forked from extern/shorewall_code
Add support for range lists in /etc/shorewall/masq
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@687 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep
parent
c8b9cbfd35
commit
4192870cb2
@ -18,3 +18,5 @@ Changes since 1.4.6
|
||||
8) Fixed adding addresses to ppp interfaces.
|
||||
|
||||
9) Added generic tunnel support.
|
||||
|
||||
10) Added support for Address Range Lists in /etc/shorewall/masq.
|
||||
|
||||
@ -1187,7 +1187,7 @@ setup_tunnels() # $1 = name of tunnels file
|
||||
echo " OPENVPN tunnel to $1:$p defined."
|
||||
}
|
||||
|
||||
setup_one_generic() # $1 = gateway, $2 = kind:protocol[:port]
|
||||
setup_one_generic() # $1 = gateway, $2 = kind:protocol[:port], $3 = Gateway Zone
|
||||
{
|
||||
local procotol
|
||||
local p=
|
||||
@ -1207,11 +1207,21 @@ setup_tunnels() # $1 = name of tunnels file
|
||||
;;
|
||||
esac
|
||||
|
||||
p=${p+=--dport $p}
|
||||
p=${p:+--dport $p}
|
||||
|
||||
addrule $inchain -p $protocol -s $1 $p -j ACCEPT
|
||||
addrule $outchain -p $protocol -d $1 $p -j ACCEPT
|
||||
|
||||
for z in `separate_list $3`; do
|
||||
if validate_zone $z; then
|
||||
addrule ${FW}2${z} -p $protocol $p -j ACCEPT
|
||||
addrule ${z}2${FW} -p $protocol $p -j ACCEPT
|
||||
else
|
||||
error_message "Warning: Invalid gateway zone ($z)" \
|
||||
" -- Tunnel \"$tunnel\" may encounter problems"
|
||||
fi
|
||||
done
|
||||
|
||||
echo " GENERIC tunnel to $1:$p defined."
|
||||
}
|
||||
|
||||
@ -1249,7 +1259,7 @@ setup_tunnels() # $1 = name of tunnels file
|
||||
setup_one_openvpn $gateway $kind
|
||||
;;
|
||||
generic:*|GENERIC:*)
|
||||
setup_one_generic $gateway $kind
|
||||
setup_one_generic $gateway $kind $z1
|
||||
;;
|
||||
*)
|
||||
error_message "Tunnels of type $kind are not supported:" \
|
||||
@ -3021,7 +3031,8 @@ setup_masq()
|
||||
;;
|
||||
esac
|
||||
|
||||
if [ -n "$address" -a -n "$ADD_SNAT_ALIASES" ]; then
|
||||
if [ -n "$addresses" -a -n "$ADD_SNAT_ALIASES" ]; then
|
||||
for address in `separate_list $addresses`; do
|
||||
for addr in `ip_range $address` ; do
|
||||
if ! list_search $addr $aliases_to_add; then
|
||||
aliases_to_add="$aliases_to_add $addr $fullinterface"
|
||||
@ -3032,6 +3043,7 @@ setup_masq()
|
||||
esac
|
||||
fi
|
||||
done
|
||||
done
|
||||
fi
|
||||
|
||||
destination=$destnet
|
||||
@ -3062,19 +3074,26 @@ setup_masq()
|
||||
destnet="-d $destnet"
|
||||
fi
|
||||
|
||||
if [ -n "$addresses" ]; then
|
||||
temp=
|
||||
for address in `separate_list $addresses`; do
|
||||
temp="$temp --to-source $address"
|
||||
done
|
||||
fi
|
||||
|
||||
if [ -n "$subnet" ]; then
|
||||
for s in $subnet; do
|
||||
if [ -n "$address" ]; then
|
||||
addnatrule $chain -s $s $destnet -j SNAT --to-source $address
|
||||
echo " To $destination from $s through ${interface} using $address"
|
||||
if [ -n "$addresses" ]; then
|
||||
addnatrule $chain -s $s $destnet -j SNAT $temp
|
||||
echo " To $destination from $s through ${interface} using $addresses"
|
||||
else
|
||||
addnatrule $chain -s $s $destnet -j MASQUERADE
|
||||
echo " To $destination from $s through ${interface}"
|
||||
fi
|
||||
done
|
||||
elif [ -n "$address" ]; then
|
||||
addnatrule $chain $destnet -j SNAT --to-source $address
|
||||
echo " To $destination from $source through ${interface} using $address"
|
||||
addnatrule $chain $destnet -j SNAT $temp
|
||||
echo " To $destination from $source through ${interface} using $addresses"
|
||||
else
|
||||
addnatrule $chain $destnet -j MASQUERADE
|
||||
echo " To $destination from $source through ${interface}"
|
||||
@ -3086,8 +3105,8 @@ setup_masq()
|
||||
|
||||
[ -n "$NAT_ENABLED" ] && echo "Masqueraded Subnets and Hosts:"
|
||||
|
||||
while read fullinterface subnet address; do
|
||||
expandv fullinterface subnet address
|
||||
while read fullinterface subnet addresses; do
|
||||
expandv fullinterface subnet addresses
|
||||
[ -n "$NAT_ENABLED" ] && setup_one || \
|
||||
error_message "Warning: NAT disabled; masq rule ignored"
|
||||
done < $TMP_DIR/masq
|
||||
|
||||
@ -50,6 +50,9 @@
|
||||
#
|
||||
# Example: 206.124.146.177-206.124.146.180
|
||||
#
|
||||
# Finally, you may also specify a comma-separated
|
||||
# list of ranges and/or addresses in this column.
|
||||
#
|
||||
# This column may not contain DNS Names.
|
||||
#
|
||||
# Example 1:
|
||||
|
||||
@ -100,7 +100,7 @@ New Features:
|
||||
form:
|
||||
|
||||
# TYPE ZONE GATEWAY GATEWAY ZONE
|
||||
generic:<protocol>[:<port>] <zone> <ip address>
|
||||
generic:<protocol>[:<port>] <zone> <ip address> <gateway zones>
|
||||
|
||||
where:
|
||||
|
||||
@ -111,5 +111,8 @@ New Features:
|
||||
<zone> is the zone of the remote tunnel gateway
|
||||
<ip address> is the IP address of the remote tunnel
|
||||
gateway.
|
||||
<gateway zone> Optional. A comma-separated list of zone names.
|
||||
If specified, the remote gateway is to be
|
||||
considered part of these zones.
|
||||
|
||||
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user