Allow interface name in the SUBNET column with -e
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3278 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
25e02e273f
commit
7ba6cf7200
@ -12,3 +12,5 @@ Changes in 3.1.0
|
||||
|
||||
6) Change output of 'generate' to always be the file name entered (do not
|
||||
prepend /var/lib/shorewall/)
|
||||
|
||||
7) Remove some restrictions on remote compiles.
|
||||
|
@ -7300,10 +7300,15 @@ setup_masq()
|
||||
*.*.*|+*|!+*)
|
||||
;;
|
||||
*)
|
||||
[ -n "$EXPORT" ] && fatal_error "An interface name in the SUBNET column is not allowed with the -e run-line option"
|
||||
networks=$(get_routed_networks $networks)
|
||||
[ -z "$networks" ] && fatal_error "Unable to determine the routes through interface \"$source\""
|
||||
networks="$networks"
|
||||
if [ $COMMAND = generate ]; then
|
||||
detectinterface=$networks
|
||||
networks=
|
||||
else
|
||||
networks=$(get_routed_networks $networks)
|
||||
[ -z "$networks" ] && fatal_error "Unable to determine the routes through interface \"$source\""
|
||||
networks="$networks"
|
||||
detectinterface=
|
||||
fi
|
||||
;;
|
||||
esac
|
||||
|
||||
@ -7384,6 +7389,8 @@ setup_masq()
|
||||
|
||||
[ -z "$pre_nat" ] && chain=$(masq_chain $interface) || chain=$(snat_chain $interface)
|
||||
|
||||
ensurenatchain $chain
|
||||
|
||||
case $destnets in
|
||||
!*)
|
||||
destnets=${destnets#!}
|
||||
@ -7396,6 +7403,18 @@ setup_masq()
|
||||
addnatrule $chain $(source_ip_range $s) $proto $ports $policy -j $newchain
|
||||
done
|
||||
networks=
|
||||
elif [ -n "$detectinterface" ]; then
|
||||
cat >> $RESTOREBASE << __EOF__
|
||||
|
||||
networks ="\$(get_routed_networks $detectinterface)"
|
||||
|
||||
[ -z "\$networks" ] && fatal_error "Unable to determine the routes through interface \"$detectinterface\""
|
||||
|
||||
for network in \$networks; do
|
||||
$IPTABLES -t nat -A $chain -s \$network $proto $ports $policy -j $newchain
|
||||
done
|
||||
|
||||
__EOF__
|
||||
else
|
||||
addnatrule $chain -j $newchain
|
||||
fi
|
||||
@ -7422,6 +7441,24 @@ setup_masq()
|
||||
addnatrule $chain $(both_ip_ranges $s $destnet) $proto $ports $policy -j $newchain
|
||||
done
|
||||
done
|
||||
elif [ -n "$detectinterface" ]; then
|
||||
cat >> $RESTOREBASE << __EOF__
|
||||
|
||||
networks ="\$(get_routed_networks $detectinterface)"
|
||||
|
||||
[ -z "\$networks" ] && fatal_error "Unable to determine the routes through interface \"$detectinterface\""
|
||||
|
||||
for network in \$networks; do
|
||||
__EOF__
|
||||
for destnet in $(separate_list $destnets); do
|
||||
cat >> $RESTOREBASE << __EOF__
|
||||
$IPTABLES -t nat -A $chain -s \$network $(dest_ip_range $destnet) $proto $sports $policy -j $netchain
|
||||
__EOF__
|
||||
done
|
||||
cat >> $RESTOREBASE << __EOF__
|
||||
|
||||
done
|
||||
__EOF__
|
||||
else
|
||||
for destnet in $(separate_list $destnets); do
|
||||
addnatrule $chain $(dest_ip_range $destnet) $proto $ports $policy -j $newchain
|
||||
@ -7489,6 +7526,33 @@ setup_masq()
|
||||
progress_message " To $destination $displayproto from $network through ${interface}"
|
||||
fi
|
||||
done
|
||||
elif [ -n "$detectinterface" ]; then
|
||||
cat >> $RESTOREBASE << __EOF__
|
||||
|
||||
networks ="\$(get_routed_networks $detectinterface)"
|
||||
|
||||
[ -z "\$networks" ] && fatal_error "Unable to determine the routes through interface \"$detectinterface\""
|
||||
|
||||
for network in \$networks; do
|
||||
__EOF__
|
||||
for destnet in $(separate_list $destnets); do
|
||||
cat >> $RESTOREBASE << __EOF__
|
||||
$IPTABLES -t nat -A $CHAIN -s \$network $(dest_ip_range $destnet) $proto $ports $policy -j $target $addrlist
|
||||
__EOF__
|
||||
done
|
||||
|
||||
if [ -n "$addresses" ]; then
|
||||
message=" To $destination $displayproto from \$network through ${interface} using $addresses"
|
||||
else
|
||||
message=" To $destination $displayproto from \$network through ${interface}"
|
||||
fi
|
||||
|
||||
cat >> $RESTOREBASE << __EOF__
|
||||
progress_message "$message"
|
||||
done
|
||||
|
||||
__EOF__
|
||||
|
||||
else
|
||||
if [ $COMMAND != check ]; then
|
||||
for destnet in $(separate_list $destnets); do
|
||||
|
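Review bot: The line `networks ="\$(get_routed_networks $detectinterface)"` written into the restore script (in the 7403 hunk, and repeated in the 7441 and 7526 hunks) has a space before `=`, so at restore time the shell executes a command named `networks` with `=...` as its argument instead of assigning the variable. `networks` then stays unset in the generated script, and the next line `[ -z "\$networks" ] && fatal_error ...` aborts every restore that uses an interface name in the SUBNET column, which is exactly the case this commit enables. All three heredocs should read `networks="\$(get_routed_networks $detectinterface)"`. In the 7441 hunk the generated rule `$IPTABLES -t nat -A $chain -s \$network $(dest_ip_range $destnet) $proto $sports $policy -j $netchain` uses `$sports` and `$netchain` where the adjacent non-generate branch uses `$ports` and `-j $newchain`; these look like typos that would emit an empty port spec and a wrong or empty jump target, so please confirm. setup_masq starts and ends outside the hunks shown.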
@ -80,7 +80,6 @@ New Features:
|
||||
1) The same version of Shorewall must be running on the remote system
|
||||
2) The 'detectnets' interface option is not allowed.
|
||||
3) DETECT_DNAT_ADDRS=Yes is not allowed.
|
||||
4) An interface name in the SUBNET column of /etc/shorewall/masq is not allowed.
|
||||
|
||||
b) If you have extension scripts, they may need modification. The scripts
|
||||
will be run at generation time, rather than when the generated script
|
||||
|