Add DNAT- action; 'shorewall check' prints policies

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@390 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2002-12-31 01:10:28 +00:00
parent 2565081ff9
commit 144c9ab576
4 changed files with 67 additions and 76 deletions


@ -1,43 +1,6 @@
Changes since 1.3.11 Changes since 1.3.12
1. Fixed DNAT/REDIRECT bug with excluded sub-zones. 1. Added 'DNAT-' target.
2. "shorewall refresh" now refreshes the traffic shaping rules 2. Print policies in 'check' command.
3. Turned off debugging after error.
4. Removed drop of INVALID state output ICMP packets.
5. Replaced 'sed' invocation in separate_list() by shell code (speedup).
6. Replaced 'wc' invocation in list_count() by shell code (speedup)
7. Replaced 'sed' invocation in run_iptables() by shell code and
optomized (speedup)
8. Only read the interfaces file once (speedup)
9. Only read the policy file once (speedup)
10. Removed redundant function input_chains() (duplicate of first_chains())
11. Generated an error if 'lo' is defined in the interfaces file.
12. Clarified error message where ORIGINAL DEST is specified on an
ACCEPT, DROP or REJECT rule.
13. Added "shorewall show classifiers" command and added packet
classification filter display to "shorewall monitor"
14. Added an error message when the destination in a rule contained a
MAC address.
15. Added ULOG target support.
16. Add MARK_IN_FORWARD option.
17. General Cleanup for Release
18. Release changes and add init, start, stop and stopped files.
19. Add headings to NAT and Mangle tables in "shorewall status" output
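Review bot: the new "Changes since 1.3.12" entry calls DNAT- a "target" while the commit message and the release notes text in this same commit call it an "action", and the rules file comment uses neither word; pick one term and use it in all three places so a user searching the docs for DNAT- finds the same name everywhere.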


@ -833,6 +833,11 @@ validate_rule() {
target=ACCEPT target=ACCEPT
address=${address:=detect} address=${address:=detect}
;; ;;
DNAT-)
target=ACCEPT
address=${address:=detect}
logtarget=DNAT
;;
REDIRECT) REDIRECT)
target=ACCEPT target=ACCEPT
address=${address:=all} address=${address:=all}
@ -983,6 +988,17 @@ validate_policy()
local zone1 local zone1
local pc local pc
local chain local chain
local policy
local loglevel
local synparams
print_policy() # $1 = source zone, $2 = destination zone
{
[ $command != check ] || \
[ $1 = all ] || \
[ $2 = all ] || \
echo " Policy for $1 to $2 is $policy"
}
all_policy_chains= all_policy_chains=
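Review bot: print_policy reports only $policy, so "shorewall check" cannot tell DROP from DROP:info even though loglevel (and synparams) are now locals of this function; print the level when it is set, e.g. `echo " Policy for $1 to $2 is $policy${loglevel:+:$loglevel}"`. A minor style point: the function is redefined inside validate_policy on every call; the usual shell practice is to define it once at file scope next to the other helpers.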
@ -1048,27 +1064,34 @@ validate_policy()
for zone1 in $zones $FW all; do for zone1 in $zones $FW all; do
eval pc=\$${zone}2${zone1}_policychain eval pc=\$${zone}2${zone1}_policychain
[ -n "$pc" ] || \ if [ -z "$pc" ]; then
eval ${zone}2${zone1}_policychain=$chain eval ${zone}2${zone1}_policychain=$chain
print_policy $zone $zone1
fi
done done
done done
else else
for zone in $zones $FW all; do for zone in $zones $FW all; do
eval pc=\$${zone}2${server}_policychain eval pc=\$${zone}2${server}_policychain
[ -n "$pc" ] || \ if [ -z "$pc" ]; then
eval ${zone}2${server}_policychain=$chain eval ${zone}2${server}_policychain=$chain
print_policy $zone $server
fi
done done
fi fi
elif [ -n "$serverwild" ]; then elif [ -n "$serverwild" ]; then
for zone in $zones $FW all; do for zone in $zones $FW all; do
eval pc=\$${client}2${zone}_policychain eval pc=\$${client}2${zone}_policychain
[ -n "$pc" ] || \ if [ -z "$pc" ]; then
eval ${client}2${zone}_policychain=$chain eval ${client}2${zone}_policychain=$chain
print_policy $client $zone
fi
done done
else else
eval ${chain}_policychain=${chain} eval ${chain}_policychain=${chain}
print_policy $client $server
fi fi
done < $TMP_DIR/policy done < $TMP_DIR/policy
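Review bot: in the final else branch (explicit client to server entry) the policy chain is assigned unconditionally and print_policy runs every time, whereas the three wildcard branches only assign and print when no chain has been set yet; a policy file with two explicit entries for the same pair will therefore print two "Policy for ..." lines and silently keep the last one, unless a duplicate check exists earlier in this loop outside the hunk. Either mirror the `if [ -z "$pc" ]` guard here or report the duplicate as an error so that "check" makes the conflict visible rather than hiding it.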
@ -2152,7 +2175,7 @@ add_a_rule()
add_nat_rule add_nat_rule
fi fi
if [ $chain != ${FW}2${FW} ]; then if [ -z "$dnat_only" -a $chain != ${FW}2${FW} ]; then
serv="${serv:+-d $serv}" serv="${serv:+-d $serv}"
if [ -n "$loglevel" ]; then if [ -n "$loglevel" ]; then
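Review bot: the only logging path visible in add_a_rule is the `if [ -n "$loglevel" ]` block, which now sits inside the `-z "$dnat_only"` guard, so a rule written as `DNAT-:info` passes the parser (the process_rules case pattern in this patch admits `DNAT-:*`) but never emits a LOG rule unless add_nat_rule logs on its own; either reject a log level on DNAT- in validate_rule with a clear message or document that the level is ignored for DNAT- rules.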
@ -2229,6 +2252,7 @@ process_rule() # $1 = target
fi fi
logtarget="$target" logtarget="$target"
dnat_only=
# Convert 1.3 Rule formats to 1.2 format # Convert 1.3 Rule formats to 1.2 format
@ -2237,6 +2261,12 @@ process_rule() # $1 = target
target=ACCEPT target=ACCEPT
address=${address:=detect} address=${address:=detect}
;; ;;
DNAT-)
target=ACCEPT
address=${address:=detect}
dnat_only=Yes
logtarget=DNAT
;;
REDIRECT) REDIRECT)
target=ACCEPT target=ACCEPT
address=${address:=all} address=${address:=all}
@ -2379,7 +2409,7 @@ process_rules() # $1 = name of rules file
while read xtarget xclients xservers xprotocol xports xcports xaddress; do while read xtarget xclients xservers xprotocol xports xcports xaddress; do
case "$xtarget" in case "$xtarget" in
ACCEPT|ACCEPT:*|DROP|DROP:*|REJECT|REJECT:*|DNAT|DNAT:*|REDIRECT|REDIRECT:*) ACCEPT|ACCEPT:*|DROP|DROP:*|REJECT|REJECT:*|DNAT|DNAT-|DNAT:*|DNAT-:*|REDIRECT|REDIRECT:*)
expandv xclients xservers xprotocol xports xcports xaddress expandv xclients xservers xprotocol xports xcports xaddress
if [ "x$xclients" = xall ]; then if [ "x$xclients" = xall ]; then


@ -2,39 +2,33 @@ This is a minor release of Shorewall that has a couple of new features.
New features include: New features include:
1) "shorewall refresh" now reloads the traffic shaping rules (tcrules 1) A new 'DNAT-' action has been added for entries in the
and tcstart). /etc/shorewall/rules file. DNAT- is intended for advanced users who
wish to minimize the number of rules that connection requests must
traverse.
A Shorewall DNAT rule actually generates two iptables rules: an
address rewriting rule in the 'nat' table and an ACCEPT rule in the
'filter' table. A DNAT- rule only generates the first of these
rules. This is handy when you have several DNAT rules that would
generate the same ACCEPT rule.
2) "shorewall debug [re]start" now turns off debugging after an error Here are three rules from my previous rules file:
occurs. This places the point of the failure near the end of the
trace rather than up in the middle of it. DNAT net dmz:206.124.146.177 tcp smtp - 206.124.146.178
DNAT net dmz:206.124.146.177 tcp smtp - 206.124.146.179
ACCEPT net dmz:206.124.146.177 tcp www,smtp,ftp,...
3) "shorewall [re]start" has been speeded up by more than 40% with These three rules ended up generating _three_ copies of
my configuration. Your milage may vary.
4) A "shorewall show classifiers" command has been added which shows ACCEPT net dmz:206.124.146.177 tcp smtp
the current packet classification filters. The output from this
command is also added as a separate page in "shorewall monitor"
5) ULOG (must be all caps) is now accepted as a valid syslog level and By writing the rules this way, I end up with only one copy of the
causes the subject packets to be logged using the ULOG target rather ACCEPT rule.
than the LOG target. This allows you to run ulogd (available from
www.gnumonks.org/projects/ulogd) and log all Shorewall messages to
a separate log file.
6) If you are running a kernel that has a FORWARD chain in the mangle DNAT- net dmz:206.124.146.177 tcp smtp - 206.124.146.178
table ("shorewall show mangle" will show you the chains in the DNAT- net dmz:206.124.146.177 tcp smtp - 206.124.146.179
mangle table), you can set MARK_IN_FORWARD=Yes in ACCEPT net dmz:206.124.146.177 tcp www,smtp,ftp,...
shorewall.conf. This allows for marking inbound packets based on
their destination even when you are using Masquerading or SNAT.
7) I have cluttered up the /etc/shorewall directory with empty 'init', 2) The 'shorewall check' command now prints out the applicable policy
'start', 'stop' and 'stopped' files. If you already have a file with between each pair of zones.
one of these names, don't worry -- the upgrade process won't
overwrite your file.
8) I have added a new RFC1918_LOG_LEVEL variable to
shorewall.conf. This variable specifies the syslog level at which
packets are logged as a result of entries in the
/etc/shorewall/rfc1918 file. Previously, these packets were always
logged at the 'info' level.
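Review bot: the DNAT- paragraph should say outright that the user must now supply the companion ACCEPT rule themselves, because without it the rewritten request falls through to the policy for that zone pair; the worked example implies this but the explanatory text before it does not state it. Also "milage" should read "mileage".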


@ -24,6 +24,10 @@
# DNAT -- Forward the request to another # DNAT -- Forward the request to another
# system (and optionally another # system (and optionally another
# port). # port).
# DNAT- -- Advanced users only.
# Like DNAT but only generates the
# DNAT iptables rule and not
# the companion ACCEPT rule.
# REDIRECT -- Redirect the request to a local # REDIRECT -- Redirect the request to a local
# port on the firewall. # port on the firewall.
# #
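Review bot: the rules file comment is what people read while writing rules, so it should state that the matching ACCEPT rule is the user's responsibility (one ACCEPT can cover several DNAT- entries) and, since the parser in this patch accepts a `:loglevel` suffix on DNAT-, either say what the level does for a DNAT- rule or say that it is not supported.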