From 2bc329aa1db2c36b8bbb3db1f2dad16cc4e56d9a Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Fri, 13 Dec 2013 15:44:16 -0800
Subject: [PATCH] Add INLINE support to the masq file.

Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Nat.pm         | 10 ++++++-
 Shorewall/manpages/shorewall-masq.xml   | 40 ++++++++++++++++++++++---
 Shorewall6/manpages/shorewall6-masq.xml | 37 +++++++++++++++++++++--
 3 files changed, 80 insertions(+), 7 deletions(-)

diff --git a/Shorewall/Perl/Shorewall/Nat.pm b/Shorewall/Perl/Shorewall/Nat.pm
index c88c2efbe..d328ab393 100644
--- a/Shorewall/Perl/Shorewall/Nat.pm
+++ b/Shorewall/Perl/Shorewall/Nat.pm
@@ -66,12 +66,20 @@ sub process_one_masq1( $$$$$$$$$$ )
     my $add_snat_aliases = $family == F_IPV4 && $config{ADD_SNAT_ALIASES};
     my $destnets = '';
     my $baserule = '';
+    my $inlinematches = '';
     #
     # Leading '+'
     #
     $pre_nat = 1 if $interfacelist =~ s/^\+//;
     #
+    # Check for INLINE
+    #
+    if ( $interfacelist =~ /^INLINE\((.+)\)$/ ) {
+        $interfacelist = $1;
+        $inlinematches = get_inline_matches;
+    }
+    #
     # Parse the remaining part of the INTERFACE column
     #
     if ( $family == F_IPV4 ) {
@@ -325,7 +333,7 @@ sub process_one_masq1( $$$$$$$$$$ )
         expand_rule( $chainref ,
                      POSTROUTE_RESTRICT ,
                      '' ,
-                     $baserule . $rule ,
+                     $baserule . $inlinematches . $rule ,
                      $networks ,
                      $destnets ,
                      $origdest ,
diff --git a/Shorewall/manpages/shorewall-masq.xml b/Shorewall/manpages/shorewall-masq.xml
index f6168775e..528b27f7d 100644
--- a/Shorewall/manpages/shorewall-masq.xml
+++ b/Shorewall/manpages/shorewall-masq.xml
@@ -80,8 +80,8 @@ eth0(Avvanta)
- In that case, you will want to specify the interface's
- address for that provider in the ADDRESS column.
+ In that case, you will want to specify the interface's address
+ for that provider in the ADDRESS column.
  The interface may be qualified by adding the character ":" followed by a comma-separated list of destination host or subnet 
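Review bot: The INLINE(...) test at the added `if` in process_one_masq1 runs only after the preceding `s/^\+//` has consumed a leading '+', so the prefix is recognised as `+INLINE(eth0)` while a '+' written inside the parentheses would presumably be left in `$interfacelist` for the later column parsing; that ordering matches the manpage wording but is not stated in the code, so a comment such as `# INLINE(...) must follow the optional leading '+'; the text after ';' on the line is spliced verbatim into the generated rule by get_inline_matches` would help the next maintainer. The string returned by `get_inline_matches` is concatenated between `$baserule` and `$rule` in the second hunk with no quoting or validation visible here, so the same comment should say that those matches are trusted administrator input handed to iptables as-is. Anchoring the pattern with `\A` and `\z` (`/\AINLINE\((.+)\)\z/`) would also avoid `$` accepting a trailing newline, though whether `$interfacelist` can carry one is not visible in this hunk. process_one_masq1 starts and ends outside both hunks.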
@@ -123,12 +123,26 @@ Beginning with Shorewall 4.5.11, ?COMMENT is a synonym for COMMENT and is preferred. + + Beginning with Shorewall 4.6.0, a new syntax is also accepted. + With the exception of the leading '+', the interfacelist and + qualifiers may appear within the parentheses of INLINE(...). + + Example: + + +INLINE(eth0) + + When this is done, you may augment the rule generated by + Shorewall with iptables matches of your own. These matches appear + after a semicolon (';') at the end of the line. + + See example 8 below. - SOURCE (Formerly called SUBNET) - - + (Formerly called SUBNET) - {interface|address[,address][exclusion]} @@ -647,6 +661,24 @@ eth0 192.168.1.0/24 1.1.1.4 ; mark=3:C + + + Example 8: + + + Your eth1 has two public IP addresses: 70.90.191.121 and + 70.90.191.123. You want to use the iptables statistics match to + masquerade outgoing connections evenly between these two + addresses. + + /etc/shorewall/masq: + + #INTERFACE SOURCE ADDRESS + INLINE(eth1) 0.0.0.0/0 70.90.191.121 ; -m statistic --mode random --probability 0.50 + eth1 0.0.0.0/0 70.90.191.123 + + + diff --git a/Shorewall6/manpages/shorewall6-masq.xml b/Shorewall6/manpages/shorewall6-masq.xml index fb22d4c6f..31798a445 100644 --- a/Shorewall6/manpages/shorewall6-masq.xml +++ b/Shorewall6/manpages/shorewall6-masq.xml @@ -73,8 +73,8 @@ eth0(Avvanta) - In that case, you will want to specify the interface's - address for that provider in the ADDRESS column. + In that case, you will want to specify the interface's address + for that provider in the ADDRESS column. The interface may be qualified by adding the character ":" followed by a comma-separated list of destination host or subnet 
@@ -96,6 +96,21 @@ Beginning with Shorewall 4.5.11, ?COMMENT is a synonym for COMMENT and is preferred. + + Beginning with Shorewall 4.6.0, a new syntax is also accepted. + With the exception of the leading '+', the interfacelist and + qualifiers may appear within the parentheses of INLINE(...). + + Example: + + +INLINE(eth0) + + When this is done, you may augment the rule generated by + Shorewall with iptables matches of your own. These matches appear + after a semicolon (';') at the end of the line. + + See example 2 below. @@ -502,6 +517,24 @@ eth0 2001:470:b:787::0/64 - + + + Example 8: + + + Your sit1 interface has two public IP addresses: + 2001:470:a:227::1 and 2001:470:b:227::1. You want to use the + iptables statistics match to masquerade outgoing connections evenly + between these two addresses. + + /etc/shorewall/masq: + + #INTERFACE SOURCE ADDRESS + INLINE(sit1) 0.0.0.0/0 2001:470:a:227::1 ; -m statistic --mode random --probability 0.50 + sit1 0.0.0.0/0 2001:470:a:227::2 + + +