Extend the 'loose' routestopped option into separate 'source' and 'dest' options; remove extended mark requirement

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2152 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2025-01-12 08:38:14 +01:00 · 2005-05-21 02:25:43 +00:00 · 2005-05-21 02:25:43 +00:00 · a56f954283
commit a56f954283
parent fd437ec6fd
2 changed files with 22 additions and 8 deletions
--- a/Shorewall2/firewall
+++ b/Shorewall2/firewall
@ -1642,7 +1642,7 @@ disable_ipv6_1() {

 process_routestopped() # $1 = command
 {
-    local hosts= interface host host1 options networks loose=
+    local hosts= interface host host1 options networks source= dest= matched

    while read interface host options; do
 	expandv interface host options
@ -1666,9 +1666,13 @@ process_routestopped() # $1 = command
 			    done
 			fi
 			;;
-		    loose)
+		    source)
 			for h in $(separate_list $host); do
-			    loose="$loose $interface:$h"
+			    source="$source $interface:$h"
+			done
+		    dest)
+			for h in $(separate_list $host); do
+			    dest="$dest $interface:$h"
 			done
 			;;
 		    *)
@ -1688,9 +1692,19 @@ process_routestopped() # $1 = command
 	[ -z "$ADMINISABSENTMINDED" ] && \
 	    run_iptables $1 OUTPUT -o $interface $(dest_ip_range $networks) -j ACCEPT

-	if list_search $host $loose ; then
+	matched=
+
+	if list_search $host $source ; then
 	    run_iptables $1 FORWARD -i $interface $(source_ip_range $networks) -j ACCEPT
-	else
+	    matched=Yes
+	fi
+
+	if list_search $host $dest ; then
+	    run_iptables $1 FORWARD -o $interface $(dest_ip_range $networks) -j ACCEPT
+	    matched=Yes
+	fi
+	
+	if [ -z "$matched" ]; then
 	    for host1 in $hosts; do
 		[ "$host" != "$host1" ] && run_iptables $1 FORWARD -i $interface -o ${host1%:*} $(both_ip_ranges $networks ${host1#*:}) -j ACCEPT
 	    done
@ -5638,7 +5652,7 @@ setup_routes() # $1 = file name
 	    eval mark_value=\$${iface}_routemark

 	    run_iptables -t mangle -A PREROUTING -i $interface -m mark --mark 0 -j routemark
-	    run_iptables -t mangle -A routemark  -i $interface                  -j MARK --or-mark $mark_value
+	    run_iptables -t mangle -A routemark  -i $interface                  -j MARK --set-mark $mark_value

 	done

--- a/Shorewall2/releasenotes.txt
+++ b/Shorewall2/releasenotes.txt
@ -79,8 +79,8 @@ New Features in version 2.4.0
       Squid   1       1    -          eth2      192.168.2.99  -

   Use of this feature requires that your kernel and iptables 
-   support CONNMARK target and conntrack match as well as extended
-   MARK support. It does NOT require the ROUTE target extension.
+   support CONNMARK target and conntrack match support. It does NOT
+   require the ROUTE target extension.

   WARNING: The current version of iptables (1.3.1) is broken with
   respect to CONNMARK and iptables-save/iptables-restore. This means