Generate warning for zone names beginning with digit; pretty up add_a_rule()

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2110 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2024-11-24 08:33:40 +01:00 · 2005-05-14 00:30:03 +00:00 · 2005-05-14 00:30:03 +00:00 · d12d88afcd
commit d12d88afcd
parent 9350da941e
3 changed files with 60 additions and 22 deletions
--- a/Shorewall2/firewall
+++ b/Shorewall2/firewall
@ -4288,8 +4288,8 @@ add_a_rule()

 	    if [ -n "$natrule" ]; then
 		add_nat_rule
-	    elif [ -n "$addr" -a "$addr" != "$serv" ] || [ -n "$servport" -a "$servport" != "$port" ]; then
-		fatal_error "Only DNAT, SAME and REDIRECT rules may specify destination mapping; rule \"$rule\""
+	    elif [ -n "$servport" -a "$servport" != "$port" ]; then
+		fatal_error "Only DNAT, SAME and REDIRECT rules may specify destination port mapping; rule \"$rule\""
 	    fi

 	    if [ -z "$dnat_only" ]; then
@ -4312,13 +4312,15 @@ add_a_rule()
 					$(fix_bang $proto $sports $multiport $cli $(dest_ip_range $srv) $dports)
 				fi
 				
-				[ -n "$nonat" ] && \
+				if [ -n "$nonat" ]; then
 				    addnatrule $(dnat_chain $source) $proto $multiport \
 				        $cli $sports $(dest_ip_range $srv) $dports $ratelimit $userandgroup -j RETURN
-
-				[ "$logtarget" != NONAT ] && \
+				fi
+				
+				if [ "$logtarget" != NONAT ]; then
 				    run_iptables2 -A $chain $proto $multiport $cli $sports \
 					$(dest_ip_range $srv) $dports $ratelimit $userandgroup -j $target
+				fi
 			    fi
 			done
 		    done
@ -4342,24 +4344,43 @@ add_a_rule()

 	# Destination is a simple zone

-	[ -n "$addr" ] && fatal_error \
-	    "An ORIGINAL DESTINATION ($addr) is only allowed in" \
-	    " a DNAT, SAME or REDIRECT: \"$rule\""
-
 	if [ $COMMAND != check ]; then
-	    if [ -n "$loglevel" ]; then
-		log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" -A $userandgroup \
-		    $(fix_bang $proto $multiport $cli $dest_interface $sports $dports)
-	    fi
+	    if [ -n "$addr" ]; then
+		for adr in $(separate_list $addr); do
+		    if [ -n "$loglevel" ]; then
+			log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" -A $userandgroup \
+			    $(fix_bang $proto $multiport $cli $dest_interface $sports $dports -m conntrack --ctorigdst $adr)
+		    fi

-	    if [ "$logtarget" != LOG ]; then
-		[ -n "$nonat" ] && \
-		    addnatrule $(dnat_chain $source) $proto $multiport \
-		       $cli $sports $dports $ratelimit $userandgroup -j RETURN
+		    if [ "$logtarget" != LOG ]; then
+			if [ -n "$nonat" ]; then
+			    addnatrule $(dnat_chain $source) $proto $multiport \
+			        $cli $sports $dports $ratelimit $userandgroup  -m conntrack --ctorigdst $adr -j RETURN
+			fi
+			
+			if [ "$logtarget" != NONAT ]; then
+			    run_iptables2 -A $chain $proto $multiport $cli $dest_interface \
+				$sports $dports $ratelimit $userandgroup  -m conntrack --ctorigdst $adr -j $target
+			fi
+		    fi
+		done
+	    else
+		if [ -n "$loglevel" ]; then
+		    log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" -A $userandgroup \
+			$(fix_bang $proto $multiport $cli $dest_interface $sports $dports)
+		fi

-		[ "$logtarget" != NONAT ] && \
-		    run_iptables2 -A $chain $proto $multiport $cli $dest_interface \
-			$sports $dports $ratelimit $userandgroup -j $target
+		if [ "$logtarget" != LOG ]; then
+		    if [ -n "$nonat" ]; then
+			addnatrule $(dnat_chain $source) $proto $multiport \
+			    $cli $sports $dports $ratelimit $userandgroup -j RETURN
+		    fi
+
+		    if [ "$logtarget" != NONAT ]; then
+			run_iptables2 -A $chain $proto $multiport $cli $dest_interface \
+			    $sports $dports $ratelimit $userandgroup -j $target
+		    fi
+		fi
 	    fi
 	fi
    fi
--- a/Shorewall2/functions
+++ b/Shorewall2/functions
@ -269,6 +269,9 @@ find_zones() # $1 = name of the zone file
 {
    while read zone display comments; do
 	[ -n "$zone" ] && case "$zone" in
+	    [0-9*])
+                echo "   Warning: Illegal zone name \"$zone\" in zones file ignored" 2>&2
+		;;
 	    \#*)
 		;;
            $FW|all|none)
--- a/Shorewall2/rules
+++ b/Shorewall2/rules
@ -263,8 +263,8 @@
 #			Otherwise, a separate rule will be generated for each
 #			port.
 #
-#	ORIGINAL DEST	(0ptional -- only allowed if ACTION is DNAT[-] or
-#                       REDIRECT[-]) If included and different from the IP
+#	ORIGINAL DEST	(0ptional) -- If ACTION is DNAT[-] or REDIRECT[-] then 
+#			if included and different from the IP
 #			address given in the SERVER column, this is an address
 #			on some interface on the firewall and connections to
 #			that address will be forwarded to the IP and port
@ -280,6 +280,20 @@
 #			destination address in the connection request does not
 #			match any of the addresses listed.
 #
+#			For other actions, this column may be included and may
+#			contain one or more addresses (host or network)
+#			separated by commas. Address ranges are not allowed.
+#                       When this column is supplied, rules are generated
+#                       that require that the original destination address matches
+#                       one of the listed addresses. This feature is most useful when
+#                       you want to generate a filter rule that corresponds to a 
+#		        DNAT- or REDIRECT- rule. In this usage, the list of
+#			addresses should not begin with "!".
+#
+#			See http://shorewall.net/PortKnocking.html for an 
+#			example of using an entry in this column with a
+#			user-defined action rule.		
+#
 #	RATE LIMIT	You may rate-limit the rule by placing a value in 
 #			this colume:
 #