forked from extern/shorewall_code
Add support for ROUTE target
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2120 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
9faf321c52
commit
bd18cf79c0
@ -1,8 +1,16 @@
|
||||
Changes in 2.3.2
|
||||
|
||||
1) Add support for -j ROUTE
|
||||
|
||||
Changes in 2.3.1
|
||||
|
||||
1) Change the behavior of SAVE_IPSETS and allow 'ipsets' files in
|
||||
Shorewall configuration directories.
|
||||
|
||||
Changes in 2.3.0
|
||||
|
||||
1) Implement support for --cmd-owner
|
||||
|
||||
2) Implement support for ipsets.
|
||||
|
||||
3) Change the behavior of SAVE_IPSETS and allow 'ipsets' files in
|
||||
Shorewall configuration directories.
|
||||
|
||||
|
@ -5248,6 +5248,103 @@ get_routed_networks() # $1 = interface name
|
||||
done
|
||||
}
|
||||
|
||||
#
|
||||
# Add a route from /etc/shorewall/routes
|
||||
#
|
||||
add_a_route()
|
||||
{
|
||||
local r=
|
||||
local chain=routefwd
|
||||
|
||||
if [ "x$source" != "x-" ]; then
|
||||
case ${source} in
|
||||
$FW:*)
|
||||
chain=routeout
|
||||
r="$(source_ip_range ${source%:*}) "
|
||||
;;
|
||||
*:*)
|
||||
r="$(match_source_dev ${source%:*}) $(source_ip_range ${source#*:}) "
|
||||
;;
|
||||
*.*.*|+*|!+*)
|
||||
r="$(source_ip_range $source) "
|
||||
;;
|
||||
~*)
|
||||
r="$(mac_match $source) "
|
||||
;;
|
||||
$FW)
|
||||
chain=routeout
|
||||
;;
|
||||
*)
|
||||
verify_interface $source || fatal_error "Unknown interface $source in rule \"$rule\""
|
||||
r="$(match_source_dev) $source "
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
|
||||
if [ "x$dest" != "x-" ]; then
|
||||
case $dest in
|
||||
*:*)
|
||||
verify_interface ${dest%:*} || fatal_error "Unknown interface ${dest%:*} in rule \"$rule\""
|
||||
r="$(match_dest_dev ${dest%:*}) $(dest_ip_range ${dest#*:}) "
|
||||
;;
|
||||
*.*.*|+*|!+*)
|
||||
r="${r}$(dest_ip_range $dest) "
|
||||
;;
|
||||
*)
|
||||
verify_interface $dest || fatal_error "Unknown interface $dest in rule \"$rule\""
|
||||
r="${r}$(match_dest_dev $dest) "
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
|
||||
if [ "x$proto" = xipp2p ]; then
|
||||
[ "x$port" = "x-" ] && port="ipp2p"
|
||||
r="${r}-p tcp -m ipp2p --${port} "
|
||||
else
|
||||
[ "x$proto" = "x-" ] && proto=all
|
||||
[ "x$proto" = "x" ] && proto=all
|
||||
[ "$proto" = "all" ] || r="${r}-p $proto "
|
||||
[ "x$port" = "x-" ] || r="${r}--dport $port "
|
||||
fi
|
||||
|
||||
[ "x${sport:--}" = "x-" ] || r="${r}--sport $sport "
|
||||
|
||||
r="${r}-j ROUTE "
|
||||
|
||||
[ "x${interface:--}" != x- ] && r="${r}--oif $interface "
|
||||
|
||||
[ "x${gateway:--}" != x- ] && r="${r}--gw $gateway"
|
||||
|
||||
run_iptables2 -t mangle -A $chain $r --continue
|
||||
|
||||
progress_message " Routing Rule \"$rule\" Added."
|
||||
}
|
||||
|
||||
#
|
||||
# Set up Routing
|
||||
#
|
||||
setup_routes() # $1 = file name
|
||||
{
|
||||
strip_file routes $1
|
||||
|
||||
if [ -s $TMP_DIR/routes ]; then
|
||||
echo "Processing $1..."
|
||||
[ -n "$ROUTE_TARGET" ] || \
|
||||
fatal_error "Entries in /etc/shorewall/routes requires that your kernel and iptables have ROUTE target support"
|
||||
run_iptables -t mangle -N routefwd
|
||||
run_iptables -t mangle -A FORWARD -j routefwd
|
||||
run_iptables -t mangle -N routeout
|
||||
run_iptables -t mangle -A OUTPUT -j routeout
|
||||
|
||||
while read source dest proto port sport interface gateway; do
|
||||
|
||||
expandv source dest proto port sport interface gateway
|
||||
rule="$source $dest $proto $port $sport $interface $gateway"
|
||||
add_a_route
|
||||
done < $TMP_DIR/routes
|
||||
fi
|
||||
}
|
||||
|
||||
#
|
||||
# Set up Source NAT (including masquerading)
|
||||
#
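Review bot: The `*:*` arm of the DEST case (`r="$(match_dest_dev ${dest%:*}) $(dest_ip_range ${dest#*:}) "`) assigns `r` instead of appending to it, so a routes entry that has both a SOURCE and an `interface:address` DEST silently loses the source match built just above and the resulting mangle rule matches more traffic than the entry describes; the other two DEST arms use `${r}`, so this one should read `r="${r}$(match_dest_dev ${dest%:*}) $(dest_ip_range ${dest#*:}) "`. The SOURCE `*:*` arm also omits the `verify_interface ${source%:*} || fatal_error "Unknown interface ${source%:*} in rule \"$rule\""` check that its DEST counterpart performs, so a mistyped interface in that position is only rejected, if at all, by iptables without the offending rule being named. In the SOURCE `*)` arm `$(match_source_dev) $source` passes no argument to match_source_dev while the DEST arm passes the device to match_dest_dev; unless match_source_dev is meant to be called bare, that looks like it should be `$(match_source_dev $source)`. Finally, when both INTERFACE and GATEWAY are `-` the rule is emitted as `-j ROUTE --continue` with neither `--oif` nor `--gw`, which the release notes describe as invalid; a `fatal_error` naming `$rule` before the `run_iptables2` call would report that case more clearly than the iptables error would.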
|
||||
@ -5923,6 +6020,7 @@ determine_capabilities() {
|
||||
RECENT_MATCH=
|
||||
OWNER_MATCH=
|
||||
IPSET_MATCH=
|
||||
ROUTE_TARGET=
|
||||
|
||||
qt $IPTABLES -N fooX1234
|
||||
qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
|
||||
@ -5934,6 +6032,12 @@ determine_capabilities() {
|
||||
qt $IPTABLES -A fooX1234 -m recent --update -j ACCEPT && RECENT_MATCH=Yes
|
||||
qt $IPTABLES -A fooX1234 -m owner --cmd-owner foo -j ACCEPT && OWNER_MATCH=Yes
|
||||
|
||||
qt $IPTABLES -t mangle -N fooX1234
|
||||
qt $IPTABLES -t mangle -A fooX1234 -j ROUTE --oif eth0 && ROUTE_TARGET=Yes
|
||||
qt $IPTABLES -t mangle -F fooX1234
|
||||
qt $IPTABLES -t mangle -X fooX1234
|
||||
|
||||
|
||||
qt ipset -X fooX1234 # Just in case something went wrong the last time
|
||||
|
||||
if qt ipset -N fooX1234 iphash ; then
|
||||
@ -5975,6 +6079,7 @@ report_capabilities() {
|
||||
report_capability "Recent Match" $RECENT_MATCH
|
||||
report_capability "Owner Match" $OWNER_MATCH
|
||||
report_capability "Ipset Match" $IPSET_MATCH
|
||||
report_capability "Route Target" $ROUTE_TARGET
|
||||
}
|
||||
|
||||
#
|
||||
@ -7072,6 +7177,9 @@ define_firewall() # $1 = Command (Start or Restart)
|
||||
|
||||
[ -n "$TC_ENABLED" ] && setup_tc
|
||||
|
||||
routes=$(find_file routes)
|
||||
[ -f $routes ] && setup_routes $routes
|
||||
|
||||
echo "Activating Rules..."; activate_rules
|
||||
|
||||
[ -n "$aliases_to_add" ] && \
|
||||
|
@ -1,5 +1,76 @@
|
||||
Shorewall 2.3.1
|
||||
Shorewall 2.3.3
|
||||
|
||||
-----------------------------------------------------------------------
|
||||
Problems corrected in version 2.3.2
|
||||
|
||||
None.
|
||||
-----------------------------------------------------------------------
|
||||
New Features in version 2.3.2
|
||||
|
||||
1) Shorewall 2.3.2 can now configure routing if your kernel and
|
||||
iptables support the ROUTE target extension. This extension is
|
||||
available in Patch-O-Matic-ng.
|
||||
|
||||
Routing is configured using the /etc/shorewall/routes file. Columns
|
||||
in the file are as follows:
|
||||
|
||||
SOURCE Source of the packet. May be any of the
|
||||
following:
|
||||
|
||||
|
||||
- A host or network address
|
||||
- A network interface name.
|
||||
- The name of an ipset prefaced with "+"
|
||||
- $FW (for packets originating on the firewall)
|
||||
- A MAC address in Shorewall format
|
||||
- A range of IP addresses (assuming that your
|
||||
kernel and iptables support range match)
|
||||
- A network interface name followed by ":"
|
||||
and an address or address range.
|
||||
|
||||
DEST Destination of the packet. May be any of the
|
||||
following:
|
||||
|
||||
- A host or network address
|
||||
- A network interface name (determined from
|
||||
routing table(s))
|
||||
- The name of an ipset prefaced with "+"
|
||||
- A network interface name followed by ":"
|
||||
and an address or address range.
|
||||
|
||||
PROTO Protocol - Must be "tcp", "udp", "icmp",
|
||||
"ipp2p", a number, or "all". "ipp2p" requires
|
||||
ipp2p match support in your kernel and
|
||||
iptables.
|
||||
|
||||
PORT(S) Destination Ports. A comma-separated list of
|
||||
Port names (from /etc/services), port numbers
|
||||
or port ranges; if the protocol is "icmp", this
|
||||
column is interpreted as the destination
|
||||
icmp-type(s).
|
||||
|
||||
If the protocol is ipp2p, this column is
|
||||
interpreted as an ipp2p option without the
|
||||
leading "--" (example "bit" for bit-torrent).
|
||||
If no PORT is given, "ipp2p" is assumed.
|
||||
|
||||
This column is ignored if PROTOCOL = all but
|
||||
must be entered if any of the following field
|
||||
is supplied. In that case, it is suggested that
|
||||
this field contain "-"
|
||||
|
||||
SOURCE PORT(S) (Optional) Source port(s). If omitted,
|
||||
any source port is acceptable. Specified as a
|
||||
comma-separated list of port names, port
|
||||
numbers or port ranges.
|
||||
|
||||
INTERFACE The interface that the packet is to be routed
|
||||
out of. If you do not specify this field then
|
||||
you must place "-" in this column and enter an
|
||||
IP address in the GATEWAY column.
|
||||
|
||||
GATEWAY The gateway that the packet is to be forewarded
|
||||
through.
|
||||
-----------------------------------------------------------------------
|
||||
Problems corrected in version 2.3.1
|
||||
|
||||
|
@ -723,6 +723,7 @@ show_reset() {
|
||||
echo "Counters reset $(cat $STATEDIR/restarted)" && \
|
||||
echo
|
||||
}
|
||||
|
||||
#
|
||||
# Display's the passed file name followed by "=" and the file's contents.
|
||||
#
|
||||
|