From bd18cf79c091049a49af1fee6f73d68c00289dd5 Mon Sep 17 00:00:00 2001 From: teastep Date: Sun, 15 May 2005 20:18:30 +0000 Subject: [PATCH] Add support for ROUTE target git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2120 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall2/changelog.txt | 12 +++- Shorewall2/firewall | 108 ++++++++++++++++++++++++++++++++++++ Shorewall2/releasenotes.txt | 73 +++++++++++++++++++++++- Shorewall2/shorewall | 1 + 4 files changed, 191 insertions(+), 3 deletions(-) diff --git a/Shorewall2/changelog.txt b/Shorewall2/changelog.txt index 4f26c389b..d227f3f54 100644 --- a/Shorewall2/changelog.txt +++ b/Shorewall2/changelog.txt @@ -1,8 +1,16 @@ +Changes in 2.3.2 + +1) Add support for -j ROUTE + +Changes in 2.3.1 + +1) Change the behavior of SAVE_IPSETS and allow 'ipsets' files in + Shorewall configuration directories. + Changes in 2.3.0 1) Implement support for --cmd-owner 2) Implement support for ipsets. -3) Change the behavior of SAVE_IPSETS and allow 'ipsets' files in - Shorewall configuration directories. + diff --git a/Shorewall2/firewall b/Shorewall2/firewall index 7552c66d9..23a83d6df 100755 --- a/Shorewall2/firewall +++ b/Shorewall2/firewall @@ -5248,6 +5248,103 @@ get_routed_networks() # $1 = interface name done } +# +# Add a route from /etc/shorewall/routes +# +add_a_route() +{ + local r= + local chain=routefwd + + if [ "x$source" != "x-" ]; then + case ${source} in + $FW:*) + chain=routeout + r="$(source_ip_range ${source%:*}) " + ;; + *:*) + r="$(match_source_dev ${source%:*}) $(source_ip_range ${source#*:}) " + ;; + *.*.*|+*|!+*) + r="$(source_ip_range $source) " + ;; + ~*) + r="$(mac_match $source) " + ;; + $FW) + chain=routeout + ;; + *) + verify_interface $source || fatal_error "Unknown interface $source in rule \"$rule\"" + r="$(match_source_dev) $source " + ;; + esac + fi + + if [ "x$dest" != "x-" ]; then + case $dest in + *:*) + verify_interface ${dest%:*} || fatal_error "Unknown interface ${dest%:*} in rule \"$rule\"" + r="$(match_dest_dev ${dest%:*}) $(dest_ip_range ${dest#*:}) " + ;; + *.*.*|+*|!+*) + r="${r}$(dest_ip_range $dest) " + ;; + *) + verify_interface $dest || fatal_error "Unknown interface $dest in rule \"$rule\"" + r="${r}$(match_dest_dev $dest) " + ;; + esac + fi + + if [ "x$proto" = xipp2p ]; then + [ "x$port" = "x-" ] && port="ipp2p" + r="${r}-p tcp -m ipp2p --${port} " + else + [ "x$proto" = "x-" ] && proto=all + [ "x$proto" = "x" ] && proto=all + [ "$proto" = "all" ] || r="${r}-p $proto " + [ "x$port" = "x-" ] || r="${r}--dport $port " + fi + + [ "x${sport:--}" = "x-" ] || r="${r}--sport $sport " + + r="${r}-j ROUTE " + + [ "x${interface:--}" != x- ] && r="${r}--oif $interface " + + [ "x${gateway:--}" != x- ] && r="${r}--gw $gateway" + + run_iptables2 -t mangle -A $chain $r --continue + + progress_message " Routing Rule \"$rule\" Added." +} + +# +# Set up Routing +# +setup_routes() # $1 = file name +{ + strip_file routes $1 + + if [ -s $TMP_DIR/routes ]; then + echo "Processing $1..." + [ -n "$ROUTE_TARGET" ] || \ + fatal_error "Entries in /etc/shorewall/routes requires that your kernel and iptables have ROUTE target support" + run_iptables -t mangle -N routefwd + run_iptables -t mangle -A FORWARD -j routefwd + run_iptables -t mangle -N routeout + run_iptables -t mangle -A OUTPUT -j routeout + + while read source dest proto port sport interface gateway; do + + expandv source dest proto port sport interface gateway + rule="$source $dest $proto $port $sport $interface $gateway" + add_a_route + done < $TMP_DIR/routes + fi +} + # # Set up Source NAT (including masquerading) # @@ -5923,6 +6020,7 @@ determine_capabilities() { RECENT_MATCH= OWNER_MATCH= IPSET_MATCH= + ROUTE_TARGET= qt $IPTABLES -N fooX1234 qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes @@ -5933,6 +6031,12 @@ determine_capabilities() { qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT && IPRANGE_MATCH=Yes qt $IPTABLES -A fooX1234 -m recent --update -j ACCEPT && RECENT_MATCH=Yes qt $IPTABLES -A fooX1234 -m owner --cmd-owner foo -j ACCEPT && OWNER_MATCH=Yes + + qt $IPTABLES -t mangle -N fooX1234 + qt $IPTABLES -t mangle -A fooX1234 -j ROUTE --oif eth0 && ROUTE_TARGET=Yes + qt $IPTABLES -t mangle -F fooX1234 + qt $IPTABLES -t mangle -X fooX1234 + qt ipset -X fooX1234 # Just in case something went wrong the last time @@ -5975,6 +6079,7 @@ report_capabilities() { report_capability "Recent Match" $RECENT_MATCH report_capability "Owner Match" $OWNER_MATCH report_capability "Ipset Match" $IPSET_MATCH + report_capability "Route Target" $ROUTE_TARGET } # @@ -7072,6 +7177,9 @@ define_firewall() # $1 = Command (Start or Restart) [ -n "$TC_ENABLED" ] && setup_tc + routes=$(find_file routes) + [ -f $routes ] && setup_routes $routes + echo "Activating Rules..."; activate_rules [ -n "$aliases_to_add" ] && \ diff --git a/Shorewall2/releasenotes.txt b/Shorewall2/releasenotes.txt index 3a19cbd43..10ffb4ece 100755 --- a/Shorewall2/releasenotes.txt +++ b/Shorewall2/releasenotes.txt @@ -1,5 +1,76 @@ -Shorewall 2.3.1 +Shorewall 2.3.3 +----------------------------------------------------------------------- +Problems corrected in version 2.3.2 + +None. +----------------------------------------------------------------------- +New Features in version 2.3.2 + +1) Shorewall 2.3.2 can now configure routing if your kernel and + iptables support the ROUTE target extension. This extension is + available in Patch-O-Matic-ng. + + Routing is configured using the /etc/shorewall/routes file. Columns + in the file are as follows: + + SOURCE Source of the packet. May be any of the + following: + + + - A host or network address + - A network interface name. + - The name of an ipset prefaced with "+" + - $FW (for packets originating on the firewall) + - A MAC address in Shorewall format + - A range of IP addresses (assuming that your + kernel and iptables support range match) + - A network interface name followed by ":" + and an address or address range. + + DEST Destination of the packet. May be any of the + following: + + - A host or network address + - A network interface name (determined from + routing table(s)) + - The name of an ipset prefaced with "+" + - A network interface name followed by ":" + and an address or address range. + + PROTO Protocol - Must be "tcp", "udp", "icmp", + "ipp2p", a number, or "all". "ipp2p" requires + ipp2p match support in your kernel and + iptables. + + PORT(S) Destination Ports. A comma-separated list of + Port names (from /etc/services), port numbers + or port ranges; if the protocol is "icmp", this + column is interpreted as the destination + icmp-type(s). + + If the protocol is ipp2p, this column is + interpreted as an ipp2p option without the + leading "--" (example "bit" for bit-torrent). + If no PORT is given, "ipp2p" is assumed. + + This column is ignored if PROTOCOL = all but + must be entered if any of the following field + is supplied. In that case, it is suggested that + this field contain "-" + + SOURCE PORT(S) (Optional) Source port(s). If omitted, + any source port is acceptable. Specified as a + comma-separated list of port names, port + numbers or port ranges. + + INTERFACE The interface that the packet is to be routed + out of. If you do not specify this field then + you must place "-" in this column and enter an + IP address in the GATEWAY column. + + GATEWAY The gateway that the packet is to be forewarded + through. ----------------------------------------------------------------------- Problems corrected in version 2.3.1 diff --git a/Shorewall2/shorewall b/Shorewall2/shorewall index 295e4cc3c..07c304edf 100755 --- a/Shorewall2/shorewall +++ b/Shorewall2/shorewall @@ -723,6 +723,7 @@ show_reset() { echo "Counters reset $(cat $STATEDIR/restarted)" && \ echo } + # # Display's the passed file name followed by "=" and the file's contents. #