Add new capability for persistent SNAT

2024-11-22 15:43:30 +01:00 · 2009-08-15 08:35:54 -07:00 · 2009-08-15 08:35:54 -07:00 · c908edab34
commit c908edab34
parent 55f75604b3
5 changed files with 38 additions and 9 deletions
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@ -241,6 +241,7 @@ our %capdesc = ( NAT_ENABLED     => 'NAT',
 		 LOG_TARGET      => 'LOG Target',
 		 LOGMARK_TARGET  => 'LOGMARK Target',
 		 IPMARK_TARGET   => 'IPMARK Target',
+		 PERSISTENT_SNAT => 'Persistent SNAT',
 		 CAPVERSION      => 'Capability Version',
 	       );
 #
@ -328,7 +329,7 @@ sub initialize( $ ) {
 		    EXPORT => 0,
 		    UNTRACKED => 0,
 		    VERSION => "4.4.1",
-		    CAPVERSION => 40310 ,
+		    CAPVERSION => 40401 ,
 		  );

    #
@ -613,6 +614,7 @@ sub initialize( $ ) {
 	       LOGMARK_TARGET => undef,
 	       IPMARK_TARGET => undef,
 	       LOG_TARGET => 1,         # Assume that we have it.
+	       PERSISTENT_SNAT => undef,
 	       CAPVERSION => undef,
 	       );
    #
@ -1923,6 +1925,14 @@ sub determine_capabilities( $ ) {

    $capabilities{NAT_ENABLED}    = qt1( "$iptables -t nat -L -n" ) if $family == F_IPV4;

+    if ( $capabilities{NAT_ENABLED} ) {
+	if ( qt1( "$iptables -t nat -N $sillyname" ) ) {
+	    $capabilities{PERSISTENT_SNAT} = qt1( "$iptables -t nat -A $sillyname -j SNAT --to source 1.2.3.4 --persistent" );
+	    qt1( "$iptables -t NAT -F $sillyname" );
+	    qt1( "$iptables -t NAT -X $sillyname" );
+	}
+    }
+
    $capabilities{MANGLE_ENABLED} = qt1( "$iptables -t mangle -L -n" );

    qt1( "$iptables -N $sillyname" );
--- a/Shorewall/Perl/Shorewall/Nat.pm
+++ b/Shorewall/Perl/Shorewall/Nat.pm
@ -225,6 +225,8 @@ sub process_one_masq( )
 		$addresses =~ s/:persistent$// and $persistent = '--persistent ';
 		$addresses =~ s/:random$//     and $randomize  = '--random ';

+		require_capability 'PERSISTENT_SNAT', ':random', 's' if $randomize;
+
 		if ( $addresses =~ /^SAME/ ) {
 		    fatal_error "The SAME target is no longer supported";
 		} elsif ( $addresses eq 'detect' ) {
--- a/Shorewall/lib.base
+++ b/Shorewall/lib.base
@ -30,7 +30,7 @@
 #

 SHOREWALL_LIBVERSION=40000
-SHOREWALL_CAPVERSION=40310
+SHOREWALL_CAPVERSION=40401

 [ -n "${VARDIR:=/var/lib/shorewall}" ]
 [ -n "${SHAREDIR:=/usr/share/shorewall}" ]
@ -777,6 +777,13 @@ set_state () # $1 = state
 # Determine which optional facilities are supported by iptables/netfilter
 #
 determine_capabilities() {
+    [ -n "$IPTABLES" ] || IPTABLES=$(mywhich iptables)
+
+    if [ -z "$IPTABLES" ]; then
+	echo "   ERROR: No executable iptables binary can be found on your PATH" >&2
+	exit 1
+    fi
+
    qt $IPTABLES -t nat    -L -n && NAT_ENABLED=Yes    || NAT_ENABLED=
    qt $IPTABLES -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED=

@ -820,14 +827,16 @@ determine_capabilities() {
    LOGMARK_TARGET=
    IPMARK_TARGET=
    LOG_TARGET=Yes
+    PERSISTENT_SNAT=

    chain=fooX$$

-    [ -n "$IPTABLES" ] || IPTABLES=$(mywhich iptables)
-
-    if [ -z "$IPTABLES" ]; then
-	echo "   ERROR: No executable iptables binary can be found on your PATH" >&2
-	exit 1
+    if [ -n "$NAT_ENABLED" ]; then
+	if qt $IPTABLES -t nat -N $chain; then
+	    qt $IPTABLES -t nat -A $chain -j SNAT --to-source 1.2.3.4 --persistent && PERSISTENT_SNAT=Yes
+	    $IPTABLES -t nat -F $chain
+	    $IPTABLES -t nat -X $chain
+	fi
    fi

    qt $IPTABLES -F $chain
@ -1011,6 +1020,7 @@ report_capabilities() {
 	report_capability "LOGMARK Target" $LOGMARK_TARGET
 	report_capability "IPMARK Target" $IPMARK_TARGET
 	report_capability "LOG Target" $LOG_TARGET
+	report_capability "Persistent SNAT" $PERSISTENT_SNAT
    fi

    [ -n "$PKTTYPE" ] || USEPKTTYPE=
@ -1068,6 +1078,7 @@ report_capabilities1() {
    report_capability1 LOGMARK_TARGET
    report_capability1 IPMARK_TARGET
    report_capability1 LOG_TARGET
+    report_capability1 PERSISTENT_SNAT
    
    echo CAPVERSION=$SHOREWALL_CAPVERSION
 }
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@ -179,7 +179,13 @@ None.
    Example:

    #INTERFACE	SOURCE	   ADDRESS
-    eth0	0.0.0.0/0  206.124.146.177-206.124.146.179:persistent	
+    eth0	0.0.0.0/0  206.124.146.177-206.124.146.179:persistent
+
+    This feature requires Persistent SNAT support in your kernel and
+    iptables. 
+
+    If you use a capabilities file, you will need to create a new one
+    as a result of this feature.	

 ----------------------------------------------------------------------------
                 N E W   F E A T U R E S   I N   4 . 4
--- a/Shorewall6/lib.base
+++ b/Shorewall6/lib.base
@ -33,7 +33,7 @@
 #

 SHOREWALL_LIBVERSION=40300
-SHOREWALL_CAPVERSION=40310
+SHOREWALL_CAPVERSION=40401

 [ -n "${VARDIR:=/var/lib/shorewall6}" ]
 [ -n "${SHAREDIR:=/usr/share/shorewall6}" ]