Support IPv6 Masquerade

Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2013-02-27 09:25:26 -08:00
parent 78babf0941
commit 418034579f
5 changed files with 61 additions and 39 deletions


@ -25,7 +25,7 @@
# loaded after this one and replaces some of the functions declared here.
#
SHOREWALL_CAPVERSION=40512
SHOREWALL_CAPVERSION=40514
[ -n "${g_program:=shorewall}" ]
@ -2197,6 +2197,7 @@ determine_capabilities() {
NFACCT_MATCH=
CHECKSUM_TARGET=
ARPTABLESJF=
MASQUERADE_TGT=
AMANDA_HELPER=
FTP_HELPER=
FTP0_HELPER=
@ -2228,6 +2229,7 @@ determine_capabilities() {
else
qt $g_tool -t nat -A $chain -j SNAT --to-source 2001::1 --persistent && PERSISTENT_SNAT=Yes
fi
qt $g_tool -t nat -A $chain -j MASQUERADE && MASQUERADE_TGT=Yes
qt $g_tool -t nat -F $chain
qt $g_tool -t nat -X $chain
fi
@ -2602,6 +2604,7 @@ report_capabilities_unsorted() {
report_capability "NFAcct match" $NFACCT_MATCH
report_capability "Checksum Target" $CHECKSUM_TARGET
report_capability "Arptables JF" $ARPTABLESJF
report_capability "MASQUERADE Target" $MASQUERADE_TGT
report_capability "Amanda Helper" $AMANDA_HELPER
report_capability "FTP Helper" $FTP_HELPER
@ -2720,6 +2723,7 @@ report_capabilities_unsorted1() {
report_capability1 NFACCT_MATCH
report_capability1 CHECKSUM_TARGET
report_capability1 ARPTABLESJF
report_capability1 MASQUERADE_TGT
report_capability1 AMANDA_HELPER
report_capability1 FTP_HELPER


@ -357,6 +357,7 @@ our %capdesc = ( NAT_ENABLED => 'NAT',
NFACCT_MATCH => 'NFAcct Match',
CHECKSUM_TARGET => 'Checksum Target',
ARPTABLESJF => 'Arptables JF',
MASQUERADE_TGT => 'MASQUERADE Target',
AMANDA_HELPER => 'Amanda Helper',
FTP_HELPER => 'FTP Helper',
FTP0_HELPER => 'FTP-0 Helper',
@ -649,7 +650,7 @@ sub initialize( $;$$) {
KLUDGEFREE => '',
STATEMATCH => '-m state --state',
VERSION => "4.5.13-Beta3",
CAPVERSION => 40512 ,
CAPVERSION => 40514 ,
);
#
# From shorewall.conf file
@ -901,6 +902,7 @@ sub initialize( $;$$) {
NFACCT_MATCH => undef,
CHECKSUM_TARGET => undef,
ARPTABLESJF => undef,
MASQUERADE_TGT => undef,
AMANDA_HELPER => undef,
FTP_HELPER => undef,
@ -3561,6 +3563,22 @@ sub Persistent_Snat() {
$result;
}
sub Masquerade_Tgt() {
have_capability( 'NAT_ENABLED' ) || return '';
my $result = '';
my $address = $family == F_IPV4 ? '1.2.3.4' : '2001::1';
if ( qt1( "$iptables -t nat -N $sillyname" ) ) {
$result = qt1( "$iptables -t nat -A $sillyname -j MASQUERADE" );
qt1( "$iptables -t nat -F $sillyname" );
qt1( "$iptables -t nat -X $sillyname" );
}
$result;
}
sub Mangle_Enabled() {
if ( qt1( "$iptables -t mangle -L -n" ) ) {
system( "$iptables -t mangle -N $sillyname" ) == 0 || fatal_error "Cannot Create Mangle chain $sillyname";
@ -4075,6 +4093,7 @@ our %detect_capability =
MANGLE_FORWARD => \&Mangle_Forward,
MARK => \&Mark,
MARK_ANYWHERE => \&Mark_Anywhere,
MASQUERADE_TGT => \&Masquerade_Tgt,
MULTIPORT => \&Multiport,
NAT_ENABLED => \&Nat_Enabled,
NETBIOS_NS_HELPER => \&Netbios_ns_Helper,
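Review bot: `my $address = $family == F_IPV4 ? '1.2.3.4' : '2001::1';` in Masquerade_Tgt is never read — the MASQUERADE probe on the next line takes no address — so it looks carried over from Persistent_Snat and should be dropped to keep the probe minimal and avoid an unused-variable finding. The sub also has no header comment, unlike its purpose being obvious only by analogy with its neighbours; a one-liner such as `# Probe for the MASQUERADE target by adding it to a scratch nat chain; the chain is flushed and deleted again whatever the outcome.` above `sub Masquerade_Tgt()` would help. The sub is complete within the hunk.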


@ -172,7 +172,7 @@ sub process_one_masq1( $$$$$$$$$$ )
#
if ( $addresses ne '-' ) {
if ( $addresses eq 'random' ) {
fatal_error 'Invalid IPv6 address (random)' if $family == F_IPV6;
require_capability( 'MASQUERADE_TGT', 'Masquerade rules', '') if $family == F_IPV6;
$randomize = '--random ';
} else {
$addresses =~ s/:persistent$// and $persistent = ' --persistent ';
@ -194,9 +194,11 @@ sub process_one_masq1( $$$$$$$$$$ )
$detectaddress = 1;
}
} elsif ( $addresses eq 'NONAT' ) {
fatal_error "'persistent' may not be specified with 'NONAT'" if $persistent;
fatal_error "'random' may not be specified with 'NONAT'" if $randomize;
$target = 'RETURN';
$add_snat_aliases = 0;
} else {
} elsif ( $addresses ) {
my $addrlist = '';
my @addrs = split_list $addresses, 'address';
@ -305,13 +307,15 @@ sub process_one_masq1( $$$$$$$$$$ )
}
$target .= $addrlist;
} else {
require_capability( 'MASQUERADE_TGT', 'Masquerade rules', '' ) if $family == F_IPV6;
}
}
$target .= $randomize;
$target .= $persistent;
} else {
fatal_error "IPv6 does does not support MASQUERADE -- you must use SNAT" if $family == F_IPV6;
require_capability( 'MASQUERADE_TGT', 'Masquerade rules', '' ) if $family == F_IPV6;
$add_snat_aliases = 0;
}
#
@ -373,11 +377,9 @@ sub process_one_masq( )
#
sub setup_masq()
{
my $name = $family == F_IPV4 ? 'masq' : 'snat';
if ( my $fn = open_file( 'masq', 1, 1 ) ) {
if ( my $fn = open_file( $name, 1, 1 ) ) {
first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , "a non-empty $name file" , 's'; } );
first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , "a non-empty masq file" , 's'; } );
process_one_masq while read_a_line( NORMAL_READ );
}
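Review bot: The new `} else {` branch that handles an empty ADDRESS requires MASQUERADE_TGT for IPv6 but, unlike the `-` branch a few lines below, does not clear `$add_snat_aliases`; if both branches now produce a MASQUERADE target, the empty-string case should presumably also set `$add_snat_aliases = 0;` — confirm against where `$target` gets its default. The same `require_capability( 'MASQUERADE_TGT', 'Masquerade rules', '' ) if $family == F_IPV6;` line now appears three times in this sub (the `random` case, the empty-ADDRESS case and the `-` case); deciding once whether the rule ends up as MASQUERADE and checking the capability at that single point would keep the three paths from drifting. process_one_masq1 starts and ends outside the hunk, so I cannot see where `$target` and `$add_snat_aliases` are initialised.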


@ -1,10 +1,10 @@
#
# Shorewall6 version 4 - SNAT file
# Shorewall6 version 4 - MASQUERADE/SNAT file
#
# For information about entries in this file, type "man shorewall6-snat"
# For information about entries in this file, type "man shorewall6-masq"
#
# The manpage is also online at
# http://www.shorewall.net/manpages6/shorewall6-snat.html
# http://www.shorewall.net/manpages6/shorewall6-masq.html
#
########################################################################################################################
#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK USER/ SWITCH ORIGINAL


@ -3,20 +3,20 @@
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry>
<refmeta>
<refentrytitle>shorewall6-snat</refentrytitle>
<refentrytitle>shorewall6-masq</refentrytitle>
<manvolnum>5</manvolnum>
</refmeta>
<refnamediv>
<refname>snat</refname>
<refname>masq</refname>
<refpurpose>Shorewall6 SNAT definition file</refpurpose>
<refpurpose>Shorewall6 Masquerade/SNAT definition file</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>/etc/shorewall6/snat</command>
<command>/etc/shorewall6/masq</command>
</cmdsynopsis>
</refsynopsisdiv>
@ -26,11 +26,6 @@
<para>Use this file to define Source NAT (SNAT). Requires Shorewall 4.5.14
or later.</para>
<note>
<para>Unlike with IPv4, Netfilter does not support the MASQUERADE target
with IPv6.</para>
</note>
<warning>
<para>The entries in this file are order-sensitive. The first entry that
matches a particular connection will be the one that is used.</para>
@ -117,27 +112,32 @@
</varlistentry>
<varlistentry>
<term><emphasis role="bold">ADDRESS</emphasis> -
{<emphasis>address-or-address-range</emphasis>[,<emphasis>address-or-address-range</emphasis>]...][:<emphasis>lowport</emphasis><emphasis
<term><emphasis role="bold">ADDRESS</emphasis> (Optional) - [<emphasis
role="bold">-</emphasis>|<emphasis
role="bold">NONAT</emphasis>|[<emphasis>address-or-address-range</emphasis>[,<emphasis>address-or-address-range</emphasis>]...][:<emphasis>lowport</emphasis><emphasis
role="bold">-</emphasis><emphasis>highport</emphasis>][<emphasis
role="bold">:random</emphasis>][:persistent]|}</term>
role="bold">:random</emphasis>][:persistent]|<emphasis
role="bold">detect</emphasis>|<emphasis
role="bold">random</emphasis>]</term>
<listitem>
<para>The address specified here will be used as the source address.
If you simply wish to use the IPv6 address of the
<replaceable>interface</replaceable> in the first column, enter the
name of that interface preceded by an apersand ('&amp;') - e.g.,
&amp;sit1.</para>
<para>If you do not specify an address or address range,
masquerading will be performed. This requires <firstterm>Masquerade
Target</firstterm> support in your kernel and ip6tables.</para>
<para>If you specify an address here, SNAT will be used and this
will be the source address.</para>
<para>You may also specify a range of up to 256 IP addresses if you
want the SNAT address to be assigned from that range in a
round-robin fashion by connection. The range is specified by
<emphasis>first.ip.in.range</emphasis>-<emphasis>last.ip.in.range</emphasis>.
The address or address range may be optionally followed by a port
range. When this is done, you must enclose the IPv6 address(es) in
square brackets. You may follow the port range with<emphasis
role="bold"> :random</emphasis> in which case assignment of ports
from the range will be random.</para>
You may follow the port range with<emphasis
role="bold">:random</emphasis> in which case assignment of ports
from the list will be random. <emphasis
role="bold">random</emphasis> may also be specified by itself in
this column in which case random local port assignments are made for
the outgoing connections.</para>
<para>Example:
[2001:470:a:227::2]-[2001:470:a:227::10]:1000-1010</para>
@ -148,9 +148,6 @@
address range is specified and causes a client to be given the same
source/destination IP pair.</para>
<para>Finally, you may also specify a comma-separated list of ranges
and/or addresses in this column.</para>
<para>This column may not contain DNS Names.</para>
<para>Normally, Netfilter will attempt to retain the source port
@ -502,7 +499,7 @@
<para>Your entry in the file will be:</para>
<programlisting> #INTERFACE SOURCE ADDRESS
eth0 2001:470:b:787::0/64 &amp;eth0</programlisting>
eth0 2001:470:b:787::0/64 -</programlisting>
</listitem>
</varlistentry>
</variablelist>
@ -511,6 +508,6 @@
<refsect1>
<title>FILES</title>
<para>/etc/shorewall6/snat</para>
<para>/etc/shorewall6/masq</para>
</refsect1>
</refentry>