From 7ba6cf72008767264d90ccd0641b6cf7d69b463a Mon Sep 17 00:00:00 2001 From: teastep Date: Fri, 13 Jan 2006 20:33:16 +0000 Subject: [PATCH] Allow interface name in the SUBNET column with -e git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3278 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall/changelog.txt | 2 ++ Shorewall/firewall | 72 +++++++++++++++++++++++++++++++++++--- Shorewall/releasenotes.txt | 1 - 3 files changed, 70 insertions(+), 5 deletions(-) diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt index 16e811654..b43444081 100755 --- a/Shorewall/changelog.txt +++ b/Shorewall/changelog.txt @@ -12,3 +12,5 @@ Changes in 3.1.0 6) Change output of 'generate' to always be the file name entered (do not prepend /var/lib/shorewall/) + +7) Remove some restrictions on remote compiles. diff --git a/Shorewall/firewall b/Shorewall/firewall index 850b4f734..8bae3fc55 100755 --- a/Shorewall/firewall +++ b/Shorewall/firewall @@ -7300,10 +7300,15 @@ setup_masq() *.*.*|+*|!+*) ;; *) - [ -n "$EXPORT" ] && fatal_error "An interface name in the SUBNET column is not allowed with the -e run-line option" - networks=$(get_routed_networks $networks) - [ -z "$networks" ] && fatal_error "Unable to determine the routes through interface \"$source\"" - networks="$networks" + if [ $COMMAND = generate ]; then + detectinterface=$networks + networks= + else + networks=$(get_routed_networks $networks) + [ -z "$networks" ] && fatal_error "Unable to determine the routes through interface \"$source\"" + networks="$networks" + detectinterface= + fi ;; esac @@ -7384,6 +7389,8 @@ setup_masq() [ -z "$pre_nat" ] && chain=$(masq_chain $interface) || chain=$(snat_chain $interface) + ensurenatchain $chain + case $destnets in !*) destnets=${destnets#!} @@ -7396,6 +7403,18 @@ setup_masq() addnatrule $chain $(source_ip_range $s) $proto $ports $policy -j $newchain done networks= + elif [ -n "$detectinterface" ]; then + cat >> $RESTOREBASE << __EOF__ + +networks ="\$(get_routed_networks $detectinterface)" + +[ -z "\$networks" ] && fatal_error "Unable to determine the routes through interface \"$detectinterface\"" + +for network in \$networks; do + $IPTABLES -t nat -A $chain -s \$network $proto $ports $policy -j $newchain +done + +__EOF__ else addnatrule $chain -j $newchain fi @@ -7422,6 +7441,24 @@ setup_masq() addnatrule $chain $(both_ip_ranges $s $destnet) $proto $ports $policy -j $newchain done done + elif [ -n "$detectinterface" ]; then + cat >> $RESTOREBASE << __EOF__ + +networks ="\$(get_routed_networks $detectinterface)" + +[ -z "\$networks" ] && fatal_error "Unable to determine the routes through interface \"$detectinterface\"" + +for network in \$networks; do +__EOF__ + for destnet in $(separate_list $destnets); do + cat >> $RESTOREBASE << __EOF__ + $IPTABLES -t nat -A $chain -s \$network $(dest_ip_range $destnet) $proto $sports $policy -j $netchain +__EOF__ + done + cat >> $RESTOREBASE << __EOF__ + +done +__EOF__ else for destnet in $(separate_list $destnets); do addnatrule $chain $(dest_ip_range $destnet) $proto $ports $policy -j $newchain @@ -7489,6 +7526,33 @@ setup_masq() progress_message " To $destination $displayproto from $network through ${interface}" fi done + elif [ -n "$detectinterface" ]; then + cat >> $RESTOREBASE << __EOF__ + +networks ="\$(get_routed_networks $detectinterface)" + +[ -z "\$networks" ] && fatal_error "Unable to determine the routes through interface \"$detectinterface\"" + +for network in \$networks; do +__EOF__ + for destnet in $(separate_list $destnets); do + cat >> $RESTOREBASE << __EOF__ + $IPTABLES -t nat -A $CHAIN -s \$network $(dest_ip_range $destnet) $proto $ports $policy -j $target $addrlist +__EOF__ + done + + if [ -n "$addresses" ]; then + message=" To $destination $displayproto from \$network through ${interface} using $addresses" + else + message=" To $destination $displayproto from \$network through ${interface}" + fi + + cat >> $RESTOREBASE << __EOF__ + progress_message "$message" +done + +__EOF__ + else if [ $COMMAND != check ]; then for destnet in $(separate_list $destnets); do diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index e760b908a..675c2f00d 100755 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt @@ -80,7 +80,6 @@ New Features: 1) The same version of Shorewall must be running on the remote system 2) The 'detectnets' interface option is not allowed. 3) DETECT_DNAT_ADDRS=Yes is not allowed. - 4) An interface name in the SUBNET column of /etc/shorewall/masq is not allowed. b) If you have extension scripts, they may need modification. The scripts will be run at generation time, rather than when the generated script