Clarify PORT columns in /etc/shorewall/routes

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2127 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2005-05-16 18:36:01 +00:00
parent 08a3c1d95d
commit 2279aa7f0f
2 changed files with 42 additions and 9 deletions


@ -1008,6 +1008,8 @@ validate_interfaces_file() {
for option in $options; do for option in $options; do
case $option in case $option in
-)
;;
dhcp|norfc1918|nobogons|tcpflags|newnotsyn|arp_filter|routefilter|logmartians|sourceroute|blacklist|proxyarp|maclist|nosmurfs|upnp|-) dhcp|norfc1918|nobogons|tcpflags|newnotsyn|arp_filter|routefilter|logmartians|sourceroute|blacklist|proxyarp|maclist|nosmurfs|upnp|-)
;; ;;
detectnets) detectnets)
@ -1017,15 +1019,21 @@ validate_interfaces_file() {
routeback) routeback)
[ -n "$z" ] || startup_error "The routeback option may not be specified on a multi-zone interface" [ -n "$z" ] || startup_error "The routeback option may not be specified on a multi-zone interface"
;; ;;
mark=*)
[ -n "$ROUTE_TARGET" ] || \
startup_error "Interface marks require ROUTE Target support in your kernel and iptables: $option"
eval ${iface}_mark=${option#*=}
MARK_INTERFACES="$MARK_INTERFACES $interface"
;;
*) *)
error_message "Warning: Invalid option ($option) in record \"$r\"" error_message "Warning: Invalid option ($option) in record \"$r\""
;; ;;
esac esac
done done
[ -z "$ALL_INTERFACES" ] && startup_error "No Interfaces Defined"
done < $TMP_DIR/interfaces done < $TMP_DIR/interfaces
[ -z "$ALL_INTERFACES" ] && startup_error "No Interfaces Defined"
} }
# #
@ -6048,6 +6056,7 @@ determine_capabilities() {
OWNER_MATCH= OWNER_MATCH=
IPSET_MATCH= IPSET_MATCH=
ROUTE_TARGET= ROUTE_TARGET=
XMARK=
qt $IPTABLES -N fooX1234 qt $IPTABLES -N fooX1234
qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
@ -6061,6 +6070,7 @@ determine_capabilities() {
qt $IPTABLES -t mangle -N fooX1234 qt $IPTABLES -t mangle -N fooX1234
qt $IPTABLES -t mangle -A fooX1234 -j ROUTE --oif eth0 && ROUTE_TARGET=Yes qt $IPTABLES -t mangle -A fooX1234 -j ROUTE --oif eth0 && ROUTE_TARGET=Yes
qt $IPTABLES -t mangle -A fooX1234 -j MARK --or-mark 2 && XMARK=Yes
qt $IPTABLES -t mangle -F fooX1234 qt $IPTABLES -t mangle -F fooX1234
qt $IPTABLES -t mangle -X fooX1234 qt $IPTABLES -t mangle -X fooX1234
@ -6106,7 +6116,8 @@ report_capabilities() {
report_capability "Recent Match" $RECENT_MATCH report_capability "Recent Match" $RECENT_MATCH
report_capability "Owner Match" $OWNER_MATCH report_capability "Owner Match" $OWNER_MATCH
report_capability "Ipset Match" $IPSET_MATCH report_capability "Ipset Match" $IPSET_MATCH
report_capability "Route Target" $ROUTE_TARGET report_capability "ROUTE Target" $ROUTE_TARGET
report_capability "Extended MARK Target" $XMARK
} }
# #
@ -7057,6 +7068,17 @@ activate_rules()
done done
done done
for interface in $MARK_INTERFACES ; do
iface=$(chain_base $interface)
chain=$(input_chain $interface)
eval mark_value=\$${iface}_mark
run_iptables -t mangle -N $chain
run_iptables -t mangle -A PREROUTING -i $interface -j $chain
eval run_iptables -t mangle -A PREROUTING -i $interface -j MARK --set-mark
done
for interface in $ALL_INTERFACES ; do for interface in $ALL_INTERFACES ; do
run_iptables -A FORWARD -i $interface -j $(forward_chain $interface) run_iptables -A FORWARD -i $interface -j $(forward_chain $interface)
run_iptables -A INPUT -i $interface -j $(input_chain $interface) run_iptables -A INPUT -i $interface -j $(input_chain $interface)
@ -7772,6 +7794,7 @@ do_initialize() {
RESTOREBASE= RESTOREBASE=
TMP_DIR= TMP_DIR=
ALL_INTERFACES= ALL_INTERFACES=
MARK_INTERFACES=
stopping= stopping=
have_mutex= have_mutex=
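Review bot: In the new MARK_INTERFACES loop in activate_rules(), `$mark_value` is read via `eval mark_value=\$${iface}_mark` but never used, and the final `run_iptables -t mangle -A PREROUTING -i $interface -j MARK --set-mark` passes no value to `--set-mark`, so iptables will reject the rule and shorewall start will fail for any interface that has a mark= option. That rule is also appended to PREROUTING directly rather than to `$chain`, so the mangle chain created and jumped to two lines earlier is left empty; the two lines should likely collapse to `run_iptables -t mangle -A $chain -j MARK --set-mark $mark_value` (no `eval` needed). In validate_interfaces_file() the value after `mark=` is spliced into `eval ${iface}_mark=${option#*=}` without validation, so a malformed or quoted value in /etc/shorewall/interfaces becomes a shell-parse error (or worse) at startup; a numeric check such as `case ${option#*=} in *[!0-9]*) startup_error "Invalid mark value: $option";; esac` before the eval would be prudent. The capability check on the new option requires ROUTE_TARGET while the rule actually emitted uses the MARK target, and the newly detected XMARK is never consulted; presumably one of these is the intended gate — worth confirming. Both activate_rules() and validate_interfaces_file() continue outside this hunk.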


@ -9,7 +9,8 @@
# I M P O R T A N T ! ! ! ! # I M P O R T A N T ! ! ! !
# #
# In order to use entries in this file, your kernel and iptables must # In order to use entries in this file, your kernel and iptables must
# have ROUTE target support. # have ROUTE target support (see the output of "shorewall show
# capabilities").
# #
# To omit any column, enter "-" in that column. # To omit any column, enter "-" in that column.
# #
@ -47,15 +48,22 @@
# ranges; if the protocol is "icmp", this column is # ranges; if the protocol is "icmp", this column is
# interpreted as the destination icmp-type(s). # interpreted as the destination icmp-type(s).
# #
# Port ranges are allowed in a list only if your
# kernel and iptables support Extended Multi-port
# match (see the output of "shorewall show capabilities").
#
# If the protocol is ipp2p, this column is interpreted # If the protocol is ipp2p, this column is interpreted
# as an ipp2p option without the leading "--" (example "bit" # as an ipp2p option without the leading "--" (example "bit"
# for bit-torrent). If no PORT is given, "ipp2p" is # for bit-torrent). If no PORT is given, "ipp2p" is
# assumed. # assumed.
# #
# SOURCE PORT(S) (Optional) Source port(s). If omitted, # SOURCE PORT(S) Source port(s). If omitted, any source port is acceptable.
# any source port is acceptable. Specified as a comma- # Specified as a comma-separated list of port names, port
# separated list of port names, port numbers or port # numbers or port ranges.
# ranges. #
# Port ranges are allowed in a list only if your
# kernel and iptables support Extended Multi-port
# match (see the output of "shorewall show capabilities").
# #
# TEST Defines a test on the existing packet or connection mark. # TEST Defines a test on the existing packet or connection mark.
# The rule will match only if the test returns true. Tests # The rule will match only if the test returns true. Tests
@ -71,6 +79,8 @@
# the packet mark's value is tested. # the packet mark's value is tested.
# #
# INTERFACE The interface that the packet is to be routed out of. # INTERFACE The interface that the packet is to be routed out of.
# If you specify "-" here, then you must enter the IP address
# of a gateway in the GATEWAY column.
# #
# GATEWAY The gateway that the packet is to be forewarded through. # GATEWAY The gateway that the packet is to be forewarded through.
# #