From 5de1720a9e2eb18dc7b221bec6f1c83ff396db73 Mon Sep 17 00:00:00 2001 From: teastep Date: Tue, 13 Jul 2004 00:33:30 +0000 Subject: [PATCH] SNAT Enhancements git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1471 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall2/changelog.txt | 5 +++++ Shorewall2/firewall | 38 ++++++++++++++++++++++++++++++++++--- Shorewall2/masq | 14 ++++++++++++++ Shorewall2/releasenotes.txt | 24 +++++++++++++++++++++++ 4 files changed, 78 insertions(+), 3 deletions(-) diff --git a/Shorewall2/changelog.txt b/Shorewall2/changelog.txt index d8a4a43c7..018187d3e 100644 --- a/Shorewall2/changelog.txt +++ b/Shorewall2/changelog.txt @@ -17,3 +17,8 @@ Changes since 2.0.3 firewall shorewall.conf + +8) Enhancements to /etc/shorewall/masq + + masq + firewall diff --git a/Shorewall2/firewall b/Shorewall2/firewall index 85b0db933..0b5c793e8 100755 --- a/Shorewall2/firewall +++ b/Shorewall2/firewall @@ -437,6 +437,14 @@ masq_chain() # $1 = interface echo $(chain_base $1)_masq } +# +# SNAT Chain for an interface +# +snat_chain() # $1 = interface +{ + echo $(chain_base $1)_snat +} + # # MAC Verification Chain for an interface # @@ -4190,6 +4198,7 @@ get_routed_networks() # $1 = interface name ip route show dev $1 2> /dev/null | while read address rest; do if [ "x$address" = xdefault ]; then +//*-+9 error_message "Warning: default route ignored on interface $1" else [ "$address" = "${address%/*}" ] && address="${address}/32" @@ -4204,14 +4213,31 @@ get_routed_networks() # $1 = interface name setup_masq() { setup_one() { - local using + local add_snat_aliases=$ADD_SNAT_ALIASES, pre_nat= case $fullinterface in + +*) + pre_nat=Yes + fullinterface=${fullinterface#+} + ;; + esac + + case $fullinterface in + *::*) + add_snat_aliases= + destnets="${fullinterface##*:}" + fullinterface="${fullinterface%:*}" + ;; *:*:*) # Both alias name and networks destnets="${fullinterface##*:}" fullinterface="${fullinterface%:*}" ;; + *:) + add_snat_aliases= + funninterface=${fullinterface%:} + destnets="0.0.0.0/0" + ;; *:*) # Alias name OR networks case ${fullinterface#*:} in @@ -4259,7 +4285,7 @@ setup_masq() [ "x$addresses" = x- ] && addresses= - if [ -n "$addresses" -a -n "$ADD_SNAT_ALIASES" ]; then + if [ -n "$addresses" -a -n "$add_snat_aliases" ]; then for address in $(separate_list $addresses); do for addr in $(ip_range_explicit $address) ; do if ! list_search $addr $aliases_to_add; then @@ -4321,7 +4347,7 @@ setup_masq() destination=$destnets - chain=$(masq_chain $interface) + [ -z "$pre_nat" ] && chain=$(masq_chain $interface) || chain=$(snat_chain $interface) case $destnets in !*) @@ -5348,6 +5374,12 @@ activate_rules() rm -f $TMP_DIR/physdev fi } + # + # Add early SNAT jumps + # + for interface in $all_interfaces; do + addrulejump POSTROUTING $(snat_chain $interface) -o $interface + done # # Add jumps for dynamic nat chains diff --git a/Shorewall2/masq b/Shorewall2/masq index 109c198ad..7ec769c8c 100755 --- a/Shorewall2/masq +++ b/Shorewall2/masq @@ -20,6 +20,20 @@ # This may be qualified by adding the character # ":" followed by a destination host or subnet. # +# If you wish to inhibit the action of ADD_SNAT_ALIASES +# for this entry then include the ":" but omit the digit: +# +# eth0: +# eth2::192.0.2.32/27 +# +# Normally Masq/SNAT rules are evaluated after those for +# one-to-one NAT (/etc/shorewall/nat file). If you want +# the rule to be applied before one-to-one NAT rules, +# prefix the interface name with "+": +# +# +eth0 +# +eth0:192.0.2.32/27 +# +eth0:2 # # SUBNET -- Subnet that you wish to masquerade. You can specify this as # a subnet or as an interface. If you give the name of an diff --git a/Shorewall2/releasenotes.txt b/Shorewall2/releasenotes.txt index be20bdffd..6805df752 100755 --- a/Shorewall2/releasenotes.txt +++ b/Shorewall2/releasenotes.txt @@ -37,3 +37,27 @@ New Features: 1) ICMP packets that are in the INVALID state are now dropped by the Reject and Drop default actions. They do so using the new 'dropInvalid' builtin action. + +2) The /etc/shorewall/masq file INTERFACE column now allows additional + options. + + Normally MASQUERADE/SNAT rules are evaluated after one-to-one NAT + rules defined in the /etc/shorewall/nat file. If you preceed the + interface name with a plus sign ("+") then the rule will be + evaluated before one-to-one NAT. + + Examples: + + +eth0 + +eth1:192.0.2.32/27 + + Also, the effect of ADD_SNAT_ALIASES=Yes can be negated for an + entry by following the interface name by ":" but no digit. + + Examples: + + eth0: + eth1::192.0.2.32/27 + +eth3: + +