holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

Allow exclusion in the netmap file's NET1 column

Browse Source
This commit is contained in:
Tom Eastep 2011-09-17 09:20:15 -07:00
parent 5aac5870a1
commit 95a83f7fdf
1 changed files with 71 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

64
Shorewall/Perl/Shorewall/Nat.pm
View File

@ -409,9 +409,6 @@ sub setup_netmap() {
my ( $type, $net1, $interfacelist, $net2, $net3, $proto, $dport, $sport ) = split_line 4, 8, 'netmap file'; my ( $type, $net1, $interfacelist, $net2, $net3, $proto, $dport, $sport ) = split_line 4, 8, 'netmap file';
validate_net $net1, 0;
validate_net $net2, 0;
$net3 = ALLIP if $net3 eq '-'; $net3 = ALLIP if $net3 eq '-';
for my $interface ( split_list $interfacelist, 'interface' ) { for my $interface ( split_list $interfacelist, 'interface' ) {
@ -426,6 +423,9 @@ sub setup_netmap() {
my @rulein; my @rulein;
my @ruleout; my @ruleout;
validate_net $net1, 0;
validate_net $net2, 0;
unless ( $interfaceref->{root} ) { unless ( $interfaceref->{root} ) {
@rulein = imatch_source_dev( $interface ); @rulein = imatch_source_dev( $interface );
@ruleout = imatch_dest_dev( $interface ); @ruleout = imatch_dest_dev( $interface );
@ -444,7 +444,8 @@ sub setup_netmap() {
} elsif ( $type =~ /^(DNAT|SNAT):([POT])$/ ) { } elsif ( $type =~ /^(DNAT|SNAT):([POT])$/ ) {
my ( $target , $chain ) = ( $1, $2 ); my ( $target , $chain ) = ( $1, $2 );
my $table = 'raw'; my $table = 'raw';
my @match = (); my @match;
my @net4;
require_capability 'RAWPOST_TABLE', 'Stateless NAT Entries', ''; require_capability 'RAWPOST_TABLE', 'Stateless NAT Entries', '';
@ -463,16 +464,66 @@ sub setup_netmap() {
$table = 'rawpost'; $table = 'rawpost';
} }
my $chainref = ensure_chain( $table, $chain );
if ( $net1 =~ /^([^!]+)!([^!]+)$/ ) {
$net1 = $1;
@net4 = split_list1( $2 , 'exclusion' );
}
if ( $target eq 'DNAT' ) { if ( $target eq 'DNAT' ) {
add_ijump( ensure_chain( $table, $chain ) , if ( @net4 ) {
my $chainref1 = new_chain( $table , newexclusionchain( $table ) );
add_ijump( $chainref1,
j => 'RETURN',
imatch_dest_net( $_ )
) for @net4;
add_ijump( $chainref1,
j => 'RAWDNAT',
targetopts => "--to-dest $net2"
);
add_ijump( $chainref,
j => $chainref1,
imatch_source_net( $net3 ) ,
imatch_dest_net( $net1 ) ,
@rule ,
@match
);
} else {
add_ijump( $chainref ,
j => 'RAWDNAT', j => 'RAWDNAT',
targetopts => "--to-dest $net2", targetopts => "--to-dest $net2",
imatch_source_net( $net3 ) , imatch_source_net( $net3 ) ,
imatch_dest_net( $net1 ) , imatch_dest_net( $net1 ) ,
@rule , @rule ,
@match ); @match );
}
} else { } else {
add_ijump( ensure_chain( $table, $chain ) , if ( @net4 ) {
my $chainref1 = new_chain( $table , newexclusionchain( $table ) );
add_ijump( $chainref1,
j => 'RETURN',
imatch_dest_net( $_ )
) for @net4;
add_ijump( $chainref1,
j => 'RAWSNAT',
targetopts => "--to-source $net2"
);
add_ijump( $chainref,
j => $chainref1,
imatch_dest_net( $net3 ) ,
imatch_source_net( $net1 ) ,
@rule ,
@match
);
} else {
add_ijump( $chainref ,
j => 'RAWSNAT', j => 'RAWSNAT',
targetopts => "--to-source $net2", targetopts => "--to-source $net2",
imatch_dest_net( $net3 ) , imatch_dest_net( $net3 ) ,
@ -480,6 +531,7 @@ sub setup_netmap() {
@rule , @rule ,
@match ); @match );
} }
}
} else { } else {
fatal_error "Invalid type ($type)"; fatal_error "Invalid type ($type)";
} }