Add support for ROUTE target

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2120 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2005-05-15 20:18:30 +00:00
parent 9faf321c52
commit bd18cf79c0
4 changed files with 191 additions and 3 deletions


@ -1,8 +1,16 @@
Changes in 2.3.2
1) Add support for -j ROUTE
Changes in 2.3.1
1) Change the behavior of SAVE_IPSETS and allow 'ipsets' files in
Shorewall configuration directories.
Changes in 2.3.0 Changes in 2.3.0
1) Implement support for --cmd-owner 1) Implement support for --cmd-owner
2) Implement support for ipsets. 2) Implement support for ipsets.
3) Change the behavior of SAVE_IPSETS and allow 'ipsets' files in
Shorewall configuration directories.


@ -5248,6 +5248,103 @@ get_routed_networks() # $1 = interface name
done done
} }
#
# Add a route from /etc/shorewall/routes
#
add_a_route()
{
local r=
local chain=routefwd
if [ "x$source" != "x-" ]; then
case ${source} in
$FW:*)
chain=routeout
r="$(source_ip_range ${source%:*}) "
;;
*:*)
r="$(match_source_dev ${source%:*}) $(source_ip_range ${source#*:}) "
;;
*.*.*|+*|!+*)
r="$(source_ip_range $source) "
;;
~*)
r="$(mac_match $source) "
;;
$FW)
chain=routeout
;;
*)
verify_interface $source || fatal_error "Unknown interface $source in rule \"$rule\""
r="$(match_source_dev) $source "
;;
esac
fi
if [ "x$dest" != "x-" ]; then
case $dest in
*:*)
verify_interface ${dest%:*} || fatal_error "Unknown interface ${dest%:*} in rule \"$rule\""
r="$(match_dest_dev ${dest%:*}) $(dest_ip_range ${dest#*:}) "
;;
*.*.*|+*|!+*)
r="${r}$(dest_ip_range $dest) "
;;
*)
verify_interface $dest || fatal_error "Unknown interface $dest in rule \"$rule\""
r="${r}$(match_dest_dev $dest) "
;;
esac
fi
if [ "x$proto" = xipp2p ]; then
[ "x$port" = "x-" ] && port="ipp2p"
r="${r}-p tcp -m ipp2p --${port} "
else
[ "x$proto" = "x-" ] && proto=all
[ "x$proto" = "x" ] && proto=all
[ "$proto" = "all" ] || r="${r}-p $proto "
[ "x$port" = "x-" ] || r="${r}--dport $port "
fi
[ "x${sport:--}" = "x-" ] || r="${r}--sport $sport "
r="${r}-j ROUTE "
[ "x${interface:--}" != x- ] && r="${r}--oif $interface "
[ "x${gateway:--}" != x- ] && r="${r}--gw $gateway"
run_iptables2 -t mangle -A $chain $r --continue
progress_message " Routing Rule \"$rule\" Added."
}
#
# Set up Routing
#
setup_routes() # $1 = file name
{
strip_file routes $1
if [ -s $TMP_DIR/routes ]; then
echo "Processing $1..."
[ -n "$ROUTE_TARGET" ] || \
fatal_error "Entries in /etc/shorewall/routes requires that your kernel and iptables have ROUTE target support"
run_iptables -t mangle -N routefwd
run_iptables -t mangle -A FORWARD -j routefwd
run_iptables -t mangle -N routeout
run_iptables -t mangle -A OUTPUT -j routeout
while read source dest proto port sport interface gateway; do
expandv source dest proto port sport interface gateway
rule="$source $dest $proto $port $sport $interface $gateway"
add_a_route
done < $TMP_DIR/routes
fi
}
# #
# Set up Source NAT (including masquerading) # Set up Source NAT (including masquerading)
# #
@ -5923,6 +6020,7 @@ determine_capabilities() {
RECENT_MATCH= RECENT_MATCH=
OWNER_MATCH= OWNER_MATCH=
IPSET_MATCH= IPSET_MATCH=
ROUTE_TARGET=
qt $IPTABLES -N fooX1234 qt $IPTABLES -N fooX1234
qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
@ -5934,6 +6032,12 @@ determine_capabilities() {
qt $IPTABLES -A fooX1234 -m recent --update -j ACCEPT && RECENT_MATCH=Yes qt $IPTABLES -A fooX1234 -m recent --update -j ACCEPT && RECENT_MATCH=Yes
qt $IPTABLES -A fooX1234 -m owner --cmd-owner foo -j ACCEPT && OWNER_MATCH=Yes qt $IPTABLES -A fooX1234 -m owner --cmd-owner foo -j ACCEPT && OWNER_MATCH=Yes
qt $IPTABLES -t mangle -N fooX1234
qt $IPTABLES -t mangle -A fooX1234 -j ROUTE --oif eth0 && ROUTE_TARGET=Yes
qt $IPTABLES -t mangle -F fooX1234
qt $IPTABLES -t mangle -X fooX1234
qt ipset -X fooX1234 # Just in case something went wrong the last time qt ipset -X fooX1234 # Just in case something went wrong the last time
if qt ipset -N fooX1234 iphash ; then if qt ipset -N fooX1234 iphash ; then
@ -5975,6 +6079,7 @@ report_capabilities() {
report_capability "Recent Match" $RECENT_MATCH report_capability "Recent Match" $RECENT_MATCH
report_capability "Owner Match" $OWNER_MATCH report_capability "Owner Match" $OWNER_MATCH
report_capability "Ipset Match" $IPSET_MATCH report_capability "Ipset Match" $IPSET_MATCH
report_capability "Route Target" $ROUTE_TARGET
} }
# #
@ -7072,6 +7177,9 @@ define_firewall() # $1 = Command (Start or Restart)
[ -n "$TC_ENABLED" ] && setup_tc [ -n "$TC_ENABLED" ] && setup_tc
routes=$(find_file routes)
[ -f $routes ] && setup_routes $routes
echo "Activating Rules..."; activate_rules echo "Activating Rules..."; activate_rules
[ -n "$aliases_to_add" ] && \ [ -n "$aliases_to_add" ] && \
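Review bot: In add_a_route the `*:*` arm of the DEST case (`r="$(match_dest_dev ${dest%:*}) $(dest_ip_range ${dest#*:}) "`) assigns `r` instead of appending to it, so whatever the SOURCE column produced is discarded and the resulting mangle rule matches every source, i.e. a broader rule than the one configured; the other two DEST arms use `r="${r}..."`, so this one should read `r="${r}$(match_dest_dev ${dest%:*}) $(dest_ip_range ${dest#*:}) "`. The default arm of the SOURCE case also calls `match_source_dev` with no argument and appends `$source` afterwards, unlike the `*:*` arm above it and all DEST arms, which pass the device name; if match_source_dev inspects `$1` (its body is not in this hunk) the emitted match will be wrong, so `r="$(match_source_dev $source) "` looks like the intended line. Separately, `--dport $port` and `--sport $sport` are emitted without `-m multiport`, so the comma-separated port lists the release notes in this commit describe would be rejected by iptables at load time; either document a single port or range, or add multiport handling here. Finally, `--dport $port` is still appended when `proto` is `all`, where no `-p` precedes it, which iptables also rejects, whereas the release notes say the column is ignored in that case; guarding it with `[ "$proto" = all ] ||` would match the documented behaviour.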


@ -1,5 +1,76 @@
Shorewall 2.3.1 Shorewall 2.3.3
-----------------------------------------------------------------------
Problems corrected in version 2.3.2
None.
-----------------------------------------------------------------------
New Features in version 2.3.2
1) Shorewall 2.3.2 can now configure routing if your kernel and
iptables support the ROUTE target extension. This extension is
available in Patch-O-Matic-ng.
Routing is configured using the /etc/shorewall/routes file. Columns
in the file are as follows:
SOURCE Source of the packet. May be any of the
following:
- A host or network address
- A network interface name.
- The name of an ipset prefaced with "+"
- $FW (for packets originating on the firewall)
- A MAC address in Shorewall format
- A range of IP addresses (assuming that your
kernel and iptables support range match)
- A network interface name followed by ":"
and an address or address range.
DEST Destination of the packet. May be any of the
following:
- A host or network address
- A network interface name (determined from
routing table(s))
- The name of an ipset prefaced with "+"
- A network interface name followed by ":"
and an address or address range.
PROTO Protocol - Must be "tcp", "udp", "icmp",
"ipp2p", a number, or "all". "ipp2p" requires
ipp2p match support in your kernel and
iptables.
PORT(S) Destination Ports. A comma-separated list of
Port names (from /etc/services), port numbers
or port ranges; if the protocol is "icmp", this
column is interpreted as the destination
icmp-type(s).
If the protocol is ipp2p, this column is
interpreted as an ipp2p option without the
leading "--" (example "bit" for bit-torrent).
If no PORT is given, "ipp2p" is assumed.
This column is ignored if PROTOCOL = all but
must be entered if any of the following field
is supplied. In that case, it is suggested that
this field contain "-"
SOURCE PORT(S) (Optional) Source port(s). If omitted,
any source port is acceptable. Specified as a
comma-separated list of port names, port
numbers or port ranges.
INTERFACE The interface that the packet is to be routed
out of. If you do not specify this field then
you must place "-" in this column and enter an
IP address in the GATEWAY column.
GATEWAY The gateway that the packet is to be forewarded
through.
----------------------------------------------------------------------- -----------------------------------------------------------------------
Problems corrected in version 2.3.1 Problems corrected in version 2.3.1


@ -723,6 +723,7 @@ show_reset() {
echo "Counters reset $(cat $STATEDIR/restarted)" && \ echo "Counters reset $(cat $STATEDIR/restarted)" && \
echo echo
} }
# #
# Display's the passed file name followed by "=" and the file's contents. # Display's the passed file name followed by "=" and the file's contents.
# #