More detect changes
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5572 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
fedc99ecb6
commit
566090f2c8
@ -45,6 +45,7 @@ our @EXPORT = qw( STANDARD
PREROUTE_RESTRICT
POSTROUTE_RESTRICT
add_command
add_rule
insert_rule
chain_base
@ -980,8 +981,8 @@ sub expand_rule( $$$$$$$$$$ )
fatal_error "Unknown Interface ($iiface): \"$line\"" unless known_interface $iiface;
if ( $restriction == POSTROUTE_RESTRICT ) {
add_command( $chainref , (' ' x $detectcount) . "sources=\$(get_routed_networks $iiface)" );
add_command( $chainref , (' ' x $detectcount) . qq([ -z "\$sourcess" ] && fatal_error "Unable to determine the routes through interface \"$iiface\"") );
add_command( $chainref , (' ' x $detectcount) . "sources=\$(get_routed_networks $iiface);" );
add_command( $chainref , (' ' x $detectcount) . qq([ -z "\$sourcess" ] && fatal_error "Unable to determine the routes through interface \"$iiface\"";) );
add_command( $chainref , (' ' x $detectcount) . 'for source in $sources; do' );
$rule .= '-s $source';
$detectcount++;
@ -1014,8 +1015,8 @@ sub expand_rule( $$$$$$$$$$ )
fatal_error "Unknown Interface ($diface) in rule \"$line\"" unless known_interface $diface;
if ( $restriction == PREROUTE_RESTRICT ) {
add_command( $chainref , (' ' x $detectcount) . "dests=\$(find_interface_addresses $diface)" );
add_command( $chainref , (' ' x $detectcount) . qq([ -z "\$dests" ] && fatal_error "Unable to determine the address(es) of interface \"$diface\"") );
add_command( $chainref , (' ' x $detectcount) . "dests=\$(find_interface_addresses $diface);" );
add_command( $chainref , (' ' x $detectcount) . qq([ -z "\$dests" ] && fatal_error "Unable to determine the address(es) of interface \"$diface\";") );
add_command( $chainref , (' ' x $detectcount) . 'for dest in $dests; do' );
$rule .= '-d $dest';
@ -1030,7 +1031,7 @@ sub expand_rule( $$$$$$$$$$ )
if ( $detectcount ) {
my $newchainref = new_anon_chain( $chainref );
add_command $chainref, (' ' x $detectcount) . qq(emit "-A $chain $rule -j $newchainref->{name}");
add_command $chainref, (' ' x $detectcount) . qq(emit "-A $chain $rule -j $newchainref->{name}";);
while ( $detectcount-- ) {
add_command( $chainref, (' ' x $detectcount) . 'done' );
@ -1243,7 +1244,8 @@ sub create_netfilter_load() {
for my $chainref ( @chains ) {
my $name = $chainref->{name};
for my $rule ( @{$chainref->{rules}} ) {
emit "-A $name $rule";
$rule = "-A $name $rule" unless substr( $rule, 0, 1) eq '~';
emit_unindented $rule;
}
}
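Review bot: The POSTROUTE_RESTRICT branch of expand_rule still tests the wrong shell variable: the new line `add_command( $chainref , (' ' x $detectcount) . qq([ -z "\$sourcess" ] && fatal_error ...` checks `$sourcess` while the command just before it assigns `sources=`, so the emptiness test is always true and the generated fatal_error runs on every rule that takes this path; it should read `[ -z "\$sources" ]`. In the PREROUTE_RESTRICT hunk the appended `;` landed inside the message string (`\"$diface\";")`) instead of after the closing quote as in the sources hunk (`\"$iiface\"";)`), so that statement is not terminated and the message gains a stray semicolon. In create_netfilter_load, `$rule = "-A $name $rule" unless substr( $rule, 0, 1) eq '~';` assigns through the foreach alias and rewrites the chain's stored rules array in place, so a second pass over the same chains would prefix them twice; a lexical copy such as `my $text = substr( $rule, 0, 1 ) eq '~' ? $rule : "-A $name $rule";` followed by `emit_unindented $text;` avoids that. Both expand_rule and create_netfilter_load begin and end outside these hunks.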
@ -154,6 +154,7 @@ sub setup_one_masq($$$$$$)
fatal_error "Unknown interface $interface, rule \"$line\"" unless $interfaces{$interface}{root};
my $chainref = ensure_chain('nat', $pre_nat ? snat_chain $interface : masq_chain $interface);
#
# If there is no source or destination then allow all addresses
#
@ -165,6 +166,7 @@ sub setup_one_masq($$$$$$)
#
$rule .= do_proto $proto, $ports, '';
my $detectaddress = 0;
#
# Parse the ADDRESSES column
#
@ -175,12 +177,20 @@ sub setup_one_masq($$$$$$)
for my $addr ( split /,/, $addresses ) {
$target .= "--to $addr ";
}
} elsif ( $addresses =~ /^SAME:nodst:/ ) {
} elsif ( $addresses =~ /^SAME:nodst:/ ) {
$target = '-j SAME ';
$addresses =~ s/.*://;
for my $addr ( split /,/, $addresses ) {
$target .= "--to $addr ";
}
} elsif ( $addresses eq 'detect' ) {
$target = '-j SNAT $addrlist';
add_command( $chainref , "addresses=\$(find_interface_addresses $interface); \\" );
add_command( $chainref , qq([ -z "\$addresses" ] && fatal_error "Unable to determine the IP address(es) of $interface"; \\) );
add_command( $chainref , 'addrlist=; \\' );
add_command( $chainref , 'for address in $addresses; do \\' );
add_command( $chainref , ' addrlist="$addrlist --to-source $address \\";' );
add_command( $chainref , 'done' );
} else {
my $addrlist = '';
for my $addr ( split /,/, $addresses ) {
@ -195,12 +205,12 @@ sub setup_one_masq($$$$$$)
$target .= $addrlist;
}
}
}
#
# And Generate the Rule(s)
#
expand_rule ensure_chain('nat', $pre_nat ? snat_chain $interface : masq_chain $interface), POSTROUTE_RESTRICT , $rule, $networks, $destnets, '', $target, '', '' , '';
expand_rule $chainref , POSTROUTE_RESTRICT , $rule, $networks, $destnets, '', $target, '', '' , '';
progress_message " Masq record \"$line\" $done";
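Review bot: In the new `detect` branch of setup_one_masq the line `add_command( $chainref , ' addrlist="$addrlist --to-source $address \\";' );` places the backslash before the closing quote: inside Perl single quotes `\\` is a single backslash, so the emitted shell text is `addrlist="$addrlist --to-source $address \";` where `\"` is an escaped quote and the double-quoted string never closes on that line. The neighbouring lines end in `; \\` to continue the statement, so this one presumably should be `' addrlist="$addrlist --to-source $address"; \\'` — confirm against how add_command writes these lines out. `my $detectaddress = 0;` from the earlier hunk is not referenced anywhere in the visible hunks, so either the use is outside this section or the declaration is dead. setup_one_masq starts before the first hunk and appears to continue past `progress_message`, outside this section.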