Add support for ROUTE target
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2120 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
9faf321c52
commit
bd18cf79c0
@ -1,8 +1,16 @@
|
|||||||
|
Changes in 2.3.2
|
||||||
|
|
||||||
|
1) Add support for -j ROUTE
|
||||||
|
|
||||||
|
Changes in 2.3.1
|
||||||
|
|
||||||
|
1) Change the behavior of SAVE_IPSETS and allow 'ipsets' files in
|
||||||
|
Shorewall configuration directories.
|
||||||
|
|
||||||
Changes in 2.3.0
|
Changes in 2.3.0
|
||||||
|
|
||||||
1) Implement support for --cmd-owner
|
1) Implement support for --cmd-owner
|
||||||
|
|
||||||
2) Implement support for ipsets.
|
2) Implement support for ipsets.
|
||||||
|
|
||||||
3) Change the behavior of SAVE_IPSETS and allow 'ipsets' files in
|
|
||||||
Shorewall configuration directories.
|
|
||||||
|
@ -5248,6 +5248,103 @@ get_routed_networks() # $1 = interface name
|
|||||||
done
|
done
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Add a route from /etc/shorewall/routes
|
||||||
|
#
|
||||||
|
add_a_route()
|
||||||
|
{
|
||||||
|
local r=
|
||||||
|
local chain=routefwd
|
||||||
|
|
||||||
|
if [ "x$source" != "x-" ]; then
|
||||||
|
case ${source} in
|
||||||
|
$FW:*)
|
||||||
|
chain=routeout
|
||||||
|
r="$(source_ip_range ${source%:*}) "
|
||||||
|
;;
|
||||||
|
*:*)
|
||||||
|
r="$(match_source_dev ${source%:*}) $(source_ip_range ${source#*:}) "
|
||||||
|
;;
|
||||||
|
*.*.*|+*|!+*)
|
||||||
|
r="$(source_ip_range $source) "
|
||||||
|
;;
|
||||||
|
~*)
|
||||||
|
r="$(mac_match $source) "
|
||||||
|
;;
|
||||||
|
$FW)
|
||||||
|
chain=routeout
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
verify_interface $source || fatal_error "Unknown interface $source in rule \"$rule\""
|
||||||
|
r="$(match_source_dev) $source "
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ "x$dest" != "x-" ]; then
|
||||||
|
case $dest in
|
||||||
|
*:*)
|
||||||
|
verify_interface ${dest%:*} || fatal_error "Unknown interface ${dest%:*} in rule \"$rule\""
|
||||||
|
r="$(match_dest_dev ${dest%:*}) $(dest_ip_range ${dest#*:}) "
|
||||||
|
;;
|
||||||
|
*.*.*|+*|!+*)
|
||||||
|
r="${r}$(dest_ip_range $dest) "
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
verify_interface $dest || fatal_error "Unknown interface $dest in rule \"$rule\""
|
||||||
|
r="${r}$(match_dest_dev $dest) "
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ "x$proto" = xipp2p ]; then
|
||||||
|
[ "x$port" = "x-" ] && port="ipp2p"
|
||||||
|
r="${r}-p tcp -m ipp2p --${port} "
|
||||||
|
else
|
||||||
|
[ "x$proto" = "x-" ] && proto=all
|
||||||
|
[ "x$proto" = "x" ] && proto=all
|
||||||
|
[ "$proto" = "all" ] || r="${r}-p $proto "
|
||||||
|
[ "x$port" = "x-" ] || r="${r}--dport $port "
|
||||||
|
fi
|
||||||
|
|
||||||
|
[ "x${sport:--}" = "x-" ] || r="${r}--sport $sport "
|
||||||
|
|
||||||
|
r="${r}-j ROUTE "
|
||||||
|
|
||||||
|
[ "x${interface:--}" != x- ] && r="${r}--oif $interface "
|
||||||
|
|
||||||
|
[ "x${gateway:--}" != x- ] && r="${r}--gw $gateway"
|
||||||
|
|
||||||
|
run_iptables2 -t mangle -A $chain $r --continue
|
||||||
|
|
||||||
|
progress_message " Routing Rule \"$rule\" Added."
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Set up Routing
|
||||||
|
#
|
||||||
|
setup_routes() # $1 = file name
|
||||||
|
{
|
||||||
|
strip_file routes $1
|
||||||
|
|
||||||
|
if [ -s $TMP_DIR/routes ]; then
|
||||||
|
echo "Processing $1..."
|
||||||
|
[ -n "$ROUTE_TARGET" ] || \
|
||||||
|
fatal_error "Entries in /etc/shorewall/routes requires that your kernel and iptables have ROUTE target support"
|
||||||
|
run_iptables -t mangle -N routefwd
|
||||||
|
run_iptables -t mangle -A FORWARD -j routefwd
|
||||||
|
run_iptables -t mangle -N routeout
|
||||||
|
run_iptables -t mangle -A OUTPUT -j routeout
|
||||||
|
|
||||||
|
while read source dest proto port sport interface gateway; do
|
||||||
|
|
||||||
|
expandv source dest proto port sport interface gateway
|
||||||
|
rule="$source $dest $proto $port $sport $interface $gateway"
|
||||||
|
add_a_route
|
||||||
|
done < $TMP_DIR/routes
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
# Set up Source NAT (including masquerading)
|
# Set up Source NAT (including masquerading)
|
||||||
#
|
#
|
||||||
@ -5923,6 +6020,7 @@ determine_capabilities() {
|
|||||||
RECENT_MATCH=
|
RECENT_MATCH=
|
||||||
OWNER_MATCH=
|
OWNER_MATCH=
|
||||||
IPSET_MATCH=
|
IPSET_MATCH=
|
||||||
|
ROUTE_TARGET=
|
||||||
|
|
||||||
qt $IPTABLES -N fooX1234
|
qt $IPTABLES -N fooX1234
|
||||||
qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
|
qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
|
||||||
@ -5934,6 +6032,12 @@ determine_capabilities() {
|
|||||||
qt $IPTABLES -A fooX1234 -m recent --update -j ACCEPT && RECENT_MATCH=Yes
|
qt $IPTABLES -A fooX1234 -m recent --update -j ACCEPT && RECENT_MATCH=Yes
|
||||||
qt $IPTABLES -A fooX1234 -m owner --cmd-owner foo -j ACCEPT && OWNER_MATCH=Yes
|
qt $IPTABLES -A fooX1234 -m owner --cmd-owner foo -j ACCEPT && OWNER_MATCH=Yes
|
||||||
|
|
||||||
|
qt $IPTABLES -t mangle -N fooX1234
|
||||||
|
qt $IPTABLES -t mangle -A fooX1234 -j ROUTE --oif eth0 && ROUTE_TARGET=Yes
|
||||||
|
qt $IPTABLES -t mangle -F fooX1234
|
||||||
|
qt $IPTABLES -t mangle -X fooX1234
|
||||||
|
|
||||||
|
|
||||||
qt ipset -X fooX1234 # Just in case something went wrong the last time
|
qt ipset -X fooX1234 # Just in case something went wrong the last time
|
||||||
|
|
||||||
if qt ipset -N fooX1234 iphash ; then
|
if qt ipset -N fooX1234 iphash ; then
|
||||||
@ -5975,6 +6079,7 @@ report_capabilities() {
|
|||||||
report_capability "Recent Match" $RECENT_MATCH
|
report_capability "Recent Match" $RECENT_MATCH
|
||||||
report_capability "Owner Match" $OWNER_MATCH
|
report_capability "Owner Match" $OWNER_MATCH
|
||||||
report_capability "Ipset Match" $IPSET_MATCH
|
report_capability "Ipset Match" $IPSET_MATCH
|
||||||
|
report_capability "Route Target" $ROUTE_TARGET
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
@ -7072,6 +7177,9 @@ define_firewall() # $1 = Command (Start or Restart)
|
|||||||
|
|
||||||
[ -n "$TC_ENABLED" ] && setup_tc
|
[ -n "$TC_ENABLED" ] && setup_tc
|
||||||
|
|
||||||
|
routes=$(find_file routes)
|
||||||
|
[ -f $routes ] && setup_routes $routes
|
||||||
|
|
||||||
echo "Activating Rules..."; activate_rules
|
echo "Activating Rules..."; activate_rules
|
||||||
|
|
||||||
[ -n "$aliases_to_add" ] && \
|
[ -n "$aliases_to_add" ] && \
|
||||||
|
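Review bot: In add_a_route (hunk at -5248,6 +5248,103; the function is entirely inside the hunk), the DEST `*:*)` arm assigns `r="$(match_dest_dev ${dest%:*}) $(dest_ip_range ${dest#*:}) "` with a plain `r=`, whereas the other two DEST arms append with `r="${r}..."`; any SOURCE match accumulated above is discarded, so an entry with both a SOURCE and an `interface:address` DEST is installed without its source restriction and matches more traffic than the configured rule. The fix is `r="${r}$(match_dest_dev ${dest%:*}) $(dest_ip_range ${dest#*:}) "`. The SOURCE default arm builds `$(match_source_dev) $source` with no argument while the `*:*` arm a few lines above passes `${source%:*}`; if match_source_dev expects the device as `$1` this presumably only works by accident, which is worth checking against its definition outside the hunk. Nothing rejects an entry where both INTERFACE and GATEWAY are `-`, which yields a bare `-j ROUTE --continue`; a guard such as `[ "x${interface:--}" = x- ] && [ "x${gateway:--}" = x- ] && fatal_error "INTERFACE or GATEWAY required in rule \"$rule\""` placed before the run_iptables2 call gives a clear configuration error instead of an opaque iptables failure.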
@ -1,5 +1,76 @@
|
|||||||
Shorewall 2.3.1
|
Shorewall 2.3.3
|
||||||
|
|
||||||
|
-----------------------------------------------------------------------
|
||||||
|
Problems corrected in version 2.3.2
|
||||||
|
|
||||||
|
None.
|
||||||
|
-----------------------------------------------------------------------
|
||||||
|
New Features in version 2.3.2
|
||||||
|
|
||||||
|
1) Shorewall 2.3.2 can now configure routing if your kernel and
|
||||||
|
iptables support the ROUTE target extension. This extension is
|
||||||
|
available in Patch-O-Matic-ng.
|
||||||
|
|
||||||
|
Routing is configured using the /etc/shorewall/routes file. Columns
|
||||||
|
in the file are as follows:
|
||||||
|
|
||||||
|
SOURCE Source of the packet. May be any of the
|
||||||
|
following:
|
||||||
|
|
||||||
|
|
||||||
|
- A host or network address
|
||||||
|
- A network interface name.
|
||||||
|
- The name of an ipset prefaced with "+"
|
||||||
|
- $FW (for packets originating on the firewall)
|
||||||
|
- A MAC address in Shorewall format
|
||||||
|
- A range of IP addresses (assuming that your
|
||||||
|
kernel and iptables support range match)
|
||||||
|
- A network interface name followed by ":"
|
||||||
|
and an address or address range.
|
||||||
|
|
||||||
|
DEST Destination of the packet. May be any of the
|
||||||
|
following:
|
||||||
|
|
||||||
|
- A host or network address
|
||||||
|
- A network interface name (determined from
|
||||||
|
routing table(s))
|
||||||
|
- The name of an ipset prefaced with "+"
|
||||||
|
- A network interface name followed by ":"
|
||||||
|
and an address or address range.
|
||||||
|
|
||||||
|
PROTO Protocol - Must be "tcp", "udp", "icmp",
|
||||||
|
"ipp2p", a number, or "all". "ipp2p" requires
|
||||||
|
ipp2p match support in your kernel and
|
||||||
|
iptables.
|
||||||
|
|
||||||
|
PORT(S) Destination Ports. A comma-separated list of
|
||||||
|
Port names (from /etc/services), port numbers
|
||||||
|
or port ranges; if the protocol is "icmp", this
|
||||||
|
column is interpreted as the destination
|
||||||
|
icmp-type(s).
|
||||||
|
|
||||||
|
If the protocol is ipp2p, this column is
|
||||||
|
interpreted as an ipp2p option without the
|
||||||
|
leading "--" (example "bit" for bit-torrent).
|
||||||
|
If no PORT is given, "ipp2p" is assumed.
|
||||||
|
|
||||||
|
This column is ignored if PROTOCOL = all but
|
||||||
|
must be entered if any of the following field
|
||||||
|
is supplied. In that case, it is suggested that
|
||||||
|
this field contain "-"
|
||||||
|
|
||||||
|
SOURCE PORT(S) (Optional) Source port(s). If omitted,
|
||||||
|
any source port is acceptable. Specified as a
|
||||||
|
comma-separated list of port names, port
|
||||||
|
numbers or port ranges.
|
||||||
|
|
||||||
|
INTERFACE The interface that the packet is to be routed
|
||||||
|
out of. If you do not specify this field then
|
||||||
|
you must place "-" in this column and enter an
|
||||||
|
IP address in the GATEWAY column.
|
||||||
|
|
||||||
|
GATEWAY The gateway that the packet is to be forewarded
|
||||||
|
through.
|
||||||
-----------------------------------------------------------------------
|
-----------------------------------------------------------------------
|
||||||
Problems corrected in version 2.3.1
|
Problems corrected in version 2.3.1
|
||||||
|
|
||||||
|
@ -723,6 +723,7 @@ show_reset() {
|
|||||||
echo "Counters reset $(cat $STATEDIR/restarted)" && \
|
echo "Counters reset $(cat $STATEDIR/restarted)" && \
|
||||||
echo
|
echo
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
# Display's the passed file name followed by "=" and the file's contents.
|
# Display's the passed file name followed by "=" and the file's contents.
|
||||||
#
|
#
|
||||||
|