Generate warning for zone names beginning with digit; pretty up add_a_rule()

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2110 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2005-05-14 00:30:03 +00:00
parent 9350da941e
commit d12d88afcd
3 changed files with 60 additions and 22 deletions

View File

@ -4288,8 +4288,8 @@ add_a_rule()
if [ -n "$natrule" ]; then if [ -n "$natrule" ]; then
add_nat_rule add_nat_rule
elif [ -n "$addr" -a "$addr" != "$serv" ] || [ -n "$servport" -a "$servport" != "$port" ]; then elif [ -n "$servport" -a "$servport" != "$port" ]; then
fatal_error "Only DNAT, SAME and REDIRECT rules may specify destination mapping; rule \"$rule\"" fatal_error "Only DNAT, SAME and REDIRECT rules may specify destination port mapping; rule \"$rule\""
fi fi
if [ -z "$dnat_only" ]; then if [ -z "$dnat_only" ]; then
@ -4312,14 +4312,16 @@ add_a_rule()
$(fix_bang $proto $sports $multiport $cli $(dest_ip_range $srv) $dports) $(fix_bang $proto $sports $multiport $cli $(dest_ip_range $srv) $dports)
fi fi
[ -n "$nonat" ] && \ if [ -n "$nonat" ]; then
addnatrule $(dnat_chain $source) $proto $multiport \ addnatrule $(dnat_chain $source) $proto $multiport \
$cli $sports $(dest_ip_range $srv) $dports $ratelimit $userandgroup -j RETURN $cli $sports $(dest_ip_range $srv) $dports $ratelimit $userandgroup -j RETURN
fi
[ "$logtarget" != NONAT ] && \ if [ "$logtarget" != NONAT ]; then
run_iptables2 -A $chain $proto $multiport $cli $sports \ run_iptables2 -A $chain $proto $multiport $cli $sports \
$(dest_ip_range $srv) $dports $ratelimit $userandgroup -j $target $(dest_ip_range $srv) $dports $ratelimit $userandgroup -j $target
fi fi
fi
done done
done done
else else
@ -4342,27 +4344,46 @@ add_a_rule()
# Destination is a simple zone # Destination is a simple zone
[ -n "$addr" ] && fatal_error \
"An ORIGINAL DESTINATION ($addr) is only allowed in" \
" a DNAT, SAME or REDIRECT: \"$rule\""
if [ $COMMAND != check ]; then if [ $COMMAND != check ]; then
if [ -n "$addr" ]; then
for adr in $(separate_list $addr); do
if [ -n "$loglevel" ]; then
log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" -A $userandgroup \
$(fix_bang $proto $multiport $cli $dest_interface $sports $dports -m conntrack --ctorigdst $adr)
fi
if [ "$logtarget" != LOG ]; then
if [ -n "$nonat" ]; then
addnatrule $(dnat_chain $source) $proto $multiport \
$cli $sports $dports $ratelimit $userandgroup -m conntrack --ctorigdst $adr -j RETURN
fi
if [ "$logtarget" != NONAT ]; then
run_iptables2 -A $chain $proto $multiport $cli $dest_interface \
$sports $dports $ratelimit $userandgroup -m conntrack --ctorigdst $adr -j $target
fi
fi
done
else
if [ -n "$loglevel" ]; then if [ -n "$loglevel" ]; then
log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" -A $userandgroup \ log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" -A $userandgroup \
$(fix_bang $proto $multiport $cli $dest_interface $sports $dports) $(fix_bang $proto $multiport $cli $dest_interface $sports $dports)
fi fi
if [ "$logtarget" != LOG ]; then if [ "$logtarget" != LOG ]; then
[ -n "$nonat" ] && \ if [ -n "$nonat" ]; then
addnatrule $(dnat_chain $source) $proto $multiport \ addnatrule $(dnat_chain $source) $proto $multiport \
$cli $sports $dports $ratelimit $userandgroup -j RETURN $cli $sports $dports $ratelimit $userandgroup -j RETURN
fi
[ "$logtarget" != NONAT ] && \ if [ "$logtarget" != NONAT ]; then
run_iptables2 -A $chain $proto $multiport $cli $dest_interface \ run_iptables2 -A $chain $proto $multiport $cli $dest_interface \
$sports $dports $ratelimit $userandgroup -j $target $sports $dports $ratelimit $userandgroup -j $target
fi fi
fi fi
fi fi
fi
fi
} }
# #

View File

@ -269,6 +269,9 @@ find_zones() # $1 = name of the zone file
{ {
while read zone display comments; do while read zone display comments; do
[ -n "$zone" ] && case "$zone" in [ -n "$zone" ] && case "$zone" in
[0-9*])
echo " Warning: Illegal zone name \"$zone\" in zones file ignored" 2>&2
;;
\#*) \#*)
;; ;;
$FW|all|none) $FW|all|none)

View File

@ -263,8 +263,8 @@
# Otherwise, a separate rule will be generated for each # Otherwise, a separate rule will be generated for each
# port. # port.
# #
# ORIGINAL DEST (0ptional -- only allowed if ACTION is DNAT[-] or # ORIGINAL DEST (0ptional) -- If ACTION is DNAT[-] or REDIRECT[-] then
# REDIRECT[-]) If included and different from the IP # if included and different from the IP
# address given in the SERVER column, this is an address # address given in the SERVER column, this is an address
# on some interface on the firewall and connections to # on some interface on the firewall and connections to
# that address will be forwarded to the IP and port # that address will be forwarded to the IP and port
@ -280,6 +280,20 @@
# destination address in the connection request does not # destination address in the connection request does not
# match any of the addresses listed. # match any of the addresses listed.
# #
# For other actions, this column may be included and may
# contain one or more addresses (host or network)
# separated by commas. Address ranges are not allowed.
# When this column is supplied, rules are generated
# that require that the original destination address matches
# one of the listed addresses. This feature is most useful when
# you want to generate a filter rule that corresponds to a
# DNAT- or REDIRECT- rule. In this usage, the list of
# addresses should not begin with "!".
#
# See http://shorewall.net/PortKnocking.html for an
# example of using an entry in this column with a
# user-defined action rule.
#
# RATE LIMIT You may rate-limit the rule by placing a value in # RATE LIMIT You may rate-limit the rule by placing a value in
# this colume: # this colume:
# #