Allow list in the SUBNET column of the rfc1918 file

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1728 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2004-10-26 15:26:13 +00:00
parent dce7281692
commit b551db1f5e
4 changed files with 26 additions and 19 deletions

View File

@ -121,3 +121,4 @@ Changes since 2.0.3
58) Clarification of the 'ipsec' hosts file option.
59) Allow list in the SUBNET column of the rfc1918 file.

View File

@ -1986,7 +1986,6 @@ setup_mac_lists() {
#
# Process the maclist file producing the verification rules
#
while read interface mac addresses; do
expandv interface mac addresses
@ -5834,20 +5833,22 @@ add_common_rules() {
;;
esac
run_iptables2 -A norfc1918 $(source_ip_range $networks) -j $target
for network in $(separate_list $networks); do
run_iptables2 -A norfc1918 $(source_ip_range $network) -j $target
if [ -n "$CONNTRACK_MATCH" ]; then
#
# We have connection tracking match -- match on the original destination
#
run_iptables2 -A norfc1918 -m conntrack --ctorigdst $networks -j $target
run_iptables2 -A norfc1918 -m conntrack --ctorigdst $network -j $target
elif [ -n "$MANGLE_ENABLED" ]; then
#
# No connection tracking match but we have mangling -- add a rule to
# the mangle table
#
run_iptables2 -t mangle -A man1918 $(dest_ip_range $networks) -j $target
run_iptables2 -t mangle -A man1918 $(dest_ip_range $network) -j $target
fi
done
done < $TMP_DIR/rfc1918
for host in $hosts; do

View File

@ -640,3 +640,7 @@ New Features:
DANGER: DO NOT USE THIS OPTION IF THE RESULTING LOG MESSAGES WILL
BE SENT TO ANOTHER SYSTEM.
26) The SUBNET column in /etc/shorewall/rfc1918 has been renamed
SUBNETS and it is now possible to specify a list of addresses in
that column.

View File

@ -1,5 +1,5 @@
#
# Shorewall 2.1 -- RFC1918 File
# Shorewall 2.2 -- RFC1918 File
#
# /etc/shorewall/rfc1918
#
@ -12,7 +12,8 @@
#
# Columns are:
#
# SUBNET The subnet (host addresses also allowed as are IP
# SUBNETS A comma-separated list of subnet addresses
(host addresses also allowed as are IP
# address ranges provided that your kernel and iptables
# have iprange match support).
# TARGET Where to send packets to/from this subnet
@ -21,7 +22,7 @@
# logdrop - log then drop
#
###############################################################################
#SUBNET TARGET
#SUBNETS TARGET
172.16.0.0/12 logdrop # RFC 1918
192.168.0.0/16 logdrop # RFC 1918
10.0.0.0/8 logdrop # RFC 1918