Add support for range lists in /etc/shorewall/masq
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@687 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
c8b9cbfd35
commit
4192870cb2
@ -18,3 +18,5 @@ Changes since 1.4.6
|
|||||||
8) Fixed adding addresses to ppp interfaces.
|
8) Fixed adding addresses to ppp interfaces.
|
||||||
|
|
||||||
9) Added generic tunnel support.
|
9) Added generic tunnel support.
|
||||||
|
|
||||||
|
10) Added support for Address Range Lists in /etc/shorewall/masq.
|
||||||
|
@ -1187,7 +1187,7 @@ setup_tunnels() # $1 = name of tunnels file
|
|||||||
echo " OPENVPN tunnel to $1:$p defined."
|
echo " OPENVPN tunnel to $1:$p defined."
|
||||||
}
|
}
|
||||||
|
|
||||||
setup_one_generic() # $1 = gateway, $2 = kind:protocol[:port]
|
setup_one_generic() # $1 = gateway, $2 = kind:protocol[:port], $3 = Gateway Zone
|
||||||
{
|
{
|
||||||
local procotol
|
local procotol
|
||||||
local p=
|
local p=
|
||||||
@ -1207,11 +1207,21 @@ setup_tunnels() # $1 = name of tunnels file
|
|||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
p=${p+=--dport $p}
|
p=${p:+--dport $p}
|
||||||
|
|
||||||
addrule $inchain -p $protocol -s $1 $p -j ACCEPT
|
addrule $inchain -p $protocol -s $1 $p -j ACCEPT
|
||||||
addrule $outchain -p $protocol -d $1 $p -j ACCEPT
|
addrule $outchain -p $protocol -d $1 $p -j ACCEPT
|
||||||
|
|
||||||
|
for z in `separate_list $3`; do
|
||||||
|
if validate_zone $z; then
|
||||||
|
addrule ${FW}2${z} -p $protocol $p -j ACCEPT
|
||||||
|
addrule ${z}2${FW} -p $protocol $p -j ACCEPT
|
||||||
|
else
|
||||||
|
error_message "Warning: Invalid gateway zone ($z)" \
|
||||||
|
" -- Tunnel \"$tunnel\" may encounter problems"
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
|
||||||
echo " GENERIC tunnel to $1:$p defined."
|
echo " GENERIC tunnel to $1:$p defined."
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1249,7 +1259,7 @@ setup_tunnels() # $1 = name of tunnels file
|
|||||||
setup_one_openvpn $gateway $kind
|
setup_one_openvpn $gateway $kind
|
||||||
;;
|
;;
|
||||||
generic:*|GENERIC:*)
|
generic:*|GENERIC:*)
|
||||||
setup_one_generic $gateway $kind
|
setup_one_generic $gateway $kind $z1
|
||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
error_message "Tunnels of type $kind are not supported:" \
|
error_message "Tunnels of type $kind are not supported:" \
|
||||||
@ -3021,7 +3031,8 @@ setup_masq()
|
|||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
if [ -n "$address" -a -n "$ADD_SNAT_ALIASES" ]; then
|
if [ -n "$addresses" -a -n "$ADD_SNAT_ALIASES" ]; then
|
||||||
|
for address in `separate_list $addresses`; do
|
||||||
for addr in `ip_range $address` ; do
|
for addr in `ip_range $address` ; do
|
||||||
if ! list_search $addr $aliases_to_add; then
|
if ! list_search $addr $aliases_to_add; then
|
||||||
aliases_to_add="$aliases_to_add $addr $fullinterface"
|
aliases_to_add="$aliases_to_add $addr $fullinterface"
|
||||||
@ -3032,6 +3043,7 @@ setup_masq()
|
|||||||
esac
|
esac
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
done
|
||||||
fi
|
fi
|
||||||
|
|
||||||
destination=$destnet
|
destination=$destnet
|
||||||
@ -3062,19 +3074,26 @@ setup_masq()
|
|||||||
destnet="-d $destnet"
|
destnet="-d $destnet"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
if [ -n "$addresses" ]; then
|
||||||
|
temp=
|
||||||
|
for address in `separate_list $addresses`; do
|
||||||
|
temp="$temp --to-source $address"
|
||||||
|
done
|
||||||
|
fi
|
||||||
|
|
||||||
if [ -n "$subnet" ]; then
|
if [ -n "$subnet" ]; then
|
||||||
for s in $subnet; do
|
for s in $subnet; do
|
||||||
if [ -n "$address" ]; then
|
if [ -n "$addresses" ]; then
|
||||||
addnatrule $chain -s $s $destnet -j SNAT --to-source $address
|
addnatrule $chain -s $s $destnet -j SNAT $temp
|
||||||
echo " To $destination from $s through ${interface} using $address"
|
echo " To $destination from $s through ${interface} using $addresses"
|
||||||
else
|
else
|
||||||
addnatrule $chain -s $s $destnet -j MASQUERADE
|
addnatrule $chain -s $s $destnet -j MASQUERADE
|
||||||
echo " To $destination from $s through ${interface}"
|
echo " To $destination from $s through ${interface}"
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
elif [ -n "$address" ]; then
|
elif [ -n "$address" ]; then
|
||||||
addnatrule $chain $destnet -j SNAT --to-source $address
|
addnatrule $chain $destnet -j SNAT $temp
|
||||||
echo " To $destination from $source through ${interface} using $address"
|
echo " To $destination from $source through ${interface} using $addresses"
|
||||||
else
|
else
|
||||||
addnatrule $chain $destnet -j MASQUERADE
|
addnatrule $chain $destnet -j MASQUERADE
|
||||||
echo " To $destination from $source through ${interface}"
|
echo " To $destination from $source through ${interface}"
|
||||||
@ -3086,8 +3105,8 @@ setup_masq()
|
|||||||
|
|
||||||
[ -n "$NAT_ENABLED" ] && echo "Masqueraded Subnets and Hosts:"
|
[ -n "$NAT_ENABLED" ] && echo "Masqueraded Subnets and Hosts:"
|
||||||
|
|
||||||
while read fullinterface subnet address; do
|
while read fullinterface subnet addresses; do
|
||||||
expandv fullinterface subnet address
|
expandv fullinterface subnet addresses
|
||||||
[ -n "$NAT_ENABLED" ] && setup_one || \
|
[ -n "$NAT_ENABLED" ] && setup_one || \
|
||||||
error_message "Warning: NAT disabled; masq rule ignored"
|
error_message "Warning: NAT disabled; masq rule ignored"
|
||||||
done < $TMP_DIR/masq
|
done < $TMP_DIR/masq
|
||||||
|
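Review bot: In the setup_masq hunk at @ -3062, the `elif [ -n "$address" ]; then` test was left on the singular name while the sibling test inside the subnet loop, the aliases check and the `while read fullinterface subnet addresses` line were renamed to `addresses`, so it now keys on the loop variable set by `for address in `separate_list $addresses``, which keeps the last value from an earlier masq entry unless setup_one resets it near its top (the function starts and ends outside the hunk). Because `temp=` is likewise only cleared inside `if [ -n "$addresses" ]; then`, an entry with an empty ADDRESS column that follows one with addresses could take the SNAT branch with the previous entry's `--to-source` list instead of MASQUERADE. Change the test to `elif [ -n "$addresses" ]; then` and move `temp=` above `if [ -n "$addresses" ]; then` so it is reset for every entry. Separately, in setup_one_generic the new `addrule ${FW}2${z} -p $protocol $p -j ACCEPT` and `addrule ${z}2${FW} -p $protocol $p -j ACCEPT` lines omit the `-d $1` / `-s $1` match that the inchain/outchain rules just above carry, so the tunnel protocol/port is accepted to and from every host in each gateway zone rather than the gateway alone; if that widening is intended, a comment saying so would help, otherwise add the address match.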
@ -50,6 +50,9 @@
|
|||||||
#
|
#
|
||||||
# Example: 206.124.146.177-206.124.146.180
|
# Example: 206.124.146.177-206.124.146.180
|
||||||
#
|
#
|
||||||
|
# Finally, you may also specify a comma-separated
|
||||||
|
# list of ranges and/or addresses in this column.
|
||||||
|
#
|
||||||
# This column may not contain DNS Names.
|
# This column may not contain DNS Names.
|
||||||
#
|
#
|
||||||
# Example 1:
|
# Example 1:
|
||||||
|
@ -100,7 +100,7 @@ New Features:
|
|||||||
form:
|
form:
|
||||||
|
|
||||||
# TYPE ZONE GATEWAY GATEWAY ZONE
|
# TYPE ZONE GATEWAY GATEWAY ZONE
|
||||||
generic:<protocol>[:<port>] <zone> <ip address>
|
generic:<protocol>[:<port>] <zone> <ip address> <gateway zones>
|
||||||
|
|
||||||
where:
|
where:
|
||||||
|
|
||||||
@ -111,5 +111,8 @@ New Features:
|
|||||||
<zone> is the zone of the remote tunnel gateway
|
<zone> is the zone of the remote tunnel gateway
|
||||||
<ip address> is the IP address of the remote tunnel
|
<ip address> is the IP address of the remote tunnel
|
||||||
gateway.
|
gateway.
|
||||||
|
<gateway zone> Optional. A comma-separated list of zone names.
|
||||||
|
If specified, the remote gateway is to be
|
||||||
|
considered part of these zones.
|
||||||
|
|
||||||
|
|
||||||
|