Allow DETECT_DNAT_IPADDRS=Yes with -e

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3279 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2006-01-14 00:04:00 +00:00
parent 7ba6cf7200
commit ec9c3d3db9
3 changed files with 113 additions and 59 deletions


@ -5569,12 +5569,28 @@ add_nat_rule() {
addr= addr=
;; ;;
detect) detect)
addr= eval interfaces=\$${source}_interfaces
if [ -n "$DETECT_DNAT_IPADDRS" -a "$source" != "$FW" ]; then if [ -n "$DETECT_DNAT_IPADDRS" -a "$source" != "$FW" ]; then
eval interfaces=\$${source}_interfaces
for interface in $interfaces; do if [ $COMMAND = generate ]; then
addr=${addr:+$addr,}$(find_first_interface_address $interface) save_command ""
done if [ $(list_count1 $interfaces) -eq 1 ]; then
save_command "addr=\$(find_first_interface_address $interface)"
else
savecomment "addr="
for interface in $interfaces; do
cat >> $RESTOREBASE << __EOF__
addr="\$addr \$(find_first_interface_address $interface)"
__EOF__
done
fi
else
addr=
for interface in $interfaces; do
addr=${addr:+$addr,}$(find_first_interface_address $interface)
done
fi
fi fi
;; ;;
!*) !*)
@ -5641,9 +5657,19 @@ add_nat_rule() {
if [ -n "${excludesource}${excludedests}${excludezones}" ]; then if [ -n "${excludesource}${excludedests}${excludezones}" ]; then
build_exclusion_chain chain nat "$excludesource" $excludedests build_exclusion_chain chain nat "$excludesource" $excludedests
for adr in $(separate_list $addr); do if [ $addr = detect ]; then
addnatrule $(dnat_chain $source) $cli $proto $multiport $sports $dports $(dest_ip_range $adr) -j $chain ensurenatchain $(dnat_chain $source)
done
cat >> $RESTOREBASE << __EOF__
for adr in \$addr; do
$IPTABLES -t nat -A $(fix_bang $(dnat_chain $source) $cli $proto $multiport $sports $dports) -d \$adr -j $chain
__EOF__
else
for adr in $(separate_list $addr); do
addnatrule $(dnat_chain $source) $cli $proto $multiport $sports $dports $(dest_ip_range $adr) -j $chain
done
fi
for z in $(separate_list $excludezones); do for z in $(separate_list $excludezones); do
eval hosts=\$${z}_hosts eval hosts=\$${z}_hosts
@ -5659,16 +5685,35 @@ add_nat_rule() {
addnatrule $chain $ratelimit $proto -j $target1 # Protocol is necessary for port redirection addnatrule $chain $ratelimit $proto -j $target1 # Protocol is necessary for port redirection
else else
chain=$(dnat_chain $source) chain=$(dnat_chain $source)
for adr in $(separate_list $addr); do
if [ $addr = detect ]; then
ensurenatchain $chain
cat >> $RESTOREBASE << __EOF__
for adr in \$addr; do
__EOF__
if [ -n "$loglevel" ]; then if [ -n "$loglevel" ]; then
ensurenatchain $chain cat >> $RESTOREBASE << __EOF__
log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" -A -t nat \ log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" -A -t nat $(fix_bang $proto $cli $sports $multiport $dports) -d \$adr
$(fix_bang $proto $cli $sports $(dest_ip_range $adr) $multiport $dports) __EOF__
fi fi
addnatrule $chain $proto $ratelimit $cli $sports \ cat >> $RESTOREBASE << __EOF__
-d $adr $multiport $dports -j $target1 $IPTABLES -t nat -A $chain $(fix_bang $proto $ratelimit $cli $sports $multiport $dports) -d \$adr -j $target1
done __EOF__
else
for adr in $(separate_list $addr); do
if [ -n "$loglevel" ]; then
ensurenatchain $chain
log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" -A -t nat \
$(fix_bang $proto $cli $sports $(dest_ip_range $adr) $multiport $dports)
fi
addnatrule $chain $proto $ratelimit $cli $sports \
-d $adr $multiport $dports -j $target1
done
fi
fi fi
fi fi
fi fi
@ -5968,15 +6013,23 @@ process_rule() # $1 = target
for serv1 in $(separate_list $serv); do for serv1 in $(separate_list $serv); do
for srv in $(firewall_ip_range $serv1); do for srv in $(firewall_ip_range $serv1); do
if [ -n "$addr" -a -n "$CONNTRACK_MATCH" ]; then if [ -n "$addr" -a -n "$CONNTRACK_MATCH" ]; then
for adr in $(separate_list $addr); do if [ "$addr" = detect ]; then
if [ -n "$loglevel" -a -z "$natrule" ]; then cat >> $RESTOREBASE << __EOF__
log_rule_limit $loglevel $chain $logchain $logtarget "$ratelimit" "$logtag" -A -m conntrack --ctorigdst $adr \ $IPTABLES -A $chain $state $proto $ratelimit $multiport $cli $sports $(dest_ip_range $srv) $dports -m conntrack --ctorigdst \$adr $user -j $target
$user $(fix_bang $proto $sports $multiport $cli $(dest_ip_range $srv) $dports) $state done
fi
run_iptables2 -A $chain $state $proto $ratelimit $multiport $cli $sports \ __EOF__
$(dest_ip_range $srv) $dports -m conntrack --ctorigdst $adr $user -j $target else
done for adr in $(separate_list $addr); do
if [ -n "$loglevel" -a -z "$natrule" ]; then
log_rule_limit $loglevel $chain $logchain $logtarget "$ratelimit" "$logtag" -A -m conntrack --ctorigdst $adr \
$user $(fix_bang $proto $sports $multiport $cli $(dest_ip_range $srv) $dports) $state
fi
run_iptables2 -A $chain $state $proto $ratelimit $multiport $cli $sports \
$(dest_ip_range $srv) $dports -m conntrack --ctorigdst $adr $user -j $target
done
fi
else else
if [ -n "$loglevel" -a -z "$natrule" ]; then if [ -n "$loglevel" -a -z "$natrule" ]; then
log_rule_limit $loglevel $chain $logchain $logtarget "$ratelimit" "$logtag" -A $user \ log_rule_limit $loglevel $chain $logchain $logtarget "$ratelimit" "$logtag" -A $user \
@ -7143,25 +7196,6 @@ rules_chain() # $1 = source zone, $2 = destination zone
fi fi
} }
#
# echo the list of networks routed out of a given interface
#
get_routed_networks() # $1 = interface name
{
local address
local rest
ip route show dev $1 2> /dev/null |
while read address rest; do
if [ "x$address" = xdefault ]; then
error_message "WARNING: default route ignored on interface $1"
else
[ "$address" = "${address%/*}" ] && address="${address}/32"
echo $address
fi
done
}
# #
# Set up Routing # Set up Routing
# #
@ -7406,7 +7440,7 @@ setup_masq()
elif [ -n "$detectinterface" ]; then elif [ -n "$detectinterface" ]; then
cat >> $RESTOREBASE << __EOF__ cat >> $RESTOREBASE << __EOF__
networks ="\$(get_routed_networks $detectinterface)" networks="\$(get_routed_networks $detectinterface)"
[ -z "\$networks" ] && fatal_error "Unable to determine the routes through interface \"$detectinterface\"" [ -z "\$networks" ] && fatal_error "Unable to determine the routes through interface \"$detectinterface\""
@ -7444,7 +7478,7 @@ __EOF__
elif [ -n "$detectinterface" ]; then elif [ -n "$detectinterface" ]; then
cat >> $RESTOREBASE << __EOF__ cat >> $RESTOREBASE << __EOF__
networks ="\$(get_routed_networks $detectinterface)" networks="\$(get_routed_networks $detectinterface)"
[ -z "\$networks" ] && fatal_error "Unable to determine the routes through interface \"$detectinterface\"" [ -z "\$networks" ] && fatal_error "Unable to determine the routes through interface \"$detectinterface\""
@ -7529,7 +7563,7 @@ __EOF__
elif [ -n "$detectinterface" ]; then elif [ -n "$detectinterface" ]; then
cat >> $RESTOREBASE << __EOF__ cat >> $RESTOREBASE << __EOF__
networks ="\$(get_routed_networks $detectinterface)" networks="\$(get_routed_networks $detectinterface)"
[ -z "\$networks" ] && fatal_error "Unable to determine the routes through interface \"$detectinterface\"" [ -z "\$networks" ] && fatal_error "Unable to determine the routes through interface \"$detectinterface\""
@ -7537,7 +7571,7 @@ for network in \$networks; do
__EOF__ __EOF__
for destnet in $(separate_list $destnets); do for destnet in $(separate_list $destnets); do
cat >> $RESTOREBASE << __EOF__ cat >> $RESTOREBASE << __EOF__
$IPTABLES -t nat -A $CHAIN -s \$network $(dest_ip_range $destnet) $proto $ports $policy -j $target $addrlist $IPTABLES -t nat -A $chain -s \$network $(dest_ip_range $destnet) $proto $ports $policy -j $target $addrlist
__EOF__ __EOF__
done done
@ -9892,8 +9926,6 @@ do_initialize() {
ROUTE_FILTER=$(added_param_value_no ROUTE_FILTER $ROUTE_FILTER) ROUTE_FILTER=$(added_param_value_no ROUTE_FILTER $ROUTE_FILTER)
LOG_MARTIANS=$(added_param_value_no LOG_MARTIANS $LOG_MARTIANS) LOG_MARTIANS=$(added_param_value_no LOG_MARTIANS $LOG_MARTIANS)
DETECT_DNAT_IPADDRS=$(added_param_value_no DETECT_DNAT_IPADDRS $DETECT_DNAT_IPADDRS) DETECT_DNAT_IPADDRS=$(added_param_value_no DETECT_DNAT_IPADDRS $DETECT_DNAT_IPADDRS)
[ -n "$DETECT_DNAT_IPADDRS" -a -n "$EXPORT" ] && \
startup_error "DETECT_DNAT_IPADDRS=Yes not allowed with the -e run-line option"
FORWARDPING=$(added_param_value_no FORWARDPING $FORWARDPING) FORWARDPING=$(added_param_value_no FORWARDPING $FORWARDPING)
[ -n "$FORWARDPING" ] && \ [ -n "$FORWARDPING" ] && \
startup_error "FORWARDPING=Yes is no longer supported" startup_error "FORWARDPING=Yes is no longer supported"
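Review bot: The first hunk (`@ -5569`) no longer clears `addr` before testing DETECT_DNAT_IPADDRS, so when that option is off or the source is `$FW` the variable keeps the literal `detect`, and the new `= detect` branches in the later hunks then emit a runtime `for adr in \$addr; do` loop that nothing in the restore script populates; adding `else` / `addr=` to that outer `if`, just before the `fi` that closes it, restores the old behaviour while keeping `detect` as the marker in the generate path. In the single-interface generate branch, `save_command "addr=\$(find_first_interface_address $interface)"` reads `$interface` without the loop that assigns it, so unless add_nat_rule sets it earlier (its start is outside the hunk) this should be `$interfaces`. The new `if [ $addr = detect ]` tests at `@ -5641` and `@ -5659` are unquoted, and an arm above `detect)` sets `addr=` empty, so they degrade to `[ = detect ]` and print a test error before taking the else branch; quote them as the process_rule hunk does, `if [ "$addr" = detect ]; then`. The runtime loop opened in add_nat_rule appears to be closed only by the `done` written inside process_rule's CONNTRACK_MATCH branch; whether the `else` path there leaves the generated script with an unterminated `for` needs checking against code outside these hunks.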


@ -119,16 +119,20 @@ expandv() # $* = list of variable names
fix_bang() { fix_bang() {
local i; local i;
for i in $@; do if [ $COMMAND = generate ]; then
case $i in echo $@ | sed 's/!/! /g'
!*) else
echo "! ${i#!}" for i in $@; do
;; case $i in
*) !*)
echo $i echo "! ${i#!}"
;; ;;
esac *)
done echo $i
;;
esac
done
fi
} }
# #
@ -907,6 +911,25 @@ find_interface_addresses() # $1 = interface
ip -f inet addr show $1 | grep inet | sed 's/inet //;s/\/.*//;s/ peer.*//' ip -f inet addr show $1 | grep inet | sed 's/inet //;s/\/.*//;s/ peer.*//'
} }
#
# echo the list of networks routed out of a given interface
#
get_routed_networks() # $1 = interface name
{
local address
local rest
ip route show dev $1 2> /dev/null |
while read address rest; do
if [ "x$address" = xdefault ]; then
error_message "WARNING: default route ignored on interface $1"
else
[ "$address" = "${address%/*}" ] && address="${address}/32"
echo $address
fi
done
}
# #
# Internal version of 'which' # Internal version of 'which'
# #
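Review bot: fix_bang's new generate branch, `echo $@ | sed 's/!/! /g'`, rewrites every `!` in the joined argument string, while the loop it replaces only splits a `!` that leads a token, so the two branches diverge for any argument containing an embedded `!`; if callers guarantee that cannot happen, say so above the branch, `# generate: '!' only ever leads a token, so a global substitution is equivalent to the per-token loop`. The generate branch also prints the whole list on one line where the loop prints one token per line, which is only equivalent when callers consume the output through unquoted `$(fix_bang …)` word-splitting. The unquoted `$@` and `echo $i` predate this change, but a `*` in an argument is still glob-expanded against the current directory on both paths. A header comment stating the contract would help, since the function has none — something like "emit each argument with a leading `!` separated by a space, presumably so the generated iptables command receives negation as its own argument".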


@ -79,7 +79,6 @@ New Features:
1) The same version of Shorewall must be running on the remote system 1) The same version of Shorewall must be running on the remote system
2) The 'detectnets' interface option is not allowed. 2) The 'detectnets' interface option is not allowed.
3) DETECT_DNAT_ADDRS=Yes is not allowed.
b) If you have extension scripts, they may need modification. The scripts b) If you have extension scripts, they may need modification. The scripts
will be run at generation time, rather than when the generated script will be run at generation time, rather than when the generated script