Add load-balancing support

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@607 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall/changelog.txt

@@ -11,3 +11,5 @@ Changes since 1.4.5
 
 5) Allow Shorewall to add aliases to other than the first subnet on an
    interface.
+
+6) Add support for load-balancing.

Shorewall/firewall

@@ -831,6 +831,15 @@ find_interface_address() # $1 = interface
     echo $addr | sed 's/inet //;s/\/.*//;s/ peer.*//'
 }
 
+#
+# Find interface addresses--returns the set of addresses assigned to the passed
+# device
+#
+find_interface_addresses() # $1 = interface
+{
+    ip addr show $1 | grep inet | sed 's/inet //;s/\/.*//;s/ peer.*//'
+}
+
 #
 # Find interfaces that have the passed option specified
 #
@@ -2097,15 +2106,25 @@ add_a_rule()
 	    fi
 
 	    if [ -z "$dnat_only" -a $chain != ${FW}2${FW} ]; then
-		serv="${serv:+-d $serv}"
+		if [ -n "$serv" ]; then
+		    for srv in `ip_range $serv`; do
+			if [ -n "$loglevel" -a -z "$natrule" ]; then
+			    log_rule $loglevel $chain $logtarget \
+				`fix_bang $proto $sports $multiport $state $cli -d $srv $dports`
+			fi
 
-		if [ -n "$loglevel" -a -z "$natrule" ]; then
-		    log_rule $loglevel $chain $logtarget \
-			`fix_bang $proto $sports $multiport $state $cli $serv $dports`
+			run_iptables2 -A $chain $proto $multiport $state $cli $sports \
+			    -d $srv $dports -j $target
+		    done
+		else
+		    if [ -n "$loglevel" -a -z "$natrule" ]; then
+		        log_rule $loglevel $chain $logtarget \
+			    `fix_bang $proto $sports $multiport $state $cli $dports`
+		    fi
+
+		    run_iptables2 -A $chain $proto $multiport $state $cli $sports \
+			$dports -j $target
 		fi
-
-		run_iptables2 -A $chain $proto $multiport $state $cli $sports \
-		    $serv $dports -j $target
 	    fi
 	fi
     else
@@ -3204,7 +3223,7 @@ verify_os_version() {
 #
 add_ip_aliases()
 {
-    local external interface inet cidr brd bcast rest
+    local addresses external interface inet cidr brd bcast rest
 
     do_one()
     {
@@ -3221,10 +3240,6 @@ add_ip_aliases()
 
 	ip addr show $interface 2> /dev/null | grep 'inet.*brd ' | while read inet cidr brd bcast rest ; do
 	    if in_subnet $external $cidr; then
-		if [ $external = ${cidr%/*} ]; then
-		    return
-		fi
-		
 		val="/${cidr#*/} brd $bcast"
 		break
 	    fi
@@ -3250,7 +3265,8 @@ add_ip_aliases()
 	fi
 
 	shift;shift
-	do_one
+
+	list_search $external `find_interface_addresses $interface` || do_one
     done
 }
 

Shorewall/releasenotes.txt

@@ -19,3 +19,10 @@ New Features:
 3) Shorewall can now add IP addresses to subnets on an interface other
    than the first one.
 
+4) DNAT[-] rules may now be used to round-robin over a set of
+   servers. Up to 256 servers may be specified in a range of addresses
+   given as <first address>-<last address>.
+
+   Example:
+
+	DNAT net loc:192.168.10.2-192.168.10.5 tcp 80

Shorewall/rules

@@ -107,6 +107,12 @@
 #				3. You may not specify both an interface and
 #				   an address.
 #
+#			Unlike in the SOURCE column, you may specify a range of
+#			up to 256 IP addresses using the syntax
+#			<first ip>-<last ip>. When the ACTION is DNAT or DNAT-,
+#			the connections will be assigned to addresses in the
+#			range in a round-robin fashion.
+#
 #			The port that the server is listening on may be
 #			included and separated from the server's IP address by
 #			":". If omitted, the firewall will not modifiy the