holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

Implement NETMAP_TARGET capability

Browse Source 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2016-12-27 08:26:51 -08:00
parent c4bbb46e3f
commit 638c7c5bca
No known key found for this signature in database
GPG Key ID: 96E6B3F2423A4D10
3 changed files with 26 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
Shorewall-core/lib.cli
View File

@ -2805,6 +2805,7 @@ determine_capabilities() {
TCPMSS_TARGET= TCPMSS_TARGET=
WAIT_OPTION= WAIT_OPTION=
CPU_FANOUT= CPU_FANOUT=
NETMAP_TARGET=
AMANDA_HELPER= AMANDA_HELPER=
FTP_HELPER= FTP_HELPER=
@ -2839,8 +2840,10 @@ determine_capabilities() {
if qt $g_tool -t nat -N $chain; then if qt $g_tool -t nat -N $chain; then
if [ $g_family -eq 4 ]; then if [ $g_family -eq 4 ]; then
qt $g_tool -t nat -A $chain -j SNAT --to-source 1.2.3.4 --persistent && PERSISTENT_SNAT=Yes qt $g_tool -t nat -A $chain -j SNAT --to-source 1.2.3.4 --persistent && PERSISTENT_SNAT=Yes
qt $g_tool -t nat -A $chain -j NETMAP --to 1.2.3.0/24 && NETMAP_TARGET=Yes
else else
qt $g_tool -t nat -A $chain -j SNAT --to-source 2001::1 --persistent && PERSISTENT_SNAT=Yes qt $g_tool -t nat -A $chain -j SNAT --to-source 2001::1 --persistent && PERSISTENT_SNAT=Yes
qt $g_tool -t nat -A $chain -j NETMAP --to 2001:470:B:227::/64 && NETMAP_TARGET=Yes
fi fi
qt $g_tool -t nat -A $chain -j MASQUERADE && MASQUERADE_TGT=Yes qt $g_tool -t nat -A $chain -j MASQUERADE && MASQUERADE_TGT=Yes
qt $g_tool -t nat -A $chain -p udplite -m multiport --dport 33 -j REDIRECT --to-port 22 && UDPREDIRECT=Yes qt $g_tool -t nat -A $chain -p udplite -m multiport --dport 33 -j REDIRECT --to-port 22 && UDPREDIRECT=Yes
@ -3304,6 +3307,7 @@ report_capabilities_unsorted() {
report_capability "Basic Ematch (BASIC_EMATCH)" $BASIC_EMATCH report_capability "Basic Ematch (BASIC_EMATCH)" $BASIC_EMATCH
report_capability "CT Target (CT_TARGET)" $CT_TARGET report_capability "CT Target (CT_TARGET)" $CT_TARGET
report_capability "NFQUEUE CPU Fanout (CPU_FANOUT)" $CPU_FANOUT report_capability "NFQUEUE CPU Fanout (CPU_FANOUT)" $CPU_FANOUT
report_capability "NETMAP Target (NETMAP_TARGET)" $NETMAP_TARGET
echo " Kernel Version (KERNELVERSION): $KERNELVERSION" echo " Kernel Version (KERNELVERSION): $KERNELVERSION"
echo " Capabilities Version (CAPVERSION): $CAPVERSION" echo " Capabilities Version (CAPVERSION): $CAPVERSION"
@ -3409,6 +3413,7 @@ report_capabilities_unsorted1() {
report_capability1 TCPMSS_TARGET report_capability1 TCPMSS_TARGET
report_capability1 WAIT_OPTION report_capability1 WAIT_OPTION
report_capability1 CPU_FANOUT report_capability1 CPU_FANOUT
report_capability1 NETMAP_TARGET
report_capability1 AMANDA_HELPER report_capability1 AMANDA_HELPER
report_capability1 FTP_HELPER report_capability1 FTP_HELPER

20
Shorewall/Perl/Shorewall/Config.pm
View File

@ -412,6 +412,7 @@ our %capdesc = ( NAT_ENABLED => 'NAT',
TCPMSS_TARGET => 'TCPMSS Target', TCPMSS_TARGET => 'TCPMSS Target',
WAIT_OPTION => 'iptables --wait option', WAIT_OPTION => 'iptables --wait option',
CPU_FANOUT => 'NFQUEUE CPU Fanout', CPU_FANOUT => 'NFQUEUE CPU Fanout',
NETMAP_TARGET => 'NETMAP Target',
AMANDA_HELPER => 'Amanda Helper', AMANDA_HELPER => 'Amanda Helper',
FTP_HELPER => 'FTP Helper', FTP_HELPER => 'FTP Helper',
@ -1035,6 +1036,7 @@ sub initialize( $;$$) {
TCPMSS_TARGET => undef, TCPMSS_TARGET => undef,
WAIT_OPTION => undef, WAIT_OPTION => undef,
CPU_FANOUT => undef, CPU_FANOUT => undef,
NETMAP_TARGET => undef,
AMANDA_HELPER => undef, AMANDA_HELPER => undef,
FTP_HELPER => undef, FTP_HELPER => undef,
@ -4316,6 +4318,22 @@ sub Masquerade_Tgt() {
$result; $result;
} }
sub Netmap_Target() {
have_capability( 'NAT_ENABLED' ) || return '';
my $result = '';
my $address = $family == F_IPV4 ? '1.2.3.0/24' : '2001::/64';
if ( qt1( "$iptables $iptablesw -t nat -N $sillyname" ) ) {
$result = qt1( "$iptables $iptablesw -t nat -A $sillyname -j NETMAP --to $address" );
qt1( "$iptables $iptablesw -t nat -F $sillyname" );
qt1( "$iptables $iptablesw -t nat -X $sillyname" );
}
$result;
}
sub Udpliteredirect() { sub Udpliteredirect() {
have_capability( 'NAT_ENABLED' ) || return ''; have_capability( 'NAT_ENABLED' ) || return '';
@ -4905,6 +4923,7 @@ our %detect_capability =
MULTIPORT => \&Multiport, MULTIPORT => \&Multiport,
NAT_ENABLED => \&Nat_Enabled, NAT_ENABLED => \&Nat_Enabled,
NETBIOS_NS_HELPER => \&Netbios_ns_Helper, NETBIOS_NS_HELPER => \&Netbios_ns_Helper,
NETMAP_TARGET => \&Netmap_Target,
NEW_CONNTRACK_MATCH => \&New_Conntrack_Match, NEW_CONNTRACK_MATCH => \&New_Conntrack_Match,
NFACCT_MATCH => \&NFAcct_Match, NFACCT_MATCH => \&NFAcct_Match,
NFQUEUE_TARGET => \&Nfqueue_Target, NFQUEUE_TARGET => \&Nfqueue_Target,
@ -5088,6 +5107,7 @@ sub determine_capabilities() {
$capabilities{IFACE_MATCH} = detect_capability( 'IFACE_MATCH' ); $capabilities{IFACE_MATCH} = detect_capability( 'IFACE_MATCH' );
$capabilities{TCPMSS_TARGET} = detect_capability( 'TCPMSS_TARGET' ); $capabilities{TCPMSS_TARGET} = detect_capability( 'TCPMSS_TARGET' );
$capabilities{CPU_FANOUT} = detect_capability( 'CPU_FANOUT' ); $capabilities{CPU_FANOUT} = detect_capability( 'CPU_FANOUT' );
$capabilities{NETMAP_TARGET} = detect_capability( 'NETMAP_TARGET' );
unless ( have_capability 'CT_TARGET' ) { unless ( have_capability 'CT_TARGET' ) {
$capabilities{HELPER_MATCH} = detect_capability 'HELPER_MATCH'; $capabilities{HELPER_MATCH} = detect_capability 'HELPER_MATCH';

2
Shorewall/Perl/Shorewall/Nat.pm
View File

@ -804,7 +804,7 @@ sub setup_netmap() {
$interface = $interfaceref->{name}; $interface = $interfaceref->{name};
} }
require_capability 'NAT_ENABLED', 'Stateful NAT Entries', ''; require_capability 'NETMAP_TARGET', 'Stateful Netmap Entries', '';
if ( $type eq 'DNAT' ) { if ( $type eq 'DNAT' ) {
dest_iexclusion( ensure_chain( 'nat' , input_chain $interface ) , dest_iexclusion( ensure_chain( 'nat' , input_chain $interface ) ,