Add DNAT- action; 'shorewall check' prints policies

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@390 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2002-12-31 01:10:28 +00:00
parent 2565081ff9
commit 144c9ab576
4 changed files with 67 additions and 76 deletions

View File

@ -1,43 +1,6 @@
Changes since 1.3.11
Changes since 1.3.12
1. Fixed DNAT/REDIRECT bug with excluded sub-zones.
1. Added 'DNAT-' target.
2. "shorewall refresh" now refreshes the traffic shaping rules
2. Print policies in 'check' command.
3. Turned off debugging after error.
4. Removed drop of INVALID state output ICMP packets.
5. Replaced 'sed' invocation in separate_list() by shell code (speedup).
6. Replaced 'wc' invocation in list_count() by shell code (speedup)
7. Replaced 'sed' invocation in run_iptables() by shell code and
optomized (speedup)
8. Only read the interfaces file once (speedup)
9. Only read the policy file once (speedup)
10. Removed redundant function input_chains() (duplicate of first_chains())
11. Generated an error if 'lo' is defined in the interfaces file.
12. Clarified error message where ORIGINAL DEST is specified on an
ACCEPT, DROP or REJECT rule.
13. Added "shorewall show classifiers" command and added packet
classification filter display to "shorewall monitor"
14. Added an error message when the destination in a rule contained a
MAC address.
15. Added ULOG target support.
16. Add MARK_IN_FORWARD option.
17. General Cleanup for Release
18. Release changes and add init, start, stop and stopped files.
19. Add headings to NAT and Mangle tables in "shorewall status" output

View File

@ -833,6 +833,11 @@ validate_rule() {
target=ACCEPT
address=${address:=detect}
;;
DNAT-)
target=ACCEPT
address=${address:=detect}
logtarget=DNAT
;;
REDIRECT)
target=ACCEPT
address=${address:=all}
@ -983,6 +988,17 @@ validate_policy()
local zone1
local pc
local chain
local policy
local loglevel
local synparams
print_policy() # $1 = source zone, $2 = destination zone
{
[ $command != check ] || \
[ $1 = all ] || \
[ $2 = all ] || \
echo " Policy for $1 to $2 is $policy"
}
all_policy_chains=
@ -1048,27 +1064,34 @@ validate_policy()
for zone1 in $zones $FW all; do
eval pc=\$${zone}2${zone1}_policychain
[ -n "$pc" ] || \
if [ -z "$pc" ]; then
eval ${zone}2${zone1}_policychain=$chain
print_policy $zone $zone1
fi
done
done
else
for zone in $zones $FW all; do
eval pc=\$${zone}2${server}_policychain
[ -n "$pc" ] || \
if [ -z "$pc" ]; then
eval ${zone}2${server}_policychain=$chain
print_policy $zone $server
fi
done
fi
elif [ -n "$serverwild" ]; then
for zone in $zones $FW all; do
eval pc=\$${client}2${zone}_policychain
[ -n "$pc" ] || \
if [ -z "$pc" ]; then
eval ${client}2${zone}_policychain=$chain
print_policy $client $zone
fi
done
else
eval ${chain}_policychain=${chain}
print_policy $client $server
fi
done < $TMP_DIR/policy
@ -2152,7 +2175,7 @@ add_a_rule()
add_nat_rule
fi
if [ $chain != ${FW}2${FW} ]; then
if [ -z "$dnat_only" -a $chain != ${FW}2${FW} ]; then
serv="${serv:+-d $serv}"
if [ -n "$loglevel" ]; then
@ -2229,6 +2252,7 @@ process_rule() # $1 = target
fi
logtarget="$target"
dnat_only=
# Convert 1.3 Rule formats to 1.2 format
@ -2237,6 +2261,12 @@ process_rule() # $1 = target
target=ACCEPT
address=${address:=detect}
;;
DNAT-)
target=ACCEPT
address=${address:=detect}
dnat_only=Yes
logtarget=DNAT
;;
REDIRECT)
target=ACCEPT
address=${address:=all}
@ -2379,7 +2409,7 @@ process_rules() # $1 = name of rules file
while read xtarget xclients xservers xprotocol xports xcports xaddress; do
case "$xtarget" in
ACCEPT|ACCEPT:*|DROP|DROP:*|REJECT|REJECT:*|DNAT|DNAT:*|REDIRECT|REDIRECT:*)
ACCEPT|ACCEPT:*|DROP|DROP:*|REJECT|REJECT:*|DNAT|DNAT-|DNAT:*|DNAT-:*|REDIRECT|REDIRECT:*)
expandv xclients xservers xprotocol xports xcports xaddress
if [ "x$xclients" = xall ]; then

View File

@ -2,39 +2,33 @@ This is a minor release of Shorewall that has a couple of new features.
New features include:
1) "shorewall refresh" now reloads the traffic shaping rules (tcrules
and tcstart).
1) A new 'DNAT-' action has been added for entries in the
/etc/shorewall/rules file. DNAT- is intended for advanced users who
wish to minimize the number of rules that connection requests must
traverse.
2) "shorewall debug [re]start" now turns off debugging after an error
occurs. This places the point of the failure near the end of the
trace rather than up in the middle of it.
A Shorewall DNAT rule actually generates two iptables rules: an
address rewriting rule in the 'nat' table and an ACCEPT rule in the
'filter' table. A DNAT- rule only generates the first of these
rules. This is handy when you have several DNAT rules that would
generate the same ACCEPT rule.
3) "shorewall [re]start" has been speeded up by more than 40% with
my configuration. Your milage may vary.
Here are three rules from my previous rules file:
4) A "shorewall show classifiers" command has been added which shows
the current packet classification filters. The output from this
command is also added as a separate page in "shorewall monitor"
DNAT net dmz:206.124.146.177 tcp smtp - 206.124.146.178
DNAT net dmz:206.124.146.177 tcp smtp - 206.124.146.179
ACCEPT net dmz:206.124.146.177 tcp www,smtp,ftp,...
5) ULOG (must be all caps) is now accepted as a valid syslog level and
causes the subject packets to be logged using the ULOG target rather
than the LOG target. This allows you to run ulogd (available from
www.gnumonks.org/projects/ulogd) and log all Shorewall messages to
a separate log file.
These three rules ended up generating _three_ copies of
6) If you are running a kernel that has a FORWARD chain in the mangle
table ("shorewall show mangle" will show you the chains in the
mangle table), you can set MARK_IN_FORWARD=Yes in
shorewall.conf. This allows for marking inbound packets based on
their destination even when you are using Masquerading or SNAT.
ACCEPT net dmz:206.124.146.177 tcp smtp
7) I have cluttered up the /etc/shorewall directory with empty 'init',
'start', 'stop' and 'stopped' files. If you already have a file with
one of these names, don't worry -- the upgrade process won't
overwrite your file.
By writing the rules this way, I end up with only one copy of the
ACCEPT rule.
8) I have added a new RFC1918_LOG_LEVEL variable to
shorewall.conf. This variable specifies the syslog level at which
packets are logged as a result of entries in the
/etc/shorewall/rfc1918 file. Previously, these packets were always
logged at the 'info' level.
DNAT- net dmz:206.124.146.177 tcp smtp - 206.124.146.178
DNAT- net dmz:206.124.146.177 tcp smtp - 206.124.146.179
ACCEPT net dmz:206.124.146.177 tcp www,smtp,ftp,...
2) The 'shorewall check' command now prints out the applicable policy
between each pair of zones.

View File

@ -24,6 +24,10 @@
# DNAT -- Forward the request to another
# system (and optionally another
# port).
# DNAT- -- Advanced users only.
# Like DNAT but only generates the
# DNAT iptables rule and not
# the companion ACCEPT rule.
# REDIRECT -- Redirect the request to a local
# port on the firewall.
#