From b10218e77373ae99fbb7db95fe9e45f43e25c5a3 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Sun, 10 Mar 2013 10:07:52 -0700
Subject: [PATCH] Add a 'UDPLITE Port Redirection' capability.
Signed-off-by: Tom Eastep
---
Shorewall-core/lib.cli | 5 +++++
Shorewall/Perl/Shorewall/Config.pm | 21 +++++++++++++++++++++
Shorewall/Perl/Shorewall/Nat.pm | 2 +-
3 files changed, 27 insertions(+), 1 deletion(-)
diff --git a/Shorewall-core/lib.cli b/Shorewall-core/lib.cli
index 3b229c613..30a60bc3c 100644
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
@@ -2199,6 +2199,8 @@ determine_capabilities() { CHECKSUM_TARGET= ARPTABLESJF= MASQUERADE_TGT= + UDPLITEREDIRECT= + AMANDA_HELPER= FTP_HELPER= FTP0_HELPER=
@@ -2231,6 +2233,7 @@ determine_capabilities() { qt $g_tool -t nat -A $chain -j SNAT --to-source 2001::1 --persistent && PERSISTENT_SNAT=Yes fi qt $g_tool -t nat -A $chain -j MASQUERADE && MASQUERADE_TGT=Yes + qt $g_tool -t nat -A $chain -p udplite -m multiport --dport 33 -j REDIRECT --to-port 22 && UDPREDIRECT=Yes qt $g_tool -t nat -F $chain qt $g_tool -t nat -X $chain fi
@@ -2608,6 +2611,7 @@ report_capabilities_unsorted() { report_capability "Checksum Target" $CHECKSUM_TARGET report_capability "Arptables JF" $ARPTABLESJF report_capability "MASQUERADE Target" $MASQUERADE_TGT + report_capability "UDPLITE Port Redirection" $UDPLITEREDIRECT report_capability "Amanda Helper" $AMANDA_HELPER report_capability "FTP Helper" $FTP_HELPER
@@ -2728,6 +2732,7 @@ report_capabilities_unsorted1() { report_capability1 CHECKSUM_TARGET report_capability1 ARPTABLESJF report_capability1 MASQUERADE_TGT + report_capability1 UDPLITEREDIRECT report_capability1 AMANDA_HELPER report_capability1 FTP_HELPER
diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
index fdb953381..8e9344a07 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
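Review bot: The probe added in the `@@ -2231` hunk stores its result in `UDPREDIRECT`, while the initialisation in the first hunk and both `report_capability` lines use `UDPLITEREDIRECT`, so the shell-side detection never sets the variable it reports and the capability is always shown as absent; the line should end `... -j REDIRECT --to-port 22 && UDPLITEREDIRECT=Yes`. As it stands, a capabilities file produced by this script would make the new `require_capability` check in Nat.pm reject UDPLITE port-redirection rules even on a kernel and iptables that support them, with nothing pointing at the detector as the cause. The Perl probe in Config.pm spells the multiport option `--dports 33` whereas this one uses `--dport 33`; `--dport` presumably only works as an option-name abbreviation of `--dports`, so spelling the two probes identically would avoid the two detectors ever disagreeing. `determine_capabilities()` starts and ends outside this hunk.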
@@ -359,6 +359,7 @@ our %capdesc = ( NAT_ENABLED => 'NAT', CHECKSUM_TARGET => 'Checksum Target', ARPTABLESJF => 'Arptables JF', MASQUERADE_TGT => 'MASQUERADE Target', + UDPLITEREDIRECT => 'UDPLITE Port Redirection', AMANDA_HELPER => 'Amanda Helper', FTP_HELPER => 'FTP Helper',
@@ -906,6 +907,7 @@ sub initialize( $;$$) { CHECKSUM_TARGET => undef, ARPTABLESJF => undef, MASQUERADE_TGT => undef, + UDPLITEREDIRECT => undef, AMANDA_HELPER => undef, FTP_HELPER => undef,
@@ -3582,6 +3584,22 @@ sub Masquerade_Tgt() { $result; } +sub Udpliteredirect() { + have_capability( 'NAT_ENABLED' ) || return ''; + + my $result = ''; + my $address = $family == F_IPV4 ? '1.2.3.4' : '2001::1'; + + if ( qt1( "$iptables -t nat -N $sillyname" ) ) { + $result = qt1( "$iptables -t nat -A $sillyname -p udplite -m multiport --dports 33 -j REDIRECT --to-port 22" ); + qt1( "$iptables -t nat -F $sillyname" ); + qt1( "$iptables -t nat -X $sillyname" ); + + } + + $result; +} + sub Mangle_Enabled() { if ( qt1( "$iptables -t mangle -L -n" ) ) { system( "$iptables -t mangle -N $sillyname" ) == 0 || fatal_error "Cannot Create Mangle chain $sillyname";
@@ -4134,6 +4152,7 @@ our %detect_capability = TFTP0_HELPER => \&TFTP0_Helper, TIME_MATCH => \&Time_Match, TPROXY_TARGET => \&Tproxy_Target, + UDPLITEREDIRECT => \&Udpliteredirect, USEPKTTYPE => \&Usepkttype, XCONNMARK_MATCH => \&Xconnmark_Match, XCONNMARK => \&Xconnmark,
@@ -4273,6 +4292,8 @@ sub determine_capabilities() { $capabilities{RPFILTER_MATCH} = detect_capability( 'RPFILTER_MATCH' ); $capabilities{NFACCT_MATCH} = detect_capability( 'NFACCT_MATCH' ); $capabilities{CHECKSUM_TARGET} = detect_capability( 'CHECKSUM_TARGET' ); + $capabilities{MASQUERADE_TGT} = detect_capability( 'MASQUERADE_TGT' ); + $capabilities{UDPLITEREDIRECT} = detect_capability( 'UDPLITEREDIRECT' ); if ( have_capability 'CT_TARGET' ) { $capabilities{$_} = detect_capability $_ for ( values( %helpers_map ) );
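Review bot: `my $address = $family == F_IPV4 ? '1.2.3.4' : '2001::1';` in the new `Udpliteredirect` sub (the `@@ -3582` hunk) is never used — the REDIRECT probe below it takes only `--to-port 22` — so it is dead code, apparently carried over from a neighbouring detector, and should be dropped. The sub's name also departs from the `Word_Word` pattern of its neighbours `Masquerade_Tgt` and `Mangle_Enabled`; `Udplite_Redirect` here and in the `%detect_capability` entry in the `@@ -4134` hunk would match, and the blank line before the closing `}` of the `if` is another leftover. The probe itself is sound: the scratch chain is flushed and deleted whether or not the `-A` succeeds, and the `NAT_ENABLED` guard keeps it from touching the nat table when that is absent. A one-line comment would save the next reader a detour, e.g. `# NOTE: presumably -p udplite has no --dport of its own, so the probe leans on multiport; a missing multiport therefore reports this capability absent as well`.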
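Review bot: The `@@ -4273` hunk also adds `$capabilities{MASQUERADE_TGT} = detect_capability( 'MASQUERADE_TGT' );`, which has nothing to do with UDPLITE and is not mentioned in the commit message. If `MASQUERADE_TGT` was previously never populated in `determine_capabilities()`, this quietly fixes a second bug that deserves its own sentence in the description (or its own commit) so the change log and any later bisect reflect it; if it is already detected elsewhere in the function, the line is a duplicate probe. Either way the description should say which. `determine_capabilities()` continues outside the hunk.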
diff --git a/Shorewall/Perl/Shorewall/Nat.pm b/Shorewall/Perl/Shorewall/Nat.pm
index 97eb90a47..46dbf9f7f 100644
--- a/Shorewall/Perl/Shorewall/Nat.pm
+++ b/Shorewall/Perl/Shorewall/Nat.pm
@@ -643,7 +643,7 @@ sub handle_nat_rule( $$$$$$$$$$$$ ) { my ( $p ) = split( ':', $proto ); # Might be "tcp:syn" - fatal_error "Port-redirection is not supported for UDPLITE" if resolve_proto( $p ) == UDPLITE; + require_capability( 'UDPLITEREDIRECT', 'UDPLITE Port Redirection', 's' ) if resolve_proto( $p ) == UDPLITE; $origdstports = validate_port( $proto, $ports ) if $ports && $ports ne '-' && port_count( $ports ) == 1;
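Review bot: The new `require_capability( 'UDPLITEREDIRECT', ... )` line is conditioned only on `resolve_proto( $p ) == UDPLITE`, not on a port being present, although the port handling on the next line (`$origdstports = validate_port( ... ) if $ports && $ports ne '-' ...`) is itself optional; it inherits that breadth from the `fatal_error` it replaces, so it is not a regression, but if `handle_nat_rule()` reaches this point for UDPLITE rules without a port, a plain address translation would be refused for a capability whose name concerns port redirection. Guarding it as `require_capability( 'UDPLITEREDIRECT', 'UDPLITE Port Redirection', 's' ) if $ports && $ports ne '-' && resolve_proto( $p ) == UDPLITE;`, or confirming that this code path is only entered for port redirection, would settle that. Note also that the shell detector in lib.cli, as changed in this same patch, stores its probe result under a different variable name, so users with a shell-generated capabilities file will trip this check even on supported systems until that is corrected. `handle_nat_rule()` starts and ends outside the hunk.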