Support IPv6 Masquerade
Signed-off-by: Tom Eastep <teastep@shorewall.net>
parent
78babf0941
commit
418034579f
@ -25,7 +25,7 @@
|
|||||||
# loaded after this one and replaces some of the functions declared here.
|
# loaded after this one and replaces some of the functions declared here.
|
||||||
#
|
#
|
||||||
|
|
||||||
SHOREWALL_CAPVERSION=40512
|
SHOREWALL_CAPVERSION=40514
|
||||||
|
|
||||||
[ -n "${g_program:=shorewall}" ]
|
[ -n "${g_program:=shorewall}" ]
|
||||||
|
|
||||||
@ -2197,6 +2197,7 @@ determine_capabilities() {
|
|||||||
NFACCT_MATCH=
|
NFACCT_MATCH=
|
||||||
CHECKSUM_TARGET=
|
CHECKSUM_TARGET=
|
||||||
ARPTABLESJF=
|
ARPTABLESJF=
|
||||||
|
MASQUERADE_TGT=
|
||||||
AMANDA_HELPER=
|
AMANDA_HELPER=
|
||||||
FTP_HELPER=
|
FTP_HELPER=
|
||||||
FTP0_HELPER=
|
FTP0_HELPER=
|
||||||
@ -2228,6 +2229,7 @@ determine_capabilities() {
|
|||||||
else
|
else
|
||||||
qt $g_tool -t nat -A $chain -j SNAT --to-source 2001::1 --persistent && PERSISTENT_SNAT=Yes
|
qt $g_tool -t nat -A $chain -j SNAT --to-source 2001::1 --persistent && PERSISTENT_SNAT=Yes
|
||||||
fi
|
fi
|
||||||
|
qt $g_tool -t nat -A $chain -j MASQUERADE && MASQUERADE_TGT=Yes
|
||||||
qt $g_tool -t nat -F $chain
|
qt $g_tool -t nat -F $chain
|
||||||
qt $g_tool -t nat -X $chain
|
qt $g_tool -t nat -X $chain
|
||||||
fi
|
fi
|
||||||
@ -2602,6 +2604,7 @@ report_capabilities_unsorted() {
|
|||||||
report_capability "NFAcct match" $NFACCT_MATCH
|
report_capability "NFAcct match" $NFACCT_MATCH
|
||||||
report_capability "Checksum Target" $CHECKSUM_TARGET
|
report_capability "Checksum Target" $CHECKSUM_TARGET
|
||||||
report_capability "Arptables JF" $ARPTABLESJF
|
report_capability "Arptables JF" $ARPTABLESJF
|
||||||
|
report_capability "MASQUERADE Target" $MASQUERADE_TGT
|
||||||
|
|
||||||
report_capability "Amanda Helper" $AMANDA_HELPER
|
report_capability "Amanda Helper" $AMANDA_HELPER
|
||||||
report_capability "FTP Helper" $FTP_HELPER
|
report_capability "FTP Helper" $FTP_HELPER
|
||||||
@ -2720,6 +2723,7 @@ report_capabilities_unsorted1() {
|
|||||||
report_capability1 NFACCT_MATCH
|
report_capability1 NFACCT_MATCH
|
||||||
report_capability1 CHECKSUM_TARGET
|
report_capability1 CHECKSUM_TARGET
|
||||||
report_capability1 ARPTABLESJF
|
report_capability1 ARPTABLESJF
|
||||||
|
report_capability1 MASQUERADE_TGT
|
||||||
|
|
||||||
report_capability1 AMANDA_HELPER
|
report_capability1 AMANDA_HELPER
|
||||||
report_capability1 FTP_HELPER
|
report_capability1 FTP_HELPER
|
||||||
|
@ -357,6 +357,7 @@ our %capdesc = ( NAT_ENABLED => 'NAT',
|
|||||||
NFACCT_MATCH => 'NFAcct Match',
|
NFACCT_MATCH => 'NFAcct Match',
|
||||||
CHECKSUM_TARGET => 'Checksum Target',
|
CHECKSUM_TARGET => 'Checksum Target',
|
||||||
ARPTABLESJF => 'Arptables JF',
|
ARPTABLESJF => 'Arptables JF',
|
||||||
|
MASQUERADE_TGT => 'MASQUERADE Target',
|
||||||
AMANDA_HELPER => 'Amanda Helper',
|
AMANDA_HELPER => 'Amanda Helper',
|
||||||
FTP_HELPER => 'FTP Helper',
|
FTP_HELPER => 'FTP Helper',
|
||||||
FTP0_HELPER => 'FTP-0 Helper',
|
FTP0_HELPER => 'FTP-0 Helper',
|
||||||
@ -649,7 +650,7 @@ sub initialize( $;$$) {
|
|||||||
KLUDGEFREE => '',
|
KLUDGEFREE => '',
|
||||||
STATEMATCH => '-m state --state',
|
STATEMATCH => '-m state --state',
|
||||||
VERSION => "4.5.13-Beta3",
|
VERSION => "4.5.13-Beta3",
|
||||||
CAPVERSION => 40512 ,
|
CAPVERSION => 40514 ,
|
||||||
);
|
);
|
||||||
#
|
#
|
||||||
# From shorewall.conf file
|
# From shorewall.conf file
|
||||||
@ -901,6 +902,7 @@ sub initialize( $;$$) {
|
|||||||
NFACCT_MATCH => undef,
|
NFACCT_MATCH => undef,
|
||||||
CHECKSUM_TARGET => undef,
|
CHECKSUM_TARGET => undef,
|
||||||
ARPTABLESJF => undef,
|
ARPTABLESJF => undef,
|
||||||
|
MASQUERADE_TGT => undef,
|
||||||
|
|
||||||
AMANDA_HELPER => undef,
|
AMANDA_HELPER => undef,
|
||||||
FTP_HELPER => undef,
|
FTP_HELPER => undef,
|
||||||
@ -3561,6 +3563,22 @@ sub Persistent_Snat() {
|
|||||||
$result;
|
$result;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
sub Masquerade_Tgt() {
|
||||||
|
have_capability( 'NAT_ENABLED' ) || return '';
|
||||||
|
|
||||||
|
my $result = '';
|
||||||
|
my $address = $family == F_IPV4 ? '1.2.3.4' : '2001::1';
|
||||||
|
|
||||||
|
if ( qt1( "$iptables -t nat -N $sillyname" ) ) {
|
||||||
|
$result = qt1( "$iptables -t nat -A $sillyname -j MASQUERADE" );
|
||||||
|
qt1( "$iptables -t nat -F $sillyname" );
|
||||||
|
qt1( "$iptables -t nat -X $sillyname" );
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
$result;
|
||||||
|
}
|
||||||
|
|
||||||
sub Mangle_Enabled() {
|
sub Mangle_Enabled() {
|
||||||
if ( qt1( "$iptables -t mangle -L -n" ) ) {
|
if ( qt1( "$iptables -t mangle -L -n" ) ) {
|
||||||
system( "$iptables -t mangle -N $sillyname" ) == 0 || fatal_error "Cannot Create Mangle chain $sillyname";
|
system( "$iptables -t mangle -N $sillyname" ) == 0 || fatal_error "Cannot Create Mangle chain $sillyname";
|
||||||
@ -4075,6 +4093,7 @@ our %detect_capability =
|
|||||||
MANGLE_FORWARD => \&Mangle_Forward,
|
MANGLE_FORWARD => \&Mangle_Forward,
|
||||||
MARK => \&Mark,
|
MARK => \&Mark,
|
||||||
MARK_ANYWHERE => \&Mark_Anywhere,
|
MARK_ANYWHERE => \&Mark_Anywhere,
|
||||||
|
MASQUERADE_TGT => \&Masquerade_Tgt,
|
||||||
MULTIPORT => \&Multiport,
|
MULTIPORT => \&Multiport,
|
||||||
NAT_ENABLED => \&Nat_Enabled,
|
NAT_ENABLED => \&Nat_Enabled,
|
||||||
NETBIOS_NS_HELPER => \&Netbios_ns_Helper,
|
NETBIOS_NS_HELPER => \&Netbios_ns_Helper,
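Review bot: In the Masquerade_Tgt hunk (@ -3561), `my $address = $family == F_IPV4 ? '1.2.3.4' : '2001::1';` is never used — the probe rule `-A $sillyname -j MASQUERADE` takes no address — so the line appears to have been carried over from Persistent_Snat and should be dropped. Perl does not warn about unused lexicals, so `use warnings` will not catch it. A one-line header comment would also help, e.g. `# Probe whether the MASQUERADE target loads in the nat table; always true for IPv4, kernel-dependent for IPv6.` The remaining hunks of this section (capdesc, CAPVERSION, capability defaults, detect_capability map) are consistent with the new key.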
|
||||||
|
@ -172,7 +172,7 @@ sub process_one_masq1( $$$$$$$$$$ )
|
|||||||
#
|
#
|
||||||
if ( $addresses ne '-' ) {
|
if ( $addresses ne '-' ) {
|
||||||
if ( $addresses eq 'random' ) {
|
if ( $addresses eq 'random' ) {
|
||||||
fatal_error 'Invalid IPv6 address (random)' if $family == F_IPV6;
|
require_capability( 'MASQUERADE_TGT', 'Masquerade rules', '') if $family == F_IPV6;
|
||||||
$randomize = '--random ';
|
$randomize = '--random ';
|
||||||
} else {
|
} else {
|
||||||
$addresses =~ s/:persistent$// and $persistent = ' --persistent ';
|
$addresses =~ s/:persistent$// and $persistent = ' --persistent ';
|
||||||
@ -194,9 +194,11 @@ sub process_one_masq1( $$$$$$$$$$ )
|
|||||||
$detectaddress = 1;
|
$detectaddress = 1;
|
||||||
}
|
}
|
||||||
} elsif ( $addresses eq 'NONAT' ) {
|
} elsif ( $addresses eq 'NONAT' ) {
|
||||||
|
fatal_error "'persistent' may not be specified with 'NONAT'" if $persistent;
|
||||||
|
fatal_error "'random' may not be specified with 'NONAT'" if $randomize;
|
||||||
$target = 'RETURN';
|
$target = 'RETURN';
|
||||||
$add_snat_aliases = 0;
|
$add_snat_aliases = 0;
|
||||||
} else {
|
} elsif ( $addresses ) {
|
||||||
my $addrlist = '';
|
my $addrlist = '';
|
||||||
my @addrs = split_list $addresses, 'address';
|
my @addrs = split_list $addresses, 'address';
|
||||||
|
|
||||||
@ -305,13 +307,15 @@ sub process_one_masq1( $$$$$$$$$$ )
|
|||||||
}
|
}
|
||||||
|
|
||||||
$target .= $addrlist;
|
$target .= $addrlist;
|
||||||
|
} else {
|
||||||
|
require_capability( 'MASQUERADE_TGT', 'Masquerade rules', '' ) if $family == F_IPV6;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
$target .= $randomize;
|
$target .= $randomize;
|
||||||
$target .= $persistent;
|
$target .= $persistent;
|
||||||
} else {
|
} else {
|
||||||
fatal_error "IPv6 does does not support MASQUERADE -- you must use SNAT" if $family == F_IPV6;
|
require_capability( 'MASQUERADE_TGT', 'Masquerade rules', '' ) if $family == F_IPV6;
|
||||||
$add_snat_aliases = 0;
|
$add_snat_aliases = 0;
|
||||||
}
|
}
|
||||||
#
|
#
|
||||||
@ -373,11 +377,9 @@ sub process_one_masq( )
|
|||||||
#
|
#
|
||||||
sub setup_masq()
|
sub setup_masq()
|
||||||
{
|
{
|
||||||
my $name = $family == F_IPV4 ? 'masq' : 'snat';
|
if ( my $fn = open_file( 'masq', 1, 1 ) ) {
|
||||||
|
|
||||||
if ( my $fn = open_file( $name, 1, 1 ) ) {
|
first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , "a non-empty masq file" , 's'; } );
|
||||||
|
|
||||||
first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , "a non-empty $name file" , 's'; } );
|
|
||||||
|
|
||||||
process_one_masq while read_a_line( NORMAL_READ );
|
process_one_masq while read_a_line( NORMAL_READ );
|
||||||
}
|
}
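Review bot: In the setup_masq hunk (@ -373), `open_file( 'masq', 1, 1 )` is now used for both families, so a shorewall6 installation that still has an `snat` file (the name the removed `$name` logic read for IPv6) gets no SNAT/MASQUERADE rules and no diagnostic — for a firewall that is a silent behaviour change rather than an error. If the `snat` name was ever shipped, consider emitting a warning when an IPv6 `snat` file exists but no `masq` file does, using the file-lookup and warning helpers Shorewall::Config already provides. In the process_one_masq1 hunk (@ -172) the new `require_capability( 'MASQUERADE_TGT', 'Masquerade rules', '')` lacks the space before `)` that the two later calls have, and the `'random' may not be specified with 'NONAT'` check is only reachable if `$randomize` can be set before the `NONAT` branch, which the hidden lines 176–193 would have to show. setup_masq's closing brace is outside the hunk.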
|
||||||
|
@ -1,10 +1,10 @@
|
|||||||
#
|
#
|
||||||
# Shorewall6 version 4 - SNAT file
|
# Shorewall6 version 4 - MASQUERADE/SNAT file
|
||||||
#
|
#
|
||||||
# For information about entries in this file, type "man shorewall6-snat"
|
# For information about entries in this file, type "man shorewall6-masq"
|
||||||
#
|
#
|
||||||
# The manpage is also online at
|
# The manpage is also online at
|
||||||
# http://www.shorewall.net/manpages6/shorewall6-snat.html
|
# http://www.shorewall.net/manpages6/shorewall6-masq.html
|
||||||
#
|
#
|
||||||
########################################################################################################################
|
########################################################################################################################
|
||||||
#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK USER/ SWITCH ORIGINAL
|
#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK USER/ SWITCH ORIGINAL
|
@ -3,20 +3,20 @@
|
|||||||
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
|
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
|
||||||
<refentry>
|
<refentry>
|
||||||
<refmeta>
|
<refmeta>
|
||||||
<refentrytitle>shorewall6-snat</refentrytitle>
|
<refentrytitle>shorewall6-masq</refentrytitle>
|
||||||
|
|
||||||
<manvolnum>5</manvolnum>
|
<manvolnum>5</manvolnum>
|
||||||
</refmeta>
|
</refmeta>
|
||||||
|
|
||||||
<refnamediv>
|
<refnamediv>
|
||||||
<refname>snat</refname>
|
<refname>masq</refname>
|
||||||
|
|
||||||
<refpurpose>Shorewall6 SNAT definition file</refpurpose>
|
<refpurpose>Shorewall6 Masquerade/SNAT definition file</refpurpose>
|
||||||
</refnamediv>
|
</refnamediv>
|
||||||
|
|
||||||
<refsynopsisdiv>
|
<refsynopsisdiv>
|
||||||
<cmdsynopsis>
|
<cmdsynopsis>
|
||||||
<command>/etc/shorewall6/snat</command>
|
<command>/etc/shorewall6/masq</command>
|
||||||
</cmdsynopsis>
|
</cmdsynopsis>
|
||||||
</refsynopsisdiv>
|
</refsynopsisdiv>
|
||||||
|
|
||||||
@ -26,11 +26,6 @@
|
|||||||
<para>Use this file to define Source NAT (SNAT). Requires Shorewall 4.5.14
|
<para>Use this file to define Source NAT (SNAT). Requires Shorewall 4.5.14
|
||||||
or later.</para>
|
or later.</para>
|
||||||
|
|
||||||
<note>
|
|
||||||
<para>Unlike with IPv4, Netfilter does not support the MASQUERADE target
|
|
||||||
with IPv6.</para>
|
|
||||||
</note>
|
|
||||||
|
|
||||||
<warning>
|
<warning>
|
||||||
<para>The entries in this file are order-sensitive. The first entry that
|
<para>The entries in this file are order-sensitive. The first entry that
|
||||||
matches a particular connection will be the one that is used.</para>
|
matches a particular connection will be the one that is used.</para>
|
||||||
@ -117,27 +112,32 @@
|
|||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis role="bold">ADDRESS</emphasis> -
|
<term><emphasis role="bold">ADDRESS</emphasis> (Optional) - [<emphasis
|
||||||
{<emphasis>address-or-address-range</emphasis>[,<emphasis>address-or-address-range</emphasis>]...][:<emphasis>lowport</emphasis><emphasis
|
role="bold">-</emphasis>|<emphasis
|
||||||
|
role="bold">NONAT</emphasis>|[<emphasis>address-or-address-range</emphasis>[,<emphasis>address-or-address-range</emphasis>]...][:<emphasis>lowport</emphasis><emphasis
|
||||||
role="bold">-</emphasis><emphasis>highport</emphasis>][<emphasis
|
role="bold">-</emphasis><emphasis>highport</emphasis>][<emphasis
|
||||||
role="bold">:random</emphasis>][:persistent]|}</term>
|
role="bold">:random</emphasis>][:persistent]|<emphasis
|
||||||
|
role="bold">detect</emphasis>|<emphasis
|
||||||
|
role="bold">random</emphasis>]</term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>The address specified here will be used as the source address.
|
<para>If you do not specify an address or address range,
|
||||||
If you simply wish to use the IPv6 address of the
|
masquerading will be performed. This requires <firstterm>Masquerade
|
||||||
<replaceable>interface</replaceable> in the first column, enter the
|
Target</firstterm> support in your kernel and ip6tables.</para>
|
||||||
name of that interface preceded by an apersand ('&') - e.g.,
|
|
||||||
&sit1.</para>
|
<para>If you specify an address here, SNAT will be used and this
|
||||||
|
will be the source address.</para>
|
||||||
|
|
||||||
<para>You may also specify a range of up to 256 IP addresses if you
|
<para>You may also specify a range of up to 256 IP addresses if you
|
||||||
want the SNAT address to be assigned from that range in a
|
want the SNAT address to be assigned from that range in a
|
||||||
round-robin fashion by connection. The range is specified by
|
round-robin fashion by connection. The range is specified by
|
||||||
<emphasis>first.ip.in.range</emphasis>-<emphasis>last.ip.in.range</emphasis>.
|
<emphasis>first.ip.in.range</emphasis>-<emphasis>last.ip.in.range</emphasis>.
|
||||||
The address or address range may be optionally followed by a port
|
You may follow the port range with<emphasis
|
||||||
range. When this is done, you must enclose the IPv6 address(es) in
|
role="bold">:random</emphasis> in which case assignment of ports
|
||||||
square brackets. You may follow the port range with<emphasis
|
from the list will be random. <emphasis
|
||||||
role="bold"> :random</emphasis> in which case assignment of ports
|
role="bold">random</emphasis> may also be specified by itself in
|
||||||
from the range will be random.</para>
|
this column in which case random local port assignments are made for
|
||||||
|
the outgoing connections.</para>
|
||||||
|
|
||||||
<para>Example:
|
<para>Example:
|
||||||
[2001:470:a:227::2]-[2001:470:a:227::10]:1000-1010</para>
|
[2001:470:a:227::2]-[2001:470:a:227::10]:1000-1010</para>
|
||||||
@ -148,9 +148,6 @@
|
|||||||
address range is specified and causes a client to be given the same
|
address range is specified and causes a client to be given the same
|
||||||
source/destination IP pair.</para>
|
source/destination IP pair.</para>
|
||||||
|
|
||||||
<para>Finally, you may also specify a comma-separated list of ranges
|
|
||||||
and/or addresses in this column.</para>
|
|
||||||
|
|
||||||
<para>This column may not contain DNS Names.</para>
|
<para>This column may not contain DNS Names.</para>
|
||||||
|
|
||||||
<para>Normally, Netfilter will attempt to retain the source port
|
<para>Normally, Netfilter will attempt to retain the source port
|
||||||
@ -502,7 +499,7 @@
|
|||||||
<para>Your entry in the file will be:</para>
|
<para>Your entry in the file will be:</para>
|
||||||
|
|
||||||
<programlisting> #INTERFACE SOURCE ADDRESS
|
<programlisting> #INTERFACE SOURCE ADDRESS
|
||||||
eth0 2001:470:b:787::0/64 &eth0</programlisting>
|
eth0 2001:470:b:787::0/64 -</programlisting>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
</variablelist>
|
</variablelist>
|
||||||
@ -511,6 +508,6 @@
|
|||||||
<refsect1>
|
<refsect1>
|
||||||
<title>FILES</title>
|
<title>FILES</title>
|
||||||
|
|
||||||
<para>/etc/shorewall6/snat</para>
|
<para>/etc/shorewall6/masq</para>
|
||||||
</refsect1>
|
</refsect1>
|
||||||
</refentry>
|
</refentry>
|