Extend the 'loose' routestopped option into separate 'source' and 'dest' options; remove extended mark requirement
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2152 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
fd437ec6fd
commit
a56f954283
@ -1642,7 +1642,7 @@ disable_ipv6_1() {
|
|||||||
|
|
||||||
process_routestopped() # $1 = command
|
process_routestopped() # $1 = command
|
||||||
{
|
{
|
||||||
local hosts= interface host host1 options networks loose=
|
local hosts= interface host host1 options networks source= dest= matched
|
||||||
|
|
||||||
while read interface host options; do
|
while read interface host options; do
|
||||||
expandv interface host options
|
expandv interface host options
|
||||||
@ -1666,9 +1666,13 @@ process_routestopped() # $1 = command
|
|||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
loose)
|
source)
|
||||||
for h in $(separate_list $host); do
|
for h in $(separate_list $host); do
|
||||||
loose="$loose $interface:$h"
|
source="$source $interface:$h"
|
||||||
|
done
|
||||||
|
dest)
|
||||||
|
for h in $(separate_list $host); do
|
||||||
|
dest="$dest $interface:$h"
|
||||||
done
|
done
|
||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
@ -1688,9 +1692,19 @@ process_routestopped() # $1 = command
|
|||||||
[ -z "$ADMINISABSENTMINDED" ] && \
|
[ -z "$ADMINISABSENTMINDED" ] && \
|
||||||
run_iptables $1 OUTPUT -o $interface $(dest_ip_range $networks) -j ACCEPT
|
run_iptables $1 OUTPUT -o $interface $(dest_ip_range $networks) -j ACCEPT
|
||||||
|
|
||||||
if list_search $host $loose ; then
|
matched=
|
||||||
|
|
||||||
|
if list_search $host $source ; then
|
||||||
run_iptables $1 FORWARD -i $interface $(source_ip_range $networks) -j ACCEPT
|
run_iptables $1 FORWARD -i $interface $(source_ip_range $networks) -j ACCEPT
|
||||||
else
|
matched=Yes
|
||||||
|
fi
|
||||||
|
|
||||||
|
if list_search $host $dest ; then
|
||||||
|
run_iptables $1 FORWARD -o $interface $(dest_ip_range $networks) -j ACCEPT
|
||||||
|
matched=Yes
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ -z "$matched" ]; then
|
||||||
for host1 in $hosts; do
|
for host1 in $hosts; do
|
||||||
[ "$host" != "$host1" ] && run_iptables $1 FORWARD -i $interface -o ${host1%:*} $(both_ip_ranges $networks ${host1#*:}) -j ACCEPT
|
[ "$host" != "$host1" ] && run_iptables $1 FORWARD -i $interface -o ${host1%:*} $(both_ip_ranges $networks ${host1#*:}) -j ACCEPT
|
||||||
done
|
done
|
||||||
@ -5638,7 +5652,7 @@ setup_routes() # $1 = file name
|
|||||||
eval mark_value=\$${iface}_routemark
|
eval mark_value=\$${iface}_routemark
|
||||||
|
|
||||||
run_iptables -t mangle -A PREROUTING -i $interface -m mark --mark 0 -j routemark
|
run_iptables -t mangle -A PREROUTING -i $interface -m mark --mark 0 -j routemark
|
||||||
run_iptables -t mangle -A routemark -i $interface -j MARK --or-mark $mark_value
|
run_iptables -t mangle -A routemark -i $interface -j MARK --set-mark $mark_value
|
||||||
|
|
||||||
done
|
done
|
||||||
|
|
||||||
|
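Review bot: A host listed only with the new `dest` option no longer gets the pairwise FORWARD rules, because `matched=Yes` in the `dest` branch makes `if [ -z "$matched" ]` skip the `for host1 in $hosts` loop that the old code ran for every host not in `loose`; as far as this hunk shows, its traffic toward the other routestopped hosts is then accepted only where those hosts carry `dest` themselves. If that narrowing is intended, a comment above `matched=` should say so, e.g. `# A host with 'source' or 'dest' gets an interface-wide FORWARD rule and skips the pairwise host-to-host rules below`. The `source)` rule (`-i $interface` with no `-o`) and the `dest)` rule (`-o $interface` with no `-i`) accept forwarding to or from every other interface, which is broader than the pairwise rules, and the routestopped documentation for the two options should state that. The `case` arms for `source)` and `dest)` and the rest of process_routestopped lie outside the visible hunks. In the setup_routes hunk `--set-mark` replaces `--or-mark`; since the routemark chain is entered only through the `-m mark --mark 0` rule on the line above, the two are equivalent there, and a one-line comment such as `# mark is known to be 0 here, so --set-mark equals --or-mark without needing extended MARK support` would record why the requirement can be dropped.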
@ -79,8 +79,8 @@ New Features in version 2.4.0
|
|||||||
Squid 1 1 - eth2 192.168.2.99 -
|
Squid 1 1 - eth2 192.168.2.99 -
|
||||||
|
|
||||||
Use of this feature requires that your kernel and iptables
|
Use of this feature requires that your kernel and iptables
|
||||||
support CONNMARK target and conntrack match as well as extended
|
support CONNMARK target and conntrack match support. It does NOT
|
||||||
MARK support. It does NOT require the ROUTE target extension.
|
require the ROUTE target extension.
|
||||||
|
|
||||||
WARNING: The current version of iptables (1.3.1) is broken with
|
WARNING: The current version of iptables (1.3.1) is broken with
|
||||||
respect to CONNMARK and iptables-save/iptables-restore. This means
|
respect to CONNMARK and iptables-save/iptables-restore. This means
|
||||||
|