Masquerade from all primary subnets when an interface name is in the second column of masq file entry

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@415 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2003-01-24 22:47:22 +00:00
parent 43cc73ef47
commit 94c5455c9e
3 changed files with 79 additions and 26 deletions

View File

@ -2898,6 +2898,47 @@ rules_chain() # $1 = source zone, $2 = destination zone
fatal_error "Error: No appropriate chain for zone $1 to zone $2" fatal_error "Error: No appropriate chain for zone $1 to zone $2"
} }
#
# Get primary addresses of an interface
#
get_primary_addresses() # $1 = interface name
{
local address
ip addr show dev $1 2> /dev/null | \
grep inet | \
grep -v secondary | \
sed s/" "// | \
cut -d' ' -f2 | \
while read address; do
[ -z "`echo "$address" | grep '/'`" ] && address="${address}/32"
echo $address
done
}
#
# Show network address corresponding to the passed PREFIX/VLSM using
# the ipcalc utility. This probably only works on RedHat systems :-(
#
show_network() {
local ipcalc=`which ipcalc 2> /dev/null`
local network
#
# If the distribution doesn't have ipcalc we'll just have to be ugly
#
[ -z "$ipcalc" ] && echo $1 && return
case $1 in
*/32)
echo $1
;;
*)
network=`$ipcalc -n $1`
echo ${network#*=}/${1#*/}
;;
esac
}
# #
# Set up Source NAT (including masquerading) # Set up Source NAT (including masquerading)
# #
@ -2927,10 +2968,10 @@ setup_masq()
chain=`masq_chain $interface` chain=`masq_chain $interface`
iface= iface=
source="$subnet"
case $subnet in case $subnet in
*.*.*) *.*.*)
source="$subnet"
subnet="-s $subnet"
;; ;;
-) -)
# #
@ -2943,16 +2984,9 @@ setup_masq()
iface="-o $interface" iface="-o $interface"
;; ;;
*) *)
ipaddr="`ip addr show $subnet 2> /dev/null | grep 'inet '`" subnets=`get_primary_addresses $subnet`
source="$subnet" [ -z "$subnets" ] && startup_error "Unable to determine the address(es) for interface $subnet"
if [ -z "$ipaddr" ]; then subnet="$subnets"
fatal_error \
"Interface $subnet must be up before Shorewall starts"
fi
subnet="`echo $ipaddr | sed s/" "// | cut -d' ' -f2`"
[ -z "`echo "$subnet" | grep '/'`" ] && subnet="${subnet}/32"
subnet="-s $subnet"
;; ;;
esac esac
@ -2966,7 +3000,15 @@ setup_masq()
if [ -n "$nomasq" ]; then if [ -n "$nomasq" ]; then
newchain=masq${masq_seq} newchain=masq${masq_seq}
createnatchain $newchain createnatchain $newchain
addnatrule $chain -d $destnet $iface $subnet -j $newchain
if [ -n "$subnet" ]; then
for s in $subnet; do
addnatrule $chain -d $destnet $iface -s $s -j $newchain
done
else
addnatrule $chain -d $destnet $iface -j $newchain
fi
masq_seq=$(($masq_seq + 1)) masq_seq=$(($masq_seq + 1))
chain=$newchain chain=$newchain
subnet= subnet=
@ -2976,21 +3018,34 @@ setup_masq()
for addr in `separate_list $nomasq`; do for addr in `separate_list $nomasq`; do
addnatrule $chain -s $addr -j RETURN addnatrule $chain -s $addr -j RETURN
done done
source="$source except $nomasq"
else else
destnet="-d $destnet" destnet="-d $destnet"
fi fi
if [ -n "$address" ]; then if [ -n "$address" ]; then
addnatrule $chain $subnet $destnet $iface \ if [ -n "$subnet" ]; then
-j SNAT --to-source $address for s in $subnet; do
using=" using $address" addnatrule $chain -s $s $destnet $iface \
-j SNAT --to-source $address
echo " To $destination from `show_network $s` through ${interface} using $address"
done
else
addnatrule $chain $destnet $iface \
-j SNAT --to-source $address
echo " To $destination from $source through ${interface} using $address"
fi
elif [ -n "$subnet" ]; then
for s in $subnet; do
addnatrule $chain -s $s $destnet $iface -j MASQUERADE
echo " To $destination from `show_network $s` through ${interface}"
done
else else
addnatrule $chain $subnet $destnet $iface -j MASQUERADE addnatrule $chain $destnet $iface -j MASQUERADE
using= echo " To $destination from $source through ${interface}"
fi fi
[ -n "$nomasq" ] && source="$source except $nomasq"
echo " To $destination from $source through ${interface}${using}"
} }
strip_file masq $1 strip_file masq $1

View File

@ -16,11 +16,7 @@
# SUBNET -- Subnet that you wish to masquerade. You can specify this as # SUBNET -- Subnet that you wish to masquerade. You can specify this as
# a subnet or as an interface. If you give the name of an # a subnet or as an interface. If you give the name of an
# interface, you must have iproute installed and the interface # interface, you must have iproute installed and the interface
# must be up before you start the firewall. If you have # must be up before you start the firewall.
# multiple IP addresses on the specified interface, Shorewall
# WILL ONLY MASQUERADE TRAFFIC FROM THE FIRST SUBNET. You will
# need to add additional entries to this file that specify
# the other subnets in this column.
# #
# In order to exclude a subset of the specified SUBNET, you # In order to exclude a subset of the specified SUBNET, you
# may append "!" and a comma-separated list of IP addresses # may append "!" and a comma-separated list of IP addresses

View File

@ -20,7 +20,9 @@
# follow the interface name with ":" and a digit to # follow the interface name with ":" and a digit to
# indicate that you want Shorewall to add the alias # indicate that you want Shorewall to add the alias
# with this name (e.g., "eth0:0"). That allows you to # with this name (e.g., "eth0:0"). That allows you to
# see the alias with ifconfig. # see the alias with ifconfig. THAT IS THE ONLY THING
# THAT THIS NAME IS GOOD FOR -- YOU CANNOT USE IT
# ANYWHERE ELSE IN YOUR SHORWALL CONFIGURATION.
# INTERNAL Internal Address (must not be a DNS Name). # INTERNAL Internal Address (must not be a DNS Name).
# ALL INTERFACES If Yes or yes (or left empty), NAT will be effective # ALL INTERFACES If Yes or yes (or left empty), NAT will be effective
# from all hosts. If No or no then NAT will be effective # from all hosts. If No or no then NAT will be effective