Add support for exclusion lists in /etc/shorewall/tcrules

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2509 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2005-08-16 18:54:11 +00:00
parent 7f459362d1
commit 6a087fd50e
3 changed files with 77 additions and 13 deletions


@ -1,3 +1,21 @@
Changes in 2.5.3
1) Allow exclusion lists in /etc/shorewall/tcrules.
Changes in 2.5.2
1) Allow port lists in /etc/sorewall/accounting.
2) Fix PKTTYPE=No and packet type match capability reporting.
3) Add FASTACCEPT option.
4) Generate error if norfc1918 is specified on an interface with an RFC
1918 IP address.
5) Implement exclusion lists in /etc/shorewall/rules.
Changes in 2.5.1
1) Make "shorewall add" work with 'ipsec' in hosts file.


@ -2941,7 +2941,7 @@ process_tc_rule()
if [ "x$source" != "x-" ]; then
case $source in
$FW:*)
chain=tcout
[ $chain = tcpost ] || chain=tcout
r="$(source_ip_range ${source#*:}) "
;;
*.*.*|+*|!+*)
@ -2951,7 +2951,7 @@ process_tc_rule()
r="$(mac_match $source) "
;;
$FW)
chain=tcout
[ $chain = tcpost ] || chain=tcout
;;
*)
verify_interface $source || fatal_error "Unknown interface $source in rule \"$rule\""
@ -3016,14 +3016,15 @@ process_tc_rule()
[ "x$sport" = "x-" ] || r="${r}--sport $sport "
case $chain in
tcpost)
run_iptables2 -t mangle -A tcpost $r -j CLASSIFY --set-class $mark
;;
*)
if [ -n "${excludesources}${excludedests}" ]; then
build_exclusion_chain chain1 mangle "$excludesources" "$excludedests"
run_iptables2 -t mangle -A $chain $r -j $chain1
run_iptables -t mangle -A $chain1 -j $target $mark
else
run_iptables2 -t mangle -A $chain $r -j $target $mark
;;
esac
fi
}
@ -3049,6 +3050,7 @@ process_tc_rule()
;;
*)
chain=tcpost
target="CLASSIFY --set-class"
;;
esac
@ -3118,8 +3120,44 @@ process_tc_rule()
esac
fi
for source in $(separate_list ${sources:=-}); do
for dest in $(separate_list ${dests:=-}); do
excludesources=
case ${sources:=-} in
*!*!*)
fatal_error "Invalid SOURCE in rule \"$rule\""
;;
!*)
if [ $(list_count $sourcess) -gt 1 ]; then
excludesources=${sources#!}
sources=-
fi
;;
*!*)
excludesources=${sources#*!}
sources=${sources%!*}
;;
esac
excludedests=
case ${dests:=-} in
*!*!*)
fatal_error "Invalid DEST in rule \"$rule\""
;;
!*)
if [ $(list_count $dests) -gt 1 ]; then
excludedests=${dests#*!}
dests=-
fi
;;
*!*)
excludedests=${dests#*!}
dests=${dests%!*}
;;
esac
for source in $(separate_list $sources); do
for dest in $(separate_list $dests); do
for port in $(separate_list ${ports:=-}); do
for sport in $(separate_list ${sports:=-}); do
add_a_tc_rule
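Review bot: The `!*` arm of the SOURCE case hands a misspelled variable to `list_count` — `if [ $(list_count $sourcess) -gt 1 ]; then` — so the count is computed over an empty argument instead of `$sources`, and the leading-`!` form in the SOURCE column will presumably never set `excludesources` (the parallel DEST arm correctly uses `$dests`). The line should read `if [ $(list_count $sources) -gt 1 ]; then`. `excludesources` is consumed only inside add_a_tc_rule, whose body is in the earlier hunk and partly outside it, and process_tc_rule itself begins before this hunk, so the downstream effect cannot be fully confirmed from here. A minor consistency point in the add_a_tc_rule hunk: the rule appended to `$chain1` is issued through `run_iptables` while its siblings use `run_iptables2`; if the two wrappers differ in how failures are handled, a one-line comment stating why the exclusion-chain rule needs the other wrapper would help the next reader.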


@ -1,4 +1,12 @@
Shorewall 2.5.2
Shorewall 2.5.3
Problems Corrected in 2.5.3:
New Features in Shorewall 2.5.3
1) You may now specify "!" followed by a list of addresses in the
SOURCE and DEST columns of entries in /etc/shorewall/tcrules and
Shorewall will generate the rule that you expect.
Problems Corrected in 2.5.2: