Clarify PORT columns in /etc/shorewall/routes
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2127 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
08a3c1d95d
commit
2279aa7f0f
@ -1008,6 +1008,8 @@ validate_interfaces_file() {
|
|||||||
|
|
||||||
for option in $options; do
|
for option in $options; do
|
||||||
case $option in
|
case $option in
|
||||||
|
-)
|
||||||
|
;;
|
||||||
dhcp|norfc1918|nobogons|tcpflags|newnotsyn|arp_filter|routefilter|logmartians|sourceroute|blacklist|proxyarp|maclist|nosmurfs|upnp|-)
|
dhcp|norfc1918|nobogons|tcpflags|newnotsyn|arp_filter|routefilter|logmartians|sourceroute|blacklist|proxyarp|maclist|nosmurfs|upnp|-)
|
||||||
;;
|
;;
|
||||||
detectnets)
|
detectnets)
|
||||||
@ -1017,15 +1019,21 @@ validate_interfaces_file() {
|
|||||||
routeback)
|
routeback)
|
||||||
[ -n "$z" ] || startup_error "The routeback option may not be specified on a multi-zone interface"
|
[ -n "$z" ] || startup_error "The routeback option may not be specified on a multi-zone interface"
|
||||||
;;
|
;;
|
||||||
|
mark=*)
|
||||||
|
[ -n "$ROUTE_TARGET" ] || \
|
||||||
|
startup_error "Interface marks require ROUTE Target support in your kernel and iptables: $option"
|
||||||
|
eval ${iface}_mark=${option#*=}
|
||||||
|
MARK_INTERFACES="$MARK_INTERFACES $interface"
|
||||||
|
;;
|
||||||
*)
|
*)
|
||||||
error_message "Warning: Invalid option ($option) in record \"$r\""
|
error_message "Warning: Invalid option ($option) in record \"$r\""
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
done
|
done
|
||||||
|
|
||||||
[ -z "$ALL_INTERFACES" ] && startup_error "No Interfaces Defined"
|
|
||||||
|
|
||||||
done < $TMP_DIR/interfaces
|
done < $TMP_DIR/interfaces
|
||||||
|
|
||||||
|
[ -z "$ALL_INTERFACES" ] && startup_error "No Interfaces Defined"
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
@ -6048,6 +6056,7 @@ determine_capabilities() {
|
|||||||
OWNER_MATCH=
|
OWNER_MATCH=
|
||||||
IPSET_MATCH=
|
IPSET_MATCH=
|
||||||
ROUTE_TARGET=
|
ROUTE_TARGET=
|
||||||
|
XMARK=
|
||||||
|
|
||||||
qt $IPTABLES -N fooX1234
|
qt $IPTABLES -N fooX1234
|
||||||
qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
|
qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
|
||||||
@ -6061,6 +6070,7 @@ determine_capabilities() {
|
|||||||
|
|
||||||
qt $IPTABLES -t mangle -N fooX1234
|
qt $IPTABLES -t mangle -N fooX1234
|
||||||
qt $IPTABLES -t mangle -A fooX1234 -j ROUTE --oif eth0 && ROUTE_TARGET=Yes
|
qt $IPTABLES -t mangle -A fooX1234 -j ROUTE --oif eth0 && ROUTE_TARGET=Yes
|
||||||
|
qt $IPTABLES -t mangle -A fooX1234 -j MARK --or-mark 2 && XMARK=Yes
|
||||||
qt $IPTABLES -t mangle -F fooX1234
|
qt $IPTABLES -t mangle -F fooX1234
|
||||||
qt $IPTABLES -t mangle -X fooX1234
|
qt $IPTABLES -t mangle -X fooX1234
|
||||||
|
|
||||||
@ -6106,7 +6116,8 @@ report_capabilities() {
|
|||||||
report_capability "Recent Match" $RECENT_MATCH
|
report_capability "Recent Match" $RECENT_MATCH
|
||||||
report_capability "Owner Match" $OWNER_MATCH
|
report_capability "Owner Match" $OWNER_MATCH
|
||||||
report_capability "Ipset Match" $IPSET_MATCH
|
report_capability "Ipset Match" $IPSET_MATCH
|
||||||
report_capability "Route Target" $ROUTE_TARGET
|
report_capability "ROUTE Target" $ROUTE_TARGET
|
||||||
|
report_capability "Extended MARK Target" $XMARK
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
@ -7057,6 +7068,17 @@ activate_rules()
|
|||||||
done
|
done
|
||||||
done
|
done
|
||||||
|
|
||||||
|
for interface in $MARK_INTERFACES ; do
|
||||||
|
iface=$(chain_base $interface)
|
||||||
|
chain=$(input_chain $interface)
|
||||||
|
eval mark_value=\$${iface}_mark
|
||||||
|
|
||||||
|
run_iptables -t mangle -N $chain
|
||||||
|
run_iptables -t mangle -A PREROUTING -i $interface -j $chain
|
||||||
|
|
||||||
|
eval run_iptables -t mangle -A PREROUTING -i $interface -j MARK --set-mark
|
||||||
|
done
|
||||||
|
|
||||||
for interface in $ALL_INTERFACES ; do
|
for interface in $ALL_INTERFACES ; do
|
||||||
run_iptables -A FORWARD -i $interface -j $(forward_chain $interface)
|
run_iptables -A FORWARD -i $interface -j $(forward_chain $interface)
|
||||||
run_iptables -A INPUT -i $interface -j $(input_chain $interface)
|
run_iptables -A INPUT -i $interface -j $(input_chain $interface)
|
||||||
@ -7772,6 +7794,7 @@ do_initialize() {
|
|||||||
RESTOREBASE=
|
RESTOREBASE=
|
||||||
TMP_DIR=
|
TMP_DIR=
|
||||||
ALL_INTERFACES=
|
ALL_INTERFACES=
|
||||||
|
MARK_INTERFACES=
|
||||||
|
|
||||||
stopping=
|
stopping=
|
||||||
have_mutex=
|
have_mutex=
|
||||||
|
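Review bot: The new `eval run_iptables -t mangle -A PREROUTING -i $interface -j MARK --set-mark` line in the activate_rules loop passes no value to `--set-mark`, so the `mark_value` the loop has just extracted with `eval mark_value=\$${iface}_mark` is never used and iptables will reject the rule as rendered here (unless the page dropped the argument). The `eval` is also unnecessary once the variable is expanded directly: `run_iptables -t mangle -A PREROUTING -i $interface -j MARK --set-mark $mark_value`. Related, the `mark=*)` arm added to validate_interfaces_file stores the option text with `eval ${iface}_mark=${option#*=}` without checking that it is a plain mark value, so a malformed `mark=` option is only caught later at rule activation instead of with the other option errors in that case statement; checking the value (digits only, or whatever mark syntax the file accepts) before the `eval` would keep the failure at validation time and avoid evaluating raw option text. Both validate_interfaces_file and activate_rules start and end outside their hunks.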
@ -9,7 +9,8 @@
|
|||||||
# I M P O R T A N T ! ! ! !
|
# I M P O R T A N T ! ! ! !
|
||||||
#
|
#
|
||||||
# In order to use entries in this file, your kernel and iptables must
|
# In order to use entries in this file, your kernel and iptables must
|
||||||
# have ROUTE target support.
|
# have ROUTE target support (see the output of "shorewall show
|
||||||
|
# capabilities").
|
||||||
#
|
#
|
||||||
# To omit any column, enter "-" in that column.
|
# To omit any column, enter "-" in that column.
|
||||||
#
|
#
|
||||||
@ -47,15 +48,22 @@
|
|||||||
# ranges; if the protocol is "icmp", this column is
|
# ranges; if the protocol is "icmp", this column is
|
||||||
# interpreted as the destination icmp-type(s).
|
# interpreted as the destination icmp-type(s).
|
||||||
#
|
#
|
||||||
|
# Port ranges are allowed in a list only if your
|
||||||
|
# kernel and iptables support Extended Multi-port
|
||||||
|
# match (see the output of "shorewall show capabilities").
|
||||||
|
#
|
||||||
# If the protocol is ipp2p, this column is interpreted
|
# If the protocol is ipp2p, this column is interpreted
|
||||||
# as an ipp2p option without the leading "--" (example "bit"
|
# as an ipp2p option without the leading "--" (example "bit"
|
||||||
# for bit-torrent). If no PORT is given, "ipp2p" is
|
# for bit-torrent). If no PORT is given, "ipp2p" is
|
||||||
# assumed.
|
# assumed.
|
||||||
#
|
#
|
||||||
# SOURCE PORT(S) (Optional) Source port(s). If omitted,
|
# SOURCE PORT(S) Source port(s). If omitted, any source port is acceptable.
|
||||||
# any source port is acceptable. Specified as a comma-
|
# Specified as a comma-separated list of port names, port
|
||||||
# separated list of port names, port numbers or port
|
# numbers or port ranges.
|
||||||
# ranges.
|
#
|
||||||
|
# Port ranges are allowed in a list only if your
|
||||||
|
# kernel and iptables support Extended Multi-port
|
||||||
|
# match (see the output of "shorewall show capabilities").
|
||||||
#
|
#
|
||||||
# TEST Defines a test on the existing packet or connection mark.
|
# TEST Defines a test on the existing packet or connection mark.
|
||||||
# The rule will match only if the test returns true. Tests
|
# The rule will match only if the test returns true. Tests
|
||||||
@ -71,6 +79,8 @@
|
|||||||
# the packet mark's value is tested.
|
# the packet mark's value is tested.
|
||||||
#
|
#
|
||||||
# INTERFACE The interface that the packet is to be routed out of.
|
# INTERFACE The interface that the packet is to be routed out of.
|
||||||
|
# If you specify "-" here, then you must enter the IP address
|
||||||
|
# of a gateway in the GATEWAY column.
|
||||||
#
|
#
|
||||||
# GATEWAY The gateway that the packet is to be forewarded through.
|
# GATEWAY The gateway that the packet is to be forewarded through.
|
||||||
#
|
#
|
||||||
|