Add support for SAME target

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2051 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2005-04-12 20:37:11 +00:00
parent ca0daa689f
commit d5752af95d
5 changed files with 108 additions and 21 deletions


@ -13,6 +13,8 @@ Changes in 2.2.4
6) Allow startup options to be overridden in /etc/sysconfig/shorewall 6) Allow startup options to be overridden in /etc/sysconfig/shorewall
or /etc/default/shorewall. or /etc/default/shorewall.
7) Add support for SAME
Changes in 2.2.3 Changes in 2.2.3
1) Added the 'continue' extension script. 1) Added the 'continue' extension script.


@ -3832,7 +3832,14 @@ add_nat_rule() {
# Select target # Select target
if [ -n "$serv" ]; then if [ "$logtarget" = SAME ]; then
[ -n "$servport" ] && fatal_error "Port mapping not allowed in SAME rules"
serv1=
for srv in $(separate_list $serv); do
serv1="$serv1 --to ${srv}"
done
target1="SAME $serv1"
elif [ -n "$serv" ]; then
servport="${servport:+:$servport}" servport="${servport:+:$servport}"
serv1= serv1=
for srv in $(separate_list $serv); do for srv in $(separate_list $serv); do
@ -4095,9 +4102,9 @@ add_a_rule()
servport=${servport:=$port} servport=${servport:=$port}
natrule=Yes natrule=Yes
;; ;;
DNAT) DNAT|SAME)
[ -n "$serv" ] || \ [ -n "$serv" ] || \
fatal_error "DNAT rules require a server address; rule: \"$rule\"" fatal_error "$logtarget rules require a server address; rule: \"$rule\""
natrule=Yes natrule=Yes
;; ;;
LOG) LOG)
@ -4114,7 +4121,7 @@ add_a_rule()
if [ -n "$natrule" ]; then if [ -n "$natrule" ]; then
add_nat_rule add_nat_rule
elif [ -n "$addr" -a "$addr" != "$serv" ] || [ -n "$servport" -a "$servport" != "$port" ]; then elif [ -n "$addr" -a "$addr" != "$serv" ] || [ -n "$servport" -a "$servport" != "$port" ]; then
fatal_error "Only DNAT and REDIRECT rules may specify destination mapping; rule \"$rule\"" fatal_error "Only DNAT, SAME and REDIRECT rules may specify destination mapping; rule \"$rule\""
fi fi
if [ -z "$dnat_only" ]; then if [ -z "$dnat_only" ]; then
@ -4169,7 +4176,7 @@ add_a_rule()
[ -n "$addr" ] && fatal_error \ [ -n "$addr" ] && fatal_error \
"An ORIGINAL DESTINATION ($addr) is only allowed in" \ "An ORIGINAL DESTINATION ($addr) is only allowed in" \
" a DNAT or REDIRECT: \"$rule\"" " a DNAT, SAME or REDIRECT: \"$rule\""
if [ $COMMAND != check ]; then if [ $COMMAND != check ]; then
if [ -n "$loglevel" ]; then if [ -n "$loglevel" ]; then
@ -4319,7 +4326,7 @@ process_rule() # $1 = target
CONTINUE) CONTINUE)
target=RETURN target=RETURN
;; ;;
DNAT*) DNAT*|SAME*)
target=ACCEPT target=ACCEPT
address=${address:=detect} address=${address:=detect}
;; ;;
@ -4352,8 +4359,13 @@ process_rule() # $1 = target
excludezones="${clientzone#*!}" excludezones="${clientzone#*!}"
clientzone="${clientzone%!*}" clientzone="${clientzone%!*}"
[ "$logtarget" = DNAT ] || [ "$logtarget" = REDIRECT ] ||\ case $logtarget in
fatal_error "Exclude list only allowed with DNAT or REDIRECT" DNAT|REDIRECT|SAME)
;;
*)
fatal_error "Exclude list only allowed with DNAT, SAME or REDIRECT"
;;
esac
fi fi
validate_zone $clientzone || fatal_error "Undefined Client Zone in rule \"$rule\"" validate_zone $clientzone || fatal_error "Undefined Client Zone in rule \"$rule\""
@ -4416,7 +4428,7 @@ process_rule() # $1 = target
protocol=${protocol:=all} protocol=${protocol:=all}
case $logtarget in case $logtarget in
DNAT*) DNAT*|SAME)
if [ -n "$XMULTIPORT" ] && \ if [ -n "$XMULTIPORT" ] && \
! list_search $protocol "icmp" "ICMP" "1" && \ ! list_search $protocol "icmp" "ICMP" "1" && \
[ $(( $(list_count $ports) + $(list_count1 $(split $ports ) ) )) -le 16 -a \ [ $(( $(list_count $ports) + $(list_count1 $(split $ports ) ) )) -le 16 -a \
@ -4595,7 +4607,7 @@ process_rules()
expandv xtarget expandv xtarget
case "${xtarget%%:*}" in case "${xtarget%%:*}" in
ACCEPT|ACCEPT+|NONAT|DROP|REJECT|DNAT|DNAT-|REDIRECT|REDIRECT-|LOG|CONTINUE|QUEUE) ACCEPT|ACCEPT+|NONAT|DROP|REJECT|DNAT|DNAT-|REDIRECT|REDIRECT-|LOG|CONTINUE|QUEUE|SAME|SAME-)
do_it do_it
;; ;;
*) *)
@ -5146,6 +5158,8 @@ setup_masq()
[ "x$addresses" = x- ] && addresses= [ "x$addresses" = x- ] && addresses=
if [ -n "$addresses" -a -n "$add_snat_aliases" ]; then if [ -n "$addresses" -a -n "$add_snat_aliases" ]; then
for address in $(separate_list $addresses); do for address in $(separate_list $addresses); do
address=${address%:)} address=${address%:)}
@ -5292,17 +5306,35 @@ setup_masq()
target=MASQUERADE target=MASQUERADE
if [ -n "$addresses" ]; then if [ -n "$addresses" ]; then
for address in $(separate_list $addresses); do case "$addresses" in
case $address in SAME:nodst:*)
*.*.*.*) target="SAME --nodst"
target=SNAT addresses=${addresses#SAME:nodst:}
addrlist="$addrlist --to-source $address" for address in $(separate_list $addresses); do
;; addrlist="$addrlist --to $address";
*) done
addrlist="$addrlist --to-ports ${address#:}" ;;
;; SAME:*)
esac target="SAME"
done addresses=${addresses#SAME:}
for address in $(separate_list $addresses); do
addrlist="$addrlist --to $address";
done
;;
*)
for address in $(separate_list $addresses); do
case $address in
*.*.*.*)
target=SNAT
addrlist="$addrlist --to-source $address"
;;
*)
addrlist="$addrlist --to-ports ${address#:}"
;;
esac
done
;;
esac
fi fi
if [ -n "$networks" ]; then if [ -n "$networks" ]; then
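Review bot: The new `case $logtarget in DNAT*|SAME)` arm in the process_rule hunk (@ -4416) only matches a bare SAME, whereas the earlier arm in the same function uses `DNAT*|SAME*` and process_rules now accepts both SAME and SAME-; add_nat_rule's new `if [ "$logtarget" = SAME ]` test has the same shape. If $logtarget can still carry the trailing '-' at those points, a SAME- rule would skip the multiport handling that DNAT- receives and, in add_nat_rule, would fall through to the `elif [ -n "$serv" ]` branch and be emitted as a DNAT target with port mapping permitted, which the SAME branch explicitly forbids. Unless the '-' is stripped before these checks (not visible in the hunks), align them with the first arm: `DNAT*|SAME*)` in process_rule and `if [ "${logtarget%-}" = SAME ]; then` in add_nat_rule. The masq hunk's two SAME arms also pass each list item straight to `--to` without the `*.*.*.*` check the SNAT arm does, so a `:port-range` entry would reach iptables unvalidated. The enclosing functions add_nat_rule, process_rule and setup_masq all start and end outside these hunks.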


@ -86,6 +86,20 @@
# 192.0.2.4:5000-6000 # 192.0.2.4:5000-6000
# :4000-5000 # :4000-5000
# #
# You can invoke the SAME target using the
# following in this column:
#
# SAME:[nodst:]<address-range>[,<address-range>...]
#
# The <address-ranges> may be single addresses.
#
# SAME works like SNAT with the exception that the
# same local IP address is assigned to each connection
# from a local address to a given remote address. If
# the 'nodst:' option is included, then the same source
# address is used for a given internal system regardless
# of which remote system is involved.
#
# If you want to leave this column empty # If you want to leave this column empty
# but you need to specify the next column then # but you need to specify the next column then
# place a hyphen ("-") here. # place a hyphen ("-") here.


@ -98,6 +98,35 @@ New Features in version 2.2.4
OPTIONS="" OPTIONS=""
4) Shorewall now has support for the SAME target. This change affects
the /etc/shorewall/masq and /etc/shorewall/rules file.
SAME is useful when you specify multiple target IP addresses (in the
ADDRESSES column of /etc/shorewall/masq or in the DEST column of
/etc/shorewall/rules).
If you use normal SNAT then multiple connections from a given local
host to hosts on the internet can be assigned different source IP
addresses. This confuses some applications that use multiple
connections. To correct this problem, prefix the list of address
ranges in the ADDRESS column with "SAME:"
Example: SAME:206.124.146.176-206.124.146.180
If you want each internal system to use the same IP address from the
list regardless of which internet host it is talking to then prefix
the rages with "SAME:nodst:".
Example: SAME:nodst:206.124.146.176-206.124.146.180
Note that it is not possible to map port numbers when using SAME.
In the rules file, when multiple connections from an internet host
match a SAME rule then all of the connections will be sent to the
same internal server. SAME rules are very similar to DNAT rules with
the keyword SAME replacing DNAT. As in the masq file, changing the
port number is not supported.
----------------------------------------------------------------------- -----------------------------------------------------------------------
Problems corrected in version 2.2.3 Problems corrected in version 2.2.3


@ -42,6 +42,16 @@
# Like DNAT but only generates the # Like DNAT but only generates the
# DNAT iptables rule and not # DNAT iptables rule and not
# the companion ACCEPT rule. # the companion ACCEPT rule.
# SAME -- Similar to DNAT except that the
# port may not be remapped and when
# multiple server addresses are
# listed, all requests from a given
# remote system go to the same
# server.
# SAME- -- Advanced users only.
# Like SAME but only generates the
# NAT iptables rule and not
# the companion ACCEPT rule.
# REDIRECT -- Redirect the request to a local # REDIRECT -- Redirect the request to a local
# port on the firewall. # port on the firewall.
# REDIRECT- # REDIRECT-