" = "${mark%!*}" ]; then
mark="-m mark --mark $mark"
else
mark="-m mark ! --mark ${mark#*!}"
fi
fi
destination=${destnets:=0.0.0.0/0} destination=${destnets:=0.0.0.0/0}
[ -z "$pre_nat" ] && chain=$(masq_chain $interface) || chain=$(snat_chain $interface) [ -z "$pre_nat" ] && chain=$(masq_chain $interface) || chain=$(snat_chain $interface)
@ -217,7 +228,7 @@ setup_masq()
if [ -n "$networks" ]; then if [ -n "$networks" ]; then
for s in $networks; do for s in $networks; do
addnatrule $chain $(source_ip_range $s) $proto $ports $policy -j $newchain addnatrule $chain $(source_ip_range $s) $proto $ports $mark $policy -j $newchain
done done
networks= networks=
elif [ -n "$detectinterface" ]; then elif [ -n "$detectinterface" ]; then
@ -228,7 +239,7 @@ networks="\$(get_routed_networks $detectinterface)"
[ -z "\$networks" ] && fatal_error "Unable to determine the routes through interface \"$detectinterface\"" [ -z "\$networks" ] && fatal_error "Unable to determine the routes through interface \"$detectinterface\""
for network in \$networks; do for network in \$networks; do
run_iptables -t nat -A $chain -s \$network $proto $ports $policy -j $newchain run_iptables -t nat -A $chain -s \$network $proto $ports $mark $policy -j $newchain
done done
__EOF__ __EOF__
@ -252,7 +263,7 @@ __EOF__
if [ -n "$networks" ]; then if [ -n "$networks" ]; then
for s in $networks; do for s in $networks; do
for destnet in $(separate_list $destnets); do for destnet in $(separate_list $destnets); do
addnatrule $chain $(both_ip_ranges $s $destnet) $proto $ports $policy -j $newchain addnatrule $chain $(both_ip_ranges $s $destnet) $proto $ports $mark $policy -j $newchain
done done
done done
elif [ -n "$detectinterface" ]; then elif [ -n "$detectinterface" ]; then
@ -266,7 +277,7 @@ for network in \$networks; do
__EOF__ __EOF__
for destnet in $(separate_list $destnets); do for destnet in $(separate_list $destnets); do
indent >&3 << __EOF__ indent >&3 << __EOF__
run_iptables -t nat -A $chain -s \$network $(dest_ip_range $destnet) $proto $ports $policy -j $newchain run_iptables -t nat -A $chain -s \$network $(dest_ip_range $destnet) $proto $ports $mark $policy -j $newchain
__EOF__ __EOF__
done done
indent >&3 << __EOF__ indent >&3 << __EOF__
@ -275,7 +286,7 @@ done
__EOF__ __EOF__
else else
for destnet in $(separate_list $destnets); do for destnet in $(separate_list $destnets); do
addnatrule $chain $(dest_ip_range $destnet) $proto $ports $policy -j $newchain addnatrule $chain $(dest_ip_range $destnet) $proto $ports $mark $policy -j $newchain
done done
fi fi
@ -379,7 +390,7 @@ __EOF__
if [ -n "$networks" ]; then if [ -n "$networks" ]; then
for network in $networks; do for network in $networks; do
for destnet in $(separate_list $destnets); do for destnet in $(separate_list $destnets); do
addnatrule $chain $(both_ip_ranges $network $destnet) $proto $ports $policy -j $target $addrlist addnatrule $chain $(both_ip_ranges $network $destnet) $proto $ports $mark $policy -j $target $addrlist
done done
if [ -n "$addresses" ]; then if [ -n "$addresses" ]; then
@ -399,7 +410,7 @@ for network in \$networks; do
__EOF__ __EOF__
for destnet in $(separate_list $destnets); do for destnet in $(separate_list $destnets); do
indent >&3 << __EOF__ indent >&3 << __EOF__
run_iptables -t nat -A $chain -s \$network $(dest_ip_range $destnet) $proto $ports $policy -j $target $addrlist run_iptables -t nat -A $chain -s \$network $(dest_ip_range $destnet) $proto $ports $mark $policy -j $target $addrlist
__EOF__ __EOF__
done done
@ -417,7 +428,7 @@ __EOF__
else else
for destnet in $(separate_list $destnets); do for destnet in $(separate_list $destnets); do
addnatrule $chain $(dest_ip_range $destnet) $proto $ports $policy -j $target $addrlist addnatrule $chain $(dest_ip_range $destnet) $proto $ports $mark $policy -j $target $addrlist
done done
if [ -n "$addresses" ]; then if [ -n "$addresses" ]; then
@ -433,11 +444,11 @@ __EOF__
progress_message2 "$DOING Masquerading/SNAT" progress_message2 "$DOING Masquerading/SNAT"
save_progress_message "Setting up Masquerading/SNAT..." save_progress_message "Setting up Masquerading/SNAT..."
while read fullinterface networks addresses proto ports ipsec; do while read fullinterface networks addresses proto ports ipsec mark; do
if [ -n "$NAT_ENABLED" ]; then if [ -n "$NAT_ENABLED" ]; then
if [ "x$fullinterface" = xCOMMENT ]; then if [ "x$fullinterface" = xCOMMENT ]; then
if [ -n "$COMMENTS" ]; then if [ -n "$COMMENTS" ]; then
comment=$(echo $networks $addresses $proto $ports $ipsec) comment=$(echo $networks $addresses $proto $ports $ipsec $mark)
save_command COMMENT=\"$comment\" save_command COMMENT=\"$comment\"
else else
error_message "COMMENT ignored -- requires comment support in iptables/Netfilter" error_message "COMMENT ignored -- requires comment support in iptables/Netfilter"