Allow interface name in the SUBNET column with -e

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3278 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2006-01-13 20:33:16 +00:00
parent 25e02e273f
commit 7ba6cf7200
3 changed files with 70 additions and 5 deletions


@ -12,3 +12,5 @@ Changes in 3.1.0
6) Change output of 'generate' to always be the file name entered (do not 6) Change output of 'generate' to always be the file name entered (do not
prepend /var/lib/shorewall/) prepend /var/lib/shorewall/)
7) Remove some restrictions on remote compiles.


@ -7300,10 +7300,15 @@ setup_masq()
*.*.*|+*|!+*) *.*.*|+*|!+*)
;; ;;
*) *)
[ -n "$EXPORT" ] && fatal_error "An interface name in the SUBNET column is not allowed with the -e run-line option" if [ $COMMAND = generate ]; then
networks=$(get_routed_networks $networks) detectinterface=$networks
[ -z "$networks" ] && fatal_error "Unable to determine the routes through interface \"$source\"" networks=
networks="$networks" else
networks=$(get_routed_networks $networks)
[ -z "$networks" ] && fatal_error "Unable to determine the routes through interface \"$source\""
networks="$networks"
detectinterface=
fi
;; ;;
esac esac
@ -7384,6 +7389,8 @@ setup_masq()
[ -z "$pre_nat" ] && chain=$(masq_chain $interface) || chain=$(snat_chain $interface) [ -z "$pre_nat" ] && chain=$(masq_chain $interface) || chain=$(snat_chain $interface)
ensurenatchain $chain
case $destnets in case $destnets in
!*) !*)
destnets=${destnets#!} destnets=${destnets#!}
@ -7396,6 +7403,18 @@ setup_masq()
addnatrule $chain $(source_ip_range $s) $proto $ports $policy -j $newchain addnatrule $chain $(source_ip_range $s) $proto $ports $policy -j $newchain
done done
networks= networks=
elif [ -n "$detectinterface" ]; then
cat >> $RESTOREBASE << __EOF__
networks ="\$(get_routed_networks $detectinterface)"
[ -z "\$networks" ] && fatal_error "Unable to determine the routes through interface \"$detectinterface\""
for network in \$networks; do
$IPTABLES -t nat -A $chain -s \$network $proto $ports $policy -j $newchain
done
__EOF__
else else
addnatrule $chain -j $newchain addnatrule $chain -j $newchain
fi fi
@ -7422,6 +7441,24 @@ setup_masq()
addnatrule $chain $(both_ip_ranges $s $destnet) $proto $ports $policy -j $newchain addnatrule $chain $(both_ip_ranges $s $destnet) $proto $ports $policy -j $newchain
done done
done done
elif [ -n "$detectinterface" ]; then
cat >> $RESTOREBASE << __EOF__
networks ="\$(get_routed_networks $detectinterface)"
[ -z "\$networks" ] && fatal_error "Unable to determine the routes through interface \"$detectinterface\""
for network in \$networks; do
__EOF__
for destnet in $(separate_list $destnets); do
cat >> $RESTOREBASE << __EOF__
$IPTABLES -t nat -A $chain -s \$network $(dest_ip_range $destnet) $proto $sports $policy -j $netchain
__EOF__
done
cat >> $RESTOREBASE << __EOF__
done
__EOF__
else else
for destnet in $(separate_list $destnets); do for destnet in $(separate_list $destnets); do
addnatrule $chain $(dest_ip_range $destnet) $proto $ports $policy -j $newchain addnatrule $chain $(dest_ip_range $destnet) $proto $ports $policy -j $newchain
@ -7489,6 +7526,33 @@ setup_masq()
progress_message " To $destination $displayproto from $network through ${interface}" progress_message " To $destination $displayproto from $network through ${interface}"
fi fi
done done
elif [ -n "$detectinterface" ]; then
cat >> $RESTOREBASE << __EOF__
networks ="\$(get_routed_networks $detectinterface)"
[ -z "\$networks" ] && fatal_error "Unable to determine the routes through interface \"$detectinterface\""
for network in \$networks; do
__EOF__
for destnet in $(separate_list $destnets); do
cat >> $RESTOREBASE << __EOF__
$IPTABLES -t nat -A $CHAIN -s \$network $(dest_ip_range $destnet) $proto $ports $policy -j $target $addrlist
__EOF__
done
if [ -n "$addresses" ]; then
message=" To $destination $displayproto from \$network through ${interface} using $addresses"
else
message=" To $destination $displayproto from \$network through ${interface}"
fi
cat >> $RESTOREBASE << __EOF__
progress_message "$message"
done
__EOF__
else else
if [ $COMMAND != check ]; then if [ $COMMAND != check ]; then
for destnet in $(separate_list $destnets); do for destnet in $(separate_list $destnets); do
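Review bot: As rendered, the first line of each new `cat >> $RESTOREBASE` here-document reads `networks ="\$(get_routed_networks $detectinterface)"` with a space before `=`; if that space is in the committed text, the restore script will execute a command named `networks` instead of assigning the variable, so `\$networks` stays empty and the following `fatal_error` fires on every restore — it should read `networks="\$(get_routed_networks $detectinterface)"`. In the second of these blocks the emitted rule uses `$sports` and `-j $netchain`, while the equivalent direct-call line in the adjacent `else` branch uses `$ports` and `-j $newchain`; unless `sports` and `netchain` are deliberately distinct variables, this looks like a typo that would emit a rule with an empty jump target. The emitted rule in the last block jumps through `$CHAIN` where the other blocks use `$chain`; worth confirming which of the two is set at that point. The three here-document preambles are identical and could be written once by a small helper taking `$detectinterface`, which would also keep such divergences from creeping in. setup_masq begins and ends outside these hunks.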


@ -80,7 +80,6 @@ New Features:
1) The same version of Shorewall must be running on the remote system 1) The same version of Shorewall must be running on the remote system
2) The 'detectnets' interface option is not allowed. 2) The 'detectnets' interface option is not allowed.
3) DETECT_DNAT_ADDRS=Yes is not allowed. 3) DETECT_DNAT_ADDRS=Yes is not allowed.
4) An interface name in the SUBNET column of /etc/shorewall/masq is not allowed.
b) If you have extension scripts, they may need modification. The scripts b) If you have extension scripts, they may need modification. The scripts
will be run at generation time, rather than when the generated script will be run at generation time, rather than when the generated script