Add support for range lists in /etc/shorewall/masq

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@687 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2003-08-06 23:50:33 +00:00
parent c8b9cbfd35
commit 4192870cb2
4 changed files with 48 additions and 21 deletions


@ -18,3 +18,5 @@ Changes since 1.4.6
8) Fixed adding addresses to ppp interfaces. 8) Fixed adding addresses to ppp interfaces.
9) Added generic tunnel support. 9) Added generic tunnel support.
10) Added support for Address Range Lists in /etc/shorewall/masq.


@ -1187,7 +1187,7 @@ setup_tunnels() # $1 = name of tunnels file
echo " OPENVPN tunnel to $1:$p defined." echo " OPENVPN tunnel to $1:$p defined."
} }
setup_one_generic() # $1 = gateway, $2 = kind:protocol[:port] setup_one_generic() # $1 = gateway, $2 = kind:protocol[:port], $3 = Gateway Zone
{ {
local procotol local procotol
local p= local p=
@ -1207,11 +1207,21 @@ setup_tunnels() # $1 = name of tunnels file
;; ;;
esac esac
p=${p+=--dport $p} p=${p:+--dport $p}
addrule $inchain -p $protocol -s $1 $p -j ACCEPT addrule $inchain -p $protocol -s $1 $p -j ACCEPT
addrule $outchain -p $protocol -d $1 $p -j ACCEPT addrule $outchain -p $protocol -d $1 $p -j ACCEPT
for z in `separate_list $3`; do
if validate_zone $z; then
addrule ${FW}2${z} -p $protocol $p -j ACCEPT
addrule ${z}2${FW} -p $protocol $p -j ACCEPT
else
error_message "Warning: Invalid gateway zone ($z)" \
" -- Tunnel \"$tunnel\" may encounter problems"
fi
done
echo " GENERIC tunnel to $1:$p defined." echo " GENERIC tunnel to $1:$p defined."
} }
@ -1249,7 +1259,7 @@ setup_tunnels() # $1 = name of tunnels file
setup_one_openvpn $gateway $kind setup_one_openvpn $gateway $kind
;; ;;
generic:*|GENERIC:*) generic:*|GENERIC:*)
setup_one_generic $gateway $kind setup_one_generic $gateway $kind $z1
;; ;;
*) *)
error_message "Tunnels of type $kind are not supported:" \ error_message "Tunnels of type $kind are not supported:" \
@ -3021,16 +3031,18 @@ setup_masq()
;; ;;
esac esac
if [ -n "$address" -a -n "$ADD_SNAT_ALIASES" ]; then if [ -n "$addresses" -a -n "$ADD_SNAT_ALIASES" ]; then
for addr in `ip_range $address` ; do for address in `separate_list $addresses`; do
if ! list_search $addr $aliases_to_add; then for addr in `ip_range $address` ; do
aliases_to_add="$aliases_to_add $addr $fullinterface" if ! list_search $addr $aliases_to_add; then
case $fullinterface in aliases_to_add="$aliases_to_add $addr $fullinterface"
*:*) case $fullinterface in
fullinterface=${fullinterface%:*}:$((${fullinterface#*:} + 1 )) *:*)
;; fullinterface=${fullinterface%:*}:$((${fullinterface#*:} + 1 ))
esac ;;
fi esac
fi
done
done done
fi fi
@ -3062,19 +3074,26 @@ setup_masq()
destnet="-d $destnet" destnet="-d $destnet"
fi fi
if [ -n "$addresses" ]; then
temp=
for address in `separate_list $addresses`; do
temp="$temp --to-source $address"
done
fi
if [ -n "$subnet" ]; then if [ -n "$subnet" ]; then
for s in $subnet; do for s in $subnet; do
if [ -n "$address" ]; then if [ -n "$addresses" ]; then
addnatrule $chain -s $s $destnet -j SNAT --to-source $address addnatrule $chain -s $s $destnet -j SNAT $temp
echo " To $destination from $s through ${interface} using $address" echo " To $destination from $s through ${interface} using $addresses"
else else
addnatrule $chain -s $s $destnet -j MASQUERADE addnatrule $chain -s $s $destnet -j MASQUERADE
echo " To $destination from $s through ${interface}" echo " To $destination from $s through ${interface}"
fi fi
done done
elif [ -n "$address" ]; then elif [ -n "$address" ]; then
addnatrule $chain $destnet -j SNAT --to-source $address addnatrule $chain $destnet -j SNAT $temp
echo " To $destination from $source through ${interface} using $address" echo " To $destination from $source through ${interface} using $addresses"
else else
addnatrule $chain $destnet -j MASQUERADE addnatrule $chain $destnet -j MASQUERADE
echo " To $destination from $source through ${interface}" echo " To $destination from $source through ${interface}"
@ -3086,8 +3105,8 @@ setup_masq()
[ -n "$NAT_ENABLED" ] && echo "Masqueraded Subnets and Hosts:" [ -n "$NAT_ENABLED" ] && echo "Masqueraded Subnets and Hosts:"
while read fullinterface subnet address; do while read fullinterface subnet addresses; do
expandv fullinterface subnet address expandv fullinterface subnet addresses
[ -n "$NAT_ENABLED" ] && setup_one || \ [ -n "$NAT_ENABLED" ] && setup_one || \
error_message "Warning: NAT disabled; masq rule ignored" error_message "Warning: NAT disabled; masq rule ignored"
done < $TMP_DIR/masq done < $TMP_DIR/masq
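Review bot: The branch `elif [ -n "$address" ]; then` just below the subnet loop still tests the old variable name after the line above it was renamed to `$addresses`, so with an empty SUBNET column the SNAT branch is taken only if `$address` still holds a value left over from the ADD_SNAT_ALIASES loop in the earlier hunk, and otherwise the entry silently falls through to MASQUERADE without the configured source address. `temp` has the same problem: it is cleared only inside `if [ -n "$addresses" ]`, so a later entry with an empty ADDRESS column reuses the `--to-source` list built for the previous entry in the `$temp` appended to the SNAT rules. Both are fixed by changing the test to `elif [ -n "$addresses" ]; then` and moving `temp=` above the `if` so it is reset on every call; declaring it `local temp` as the tunnel code does for its variables would also guard against leakage between entries. The enclosing function (setup_one, going by the read loop at the end of the section) starts and ends outside the hunk, so `$address` may also be referenced there.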


@ -50,6 +50,9 @@
# #
# Example: 206.124.146.177-206.124.146.180 # Example: 206.124.146.177-206.124.146.180
# #
# Finally, you may also specify a comma-separated
# list of ranges and/or addresses in this column.
#
# This column may not contain DNS Names. # This column may not contain DNS Names.
# #
# Example 1: # Example 1:


@ -100,7 +100,7 @@ New Features:
form: form:
# TYPE ZONE GATEWAY GATEWAY ZONE # TYPE ZONE GATEWAY GATEWAY ZONE
generic:<protocol>[:<port>] <zone> <ip address> generic:<protocol>[:<port>] <zone> <ip address> <gateway zones>
where: where:
@ -111,5 +111,8 @@ New Features:
<zone> is the zone of the remote tunnel gateway <zone> is the zone of the remote tunnel gateway
<ip address> is the IP address of the remote tunnel <ip address> is the IP address of the remote tunnel
gateway. gateway.
<gateway zone> Optional. A comma-separated list of zone names.
If specified, the remote gateway is to be
considered part of these zones.