Extend the 'loose' routestopped option into separate 'source' and 'dest' options; remove extended mark requirement

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2152 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2005-05-21 02:25:43 +00:00
parent fd437ec6fd
commit a56f954283
2 changed files with 22 additions and 8 deletions


@ -1642,7 +1642,7 @@ disable_ipv6_1() {
process_routestopped() # $1 = command process_routestopped() # $1 = command
{ {
local hosts= interface host host1 options networks loose= local hosts= interface host host1 options networks source= dest= matched
while read interface host options; do while read interface host options; do
expandv interface host options expandv interface host options
@ -1666,9 +1666,13 @@ process_routestopped() # $1 = command
done done
fi fi
;; ;;
loose) source)
for h in $(separate_list $host); do for h in $(separate_list $host); do
loose="$loose $interface:$h" source="$source $interface:$h"
done
dest)
for h in $(separate_list $host); do
dest="$dest $interface:$h"
done done
;; ;;
*) *)
@ -1688,9 +1692,19 @@ process_routestopped() # $1 = command
[ -z "$ADMINISABSENTMINDED" ] && \ [ -z "$ADMINISABSENTMINDED" ] && \
run_iptables $1 OUTPUT -o $interface $(dest_ip_range $networks) -j ACCEPT run_iptables $1 OUTPUT -o $interface $(dest_ip_range $networks) -j ACCEPT
if list_search $host $loose ; then matched=
if list_search $host $source ; then
run_iptables $1 FORWARD -i $interface $(source_ip_range $networks) -j ACCEPT run_iptables $1 FORWARD -i $interface $(source_ip_range $networks) -j ACCEPT
else matched=Yes
fi
if list_search $host $dest ; then
run_iptables $1 FORWARD -o $interface $(dest_ip_range $networks) -j ACCEPT
matched=Yes
fi
if [ -z "$matched" ]; then
for host1 in $hosts; do for host1 in $hosts; do
[ "$host" != "$host1" ] && run_iptables $1 FORWARD -i $interface -o ${host1%:*} $(both_ip_ranges $networks ${host1#*:}) -j ACCEPT [ "$host" != "$host1" ] && run_iptables $1 FORWARD -i $interface -o ${host1%:*} $(both_ip_ranges $networks ${host1#*:}) -j ACCEPT
done done
@ -5638,7 +5652,7 @@ setup_routes() # $1 = file name
eval mark_value=\$${iface}_routemark eval mark_value=\$${iface}_routemark
run_iptables -t mangle -A PREROUTING -i $interface -m mark --mark 0 -j routemark run_iptables -t mangle -A PREROUTING -i $interface -m mark --mark 0 -j routemark
run_iptables -t mangle -A routemark -i $interface -j MARK --or-mark $mark_value run_iptables -t mangle -A routemark -i $interface -j MARK --set-mark $mark_value
done done
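Review bot: In the `matched` block of the third hunk, the new `source` and `dest` rules are one-sided ACCEPTs with no state match and no peer-interface restriction: `run_iptables $1 FORWARD -o $interface $(dest_ip_range $networks) -j ACCEPT` lets every input interface reach a `dest` host, and the `-i $interface` rule lets a `source` host reach every output interface, while `matched=Yes` now suppresses the narrower paired `-i … -o …` fallback for that host. That is presumably the intended meaning of the two options, but nothing in the script says so; a comment above `matched=` such as `# source: host may originate to any interface; dest: any interface may reach host. Neither is paired with other routestopped hosts or stateful, so list a host here only if it must be reachable while the firewall is stopped.` would make the exposure explicit. Separately, in the second hunk the `source)` arm as rendered goes straight from `done` to `dest)` with no `;;`; if that is not a rendering artifact the case statement will not parse. The `fi` closing `if [ -z "$matched" ]` and the rest of process_routestopped lie outside the hunk.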


@ -79,8 +79,8 @@ New Features in version 2.4.0
Squid 1 1 - eth2 192.168.2.99 - Squid 1 1 - eth2 192.168.2.99 -
Use of this feature requires that your kernel and iptables Use of this feature requires that your kernel and iptables
support CONNMARK target and conntrack match as well as extended support CONNMARK target and conntrack match support. It does NOT
MARK support. It does NOT require the ROUTE target extension. require the ROUTE target extension.
WARNING: The current version of iptables (1.3.1) is broken with WARNING: The current version of iptables (1.3.1) is broken with
respect to CONNMARK and iptables-save/iptables-restore. This means respect to CONNMARK and iptables-save/iptables-restore. This means