forked from extern/shorewall_code
Add DNAT- action; 'shorewall check' prints policies
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@390 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
2565081ff9
commit
144c9ab576
@ -1,43 +1,6 @@
|
||||
Changes since 1.3.11
|
||||
Changes since 1.3.12
|
||||
|
||||
1. Fixed DNAT/REDIRECT bug with excluded sub-zones.
|
||||
1. Added 'DNAT-' target.
|
||||
|
||||
2. "shorewall refresh" now refreshes the traffic shaping rules
|
||||
2. Print policies in 'check' command.
|
||||
|
||||
3. Turned off debugging after error.
|
||||
|
||||
4. Removed drop of INVALID state output ICMP packets.
|
||||
|
||||
5. Replaced 'sed' invocation in separate_list() by shell code (speedup).
|
||||
|
||||
6. Replaced 'wc' invocation in list_count() by shell code (speedup)
|
||||
|
||||
7. Replaced 'sed' invocation in run_iptables() by shell code and
|
||||
optomized (speedup)
|
||||
|
||||
8. Only read the interfaces file once (speedup)
|
||||
|
||||
9. Only read the policy file once (speedup)
|
||||
|
||||
10. Removed redundant function input_chains() (duplicate of first_chains())
|
||||
|
||||
11. Generated an error if 'lo' is defined in the interfaces file.
|
||||
|
||||
12. Clarified error message where ORIGINAL DEST is specified on an
|
||||
ACCEPT, DROP or REJECT rule.
|
||||
|
||||
13. Added "shorewall show classifiers" command and added packet
|
||||
classification filter display to "shorewall monitor"
|
||||
|
||||
14. Added an error message when the destination in a rule contained a
|
||||
MAC address.
|
||||
|
||||
15. Added ULOG target support.
|
||||
|
||||
16. Add MARK_IN_FORWARD option.
|
||||
|
||||
17. General Cleanup for Release
|
||||
|
||||
18. Release changes and add init, start, stop and stopped files.
|
||||
|
||||
19. Add headings to NAT and Mangle tables in "shorewall status" output
|
||||
|
@ -833,6 +833,11 @@ validate_rule() {
|
||||
target=ACCEPT
|
||||
address=${address:=detect}
|
||||
;;
|
||||
DNAT-)
|
||||
target=ACCEPT
|
||||
address=${address:=detect}
|
||||
logtarget=DNAT
|
||||
;;
|
||||
REDIRECT)
|
||||
target=ACCEPT
|
||||
address=${address:=all}
|
||||
@ -983,6 +988,17 @@ validate_policy()
|
||||
local zone1
|
||||
local pc
|
||||
local chain
|
||||
local policy
|
||||
local loglevel
|
||||
local synparams
|
||||
|
||||
print_policy() # $1 = source zone, $2 = destination zone
|
||||
{
|
||||
[ $command != check ] || \
|
||||
[ $1 = all ] || \
|
||||
[ $2 = all ] || \
|
||||
echo " Policy for $1 to $2 is $policy"
|
||||
}
|
||||
|
||||
all_policy_chains=
|
||||
|
||||
@ -1048,27 +1064,34 @@ validate_policy()
|
||||
for zone1 in $zones $FW all; do
|
||||
eval pc=\$${zone}2${zone1}_policychain
|
||||
|
||||
[ -n "$pc" ] || \
|
||||
if [ -z "$pc" ]; then
|
||||
eval ${zone}2${zone1}_policychain=$chain
|
||||
print_policy $zone $zone1
|
||||
fi
|
||||
done
|
||||
done
|
||||
else
|
||||
for zone in $zones $FW all; do
|
||||
eval pc=\$${zone}2${server}_policychain
|
||||
|
||||
[ -n "$pc" ] || \
|
||||
if [ -z "$pc" ]; then
|
||||
eval ${zone}2${server}_policychain=$chain
|
||||
print_policy $zone $server
|
||||
fi
|
||||
done
|
||||
fi
|
||||
elif [ -n "$serverwild" ]; then
|
||||
for zone in $zones $FW all; do
|
||||
eval pc=\$${client}2${zone}_policychain
|
||||
|
||||
[ -n "$pc" ] || \
|
||||
if [ -z "$pc" ]; then
|
||||
eval ${client}2${zone}_policychain=$chain
|
||||
print_policy $client $zone
|
||||
fi
|
||||
done
|
||||
else
|
||||
eval ${chain}_policychain=${chain}
|
||||
print_policy $client $server
|
||||
fi
|
||||
|
||||
done < $TMP_DIR/policy
|
||||
@ -2152,7 +2175,7 @@ add_a_rule()
|
||||
add_nat_rule
|
||||
fi
|
||||
|
||||
if [ $chain != ${FW}2${FW} ]; then
|
||||
if [ -z "$dnat_only" -a $chain != ${FW}2${FW} ]; then
|
||||
serv="${serv:+-d $serv}"
|
||||
|
||||
if [ -n "$loglevel" ]; then
|
||||
@ -2229,6 +2252,7 @@ process_rule() # $1 = target
|
||||
fi
|
||||
|
||||
logtarget="$target"
|
||||
dnat_only=
|
||||
|
||||
# Convert 1.3 Rule formats to 1.2 format
|
||||
|
||||
@ -2237,6 +2261,12 @@ process_rule() # $1 = target
|
||||
target=ACCEPT
|
||||
address=${address:=detect}
|
||||
;;
|
||||
DNAT-)
|
||||
target=ACCEPT
|
||||
address=${address:=detect}
|
||||
dnat_only=Yes
|
||||
logtarget=DNAT
|
||||
;;
|
||||
REDIRECT)
|
||||
target=ACCEPT
|
||||
address=${address:=all}
|
||||
@ -2379,7 +2409,7 @@ process_rules() # $1 = name of rules file
|
||||
while read xtarget xclients xservers xprotocol xports xcports xaddress; do
|
||||
case "$xtarget" in
|
||||
|
||||
ACCEPT|ACCEPT:*|DROP|DROP:*|REJECT|REJECT:*|DNAT|DNAT:*|REDIRECT|REDIRECT:*)
|
||||
ACCEPT|ACCEPT:*|DROP|DROP:*|REJECT|REJECT:*|DNAT|DNAT-|DNAT:*|DNAT-:*|REDIRECT|REDIRECT:*)
|
||||
expandv xclients xservers xprotocol xports xcports xaddress
|
||||
|
||||
if [ "x$xclients" = xall ]; then
|
||||
|
@ -2,39 +2,33 @@ This is a minor release of Shorewall that has a couple of new features.
|
||||
|
||||
New features include:
|
||||
|
||||
1) "shorewall refresh" now reloads the traffic shaping rules (tcrules
|
||||
and tcstart).
|
||||
1) A new 'DNAT-' action has been added for entries in the
|
||||
/etc/shorewall/rules file. DNAT- is intended for advanced users who
|
||||
wish to minimize the number of rules that connection requests must
|
||||
traverse.
|
||||
|
||||
2) "shorewall debug [re]start" now turns off debugging after an error
|
||||
occurs. This places the point of the failure near the end of the
|
||||
trace rather than up in the middle of it.
|
||||
A Shorewall DNAT rule actually generates two iptables rules: an
|
||||
address rewriting rule in the 'nat' table and an ACCEPT rule in the
|
||||
'filter' table. A DNAT- rule only generates the first of these
|
||||
rules. This is handy when you have several DNAT rules that would
|
||||
generate the same ACCEPT rule.
|
||||
|
||||
3) "shorewall [re]start" has been speeded up by more than 40% with
|
||||
my configuration. Your milage may vary.
|
||||
Here are three rules from my previous rules file:
|
||||
|
||||
4) A "shorewall show classifiers" command has been added which shows
|
||||
the current packet classification filters. The output from this
|
||||
command is also added as a separate page in "shorewall monitor"
|
||||
DNAT net dmz:206.124.146.177 tcp smtp - 206.124.146.178
|
||||
DNAT net dmz:206.124.146.177 tcp smtp - 206.124.146.179
|
||||
ACCEPT net dmz:206.124.146.177 tcp www,smtp,ftp,...
|
||||
|
||||
5) ULOG (must be all caps) is now accepted as a valid syslog level and
|
||||
causes the subject packets to be logged using the ULOG target rather
|
||||
than the LOG target. This allows you to run ulogd (available from
|
||||
www.gnumonks.org/projects/ulogd) and log all Shorewall messages to
|
||||
a separate log file.
|
||||
These three rules ended up generating _three_ copies of
|
||||
|
||||
6) If you are running a kernel that has a FORWARD chain in the mangle
|
||||
table ("shorewall show mangle" will show you the chains in the
|
||||
mangle table), you can set MARK_IN_FORWARD=Yes in
|
||||
shorewall.conf. This allows for marking inbound packets based on
|
||||
their destination even when you are using Masquerading or SNAT.
|
||||
ACCEPT net dmz:206.124.146.177 tcp smtp
|
||||
|
||||
7) I have cluttered up the /etc/shorewall directory with empty 'init',
|
||||
'start', 'stop' and 'stopped' files. If you already have a file with
|
||||
one of these names, don't worry -- the upgrade process won't
|
||||
overwrite your file.
|
||||
By writing the rules this way, I end up with only one copy of the
|
||||
ACCEPT rule.
|
||||
|
||||
8) I have added a new RFC1918_LOG_LEVEL variable to
|
||||
shorewall.conf. This variable specifies the syslog level at which
|
||||
packets are logged as a result of entries in the
|
||||
/etc/shorewall/rfc1918 file. Previously, these packets were always
|
||||
logged at the 'info' level.
|
||||
DNAT- net dmz:206.124.146.177 tcp smtp - 206.124.146.178
|
||||
DNAT- net dmz:206.124.146.177 tcp smtp - 206.124.146.179
|
||||
ACCEPT net dmz:206.124.146.177 tcp www,smtp,ftp,...
|
||||
|
||||
2) The 'shorewall check' command now prints out the applicable policy
|
||||
between each pair of zones.
|
||||
|
@ -24,6 +24,10 @@
|
||||
# DNAT -- Forward the request to another
|
||||
# system (and optionally another
|
||||
# port).
|
||||
# DNAT- -- Advanced users only.
|
||||
# Like DNAT but only generates the
|
||||
# DNAT iptables rule and not
|
||||
# the companion ACCEPT rule.
|
||||
# REDIRECT -- Redirect the request to a local
|
||||
# port on the firewall.
|
||||
#
|
||||
|
Loading…
Reference in New Issue
Block a user