mirror of
https://gitlab.com/shorewall/code.git
synced 2024-12-22 22:30:58 +01:00
Add new capability for persistent SNAT
This commit is contained in:
parent
55f75604b3
commit
c908edab34
@ -241,6 +241,7 @@ our %capdesc = ( NAT_ENABLED => 'NAT',
|
||||
LOG_TARGET => 'LOG Target',
|
||||
LOGMARK_TARGET => 'LOGMARK Target',
|
||||
IPMARK_TARGET => 'IPMARK Target',
|
||||
PERSISTENT_SNAT => 'Persistent SNAT',
|
||||
CAPVERSION => 'Capability Version',
|
||||
);
|
||||
#
|
||||
@ -328,7 +329,7 @@ sub initialize( $ ) {
|
||||
EXPORT => 0,
|
||||
UNTRACKED => 0,
|
||||
VERSION => "4.4.1",
|
||||
CAPVERSION => 40310 ,
|
||||
CAPVERSION => 40401 ,
|
||||
);
|
||||
|
||||
#
|
||||
@ -613,6 +614,7 @@ sub initialize( $ ) {
|
||||
LOGMARK_TARGET => undef,
|
||||
IPMARK_TARGET => undef,
|
||||
LOG_TARGET => 1, # Assume that we have it.
|
||||
PERSISTENT_SNAT => undef,
|
||||
CAPVERSION => undef,
|
||||
);
|
||||
#
|
||||
@ -1923,6 +1925,14 @@ sub determine_capabilities( $ ) {
|
||||
|
||||
$capabilities{NAT_ENABLED} = qt1( "$iptables -t nat -L -n" ) if $family == F_IPV4;
|
||||
|
||||
if ( $capabilities{NAT_ENABLED} ) {
|
||||
if ( qt1( "$iptables -t nat -N $sillyname" ) ) {
|
||||
$capabilities{PERSISTENT_SNAT} = qt1( "$iptables -t nat -A $sillyname -j SNAT --to source 1.2.3.4 --persistent" );
|
||||
qt1( "$iptables -t NAT -F $sillyname" );
|
||||
qt1( "$iptables -t NAT -X $sillyname" );
|
||||
}
|
||||
}
|
||||
|
||||
$capabilities{MANGLE_ENABLED} = qt1( "$iptables -t mangle -L -n" );
|
||||
|
||||
qt1( "$iptables -N $sillyname" );
|
||||
|
@ -225,6 +225,8 @@ sub process_one_masq( )
|
||||
$addresses =~ s/:persistent$// and $persistent = '--persistent ';
|
||||
$addresses =~ s/:random$// and $randomize = '--random ';
|
||||
|
||||
require_capability 'PERSISTENT_SNAT', ':random', 's' if $randomize;
|
||||
|
||||
if ( $addresses =~ /^SAME/ ) {
|
||||
fatal_error "The SAME target is no longer supported";
|
||||
} elsif ( $addresses eq 'detect' ) {
|
||||
|
@ -30,7 +30,7 @@
|
||||
#
|
||||
|
||||
SHOREWALL_LIBVERSION=40000
|
||||
SHOREWALL_CAPVERSION=40310
|
||||
SHOREWALL_CAPVERSION=40401
|
||||
|
||||
[ -n "${VARDIR:=/var/lib/shorewall}" ]
|
||||
[ -n "${SHAREDIR:=/usr/share/shorewall}" ]
|
||||
@ -777,6 +777,13 @@ set_state () # $1 = state
|
||||
# Determine which optional facilities are supported by iptables/netfilter
|
||||
#
|
||||
determine_capabilities() {
|
||||
[ -n "$IPTABLES" ] || IPTABLES=$(mywhich iptables)
|
||||
|
||||
if [ -z "$IPTABLES" ]; then
|
||||
echo " ERROR: No executable iptables binary can be found on your PATH" >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
qt $IPTABLES -t nat -L -n && NAT_ENABLED=Yes || NAT_ENABLED=
|
||||
qt $IPTABLES -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED=
|
||||
|
||||
@ -820,14 +827,16 @@ determine_capabilities() {
|
||||
LOGMARK_TARGET=
|
||||
IPMARK_TARGET=
|
||||
LOG_TARGET=Yes
|
||||
PERSISTENT_SNAT=
|
||||
|
||||
chain=fooX$$
|
||||
|
||||
[ -n "$IPTABLES" ] || IPTABLES=$(mywhich iptables)
|
||||
|
||||
if [ -z "$IPTABLES" ]; then
|
||||
echo " ERROR: No executable iptables binary can be found on your PATH" >&2
|
||||
exit 1
|
||||
if [ -n "$NAT_ENABLED" ]; then
|
||||
if qt $IPTABLES -t nat -N $chain; then
|
||||
qt $IPTABLES -t nat -A $chain -j SNAT --to-source 1.2.3.4 --persistent && PERSISTENT_SNAT=Yes
|
||||
$IPTABLES -t nat -F $chain
|
||||
$IPTABLES -t nat -X $chain
|
||||
fi
|
||||
fi
|
||||
|
||||
qt $IPTABLES -F $chain
|
||||
@ -1011,6 +1020,7 @@ report_capabilities() {
|
||||
report_capability "LOGMARK Target" $LOGMARK_TARGET
|
||||
report_capability "IPMARK Target" $IPMARK_TARGET
|
||||
report_capability "LOG Target" $LOG_TARGET
|
||||
report_capability "Persistent SNAT" $PERSISTENT_SNAT
|
||||
fi
|
||||
|
||||
[ -n "$PKTTYPE" ] || USEPKTTYPE=
|
||||
@ -1068,6 +1078,7 @@ report_capabilities1() {
|
||||
report_capability1 LOGMARK_TARGET
|
||||
report_capability1 IPMARK_TARGET
|
||||
report_capability1 LOG_TARGET
|
||||
report_capability1 PERSISTENT_SNAT
|
||||
|
||||
echo CAPVERSION=$SHOREWALL_CAPVERSION
|
||||
}
|
||||
|
@ -179,7 +179,13 @@ None.
|
||||
Example:
|
||||
|
||||
#INTERFACE SOURCE ADDRESS
|
||||
eth0 0.0.0.0/0 206.124.146.177-206.124.146.179:persistent
|
||||
eth0 0.0.0.0/0 206.124.146.177-206.124.146.179:persistent
|
||||
|
||||
This feature requires Persistent SNAT support in your kernel and
|
||||
iptables.
|
||||
|
||||
If you use a capabilities file, you will need to create a new one
|
||||
as a result of this feature.
|
||||
|
||||
----------------------------------------------------------------------------
|
||||
N E W F E A T U R E S I N 4 . 4
|
||||
|
@ -33,7 +33,7 @@
|
||||
#
|
||||
|
||||
SHOREWALL_LIBVERSION=40300
|
||||
SHOREWALL_CAPVERSION=40310
|
||||
SHOREWALL_CAPVERSION=40401
|
||||
|
||||
[ -n "${VARDIR:=/var/lib/shorewall6}" ]
|
||||
[ -n "${SHAREDIR:=/usr/share/shorewall6}" ]
|
||||
|
Loading…
Reference in New Issue
Block a user