Support IPv6 Masquerade

Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2013-02-27 09:25:26 -08:00
parent 78babf0941
commit 418034579f
5 changed files with 61 additions and 39 deletions

View File

@ -25,7 +25,7 @@
# loaded after this one and replaces some of the functions declared here. # loaded after this one and replaces some of the functions declared here.
# #
SHOREWALL_CAPVERSION=40512 SHOREWALL_CAPVERSION=40514
[ -n "${g_program:=shorewall}" ] [ -n "${g_program:=shorewall}" ]
@ -2197,6 +2197,7 @@ determine_capabilities() {
NFACCT_MATCH= NFACCT_MATCH=
CHECKSUM_TARGET= CHECKSUM_TARGET=
ARPTABLESJF= ARPTABLESJF=
MASQUERADE_TGT=
AMANDA_HELPER= AMANDA_HELPER=
FTP_HELPER= FTP_HELPER=
FTP0_HELPER= FTP0_HELPER=
@ -2228,6 +2229,7 @@ determine_capabilities() {
else else
qt $g_tool -t nat -A $chain -j SNAT --to-source 2001::1 --persistent && PERSISTENT_SNAT=Yes qt $g_tool -t nat -A $chain -j SNAT --to-source 2001::1 --persistent && PERSISTENT_SNAT=Yes
fi fi
qt $g_tool -t nat -A $chain -j MASQUERADE && MASQUERADE_TGT=Yes
qt $g_tool -t nat -F $chain qt $g_tool -t nat -F $chain
qt $g_tool -t nat -X $chain qt $g_tool -t nat -X $chain
fi fi
@ -2602,6 +2604,7 @@ report_capabilities_unsorted() {
report_capability "NFAcct match" $NFACCT_MATCH report_capability "NFAcct match" $NFACCT_MATCH
report_capability "Checksum Target" $CHECKSUM_TARGET report_capability "Checksum Target" $CHECKSUM_TARGET
report_capability "Arptables JF" $ARPTABLESJF report_capability "Arptables JF" $ARPTABLESJF
report_capability "MASQUERADE Target" $MASQUERADE_TGT
report_capability "Amanda Helper" $AMANDA_HELPER report_capability "Amanda Helper" $AMANDA_HELPER
report_capability "FTP Helper" $FTP_HELPER report_capability "FTP Helper" $FTP_HELPER
@ -2720,6 +2723,7 @@ report_capabilities_unsorted1() {
report_capability1 NFACCT_MATCH report_capability1 NFACCT_MATCH
report_capability1 CHECKSUM_TARGET report_capability1 CHECKSUM_TARGET
report_capability1 ARPTABLESJF report_capability1 ARPTABLESJF
report_capability1 MASQUERADE_TGT
report_capability1 AMANDA_HELPER report_capability1 AMANDA_HELPER
report_capability1 FTP_HELPER report_capability1 FTP_HELPER

View File

@ -357,6 +357,7 @@ our %capdesc = ( NAT_ENABLED => 'NAT',
NFACCT_MATCH => 'NFAcct Match', NFACCT_MATCH => 'NFAcct Match',
CHECKSUM_TARGET => 'Checksum Target', CHECKSUM_TARGET => 'Checksum Target',
ARPTABLESJF => 'Arptables JF', ARPTABLESJF => 'Arptables JF',
MASQUERADE_TGT => 'MASQUERADE Target',
AMANDA_HELPER => 'Amanda Helper', AMANDA_HELPER => 'Amanda Helper',
FTP_HELPER => 'FTP Helper', FTP_HELPER => 'FTP Helper',
FTP0_HELPER => 'FTP-0 Helper', FTP0_HELPER => 'FTP-0 Helper',
@ -649,7 +650,7 @@ sub initialize( $;$$) {
KLUDGEFREE => '', KLUDGEFREE => '',
STATEMATCH => '-m state --state', STATEMATCH => '-m state --state',
VERSION => "4.5.13-Beta3", VERSION => "4.5.13-Beta3",
CAPVERSION => 40512 , CAPVERSION => 40514 ,
); );
# #
# From shorewall.conf file # From shorewall.conf file
@ -901,6 +902,7 @@ sub initialize( $;$$) {
NFACCT_MATCH => undef, NFACCT_MATCH => undef,
CHECKSUM_TARGET => undef, CHECKSUM_TARGET => undef,
ARPTABLESJF => undef, ARPTABLESJF => undef,
MASQUERADE_TGT => undef,
AMANDA_HELPER => undef, AMANDA_HELPER => undef,
FTP_HELPER => undef, FTP_HELPER => undef,
@ -3561,6 +3563,22 @@ sub Persistent_Snat() {
$result; $result;
} }
sub Masquerade_Tgt() {
have_capability( 'NAT_ENABLED' ) || return '';
my $result = '';
my $address = $family == F_IPV4 ? '1.2.3.4' : '2001::1';
if ( qt1( "$iptables -t nat -N $sillyname" ) ) {
$result = qt1( "$iptables -t nat -A $sillyname -j MASQUERADE" );
qt1( "$iptables -t nat -F $sillyname" );
qt1( "$iptables -t nat -X $sillyname" );
}
$result;
}
sub Mangle_Enabled() { sub Mangle_Enabled() {
if ( qt1( "$iptables -t mangle -L -n" ) ) { if ( qt1( "$iptables -t mangle -L -n" ) ) {
system( "$iptables -t mangle -N $sillyname" ) == 0 || fatal_error "Cannot Create Mangle chain $sillyname"; system( "$iptables -t mangle -N $sillyname" ) == 0 || fatal_error "Cannot Create Mangle chain $sillyname";
@ -4075,6 +4093,7 @@ our %detect_capability =
MANGLE_FORWARD => \&Mangle_Forward, MANGLE_FORWARD => \&Mangle_Forward,
MARK => \&Mark, MARK => \&Mark,
MARK_ANYWHERE => \&Mark_Anywhere, MARK_ANYWHERE => \&Mark_Anywhere,
MASQUERADE_TGT => \&Masquerade_Tgt,
MULTIPORT => \&Multiport, MULTIPORT => \&Multiport,
NAT_ENABLED => \&Nat_Enabled, NAT_ENABLED => \&Nat_Enabled,
NETBIOS_NS_HELPER => \&Netbios_ns_Helper, NETBIOS_NS_HELPER => \&Netbios_ns_Helper,

View File

@ -172,7 +172,7 @@ sub process_one_masq1( $$$$$$$$$$ )
# #
if ( $addresses ne '-' ) { if ( $addresses ne '-' ) {
if ( $addresses eq 'random' ) { if ( $addresses eq 'random' ) {
fatal_error 'Invalid IPv6 address (random)' if $family == F_IPV6; require_capability( 'MASQUERADE_TGT', 'Masquerade rules', '') if $family == F_IPV6;
$randomize = '--random '; $randomize = '--random ';
} else { } else {
$addresses =~ s/:persistent$// and $persistent = ' --persistent '; $addresses =~ s/:persistent$// and $persistent = ' --persistent ';
@ -194,9 +194,11 @@ sub process_one_masq1( $$$$$$$$$$ )
$detectaddress = 1; $detectaddress = 1;
} }
} elsif ( $addresses eq 'NONAT' ) { } elsif ( $addresses eq 'NONAT' ) {
fatal_error "'persistent' may not be specified with 'NONAT'" if $persistent;
fatal_error "'random' may not be specified with 'NONAT'" if $randomize;
$target = 'RETURN'; $target = 'RETURN';
$add_snat_aliases = 0; $add_snat_aliases = 0;
} else { } elsif ( $addresses ) {
my $addrlist = ''; my $addrlist = '';
my @addrs = split_list $addresses, 'address'; my @addrs = split_list $addresses, 'address';
@ -305,13 +307,15 @@ sub process_one_masq1( $$$$$$$$$$ )
} }
$target .= $addrlist; $target .= $addrlist;
} else {
require_capability( 'MASQUERADE_TGT', 'Masquerade rules', '' ) if $family == F_IPV6;
} }
} }
$target .= $randomize; $target .= $randomize;
$target .= $persistent; $target .= $persistent;
} else { } else {
fatal_error "IPv6 does does not support MASQUERADE -- you must use SNAT" if $family == F_IPV6; require_capability( 'MASQUERADE_TGT', 'Masquerade rules', '' ) if $family == F_IPV6;
$add_snat_aliases = 0; $add_snat_aliases = 0;
} }
# #
@ -373,11 +377,9 @@ sub process_one_masq( )
# #
sub setup_masq() sub setup_masq()
{ {
my $name = $family == F_IPV4 ? 'masq' : 'snat'; if ( my $fn = open_file( 'masq', 1, 1 ) ) {
if ( my $fn = open_file( $name, 1, 1 ) ) { first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , "a non-empty masq file" , 's'; } );
first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , "a non-empty $name file" , 's'; } );
process_one_masq while read_a_line( NORMAL_READ ); process_one_masq while read_a_line( NORMAL_READ );
} }

View File

@ -1,10 +1,10 @@
# #
# Shorewall6 version 4 - SNAT file # Shorewall6 version 4 - MASQUERADE/SNAT file
# #
# For information about entries in this file, type "man shorewall6-snat" # For information about entries in this file, type "man shorewall6-masq"
# #
# The manpage is also online at # The manpage is also online at
# http://www.shorewall.net/manpages6/shorewall6-snat.html # http://www.shorewall.net/manpages6/shorewall6-masq.html
# #
######################################################################################################################## ########################################################################################################################
#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK USER/ SWITCH ORIGINAL #INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK USER/ SWITCH ORIGINAL

View File

@ -3,20 +3,20 @@
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry> <refentry>
<refmeta> <refmeta>
<refentrytitle>shorewall6-snat</refentrytitle> <refentrytitle>shorewall6-masq</refentrytitle>
<manvolnum>5</manvolnum> <manvolnum>5</manvolnum>
</refmeta> </refmeta>
<refnamediv> <refnamediv>
<refname>snat</refname> <refname>masq</refname>
<refpurpose>Shorewall6 SNAT definition file</refpurpose> <refpurpose>Shorewall6 Masquerade/SNAT definition file</refpurpose>
</refnamediv> </refnamediv>
<refsynopsisdiv> <refsynopsisdiv>
<cmdsynopsis> <cmdsynopsis>
<command>/etc/shorewall6/snat</command> <command>/etc/shorewall6/masq</command>
</cmdsynopsis> </cmdsynopsis>
</refsynopsisdiv> </refsynopsisdiv>
@ -26,11 +26,6 @@
<para>Use this file to define Source NAT (SNAT). Requires Shorewall 4.5.14 <para>Use this file to define Source NAT (SNAT). Requires Shorewall 4.5.14
or later.</para> or later.</para>
<note>
<para>Unlike with IPv4, Netfilter does not support the MASQUERADE target
with IPv6.</para>
</note>
<warning> <warning>
<para>The entries in this file are order-sensitive. The first entry that <para>The entries in this file are order-sensitive. The first entry that
matches a particular connection will be the one that is used.</para> matches a particular connection will be the one that is used.</para>
@ -117,27 +112,32 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">ADDRESS</emphasis> - <term><emphasis role="bold">ADDRESS</emphasis> (Optional) - [<emphasis
{<emphasis>address-or-address-range</emphasis>[,<emphasis>address-or-address-range</emphasis>]...][:<emphasis>lowport</emphasis><emphasis role="bold">-</emphasis>|<emphasis
role="bold">NONAT</emphasis>|[<emphasis>address-or-address-range</emphasis>[,<emphasis>address-or-address-range</emphasis>]...][:<emphasis>lowport</emphasis><emphasis
role="bold">-</emphasis><emphasis>highport</emphasis>][<emphasis role="bold">-</emphasis><emphasis>highport</emphasis>][<emphasis
role="bold">:random</emphasis>][:persistent]|}</term> role="bold">:random</emphasis>][:persistent]|<emphasis
role="bold">detect</emphasis>|<emphasis
role="bold">random</emphasis>]</term>
<listitem> <listitem>
<para>The address specified here will be used as the source address. <para>If you do not specify an address or address range,
If you simply wish to use the IPv6 address of the masquerading will be performed. This requires <firstterm>Masquerade
<replaceable>interface</replaceable> in the first column, enter the Target</firstterm> support in your kernel and ip6tables.</para>
name of that interface preceded by an apersand ('&amp;') - e.g.,
&amp;sit1.</para> <para>If you specify an address here, SNAT will be used and this
will be the source address.</para>
<para>You may also specify a range of up to 256 IP addresses if you <para>You may also specify a range of up to 256 IP addresses if you
want the SNAT address to be assigned from that range in a want the SNAT address to be assigned from that range in a
round-robin fashion by connection. The range is specified by round-robin fashion by connection. The range is specified by
<emphasis>first.ip.in.range</emphasis>-<emphasis>last.ip.in.range</emphasis>. <emphasis>first.ip.in.range</emphasis>-<emphasis>last.ip.in.range</emphasis>.
The address or address range may be optionally followed by a port You may follow the port range with<emphasis
range. When this is done, you must enclose the IPv6 address(es) in role="bold">:random</emphasis> in which case assignment of ports
square brackets. You may follow the port range with<emphasis from the list will be random. <emphasis
role="bold"> :random</emphasis> in which case assignment of ports role="bold">random</emphasis> may also be specified by itself in
from the range will be random.</para> this column in which case random local port assignments are made for
the outgoing connections.</para>
<para>Example: <para>Example:
[2001:470:a:227::2]-[2001:470:a:227::10]:1000-1010</para> [2001:470:a:227::2]-[2001:470:a:227::10]:1000-1010</para>
@ -148,9 +148,6 @@
address range is specified and causes a client to be given the same address range is specified and causes a client to be given the same
source/destination IP pair.</para> source/destination IP pair.</para>
<para>Finally, you may also specify a comma-separated list of ranges
and/or addresses in this column.</para>
<para>This column may not contain DNS Names.</para> <para>This column may not contain DNS Names.</para>
<para>Normally, Netfilter will attempt to retain the source port <para>Normally, Netfilter will attempt to retain the source port
@ -502,7 +499,7 @@
<para>Your entry in the file will be:</para> <para>Your entry in the file will be:</para>
<programlisting> #INTERFACE SOURCE ADDRESS <programlisting> #INTERFACE SOURCE ADDRESS
eth0 2001:470:b:787::0/64 &amp;eth0</programlisting> eth0 2001:470:b:787::0/64 -</programlisting>
</listitem> </listitem>
</varlistentry> </varlistentry>
</variablelist> </variablelist>
@ -511,6 +508,6 @@
<refsect1> <refsect1>
<title>FILES</title> <title>FILES</title>
<para>/etc/shorewall6/snat</para> <para>/etc/shorewall6/masq</para>
</refsect1> </refsect1>
</refentry> </refentry>