extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2024-12-27 16:49:05 +01:00
Code Issues Packages Projects Releases Wiki Activity

Take care of oversights in the Stateless NAT implementation

Browse Source 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2011-08-16 14:10:07 -07:00
parent c597eb25fc
commit e5886abed1
1 changed files with 2 additions and 77 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

79
Shorewall/Perl/Shorewall/Nat.pm
View File

@ -442,6 +442,8 @@ sub setup_netmap() {
my $table = 'raw'; my $table = 'raw';
my @match = (); my @match = ();
require_capability 'RAWPOST_TABLE', 'Stateless NAT Entries', '';
unless ( $interfaceref->{root} ) { unless ( $interfaceref->{root} ) {
@match = imatch_dest_dev( $interface ); @match = imatch_dest_dev( $interface );
$interface = $interfaceref->{name}; $interface = $interfaceref->{name};
@ -485,83 +487,6 @@ sub setup_netmap() {
} }
#
# Setup Raw NAT
#
sub setup_rawnat() {
if ( my $fn = open_file 'rawnat' ) {
first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'RAWPOST_TABLE' , 'a non-empty rawnat file' , 's'; } );
while ( read_a_line ) {
my ( $type, $net1, $interfacelist, $net2, $net3 ) = split_line 4, 5, 'rawnat file';
validate_net $net1, 0;
validate_net $net2, 0;
$net3 = ALLIP if $net3 eq '-';
for my $interface ( split_list $interfacelist, 'interface' ) {
my @rulein;
my @ruleout;
my $iface = $interface;
fatal_error "Unknown interface ($interface)" unless my $interfaceref = known_interface( $interface );
unless ( $interfaceref->{root} ) {
@rulein = imatch_source_dev( $interface );
@ruleout = imatch_dest_dev( $interface );
$interface = $interfaceref->{name};
}
if ( $type =~ /^(DNAT|SNAT):([POT])$/ ) {
my ( $target , $chain ) = ( $1, $2 );
my $table = 'raw';
my $match = 'o';
if ( $chain eq 'P' ) {
$chain = prerouting_chain $interface;
$match = 'i';
} elsif ( $chain eq 'O' ) {
$chain = output_chain $interface;
} else {
$chain = postrouting_chain $interface;
$table = 'rawpost';
}
if ( $target eq 'DNAT' ) {
add_ijump( ensure_chain( $table, $chain ) ,
j => 'RAWDNAT',
targetopts => "--to-dest $net2",
imatch_source_net( $net3 ) ,
imatch_dest_net( $net1 ) ,
$match => $interface,
$interfaceref->{root} ? () : @rulein );
} else {
add_ijump( ensure_chain( $table, $chain ) ,
j => 'RAWSNAT',
targetopts => "--to-source $net2",
imatch_dest_net( $net3 ) ,
imatch_source_net( $net1 ) ,
$match => $interface,
$interfaceref->{root} ? () : @ruleout );
}
} else {
fatal_error "Invalid type ($type)";
}
progress_message " $net1 on $iface mapped to $net2 ($type)";
}
}
clear_comment;
}
}
sub add_addresses () { sub add_addresses () {
if ( @addresses_to_add ) { if ( @addresses_to_add ) {
my @addrs = @addresses_to_add; my @addrs = @addresses_to_add;