Apply Luigi's MARK patches
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@6181 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
a275d33cd2
commit
58678ec18f
@ -7,6 +7,6 @@
|
||||
# additional information about how to use this file.
|
||||
#
|
||||
#####################################################################################
|
||||
#ACTION CHAIN SOURCE DESTINATION PROTO DEST SOURCE USER/
|
||||
#ACTION CHAIN SOURCE DESTINATION PROTO DEST SOURCE USER/ MARK
|
||||
# PORT(S) PORT(S) GROUP
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
@ -6,5 +6,5 @@
|
||||
# For additional information, see http://shorewall.net/Documentation.htm#Masq
|
||||
#
|
||||
###############################################################################
|
||||
#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC
|
||||
#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK
|
||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
|
||||
|
@ -6,7 +6,7 @@
|
||||
# See http://shorewall.net/Documentation.htm#Rules for additional information.
|
||||
#
|
||||
#############################################################################################################
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
|
||||
# PORT PORT(S) DEST LIMIT GROUP
|
||||
#SECTION ESTABLISHED
|
||||
#SECTION RELATED
|
||||
|
@ -4,6 +4,6 @@
|
||||
# For information about entries in this file, type "man shorewall-tos"
|
||||
#
|
||||
###############################################################################
|
||||
#SOURCE DEST PROTOCOL SOURCE DEST TOS
|
||||
#SOURCE DEST PROTOCOL SOURCE DEST TOS MARK
|
||||
# PORTS PORTS
|
||||
#LAST LINE -- Add your entries above -- DO NOT REMOVE
|
||||
|
@ -1621,6 +1621,7 @@ __EOF__
|
||||
# ratelimit = Optional rate limiting clause
|
||||
# userandgroup = -m owner clause
|
||||
# userspec = User name
|
||||
# mark = Packet mark
|
||||
# logtag = Log tag
|
||||
# policy = Applicable Policy
|
||||
#
|
||||
@ -1762,6 +1763,7 @@ add_a_rule() {
|
||||
servport=$serverport
|
||||
multiport=
|
||||
user="$userandgroup"
|
||||
mrk="$mark"
|
||||
|
||||
# Restore $chain to the canonical chain.
|
||||
|
||||
@ -1808,7 +1810,7 @@ add_a_rule() {
|
||||
#
|
||||
# This function is called from process_default_macro() after rules are DONE
|
||||
#
|
||||
if [ -z "$proto" -a -z "$cli" -a -z "$serv" -a -z "$servport" -a -z "$user" -a -z "$excludesource" -a -z "$excludedest" ] ; then
|
||||
if [ -z "$proto" -a -z "$cli" -a -z "$serv" -a -z "$servport" -a -z "$user" -a -z "$excludesource" -a -z "$excludedest" -a -z "$mark" ] ; then
|
||||
error_message "WARNING -- Rule \"$rule\" is a POLICY"
|
||||
error_message " -- and should be moved to the policy file"
|
||||
fi
|
||||
@ -1867,7 +1869,7 @@ add_a_rule() {
|
||||
if [ -n "$addr" -a -n "$CONNTRACK_MATCH" ]; then
|
||||
if [ "$addr" = detect ]; then
|
||||
indent >&3 << __EOF__
|
||||
run_iptables -A $chain $state $proto $ratelimit $multiport $cli $sports $(dest_ip_range $srv) $dports -m conntrack --ctorigdst \$adr $user -j $target
|
||||
run_iptables -A $chain $state $proto $ratelimit $multiport $cli $sports $(dest_ip_range $srv) $dports -m conntrack --ctorigdst \$adr $user $mrk -j $target
|
||||
done
|
||||
|
||||
__EOF__
|
||||
@ -1875,44 +1877,44 @@ __EOF__
|
||||
for adr in $(separate_list $addr); do
|
||||
if [ -n "$loglevel" -a -z "$natrule" ]; then
|
||||
log_rule_limit $loglevel $chain $logchain $logtarget "$ratelimit" "$logtag" -A -m conntrack --ctorigdst $adr \
|
||||
$user $(fix_bang $proto $sports $multiport $cli $(dest_ip_range $srv) $dports) $state
|
||||
$user $mrk $(fix_bang $proto $sports $multiport $cli $(dest_ip_range $srv) $dports) $state
|
||||
fi
|
||||
|
||||
run_iptables2 -A $chain $state $proto $ratelimit $multiport $cli $sports \
|
||||
$(dest_ip_range $srv) $dports -m conntrack --ctorigdst $adr $user -j $target
|
||||
$(dest_ip_range $srv) $dports -m conntrack --ctorigdst $adr $user $mrk -j $target
|
||||
done
|
||||
fi
|
||||
else
|
||||
if [ -n "$loglevel" -a -z "$natrule" ]; then
|
||||
log_rule_limit $loglevel $chain $logchain $logtarget "$ratelimit" "$logtag" -A $user \
|
||||
log_rule_limit $loglevel $chain $logchain $logtarget "$ratelimit" "$logtag" -A $user $mrk \
|
||||
$state $(fix_bang $proto $sports $multiport $cli $(dest_ip_range $srv) $dports)
|
||||
fi
|
||||
|
||||
if [ -n "$nonat" ]; then
|
||||
addnatrule $(dnat_chain $source) $proto $multiport \
|
||||
$cli $sports $(dest_ip_range $srv) $dports $ratelimit $user -j RETURN
|
||||
$cli $sports $(dest_ip_range $srv) $dports $ratelimit $user $mrk -j RETURN
|
||||
fi
|
||||
|
||||
if [ "$logtarget" != NONAT ]; then
|
||||
run_iptables2 -A $chain $state $proto $multiport $cli $sports \
|
||||
$(dest_ip_range $srv) $dports $ratelimit $user -j $target
|
||||
$(dest_ip_range $srv) $dports $ratelimit $user $mrk -j $target
|
||||
fi
|
||||
fi
|
||||
done
|
||||
done
|
||||
else
|
||||
if [ -n "$loglevel" -a -z "$natrule" ]; then
|
||||
log_rule_limit $loglevel $chain $logchain $logtarget "$ratelimit" "$logtag" -A $user \
|
||||
log_rule_limit $loglevel $chain $logchain $logtarget "$ratelimit" "$logtag" -A $user $mrk \
|
||||
$state $(fix_bang $proto $sports $multiport $cli $dports)
|
||||
fi
|
||||
|
||||
[ -n "$nonat" ] && \
|
||||
addnatrule $(dnat_chain $source) $proto $multiport \
|
||||
$cli $sports $dports $ratelimit $user -j RETURN
|
||||
$cli $sports $dports $ratelimit $user $mrk -j RETURN
|
||||
|
||||
[ "$logtarget" != NONAT ] && \
|
||||
run_iptables2 -A $chain $state $proto $multiport $cli $sports \
|
||||
$dports $ratelimit $user -j $target
|
||||
$dports $ratelimit $user $mrk -j $target
|
||||
fi
|
||||
fi
|
||||
else
|
||||
@ -1926,37 +1928,37 @@ __EOF__
|
||||
if [ -n "$addr" ]; then
|
||||
for adr in $(separate_list $addr); do
|
||||
if [ -n "$loglevel" ]; then
|
||||
log_rule_limit $loglevel $chain $logchain $logtarget "$ratelimit" "$logtag" -A $user \
|
||||
log_rule_limit $loglevel $chain $logchain $logtarget "$ratelimit" "$logtag" -A $user $mrk \
|
||||
$state $(fix_bang $proto $multiport $cli $dest_interface $sports $dports -m conntrack --ctorigdst $adr)
|
||||
fi
|
||||
|
||||
if [ "$logtarget" != LOG ]; then
|
||||
if [ -n "$nonat" ]; then
|
||||
addnatrule $(dnat_chain $source) $proto $multiport \
|
||||
$cli $sports $dports $ratelimit $user -m conntrack --ctorigdst $adr -j RETURN
|
||||
$cli $sports $dports $ratelimit $user $mrk -m conntrack --ctorigdst $adr -j RETURN
|
||||
fi
|
||||
|
||||
if [ "$logtarget" != NONAT ]; then
|
||||
run_iptables2 -A $chain $state $proto $multiport $cli $dest_interface \
|
||||
$sports $dports $ratelimit $user -m conntrack --ctorigdst $adr -j $target
|
||||
$sports $dports $ratelimit $user $mrk -m conntrack --ctorigdst $adr -j $target
|
||||
fi
|
||||
fi
|
||||
done
|
||||
else
|
||||
if [ -n "$loglevel" ]; then
|
||||
log_rule_limit $loglevel $chain $logchain $logtarget "$ratelimit" "$logtag" -A $user \
|
||||
log_rule_limit $loglevel $chain $logchain $logtarget "$ratelimit" "$logtag" -A $user $mrk \
|
||||
$state $(fix_bang $proto $multiport $cli $dest_interface $sports $dports)
|
||||
fi
|
||||
|
||||
if [ "$logtarget" != LOG ]; then
|
||||
if [ -n "$nonat" ]; then
|
||||
addnatrule $(dnat_chain $source) $proto $multiport \
|
||||
$cli $sports $dports $ratelimit $user -j RETURN
|
||||
$cli $sports $dports $ratelimit $user $mrk -j RETURN
|
||||
fi
|
||||
|
||||
if [ "$logtarget" != NONAT ]; then
|
||||
run_iptables2 -A $chain $state $proto $multiport $cli $dest_interface \
|
||||
$sports $dports $ratelimit $user -j $target
|
||||
$sports $dports $ratelimit $user $mrk -j $target
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
@ -2037,6 +2039,21 @@ process_ratelimit() {
|
||||
fi
|
||||
}
|
||||
|
||||
#
|
||||
# Process the MARK column contents
|
||||
#
|
||||
process_mark() {
|
||||
[ "x$mark" = "x-" ] && mark=
|
||||
|
||||
if [ -n "$mark" ]; then
|
||||
if [ "$mark" = "${mark%!*}" ]; then
|
||||
mark="-m mark --mark $mark"
|
||||
else
|
||||
mark="-m mark ! --mark ${mark#*!}"
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
#
|
||||
# Combine a source/dest from the macro body with one from the macro invocation
|
||||
#
|
||||
@ -2070,6 +2087,7 @@ process_rule() # $1 = target
|
||||
# $7 = address
|
||||
# $8 = ratelimit
|
||||
# $9 = userspec
|
||||
# $10= mark
|
||||
{
|
||||
local target="$1"
|
||||
local clients="$2"
|
||||
@ -2080,12 +2098,15 @@ process_rule() # $1 = target
|
||||
local address="$7"
|
||||
local ratelimit="$8"
|
||||
local userspec="$9"
|
||||
local mark="${10}"
|
||||
local userandgroup=
|
||||
local logtag=
|
||||
local nonat=
|
||||
|
||||
# # # # # F u n c t i o n B o d y # # # # #
|
||||
|
||||
process_mark
|
||||
|
||||
process_ratelimit
|
||||
|
||||
# Isolate log level
|
||||
@ -2427,6 +2448,7 @@ process_macro() # $1 = target
|
||||
# $7 = address
|
||||
# $8 = ratelimit
|
||||
# $9 = userspec
|
||||
# $10= mark
|
||||
{
|
||||
local itarget="$1"
|
||||
local param="$2"
|
||||
@ -2438,6 +2460,7 @@ process_macro() # $1 = target
|
||||
local iaddress="$8"
|
||||
local iratelimit="$9"
|
||||
local iuserspec="${10}"
|
||||
local imark="${11}"
|
||||
|
||||
progress_message "..Expanding Macro $(find_file macro.${itarget%%:*})..."
|
||||
|
||||
@ -2506,7 +2529,7 @@ process_macro() # $1 = target
|
||||
[ -n "$iuserspec" ] && [ "x${iuserspec}" != x- ] && muserspec=$iuserspec
|
||||
|
||||
rule="$mtarget ${mclients=-} ${mservers:=-} ${mprotocol:=-} ${mports:=-} ${mcports:=-} ${xaddress:=-} ${mratelimit:=-} ${muserspec:=-}"
|
||||
process_rule $mtarget $mclients $mservers $mprotocol $mports $mcports ${iaddress:=-} $mratelimit $muserspec
|
||||
process_rule $mtarget $mclients $mservers $mprotocol $mports $mcports ${iaddress:=-} $mratelimit $muserspec $imark
|
||||
|
||||
done < $TMP_DIR/macro.${itarget%%:*}
|
||||
|
||||
@ -2545,10 +2568,10 @@ process_rules()
|
||||
fi
|
||||
fi
|
||||
if [ "$1" = Yes ]; then
|
||||
process_macro $xtarget "$xparam" $yclients $yservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec
|
||||
process_macro $xtarget "$xparam" $yclients $yservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec $xmark
|
||||
else
|
||||
rule="$xtarget $yclients $yservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec"
|
||||
process_rule $xtarget $yclients $yservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec
|
||||
rule="$xtarget $yclients $yservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec $xmark"
|
||||
process_rule $xtarget $yclients $yservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec $xmark
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
@ -2612,16 +2635,16 @@ process_rules()
|
||||
esac
|
||||
|
||||
if [ "$1" = Yes ]; then
|
||||
process_macro $xtarget "$xparam" $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec
|
||||
process_macro $xtarget "$xparam" $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec $xmark
|
||||
else
|
||||
rule="$xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec"
|
||||
process_rule $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec
|
||||
rule="$xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec $xmark"
|
||||
process_rule $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec $xmark
|
||||
fi
|
||||
}
|
||||
|
||||
while read xtarget xclients xservers xprotocol xports xcports xaddress xratelimit xuserspec; do
|
||||
while read xtarget xclients xservers xprotocol xports xcports xaddress xratelimit xuserspec xmark; do
|
||||
if [ "x$xclients" = xnone -o "x$servers" = xnone ]; then
|
||||
rule="$xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec"
|
||||
rule="$xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec $xmark"
|
||||
progress_message " Rule \"$rule\" ignored."
|
||||
continue
|
||||
fi
|
||||
@ -2638,7 +2661,7 @@ process_rules()
|
||||
;;
|
||||
COMMENT)
|
||||
if [ -n "$COMMENTS" ]; then
|
||||
comment=$(echo $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec)
|
||||
comment=$(echo $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec $xmark)
|
||||
save_command COMMENT=\"$comment\"
|
||||
else
|
||||
error_message "COMMENT ignored -- requires comment support in iptables/Netfilter"
|
||||
@ -2703,7 +2726,7 @@ process_rules()
|
||||
strip_file $f $fn
|
||||
do_it Yes
|
||||
else
|
||||
rule="$xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec"
|
||||
rule="$xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec $xmark"
|
||||
fatal_error "Invalid Action in rule \"$rule\""
|
||||
fi
|
||||
fi
|
||||
@ -2942,6 +2965,15 @@ process_tos_rule() {
|
||||
|
||||
protocol="${protocol:+-p $protocol}"
|
||||
|
||||
[ "x$mark" = x- ] && mark=
|
||||
if [ -n "$mark" ]; then
|
||||
if [ "$mark" = "${mark%!*}" ]; then
|
||||
mark="-m mark --mark $mark"
|
||||
else
|
||||
mark="-m mark ! --mark ${mark#*!}"
|
||||
fi
|
||||
fi
|
||||
|
||||
tos="-j TOS --set-tos $tos"
|
||||
|
||||
case "$dstzone" in
|
||||
@ -2964,24 +2996,24 @@ process_tos_rule() {
|
||||
case $srczone in
|
||||
$FW)
|
||||
run_iptables2 -t mangle -A outtos \
|
||||
$protocol $dest $dports $sports $tos
|
||||
$protocol $dest $dports $sports $mark $tos
|
||||
;;
|
||||
all|ALL)
|
||||
run_iptables2 -t mangle -A outtos \
|
||||
$protocol $dest $dports $sports $tos
|
||||
$protocol $dest $dports $sports $mark $tos
|
||||
run_iptables2 -t mangle -A $chain \
|
||||
$protocol $dest $dports $sports $tos
|
||||
$protocol $dest $dports $sports $mark $tos
|
||||
;;
|
||||
*)
|
||||
if [ -n "$src" ]; then
|
||||
run_iptables2 -t mangle -A $chain $src \
|
||||
$protocol $dest $dports $sports $tos
|
||||
$protocol $dest $dports $sports $mark $tos
|
||||
else
|
||||
eval hosts=\$${srczone}_hosts
|
||||
|
||||
for host in $hosts; do
|
||||
run_iptables2 -t mangle -A $chain $(match_source $host) \
|
||||
$protocol $dest $dports $sports $tos
|
||||
$protocol $dest $dports $sports $mark $tos
|
||||
done
|
||||
fi
|
||||
;;
|
||||
@ -3013,8 +3045,8 @@ process_tos() # $1 = name of tos file
|
||||
createmanglechain $chain
|
||||
createmanglechain outtos
|
||||
|
||||
while read src dst protocol sport dport tos; do
|
||||
rule="$(echo $src $dst $protocol $sport $dport $tos)"
|
||||
while read src dst protocol sport dport tos mark; do
|
||||
rule="$(echo $src $dst $protocol $sport $dport $tos $mark)"
|
||||
process_tos_rule
|
||||
done < $TMP_DIR/tos
|
||||
|
||||
|
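Review bot: process_mark (L510-L539) decides negation by whether a `!` appears anywhere in the value (`[ "$mark" = "${mark%!*}" ]`) and then strips through the first `!` (`${mark#*!}`), so a MARK of `1!2` is silently emitted as `-m mark ! --mark 2` and a bare `!` produces `--mark` with no value; nothing checks that what remains is a mark value before it is spliced unquoted into the generated iptables lines (L197, L223, L237 and the rest of add_a_rule). The accounting copy in this same commit only honours a leading `!`, which is the stricter reading; aligning process_mark with it is a two-line change, `if [ "$mark" = "${mark#!}" ]; then` and `mark="-m mark ! --mark ${mark#!}"`, and a `*!*)` case can reject anything else with `fatal_error "Invalid MARK ($mark) in rule \"$rule\""`, since fatal_error and `$rule` are already in scope here (L712, L842). process_tos_rule (L861-L882) repeats the same normalisation inline on the same `mark` variable and could call process_mark instead, so a fix in one place would cover both. The macro-expansion `rule=` string at L675 does not include `$imark` although the process_rule call at L681 passes it, so error messages for a macro rule will omit the MARK column.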
@ -35,11 +35,11 @@ process_accounting_rule() {
|
||||
user1=
|
||||
|
||||
accounting_error() {
|
||||
error_message "WARNING: Invalid Accounting rule" $action $chain $source $dest $proto $port $sport $user
|
||||
error_message "WARNING: Invalid Accounting rule" $action $chain $source $dest $proto $port $sport $user $mark
|
||||
}
|
||||
|
||||
accounting_interface_error() {
|
||||
error_message "WARNING: Unknown interface $1 in " $action $chain $source $dest $proto $port $sport $user
|
||||
error_message "WARNING: Unknown interface $1 in " $action $chain $source $dest $proto $port $sport $user $mark
|
||||
}
|
||||
|
||||
accounting_interface_verify() {
|
||||
@ -195,6 +195,18 @@ process_accounting_rule() {
|
||||
;;
|
||||
esac
|
||||
|
||||
[ -n "$mark" ] && case $mark in
|
||||
-|any|all)
|
||||
mark=
|
||||
;;
|
||||
!*)
|
||||
rule="$rule -m mark ! --mark ${mark#*!}"
|
||||
;;
|
||||
*)
|
||||
rule="$rule -m mark --mark $mark"
|
||||
;;
|
||||
esac
|
||||
|
||||
case $action in
|
||||
COUNT)
|
||||
;;
|
||||
@ -239,7 +251,7 @@ setup_accounting() # $1 = Name of accounting file
|
||||
|
||||
save_progress_message "Setting up Accounting..."
|
||||
|
||||
while read action chain source dest proto port sport user ; do
|
||||
while read action chain source dest proto port sport user mark ; do
|
||||
process_accounting_rule
|
||||
done < $TMP_DIR/accounting
|
||||
|
||||
|
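Review bot: The accounting case at L1066-L1096 treats `-`, `any` and `all` as "no mark" and only recognises a leading `!`, whereas process_mark in the compiler and the tos, masq and action copies recognise only `-` and accept `!` anywhere, so the same MARK column value is interpreted differently depending on which file it appears in; as far as these hunks show, `all` in the rules file would reach iptables as `--mark all`. Either the accounting rules should be the single shared behaviour or the accepted spellings should be stated in the column header comments (L24, L49, L71, L99), e.g. `# MARK: numeric mark, !mark to negate, - for none`. accounting_error and accounting_interface_error (L1030, L1044) print the raw `$mark`, which is fine here because the normalised match is appended to `$rule` rather than written back to `mark`.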
@ -245,6 +245,7 @@ process_action() # $1 = chain (Chain to add the rules to)
|
||||
# $8 = cports
|
||||
# $9 = ratelimit
|
||||
# $10 = userspec
|
||||
# $11 = mark
|
||||
{
|
||||
local chain="$1"
|
||||
local action="$2"
|
||||
@ -256,6 +257,7 @@ process_action() # $1 = chain (Chain to add the rules to)
|
||||
local cports="$8"
|
||||
local ratelimit="$9"
|
||||
local userspec="${10}"
|
||||
local mark="${11}"
|
||||
local userandgroup=
|
||||
local logtag=
|
||||
|
||||
@ -322,6 +324,16 @@ process_action() # $1 = chain (Chain to add the rules to)
|
||||
[ "$userandgroup" = "-m owner" ] && userandgroup=
|
||||
fi
|
||||
|
||||
[ "x$mark" = "x-" ] && mark=
|
||||
|
||||
if [ -n "$mark" ]; then
|
||||
if [ "$mark" = "${mark%!*}" ]; then
|
||||
mark="-m mark --mark $mark"
|
||||
else
|
||||
mark="-m mark ! --mark ${mark#*!}"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Isolate log level
|
||||
|
||||
if [ "$target" = "${target%:*}" ]; then
|
||||
@ -579,7 +591,7 @@ process_actions1() {
|
||||
if [ -f $fn ]; then
|
||||
progress_message2 " Pre-processing $fn..."
|
||||
strip_file $f $fn
|
||||
while read xtarget xclients xservers xprotocol xports xcports xratelimit $xuserspec; do
|
||||
while read xtarget xclients xservers xprotocol xports xcports xratelimit $xuserspec $xmark; do
|
||||
temp="${xtarget%%:*}"
|
||||
case "$temp" in
|
||||
ACCEPT|DROP|REJECT|LOG|QUEUE|CONTINUE)
|
||||
@ -600,7 +612,7 @@ process_actions1() {
|
||||
ACCEPT|DROP|REJECT|LOG|QUEUE|CONTINUE)
|
||||
;;
|
||||
*)
|
||||
rule="$xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec"
|
||||
rule="$xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec $xmark"
|
||||
fatal_error "Invalid Macro Parameter in rule \"$rule\""
|
||||
;;
|
||||
esac
|
||||
@ -633,7 +645,7 @@ process_actions1() {
|
||||
|
||||
progress_message " ..End Macro"
|
||||
else
|
||||
rule="$xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec"
|
||||
rule="$xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec $xmark"
|
||||
fatal_error "Invalid TARGET in rule \"$rule\""
|
||||
fi
|
||||
fi
|
||||
@ -715,7 +727,7 @@ process_action3() {
|
||||
|
||||
progress_message2 "$DOING $(find_file $f) for Chain $xchain..."
|
||||
|
||||
while read xtarget xclients xservers xprotocol xports xcports xratelimit xuserspec; do
|
||||
while read xtarget xclients xservers xprotocol xports xcports xratelimit xuserspec xmark; do
|
||||
#
|
||||
# Generate the target:level:tag to pass to process_action()
|
||||
#
|
||||
@ -734,7 +746,7 @@ process_action3() {
|
||||
;;
|
||||
COMMENT)
|
||||
if [ -n "$COMMENTS" ]; then
|
||||
comment=$(echo $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec)
|
||||
comment=$(echo $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec $xmark)
|
||||
save_command COMMENT=\"$comment\"
|
||||
else
|
||||
error_message "COMMENT ignored -- requires comment support in iptables/Netfilter"
|
||||
@ -817,13 +829,13 @@ process_action3() {
|
||||
[ -n "$xratelimit" ] && [ "x${xratelimit}" != x- ] && mratelimit=$xratelimit
|
||||
[ -n "$xuserspec" ] && [ "x${xuserspec}" != x- ] && muserspec=$xuserspec
|
||||
|
||||
rule="$mtarget ${mclients:=-} ${mservers:=-} ${mprotocol:=-} ${mports:=-} ${mcports:=-} ${mratelimit:-} ${muserspec:=-}"
|
||||
process_action $xchain $xaction1 $mtarget $mclients $mservers $mprotocol $mports $mcports $mratelimit $muserspec
|
||||
rule="$mtarget ${mclients:=-} ${mservers:=-} ${mprotocol:=-} ${mports:=-} ${mcports:=-} ${mratelimit:-} ${muserspec:=-} $xmark"
|
||||
process_action $xchain $xaction1 $mtarget $mclients $mservers $mprotocol $mports $mcports $mratelimit $muserspec $xmark
|
||||
done < $TMP_DIR/macro.$xtarget1
|
||||
progress_message "..End Macro"
|
||||
else
|
||||
rule="$xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec"
|
||||
process_action $xchain $xaction1 $xaction2 $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec
|
||||
rule="$xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec $xmark"
|
||||
process_action $xchain $xaction1 $xaction2 $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec $xmark
|
||||
fi
|
||||
done < $TMP_DIR/$f
|
||||
|
||||
|
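Review bot: The read loop at L1244 lists `$xuserspec $xmark` with a `$`, so the shell expands the (empty) variables' values as the names and read never assigns those two columns; the new `$xmark` copies the pre-existing `$xuserspec` mistake rather than fixing it. The line should be `while read xtarget xclients xservers xprotocol xports xcports xratelimit xuserspec xmark; do`, matching process_action3 at L1322. As written, xratelimit presumably absorbs the remaining columns and the `rule=` strings at L1271 and L1297 print without the USER/GROUP and MARK fields; I have not traced whether process_actions1 uses those values beyond the error text. The normalisation block added to process_action at L1193-L1216 is byte-for-byte the body of the compiler's new process_mark; if the two files share function scope at run time, calling process_mark would remove one copy.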
@ -154,6 +154,8 @@ setup_masq()
|
||||
[ "x$proto" = x- ] && proto=
|
||||
[ "x$ports" = x- ] && ports=
|
||||
|
||||
[ "x$mark" = x- ] && mark=
|
||||
|
||||
if [ -n "$proto" ]; then
|
||||
|
||||
displayproto="($proto)"
|
||||
@ -203,6 +205,15 @@ setup_masq()
|
||||
[ -n "$ports" ] && fatal_error "Ports only allowed with UDP or TCP ($ports)"
|
||||
fi
|
||||
|
||||
if [ -n "$mark" ]; then
|
||||
displaymark="($mark)"
|
||||
if [ "$mark" = "${mark%!*}" ]; then
|
||||
mark="-m mark --mark $mark"
|
||||
else
|
||||
mark="-m mark ! --mark ${mark#*!}"
|
||||
fi
|
||||
fi
|
||||
|
||||
destination=${destnets:=0.0.0.0/0}
|
||||
|
||||
[ -z "$pre_nat" ] && chain=$(masq_chain $interface) || chain=$(snat_chain $interface)
|
||||
@ -217,7 +228,7 @@ setup_masq()
|
||||
|
||||
if [ -n "$networks" ]; then
|
||||
for s in $networks; do
|
||||
addnatrule $chain $(source_ip_range $s) $proto $ports $policy -j $newchain
|
||||
addnatrule $chain $(source_ip_range $s) $proto $ports $mark $policy -j $newchain
|
||||
done
|
||||
networks=
|
||||
elif [ -n "$detectinterface" ]; then
|
||||
@ -228,7 +239,7 @@ networks="\$(get_routed_networks $detectinterface)"
|
||||
[ -z "\$networks" ] && fatal_error "Unable to determine the routes through interface \"$detectinterface\""
|
||||
|
||||
for network in \$networks; do
|
||||
run_iptables -t nat -A $chain -s \$network $proto $ports $policy -j $newchain
|
||||
run_iptables -t nat -A $chain -s \$network $proto $ports $mark $policy -j $newchain
|
||||
done
|
||||
|
||||
__EOF__
|
||||
@ -252,7 +263,7 @@ __EOF__
|
||||
if [ -n "$networks" ]; then
|
||||
for s in $networks; do
|
||||
for destnet in $(separate_list $destnets); do
|
||||
addnatrule $chain $(both_ip_ranges $s $destnet) $proto $ports $policy -j $newchain
|
||||
addnatrule $chain $(both_ip_ranges $s $destnet) $proto $ports $mark $policy -j $newchain
|
||||
done
|
||||
done
|
||||
elif [ -n "$detectinterface" ]; then
|
||||
@ -266,7 +277,7 @@ for network in \$networks; do
|
||||
__EOF__
|
||||
for destnet in $(separate_list $destnets); do
|
||||
indent >&3 << __EOF__
|
||||
run_iptables -t nat -A $chain -s \$network $(dest_ip_range $destnet) $proto $ports $policy -j $newchain
|
||||
run_iptables -t nat -A $chain -s \$network $(dest_ip_range $destnet) $proto $ports $mark $policy -j $newchain
|
||||
__EOF__
|
||||
done
|
||||
indent >&3 << __EOF__
|
||||
@ -275,7 +286,7 @@ done
|
||||
__EOF__
|
||||
else
|
||||
for destnet in $(separate_list $destnets); do
|
||||
addnatrule $chain $(dest_ip_range $destnet) $proto $ports $policy -j $newchain
|
||||
addnatrule $chain $(dest_ip_range $destnet) $proto $ports $mark $policy -j $newchain
|
||||
done
|
||||
fi
|
||||
|
||||
@ -379,7 +390,7 @@ __EOF__
|
||||
if [ -n "$networks" ]; then
|
||||
for network in $networks; do
|
||||
for destnet in $(separate_list $destnets); do
|
||||
addnatrule $chain $(both_ip_ranges $network $destnet) $proto $ports $policy -j $target $addrlist
|
||||
addnatrule $chain $(both_ip_ranges $network $destnet) $proto $ports $mark $policy -j $target $addrlist
|
||||
done
|
||||
|
||||
if [ -n "$addresses" ]; then
|
||||
@ -399,7 +410,7 @@ for network in \$networks; do
|
||||
__EOF__
|
||||
for destnet in $(separate_list $destnets); do
|
||||
indent >&3 << __EOF__
|
||||
run_iptables -t nat -A $chain -s \$network $(dest_ip_range $destnet) $proto $ports $policy -j $target $addrlist
|
||||
run_iptables -t nat -A $chain -s \$network $(dest_ip_range $destnet) $proto $ports $mark $policy -j $target $addrlist
|
||||
__EOF__
|
||||
done
|
||||
|
||||
@ -417,7 +428,7 @@ __EOF__
|
||||
|
||||
else
|
||||
for destnet in $(separate_list $destnets); do
|
||||
addnatrule $chain $(dest_ip_range $destnet) $proto $ports $policy -j $target $addrlist
|
||||
addnatrule $chain $(dest_ip_range $destnet) $proto $ports $mark $policy -j $target $addrlist
|
||||
done
|
||||
|
||||
if [ -n "$addresses" ]; then
|
||||
@ -433,11 +444,11 @@ __EOF__
|
||||
progress_message2 "$DOING Masquerading/SNAT"
|
||||
save_progress_message "Setting up Masquerading/SNAT..."
|
||||
|
||||
while read fullinterface networks addresses proto ports ipsec; do
|
||||
while read fullinterface networks addresses proto ports ipsec mark; do
|
||||
if [ -n "$NAT_ENABLED" ]; then
|
||||
if [ "x$fullinterface" = xCOMMENT ]; then
|
||||
if [ -n "$COMMENTS" ]; then
|
||||
comment=$(echo $networks $addresses $proto $ports $ipsec)
|
||||
comment=$(echo $networks $addresses $proto $ports $ipsec $mark)
|
||||
save_command COMMENT=\"$comment\"
|
||||
else
|
||||
error_message "COMMENT ignored -- requires comment support in iptables/Netfilter"
|
||||
|
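Review bot: `displaymark="($mark)"` at L1452 is assigned but not referenced in any line of this section; the existing `displayproto="($proto)"` at L1435 suggests it is meant for a progress message that lies outside these hunks, which would then also need `$displaymark` added, otherwise the assignment should be dropped. The `if [ -n "$mark" ]` block at L1449-L1470 is the same normalisation as the compiler's process_mark and, like it, accepts a `!` anywhere in the value. The new MARK column is read after IPSEC at L1705, so the column-header comment at L49 is the only documentation of its position; a one-line note there that the column is optional and defaults to `-` would help readers of older masq files.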