extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-02-22 20:51:15 +01:00
Code Issues Packages Projects Releases Wiki Activity

Implement run-time gateway variables.

Browse Source 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2012-02-23 13:36:00 -08:00
parent 37a3dbb6f6
commit 7273f4d8d4
4 changed files with 126 additions and 36 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

75
Shorewall/Perl/Shorewall/Chains.pm
View File

@ -4409,7 +4409,6 @@ sub get_set_flags( $$ ) {
$ipset_exists{$setname} = 1; # Suppress subsequent checks/warnings $ipset_exists{$setname} = 1; # Suppress subsequent checks/warnings
} }
fatal_error "Invalid ipset name ($setname)" unless $setname =~ /^(6_)?[a-zA-Z]\w*/; fatal_error "Invalid ipset name ($setname)" unless $setname =~ /^(6_)?[a-zA-Z]\w*/;
have_capability 'OLD_IPSET_MATCH' ? "--set $setname $options " : "--match-set $setname $options "; have_capability 'OLD_IPSET_MATCH' ? "--set $setname $options " : "--match-set $setname $options ";
@ -4422,11 +4421,26 @@ sub have_ipset_rules() {
sub get_interface_address( $ ); sub get_interface_address( $ );
sub record_runtime_address( $ ) { sub record_runtime_address( $$;$ ) {
my $interface = shift; my ( $addrtype, $interface, $protect ) = @_;
fatal_error "Unknown interface address variable (&$interface)" unless known_interface( $interface ); fatal_error "Unknown interface address variable (&$interface)" unless known_interface( $interface );
fatal_error "Invalid interface address variable (&$interface)" if $interface =~ /\+$/; fatal_error "Invalid interface address variable (&$interface)" if $interface =~ /\+$/;
get_interface_address( $interface ) . ' ';
my $addr;
if ( $addrtype eq '&' ) {
$addr = get_interface_address( $interface );
} else {
$addr = get_interface_gateway( $interface );
if ( $protect ) {
$addr =~ s/\$/\${/;
$addr .= ( NILIP . '}' );
}
}
$addr . ' ';
} }
# #
@ -4438,12 +4452,19 @@ sub record_runtime_address( $ ) {
sub conditional_rule( $$ ) { sub conditional_rule( $$ ) {
my ( $chainref, $address ) = @_; my ( $chainref, $address ) = @_;
if ( $address =~ /^!?&(.+)$/ ) { if ( $address =~ /^!?([&%])(.+)$/ ) {
my $interface = $1; my ($type, $interface) = ($1, $2);
if ( my $ref = known_interface $interface ) { if ( my $ref = known_interface $interface ) {
if ( $ref->{options}{optional} ) { if ( $ref->{options}{optional} ) {
my $variable = get_interface_address( $interface ); my $variable;
if ( $type eq '&' ) {
$variable = get_interface_address( $interface );
add_commands( $chainref , "if [ $variable != " . NILIP . ' ]; then' ); add_commands( $chainref , "if [ $variable != " . NILIP . ' ]; then' );
} else {
$variable = get_interface_gateway( $interface );
add_commands( $chainref , qq(if [ -n "$variable" ]; then) );
}
incr_cmd_level $chainref; incr_cmd_level $chainref;
return 1; return 1;
} }
@ -4507,16 +4528,16 @@ sub match_source_net( $;$\$ ) {
} }
if ( $net =~ s/^!// ) { if ( $net =~ s/^!// ) {
if ( $net =~ /^&(.+)/ ) { if ( $net =~ /^([&%])(.+)/ ) {
return '! -s ' . record_runtime_address $1; return '! -s ' . record_runtime_address $1, $2;
} }
validate_net $net, 1; validate_net $net, 1;
return "! -s $net "; return "! -s $net ";
} }
if ( $net =~ /^&(.+)/ ) { if ( $net =~ /^([&%])(.+)/ ) {
return '-s ' . record_runtime_address $1; return '-s ' . record_runtime_address $1, $2;
} }
validate_net $net, 1; validate_net $net, 1;
@ -4561,16 +4582,16 @@ sub imatch_source_net( $;$\$ ) {
} }
if ( $net =~ s/^!// ) { if ( $net =~ s/^!// ) {
if ( $net =~ /^&(.+)/ ) { if ( $net =~ /^([&%])(.+)/ ) {
return ( s => '! ' . record_runtime_address $1 ); return ( s => '! ' . record_runtime_address( $1, $2, 1 ) );
} }
validate_net $net, 1; validate_net $net, 1;
return ( s => "! $net " ); return ( s => "! $net " );
} }
if ( $net =~ /^&(.+)/ ) { if ( $net =~ /^([&%])(.+)/ ) {
return ( s => record_runtime_address $1 ); return ( s => record_runtime_address( $1, $2, 1 ) );
} }
validate_net $net, 1; validate_net $net, 1;
@ -4610,16 +4631,16 @@ sub match_dest_net( $ ) {
} }
if ( $net =~ s/^!// ) { if ( $net =~ s/^!// ) {
if ( $net =~ /^&(.+)/ ) { if ( $net =~ /^([&%])(.+)/ ) {
return '! -d ' . record_runtime_address $1; return '! -d ' . record_runtime_address $1, $2;
} }
validate_net $net, 1; validate_net $net, 1;
return "! -d $net "; return "! -d $net ";
} }
if ( $net =~ /^&(.+)/ ) { if ( $net =~ /^([&%])(.+)/ ) {
return '-d ' . record_runtime_address $1; return '-d ' . record_runtime_address $1, $2;
} }
validate_net $net, 1; validate_net $net, 1;
@ -4657,16 +4678,16 @@ sub imatch_dest_net( $ ) {
} }
if ( $net =~ s/^!// ) { if ( $net =~ s/^!// ) {
if ( $net =~ /^&(.+)/ ) { if ( $net =~ /^([&%])(.+)/ ) {
return ( d => '! ' . record_runtime_address $1 ); return ( d => '! ' . record_runtime_address( $1, $2, 1 ) );
} }
validate_net $net, 1; validate_net $net, 1;
return ( d => "! $net " ); return ( d => "! $net " );
} }
if ( $net =~ /^&(.+)/ ) { if ( $net =~ /^([&%])(.+)/ ) {
return ( d => record_runtime_address $1 ); return ( d => record_runtime_address( $1, $2, 1 ) );
} }
validate_net $net, 1; validate_net $net, 1;
@ -4684,7 +4705,7 @@ sub match_orig_dest ( $ ) {
if ( $net =~ s/^!// ) { if ( $net =~ s/^!// ) {
if ( $net =~ /^&(.+)/ ) { if ( $net =~ /^&(.+)/ ) {
$net = record_runtime_address $1; $net = record_runtime_address '&', $1;
} else { } else {
validate_net $net, 1; validate_net $net, 1;
} }
@ -4692,7 +4713,7 @@ sub match_orig_dest ( $ ) {
have_capability( 'OLD_CONNTRACK_MATCH' ) ? "-m conntrack --ctorigdst ! $net " : "-m conntrack ! --ctorigdst $net "; have_capability( 'OLD_CONNTRACK_MATCH' ) ? "-m conntrack --ctorigdst ! $net " : "-m conntrack ! --ctorigdst $net ";
} else { } else {
if ( $net =~ /^&(.+)/ ) { if ( $net =~ /^&(.+)/ ) {
$net = record_runtime_address $1; $net = record_runtime_address '&', $1;
} else { } else {
validate_net $net, 1; validate_net $net, 1;
} }
@ -5468,7 +5489,7 @@ sub expand_rule( $$$$$$$$$$;$ )
} else { } else {
$inets = $source; $inets = $source;
} }
} elsif ( $source =~ /(?:\+|&|~|\..*\.)/ ) { } elsif ( $source =~ /(?:\+|&|%|~|\..*\.)/ ) {
$inets = $source; $inets = $source;
} else { } else {
$iiface = $source; $iiface = $source;
@ -5553,7 +5574,7 @@ sub expand_rule( $$$$$$$$$$;$ )
if ( $dest =~ /^(.+?):(.+)$/ ) { if ( $dest =~ /^(.+?):(.+)$/ ) {
$diface = $1; $diface = $1;
$dnets = $2; $dnets = $2;
} elsif ( $dest =~ /\+|&|~|\..*\./ ) { } elsif ( $dest =~ /\+|&|%|~|\..*\./ ) {
$dnets = $dest; $dnets = $dest;
} else { } else {
$diface = $dest; $diface = $dest;

4
Shorewall/Perl/Shorewall/Nat.pm
View File

@ -88,7 +88,7 @@ sub process_one_masq( )
$interfacelist = $1; $interfacelist = $1;
} elsif ( $interfacelist =~ /^([^:]+):([^:]*)$/ ) { } elsif ( $interfacelist =~ /^([^:]+):([^:]*)$/ ) {
my ( $one, $two ) = ( $1, $2 ); my ( $one, $two ) = ( $1, $2 );
if ( $2 =~ /\./ ) { if ( $2 =~ /\./ || $2 =~ /^%/ ) {
$interfacelist = $one; $interfacelist = $one;
$destnets = $two; $destnets = $two;
} }
@ -195,7 +195,7 @@ sub process_one_masq( )
if ( $conditional = conditional_rule( $chainref, $addr ) ) { if ( $conditional = conditional_rule( $chainref, $addr ) ) {
$addrlist .= '--to-source ' . get_interface_address $1; $addrlist .= '--to-source ' . get_interface_address $1;
} else { } else {
$addrlist .= '--to-source ' . record_runtime_address $1; $addrlist .= '--to-source ' . record_runtime_address( '&', $1 );
} }
} elsif ( $addr =~ /^.*\..*\..*\./ ) { } elsif ( $addr =~ /^.*\..*\..*\./ ) {
$target = 'SNAT '; $target = 'SNAT ';

2
Shorewall/Perl/Shorewall/Providers.pm
View File

@ -916,7 +916,7 @@ sub add_an_rtrule( ) {
if ( $source eq '-' ) { if ( $source eq '-' ) {
$source = 'from ' . ALLIP; $source = 'from ' . ALLIP;
} elsif ( $source =~ s/^&// ) { } elsif ( $source =~ s/^&// ) {
$source = 'from ' . record_runtime_address $source; $source = 'from ' . record_runtime_address '&', $source;
} elsif ( $family == F_IPV4 ) { } elsif ( $family == F_IPV4 ) {
if ( $source =~ /:/ ) { if ( $source =~ /:/ ) {
( my $interface, $source , my $remainder ) = split( /:/, $source, 3 ); ( my $interface, $source , my $remainder ) = split( /:/, $source, 3 );

79
docs/configuration_file_basics.xml
View File

@ -190,9 +190,9 @@
</listitem> </listitem>
<listitem> <listitem>
<para><filename>/etc/shorewall/rtrules</filename> - Defines <para><filename>/etc/shorewall/rtrules</filename> - Defines routing
routing rules to be used in conjunction with the routing tables rules to be used in conjunction with the routing tables defined in
defined in <filename>/etc/shorewall/providers</filename>.</para> <filename>/etc/shorewall/providers</filename>.</para>
</listitem> </listitem>
<listitem> <listitem>
@ -1287,6 +1287,11 @@ SHELL cat /etc/shorewall/rules.d/*.rules 2&gt; /dev/null || true</programlisting
<para><ulink url="Macros.html">Macro</ulink> files</para> <para><ulink url="Macros.html">Macro</ulink> files</para>
</listitem> </listitem>
<listitem>
<para><ulink
url="manpages/shorewall-nat.html">shorewall-nat</ulink>(5)</para>
</listitem>
<listitem> <listitem>
<para><ulink <para><ulink
url="manpages/shorewall-rules.html">shorewall-rules</ulink> (5)</para> url="manpages/shorewall-rules.html">shorewall-rules</ulink> (5)</para>
@ -1324,16 +1329,80 @@ SHELL cat /etc/shorewall/rules.d/*.rules 2&gt; /dev/null || true</programlisting
</itemizedlist> </itemizedlist>
<para>For optional interfaces, if the interface is not usable at the time <para>For optional interfaces, if the interface is not usable at the time
that the firewall starts the all-zero address will be used (0.0.0.0 in that the firewall starts, the all-zero address will be used (0.0.0.0 in
IPv4 and :: in IPv6), resulting in no packets matching the rule.</para> IPv4 and :: in IPv6), resulting in no packets matching the rule.</para>
<para>Beginning with Shorewall 4.5.1, <firstterm>Run-time Gateway
Variables</firstterm> in the form of a percent sign ('%') followed by a
logical interface name are also supported. These are expanded at run-time
to the gateway through the named interface. For optional interfaces, if
the interface is not usable at the time that the firewall starts, the
all-zero address will be used (0.0.0.0 in IPv4 and :: in IPv6), resulting
in no packets matching the rule. Run-time gateway variables may be used in
the SOURCE and DEST columns of the following configuration files:</para>
<itemizedlist>
<listitem>
<para><ulink
url="manapges/shorewall-accounting.html">shorewall-accounting</ulink>
(5)</para>
</listitem>
<listitem>
<para><ulink url="Actions.html">Action</ulink> files</para>
</listitem>
<listitem>
<para><ulink
url="manpages/shorewall-accounting.html">shorewall-blacklist</ulink>
(5)</para>
</listitem>
<listitem>
<para><ulink url="Macros.html">Macro</ulink> files</para>
</listitem>
<listitem>
<para><ulink
url="manpages/shorewall-nat.html">shorewall-nat</ulink>(5) (As a
qualifier to the INTERFACE).</para>
</listitem>
<listitem>
<para><ulink
url="manpages/shorewall-rules.html">shorewall-rules</ulink> (5)</para>
</listitem>
<listitem>
<para><ulink
url="manpages/shorewall-tcrules.html">shorewall-tcrules</ulink>
(5)</para>
</listitem>
<listitem>
<para><ulink url="manpages/shorewall-tos.html">shorewall-tos</ulink>
(5)</para>
</listitem>
</itemizedlist>
<variablelist>
<varlistentry>
<term>Example:</term>
<listitem>
<para><emphasis role="bold">%eth0</emphasis> would represent the IP
address of the gateway out of eth0.</para>
</listitem>
</varlistentry>
</variablelist>
<para>Beginning with Shorewall 4.4.27, you may also use options in <ulink <para>Beginning with Shorewall 4.4.27, you may also use options in <ulink
url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5) (e.g., url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5) (e.g.,
$BLACKLIST_LOGLEVEL).</para> $BLACKLIST_LOGLEVEL).</para>
<note> <note>
<para>When an option is set to 'No' in shorewall.conf, the corresponding <para>When an option is set to 'No' in shorewall.conf, the corresponding
shell variable is will be empty.</para> shell variable will be empty.</para>
</note> </note>
<note> <note>