Add support for SAME target
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2051 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
ca0daa689f
commit
d5752af95d
@ -13,6 +13,8 @@ Changes in 2.2.4
|
|||||||
6) Allow startup options to be overridden in /etc/sysconfig/shorewall
|
6) Allow startup options to be overridden in /etc/sysconfig/shorewall
|
||||||
or /etc/default/shorewall.
|
or /etc/default/shorewall.
|
||||||
|
|
||||||
|
7) Add support for SAME
|
||||||
|
|
||||||
Changes in 2.2.3
|
Changes in 2.2.3
|
||||||
|
|
||||||
1) Added the 'continue' extension script.
|
1) Added the 'continue' extension script.
|
||||||
|
@ -3832,7 +3832,14 @@ add_nat_rule() {
|
|||||||
|
|
||||||
# Select target
|
# Select target
|
||||||
|
|
||||||
if [ -n "$serv" ]; then
|
if [ "$logtarget" = SAME ]; then
|
||||||
|
[ -n "$servport" ] && fatal_error "Port mapping not allowed in SAME rules"
|
||||||
|
serv1=
|
||||||
|
for srv in $(separate_list $serv); do
|
||||||
|
serv1="$serv1 --to ${srv}"
|
||||||
|
done
|
||||||
|
target1="SAME $serv1"
|
||||||
|
elif [ -n "$serv" ]; then
|
||||||
servport="${servport:+:$servport}"
|
servport="${servport:+:$servport}"
|
||||||
serv1=
|
serv1=
|
||||||
for srv in $(separate_list $serv); do
|
for srv in $(separate_list $serv); do
|
||||||
@ -4095,9 +4102,9 @@ add_a_rule()
|
|||||||
servport=${servport:=$port}
|
servport=${servport:=$port}
|
||||||
natrule=Yes
|
natrule=Yes
|
||||||
;;
|
;;
|
||||||
DNAT)
|
DNAT|SAME)
|
||||||
[ -n "$serv" ] || \
|
[ -n "$serv" ] || \
|
||||||
fatal_error "DNAT rules require a server address; rule: \"$rule\""
|
fatal_error "$logtarget rules require a server address; rule: \"$rule\""
|
||||||
natrule=Yes
|
natrule=Yes
|
||||||
;;
|
;;
|
||||||
LOG)
|
LOG)
|
||||||
@ -4114,7 +4121,7 @@ add_a_rule()
|
|||||||
if [ -n "$natrule" ]; then
|
if [ -n "$natrule" ]; then
|
||||||
add_nat_rule
|
add_nat_rule
|
||||||
elif [ -n "$addr" -a "$addr" != "$serv" ] || [ -n "$servport" -a "$servport" != "$port" ]; then
|
elif [ -n "$addr" -a "$addr" != "$serv" ] || [ -n "$servport" -a "$servport" != "$port" ]; then
|
||||||
fatal_error "Only DNAT and REDIRECT rules may specify destination mapping; rule \"$rule\""
|
fatal_error "Only DNAT, SAME and REDIRECT rules may specify destination mapping; rule \"$rule\""
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ -z "$dnat_only" ]; then
|
if [ -z "$dnat_only" ]; then
|
||||||
@ -4169,7 +4176,7 @@ add_a_rule()
|
|||||||
|
|
||||||
[ -n "$addr" ] && fatal_error \
|
[ -n "$addr" ] && fatal_error \
|
||||||
"An ORIGINAL DESTINATION ($addr) is only allowed in" \
|
"An ORIGINAL DESTINATION ($addr) is only allowed in" \
|
||||||
" a DNAT or REDIRECT: \"$rule\""
|
" a DNAT, SAME or REDIRECT: \"$rule\""
|
||||||
|
|
||||||
if [ $COMMAND != check ]; then
|
if [ $COMMAND != check ]; then
|
||||||
if [ -n "$loglevel" ]; then
|
if [ -n "$loglevel" ]; then
|
||||||
@ -4319,7 +4326,7 @@ process_rule() # $1 = target
|
|||||||
CONTINUE)
|
CONTINUE)
|
||||||
target=RETURN
|
target=RETURN
|
||||||
;;
|
;;
|
||||||
DNAT*)
|
DNAT*|SAME*)
|
||||||
target=ACCEPT
|
target=ACCEPT
|
||||||
address=${address:=detect}
|
address=${address:=detect}
|
||||||
;;
|
;;
|
||||||
@ -4352,8 +4359,13 @@ process_rule() # $1 = target
|
|||||||
excludezones="${clientzone#*!}"
|
excludezones="${clientzone#*!}"
|
||||||
clientzone="${clientzone%!*}"
|
clientzone="${clientzone%!*}"
|
||||||
|
|
||||||
[ "$logtarget" = DNAT ] || [ "$logtarget" = REDIRECT ] ||\
|
case $logtarget in
|
||||||
fatal_error "Exclude list only allowed with DNAT or REDIRECT"
|
DNAT|REDIRECT|SAME)
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
fatal_error "Exclude list only allowed with DNAT, SAME or REDIRECT"
|
||||||
|
;;
|
||||||
|
esac
|
||||||
fi
|
fi
|
||||||
|
|
||||||
validate_zone $clientzone || fatal_error "Undefined Client Zone in rule \"$rule\""
|
validate_zone $clientzone || fatal_error "Undefined Client Zone in rule \"$rule\""
|
||||||
@ -4416,7 +4428,7 @@ process_rule() # $1 = target
|
|||||||
protocol=${protocol:=all}
|
protocol=${protocol:=all}
|
||||||
|
|
||||||
case $logtarget in
|
case $logtarget in
|
||||||
DNAT*)
|
DNAT*|SAME)
|
||||||
if [ -n "$XMULTIPORT" ] && \
|
if [ -n "$XMULTIPORT" ] && \
|
||||||
! list_search $protocol "icmp" "ICMP" "1" && \
|
! list_search $protocol "icmp" "ICMP" "1" && \
|
||||||
[ $(( $(list_count $ports) + $(list_count1 $(split $ports ) ) )) -le 16 -a \
|
[ $(( $(list_count $ports) + $(list_count1 $(split $ports ) ) )) -le 16 -a \
|
||||||
@ -4595,7 +4607,7 @@ process_rules()
|
|||||||
expandv xtarget
|
expandv xtarget
|
||||||
|
|
||||||
case "${xtarget%%:*}" in
|
case "${xtarget%%:*}" in
|
||||||
ACCEPT|ACCEPT+|NONAT|DROP|REJECT|DNAT|DNAT-|REDIRECT|REDIRECT-|LOG|CONTINUE|QUEUE)
|
ACCEPT|ACCEPT+|NONAT|DROP|REJECT|DNAT|DNAT-|REDIRECT|REDIRECT-|LOG|CONTINUE|QUEUE|SAME|SAME-)
|
||||||
do_it
|
do_it
|
||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
@ -5146,6 +5158,8 @@ setup_masq()
|
|||||||
|
|
||||||
[ "x$addresses" = x- ] && addresses=
|
[ "x$addresses" = x- ] && addresses=
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
if [ -n "$addresses" -a -n "$add_snat_aliases" ]; then
|
if [ -n "$addresses" -a -n "$add_snat_aliases" ]; then
|
||||||
for address in $(separate_list $addresses); do
|
for address in $(separate_list $addresses); do
|
||||||
address=${address%:)}
|
address=${address%:)}
|
||||||
@ -5292,17 +5306,35 @@ setup_masq()
|
|||||||
target=MASQUERADE
|
target=MASQUERADE
|
||||||
|
|
||||||
if [ -n "$addresses" ]; then
|
if [ -n "$addresses" ]; then
|
||||||
for address in $(separate_list $addresses); do
|
case "$addresses" in
|
||||||
case $address in
|
SAME:nodst:*)
|
||||||
*.*.*.*)
|
target="SAME --nodst"
|
||||||
target=SNAT
|
addresses=${addresses#SAME:nodst:}
|
||||||
addrlist="$addrlist --to-source $address"
|
for address in $(separate_list $addresses); do
|
||||||
;;
|
addrlist="$addrlist --to $address";
|
||||||
*)
|
done
|
||||||
addrlist="$addrlist --to-ports ${address#:}"
|
;;
|
||||||
;;
|
SAME:*)
|
||||||
esac
|
target="SAME"
|
||||||
done
|
addresses=${addresses#SAME:}
|
||||||
|
for address in $(separate_list $addresses); do
|
||||||
|
addrlist="$addrlist --to $address";
|
||||||
|
done
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
for address in $(separate_list $addresses); do
|
||||||
|
case $address in
|
||||||
|
*.*.*.*)
|
||||||
|
target=SNAT
|
||||||
|
addrlist="$addrlist --to-source $address"
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
addrlist="$addrlist --to-ports ${address#:}"
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
done
|
||||||
|
;;
|
||||||
|
esac
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ -n "$networks" ]; then
|
if [ -n "$networks" ]; then
|
||||||
|
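Review bot: In the `@ -5292` setup_masq() hunk the `SAME:`/`SAME:nodst:` prefix is removed from `$addresses` only inside the new `case`, yet the ADD_SNAT_ALIASES loop shown as context in the `@ -5146` hunk already iterates `$(separate_list $addresses)` earlier in the same function, so when add_snat_aliases is set its first element appears to be the literal `SAME:nodst:<first-range>` rather than an address. The two SAME arms also take whatever follows the prefix unchecked: `SAME:` alone produces a bare `SAME` target with no `--to`, and a `:port` element is emitted as `--to :port`, whereas the rules-file path in add_nat_rule (`@ -3832` hunk) rejects that with `fatal_error "Port mapping not allowed in SAME rules"`, so the masq path should fail at compile time the same way rather than handing the bad arguments to iptables. Stripping the prefix before the alias loop and validating each range as below would close both gaps and lets the duplicated `for` loop in the two SAME arms collapse into one. A smaller inconsistency: process_rule matches `DNAT*|SAME*` in the `@ -4319` hunk but `DNAT*|SAME` in the `@ -4416` one, so if `$logtarget` can still carry a trailing `-` there, SAME- rules would skip the multiport handling — worth confirming which form is intended. setup_masq() starts and ends outside these hunks.
```shell
if [ -n "$addresses" ]; then
    case "$addresses" in
        SAME:nodst:*)
            target="SAME --nodst"
            addresses=${addresses#SAME:nodst:}
            ;;
        SAME:*)
            target=SAME
            addresses=${addresses#SAME:}
            ;;
    esac

    case $target in
        SAME*)
            # SAME takes address ranges only; an empty list or a :port entry is a config error
            [ -n "$addresses" ] || fatal_error "SAME requires at least one address range"
            for address in $(separate_list $addresses); do
                case $address in
                    *:*)
                        fatal_error "Port mapping not allowed with SAME: $address"
                        ;;
                esac
                addrlist="$addrlist --to $address"
            done
            ;;
        *)
            # … unchanged: SNAT / --to-ports loop …
            ;;
    esac
fi
```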
@ -86,6 +86,20 @@
|
|||||||
# 192.0.2.4:5000-6000
|
# 192.0.2.4:5000-6000
|
||||||
# :4000-5000
|
# :4000-5000
|
||||||
#
|
#
|
||||||
|
# You can invoke the SAME target using the
|
||||||
|
# following in this column:
|
||||||
|
#
|
||||||
|
# SAME:[nodst:]<address-range>[,<address-range>...]
|
||||||
|
#
|
||||||
|
# The <address-ranges> may be single addresses.
|
||||||
|
#
|
||||||
|
# SAME works like SNAT with the exception that the
|
||||||
|
# same local IP address is assigned to each connection
|
||||||
|
# from a local address to a given remote address. If
|
||||||
|
# the 'nodst:' option is included, then the same source
|
||||||
|
# address is used for a given internal system regardless
|
||||||
|
# of which remote system is involved.
|
||||||
|
#
|
||||||
# If you want to leave this column empty
|
# If you want to leave this column empty
|
||||||
# but you need to specify the next column then
|
# but you need to specify the next column then
|
||||||
# place a hyphen ("-") here.
|
# place a hyphen ("-") here.
|
||||||
|
@ -98,6 +98,35 @@ New Features in version 2.2.4
|
|||||||
|
|
||||||
OPTIONS=""
|
OPTIONS=""
|
||||||
|
|
||||||
|
4) Shorewall now has support for the SAME target. This change affects
|
||||||
|
the /etc/shorewall/masq and /etc/shorewall/rules file.
|
||||||
|
|
||||||
|
SAME is useful when you specify multiple target IP addresses (in the
|
||||||
|
ADDRESSES column of /etc/shorewall/masq or in the DEST column of
|
||||||
|
/etc/shorewall/rules).
|
||||||
|
|
||||||
|
If you use normal SNAT then multiple connections from a given local
|
||||||
|
host to hosts on the internet can be assigned different source IP
|
||||||
|
addresses. This confuses some applications that use multiple
|
||||||
|
connections. To correct this problem, prefix the list of address
|
||||||
|
ranges in the ADDRESS column with "SAME:"
|
||||||
|
|
||||||
|
Example: SAME:206.124.146.176-206.124.146.180
|
||||||
|
|
||||||
|
If you want each internal system to use the same IP address from the
|
||||||
|
list regardless of which internet host it is talking to then prefix
|
||||||
|
the rages with "SAME:nodst:".
|
||||||
|
|
||||||
|
Example: SAME:nodst:206.124.146.176-206.124.146.180
|
||||||
|
|
||||||
|
Note that it is not possible to map port numbers when using SAME.
|
||||||
|
|
||||||
|
In the rules file, when multiple connections from an internet host
|
||||||
|
match a SAME rule then all of the connections will be sent to the
|
||||||
|
same internal server. SAME rules are very similar to DNAT rules with
|
||||||
|
the keyword SAME replacing DNAT. As in the masq file, changing the
|
||||||
|
port number is not supported.
|
||||||
|
|
||||||
-----------------------------------------------------------------------
|
-----------------------------------------------------------------------
|
||||||
Problems corrected in version 2.2.3
|
Problems corrected in version 2.2.3
|
||||||
|
|
||||||
|
@ -42,6 +42,16 @@
|
|||||||
# Like DNAT but only generates the
|
# Like DNAT but only generates the
|
||||||
# DNAT iptables rule and not
|
# DNAT iptables rule and not
|
||||||
# the companion ACCEPT rule.
|
# the companion ACCEPT rule.
|
||||||
|
# SAME -- Similar to DNAT except that the
|
||||||
|
# port may not be remapped and when
|
||||||
|
# multiple server addresses are
|
||||||
|
# listed, all requests from a given
|
||||||
|
# remote system go to the same
|
||||||
|
# server.
|
||||||
|
# SAME- -- Advanced users only.
|
||||||
|
# Like SAME but only generates the
|
||||||
|
# NAT iptables rule and not
|
||||||
|
# the companion ACCEPT rule.
|
||||||
# REDIRECT -- Redirect the request to a local
|
# REDIRECT -- Redirect the request to a local
|
||||||
# port on the firewall.
|
# port on the firewall.
|
||||||
# REDIRECT-
|
# REDIRECT-
|
||||||
|