Clarify PORT columns in /etc/shorewall/routes
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2127 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
08a3c1d95d
commit
2279aa7f0f
@ -1008,6 +1008,8 @@ validate_interfaces_file() {
|
||||
|
||||
for option in $options; do
|
||||
case $option in
|
||||
-)
|
||||
;;
|
||||
dhcp|norfc1918|nobogons|tcpflags|newnotsyn|arp_filter|routefilter|logmartians|sourceroute|blacklist|proxyarp|maclist|nosmurfs|upnp|-)
|
||||
;;
|
||||
detectnets)
|
||||
@ -1017,15 +1019,21 @@ validate_interfaces_file() {
|
||||
routeback)
|
||||
[ -n "$z" ] || startup_error "The routeback option may not be specified on a multi-zone interface"
|
||||
;;
|
||||
mark=*)
|
||||
[ -n "$ROUTE_TARGET" ] || \
|
||||
startup_error "Interface marks require ROUTE Target support in your kernel and iptables: $option"
|
||||
eval ${iface}_mark=${option#*=}
|
||||
MARK_INTERFACES="$MARK_INTERFACES $interface"
|
||||
;;
|
||||
*)
|
||||
error_message "Warning: Invalid option ($option) in record \"$r\""
|
||||
;;
|
||||
esac
|
||||
done
|
||||
|
||||
[ -z "$ALL_INTERFACES" ] && startup_error "No Interfaces Defined"
|
||||
|
||||
done < $TMP_DIR/interfaces
|
||||
|
||||
[ -z "$ALL_INTERFACES" ] && startup_error "No Interfaces Defined"
|
||||
}
|
||||
|
||||
#
|
||||
@ -6048,6 +6056,7 @@ determine_capabilities() {
|
||||
OWNER_MATCH=
|
||||
IPSET_MATCH=
|
||||
ROUTE_TARGET=
|
||||
XMARK=
|
||||
|
||||
qt $IPTABLES -N fooX1234
|
||||
qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
|
||||
@ -6061,6 +6070,7 @@ determine_capabilities() {
|
||||
|
||||
qt $IPTABLES -t mangle -N fooX1234
|
||||
qt $IPTABLES -t mangle -A fooX1234 -j ROUTE --oif eth0 && ROUTE_TARGET=Yes
|
||||
qt $IPTABLES -t mangle -A fooX1234 -j MARK --or-mark 2 && XMARK=Yes
|
||||
qt $IPTABLES -t mangle -F fooX1234
|
||||
qt $IPTABLES -t mangle -X fooX1234
|
||||
|
||||
@ -6106,7 +6116,8 @@ report_capabilities() {
|
||||
report_capability "Recent Match" $RECENT_MATCH
|
||||
report_capability "Owner Match" $OWNER_MATCH
|
||||
report_capability "Ipset Match" $IPSET_MATCH
|
||||
report_capability "Route Target" $ROUTE_TARGET
|
||||
report_capability "ROUTE Target" $ROUTE_TARGET
|
||||
report_capability "Extended MARK Target" $XMARK
|
||||
}
|
||||
|
||||
#
|
||||
@ -7056,7 +7067,18 @@ activate_rules()
|
||||
fi
|
||||
done
|
||||
done
|
||||
|
||||
|
||||
for interface in $MARK_INTERFACES ; do
|
||||
iface=$(chain_base $interface)
|
||||
chain=$(input_chain $interface)
|
||||
eval mark_value=\$${iface}_mark
|
||||
|
||||
run_iptables -t mangle -N $chain
|
||||
run_iptables -t mangle -A PREROUTING -i $interface -j $chain
|
||||
|
||||
eval run_iptables -t mangle -A PREROUTING -i $interface -j MARK --set-mark
|
||||
done
|
||||
|
||||
for interface in $ALL_INTERFACES ; do
|
||||
run_iptables -A FORWARD -i $interface -j $(forward_chain $interface)
|
||||
run_iptables -A INPUT -i $interface -j $(input_chain $interface)
|
||||
@ -7772,6 +7794,7 @@ do_initialize() {
|
||||
RESTOREBASE=
|
||||
TMP_DIR=
|
||||
ALL_INTERFACES=
|
||||
MARK_INTERFACES=
|
||||
|
||||
stopping=
|
||||
have_mutex=
|
||||
|
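Review bot: The rule appended with `eval run_iptables -t mangle -A PREROUTING -i $interface -j MARK --set-mark` in the activate_rules hunk passes no value to `--set-mark`, so `mark_value`, read two lines earlier by `eval mark_value=\$${iface}_mark`, is never used and iptables should reject the rule; the chain created with `run_iptables -t mangle -N $chain` and jumped to from PREROUTING is also left empty. If the intent is to mark inside that chain, the line should read `run_iptables -t mangle -A $chain -j MARK --set-mark $mark_value`, and no `eval` is needed once the value is already in a variable. In the validate_interfaces_file hunk, `eval ${iface}_mark=${option#*=}` hands the raw text after `mark=` straight to `eval`; a check such as `case ${option#*=} in *[!0-9]*) startup_error "Invalid mark value: $option";; esac` before the eval would reject a malformed entry instead of interpreting it as shell. That hunk also gates `mark=` on `$ROUTE_TARGET` while the generated rule uses `-j MARK`; if the MARK target (or the extended `$XMARK` form) is what is actually required, the guard presumably should test that capability instead — worth confirming. Both activate_rules and validate_interfaces_file start and end outside their hunks.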
@ -9,7 +9,8 @@
|
||||
# I M P O R T A N T ! ! ! !
|
||||
#
|
||||
# In order to use entries in this file, your kernel and iptables must
|
||||
# have ROUTE target support.
|
||||
# have ROUTE target support (see the output of "shorewall show
|
||||
# capabilities").
|
||||
#
|
||||
# To omit any column, enter "-" in that column.
|
||||
#
|
||||
@ -47,15 +48,22 @@
|
||||
# ranges; if the protocol is "icmp", this column is
|
||||
# interpreted as the destination icmp-type(s).
|
||||
#
|
||||
# Port ranges are allowed in a list only if your
|
||||
# kernel and iptables support Extended Multi-port
|
||||
# match (see the output of "shorewall show capabilities").
|
||||
#
|
||||
# If the protocol is ipp2p, this column is interpreted
|
||||
# as an ipp2p option without the leading "--" (example "bit"
|
||||
# for bit-torrent). If no PORT is given, "ipp2p" is
|
||||
# assumed.
|
||||
#
|
||||
# SOURCE PORT(S) (Optional) Source port(s). If omitted,
|
||||
# any source port is acceptable. Specified as a comma-
|
||||
# separated list of port names, port numbers or port
|
||||
# ranges.
|
||||
# SOURCE PORT(S) Source port(s). If omitted, any source port is acceptable.
|
||||
# Specified as a comma-separated list of port names, port
|
||||
# numbers or port ranges.
|
||||
#
|
||||
# Port ranges are allowed in a list only if your
|
||||
# kernel and iptables support Extended Multi-port
|
||||
# match (see the output of "shorewall show capabilities").
|
||||
#
|
||||
# TEST Defines a test on the existing packet or connection mark.
|
||||
# The rule will match only if the test returns true. Tests
|
||||
@ -71,6 +79,8 @@
|
||||
# the packet mark's value is tested.
|
||||
#
|
||||
# INTERFACE The interface that the packet is to be routed out of.
|
||||
# If you specify "-" here, then you must enter the IP address
|
||||
# of a gateway in the GATEWAY column.
|
||||
#
|
||||
# GATEWAY The gateway that the packet is to be forewarded through.
|
||||
#
|
||||
|