Add DNAT- action; 'shorewall check' prints policies

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@390 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2002-12-31 01:10:28 +00:00 · 2002-12-31 01:10:28 +00:00 · 144c9ab576
commit 144c9ab576
parent 2565081ff9
4 changed files with 67 additions and 76 deletions
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@ -1,43 +1,6 @@
-Changes since 1.3.11
+Changes since 1.3.12

-1. Fixed DNAT/REDIRECT bug with excluded sub-zones.
+1. Added 'DNAT-' target.

-2. "shorewall refresh" now refreshes the traffic shaping rules
+2. Print policies in 'check' command.

-3. Turned off debugging after error.
-
-4. Removed drop of INVALID state output ICMP packets. 
-
-5. Replaced 'sed' invocation in separate_list() by shell code (speedup).
-
-6. Replaced 'wc' invocation in list_count() by shell code (speedup)
-
-7. Replaced 'sed' invocation in run_iptables() by shell code and
-   optomized (speedup)
-
-8. Only read the interfaces file once (speedup)
-
-9. Only read the policy file once (speedup)
-
-10. Removed redundant function input_chains() (duplicate of first_chains()) 
-
-11. Generated an error if 'lo' is defined in the interfaces file.
-
-12. Clarified error message where ORIGINAL DEST is specified on an
-    ACCEPT, DROP or REJECT rule.
-
-13. Added "shorewall show classifiers" command and added packet
-    classification filter display to "shorewall monitor"
-
-14. Added an error message when the destination in a rule contained a
-    MAC address.
-
-15. Added ULOG target support.
- 
-16. Add MARK_IN_FORWARD option.
-
-17. General Cleanup for Release
-
-18. Release changes and add init, start, stop and stopped files.
-
-19. Add headings to NAT and Mangle tables in "shorewall status" output
--- a/Shorewall/firewall
+++ b/Shorewall/firewall
@ -833,6 +833,11 @@ validate_rule() {
 	target=ACCEPT
 	address=${address:=detect}
 	;;
+    DNAT-)
+	target=ACCEPT
+	address=${address:=detect}
+	logtarget=DNAT
+	;;
    REDIRECT)
 	target=ACCEPT
 	address=${address:=all}
@ -983,6 +988,17 @@ validate_policy()
    local zone1
    local pc
    local chain
+    local policy
+    local loglevel
+    local synparams
+
+    print_policy() # $1 = source zone, $2 = destination zone
+    {
+	[ $command != check ] || \
+	    [ $1 = all ] || \
+	    [ $2 = all ] || \
+	    echo "   Policy for $1 to $2 is $policy"
+    }

    all_policy_chains=

@ -1048,27 +1064,34 @@ validate_policy()
 		    for zone1 in $zones $FW all; do
 			eval pc=\$${zone}2${zone1}_policychain

-			[ -n "$pc" ] || \
+			if [ -z "$pc" ]; then
 			    eval ${zone}2${zone1}_policychain=$chain
+			    print_policy $zone $zone1
+			fi
 		    done
 		done
 	    else
 		for zone in $zones $FW all; do
 		    eval pc=\$${zone}2${server}_policychain
 		    
-		    [ -n "$pc" ] || \
+		    if [ -z "$pc" ]; then
 			eval ${zone}2${server}_policychain=$chain
+			print_policy $zone $server
+		    fi
 		done
 	    fi
 	elif [ -n "$serverwild" ]; then
 	    for zone in $zones $FW all; do
 		eval pc=\$${client}2${zone}_policychain
 		    
-		    [ -n "$pc" ] || \
-			eval ${client}2${zone}_policychain=$chain
+		    if [ -z "$pc" ]; then
+			eval ${client}2${zone}_policychain=$chain 
+			print_policy $client $zone
+		    fi
 	    done
 	else
 	    eval ${chain}_policychain=${chain}
+	    print_policy $client $server
 	fi	    

    done < $TMP_DIR/policy
@ -2152,7 +2175,7 @@ add_a_rule()
 	    add_nat_rule
 	fi

-	if [ $chain != ${FW}2${FW} ]; then
+	if [ -z "$dnat_only" -a $chain != ${FW}2${FW} ]; then
 	    serv="${serv:+-d $serv}"

 	    if [ -n "$loglevel" ]; then
@ -2229,6 +2252,7 @@ process_rule() # $1 = target
    fi

    logtarget="$target"
+    dnat_only=

    # Convert 1.3 Rule formats to 1.2 format

@ -2237,6 +2261,12 @@ process_rule() # $1 = target
 	target=ACCEPT
 	address=${address:=detect}
 	;;
+    DNAT-)
+	target=ACCEPT
+	address=${address:=detect}
+	dnat_only=Yes
+	logtarget=DNAT
+	;;
    REDIRECT)
 	target=ACCEPT
 	address=${address:=all}
@ -2379,7 +2409,7 @@ process_rules() # $1 = name of rules file
    while read xtarget xclients xservers xprotocol xports xcports xaddress; do
 	case "$xtarget" in

-	    ACCEPT|ACCEPT:*|DROP|DROP:*|REJECT|REJECT:*|DNAT|DNAT:*|REDIRECT|REDIRECT:*)
+	    ACCEPT|ACCEPT:*|DROP|DROP:*|REJECT|REJECT:*|DNAT|DNAT-|DNAT:*|DNAT-:*|REDIRECT|REDIRECT:*)
 		expandv xclients xservers xprotocol xports xcports xaddress

 		if [ "x$xclients" = xall ]; then
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@ -2,39 +2,33 @@ This is a minor release of Shorewall that has a couple of new features.

 New features include:

-1) "shorewall refresh" now reloads the traffic shaping rules (tcrules
-   and tcstart).
+1) A new 'DNAT-' action has been added for entries in the
+   /etc/shorewall/rules file. DNAT- is intended for advanced users who
+   wish to minimize the number of rules that connection requests must
+   traverse.
+   
+   A Shorewall DNAT rule actually generates two iptables rules: an
+   address rewriting rule in the 'nat' table and an ACCEPT rule in the
+   'filter' table. A DNAT- rule only generates the first of these
+   rules. This is handy when you have several DNAT rules that would
+   generate the same ACCEPT rule.

-2) "shorewall debug [re]start" now turns off debugging after an error
-   occurs. This places the point of the failure near the end of the
-   trace rather than up in the middle of it.
+   Here are three rules from my previous rules file:
+   
+	DNAT   net  dmz:206.124.146.177 tcp smtp - 206.124.146.178
+	DNAT   net  dmz:206.124.146.177 tcp smtp - 206.124.146.179
+	ACCEPT net  dmz:206.124.146.177 tcp www,smtp,ftp,...

-3) "shorewall [re]start" has been speeded up by more than 40% with
-   my configuration. Your milage may vary. 
+   These three rules ended up generating _three_ copies of 

-4) A "shorewall show classifiers" command has been added which shows
-   the current packet classification filters. The output from this
-   command is also added as a separate page in "shorewall monitor"
+	 ACCEPT net  dmz:206.124.146.177 tcp smtp

-5) ULOG (must be all caps) is now accepted as a valid syslog level and
-   causes the subject packets to be logged using the ULOG target rather
-   than the LOG target. This allows you to run ulogd (available from
-   www.gnumonks.org/projects/ulogd) and log all Shorewall messages to
-   a separate log file.
+   By writing the rules this way, I end up with only one copy of the
+   ACCEPT rule.

-6) If you are running a kernel that has a FORWARD chain in the mangle
-   table ("shorewall show mangle" will show you the chains in the
-   mangle table), you can set MARK_IN_FORWARD=Yes in
-   shorewall.conf. This allows for marking inbound packets based on
-   their destination even when you are using Masquerading or SNAT.
+	DNAT-  net  dmz:206.124.146.177 tcp smtp -  206.124.146.178
+	DNAT-  net  dmz:206.124.146.177 tcp smtp -  206.124.146.179
+	ACCEPT net  dmz:206.124.146.177 tcp www,smtp,ftp,...

-7) I have cluttered up the /etc/shorewall directory with empty 'init',
-   'start', 'stop' and 'stopped' files. If you already have a file with
-   one of these names, don't worry -- the upgrade process won't
-   overwrite your file.
-
-8) I have added a new RFC1918_LOG_LEVEL variable to
-   shorewall.conf. This variable specifies the syslog level at which
-   packets are logged as a result of entries in the
-   /etc/shorewall/rfc1918 file. Previously, these packets were always
-   logged at the 'info' level.
+2) The 'shorewall check' command now prints out the applicable policy
+   between each pair of zones.
--- a/Shorewall/rules
+++ b/Shorewall/rules
@ -24,6 +24,10 @@
 #				DNAT     -- Forward the request to another
 #					    system (and optionally another
 #					    port).
+#				DNAT-    -- Advanced users only. 
+#					    Like DNAT but only generates the
+#					    DNAT iptables rule and not
+#					    the companion ACCEPT rule.
 #				REDIRECT -- Redirect the request to a local
 #					    port on the firewall.
 #