extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2024-11-23 16:13:18 +01:00
Code Issues Packages Projects Releases Wiki Activity

Allow <zone>::<serverport> in the rules file DEST column

Browse Source
This commit is contained in:
Tom Eastep 2009-11-23 09:33:16 -08:00
parent fedb26fe1e
commit 99a35c1bf0
3 changed files with 27 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
Shorewall/Perl/Shorewall/Rules.pm
View File

@ -1237,10 +1237,10 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
$origdest = ALLIP;
}
}
} else {
fatal_error "A server must be specified in the DEST column in $action rules" if $server eq '';
if ( $server =~ /^(.+)-(.+)$/ ) {
} else {
if ( $server eq '' ) {
fatal_error "A server and/or port must be specified in the DEST column in $action rules" unless $serverport;
} elsif ( $server =~ /^(.+)-(.+)$/ ) {
validate_range( $1, $2 );
} else {
my @servers = validate_address $server, 1;
@ -1249,9 +1249,13 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
if ( $action eq 'DNAT' ) {
$target = '-j DNAT ';
$serverport = ":$serverport" if $serverport;
for my $serv ( split /,/, $server ) {
$target .= "--to-destination ${serv}${serverport} ";
if ( $server ) {
$serverport = ":$serverport" if $serverport;
for my $serv ( split /,/, $server ) {
$target .= "--to-destination ${serv}${serverport} ";
}
} else {
$target .= "--to-destination :$serverport ";
}
}

2
Shorewall/changelog.txt
View File

@ -7,3 +7,5 @@ Changes in 4.5.0
3) Fix handling of interfaces with the 'bridge' option.
4) Flag port 0 as an error.
5) Allow zone::serverport in rules DEST column.

15
Shorewall/releasenotes.txt
View File

@ -40,5 +40,18 @@ None.
$FW dmz REJECT info
$FW all ACCEPT
2) Shorewall now allows DNAT rules that change only the destination
port.
Example:
DNAT loc net::456 udp 234
That rule will modify the destination port in UDP packets received
from the 'loc' zone from 456 to 234. Note that if the destination
is the firewall itself, then the destination port will be rewritten
but that no ACCEPT rule from the loc zone to the $FW zone will have
been created to handle the request. So such rules should probably
exclude the firewall's IP addresses in the ORIGINAL DEST column.