forked from extern/shorewall_code
Generate warning for zone names beginning with digit; pretty up add_a_rule()
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2110 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
9350da941e
commit
d12d88afcd
@ -4288,8 +4288,8 @@ add_a_rule()
|
||||
|
||||
if [ -n "$natrule" ]; then
|
||||
add_nat_rule
|
||||
elif [ -n "$addr" -a "$addr" != "$serv" ] || [ -n "$servport" -a "$servport" != "$port" ]; then
|
||||
fatal_error "Only DNAT, SAME and REDIRECT rules may specify destination mapping; rule \"$rule\""
|
||||
elif [ -n "$servport" -a "$servport" != "$port" ]; then
|
||||
fatal_error "Only DNAT, SAME and REDIRECT rules may specify destination port mapping; rule \"$rule\""
|
||||
fi
|
||||
|
||||
if [ -z "$dnat_only" ]; then
|
||||
@ -4312,13 +4312,15 @@ add_a_rule()
|
||||
$(fix_bang $proto $sports $multiport $cli $(dest_ip_range $srv) $dports)
|
||||
fi
|
||||
|
||||
[ -n "$nonat" ] && \
|
||||
if [ -n "$nonat" ]; then
|
||||
addnatrule $(dnat_chain $source) $proto $multiport \
|
||||
$cli $sports $(dest_ip_range $srv) $dports $ratelimit $userandgroup -j RETURN
|
||||
|
||||
[ "$logtarget" != NONAT ] && \
|
||||
fi
|
||||
|
||||
if [ "$logtarget" != NONAT ]; then
|
||||
run_iptables2 -A $chain $proto $multiport $cli $sports \
|
||||
$(dest_ip_range $srv) $dports $ratelimit $userandgroup -j $target
|
||||
fi
|
||||
fi
|
||||
done
|
||||
done
|
||||
@ -4342,24 +4344,43 @@ add_a_rule()
|
||||
|
||||
# Destination is a simple zone
|
||||
|
||||
[ -n "$addr" ] && fatal_error \
|
||||
"An ORIGINAL DESTINATION ($addr) is only allowed in" \
|
||||
" a DNAT, SAME or REDIRECT: \"$rule\""
|
||||
|
||||
if [ $COMMAND != check ]; then
|
||||
if [ -n "$loglevel" ]; then
|
||||
log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" -A $userandgroup \
|
||||
$(fix_bang $proto $multiport $cli $dest_interface $sports $dports)
|
||||
fi
|
||||
if [ -n "$addr" ]; then
|
||||
for adr in $(separate_list $addr); do
|
||||
if [ -n "$loglevel" ]; then
|
||||
log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" -A $userandgroup \
|
||||
$(fix_bang $proto $multiport $cli $dest_interface $sports $dports -m conntrack --ctorigdst $adr)
|
||||
fi
|
||||
|
||||
if [ "$logtarget" != LOG ]; then
|
||||
[ -n "$nonat" ] && \
|
||||
addnatrule $(dnat_chain $source) $proto $multiport \
|
||||
$cli $sports $dports $ratelimit $userandgroup -j RETURN
|
||||
if [ "$logtarget" != LOG ]; then
|
||||
if [ -n "$nonat" ]; then
|
||||
addnatrule $(dnat_chain $source) $proto $multiport \
|
||||
$cli $sports $dports $ratelimit $userandgroup -m conntrack --ctorigdst $adr -j RETURN
|
||||
fi
|
||||
|
||||
if [ "$logtarget" != NONAT ]; then
|
||||
run_iptables2 -A $chain $proto $multiport $cli $dest_interface \
|
||||
$sports $dports $ratelimit $userandgroup -m conntrack --ctorigdst $adr -j $target
|
||||
fi
|
||||
fi
|
||||
done
|
||||
else
|
||||
if [ -n "$loglevel" ]; then
|
||||
log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" -A $userandgroup \
|
||||
$(fix_bang $proto $multiport $cli $dest_interface $sports $dports)
|
||||
fi
|
||||
|
||||
[ "$logtarget" != NONAT ] && \
|
||||
run_iptables2 -A $chain $proto $multiport $cli $dest_interface \
|
||||
$sports $dports $ratelimit $userandgroup -j $target
|
||||
if [ "$logtarget" != LOG ]; then
|
||||
if [ -n "$nonat" ]; then
|
||||
addnatrule $(dnat_chain $source) $proto $multiport \
|
||||
$cli $sports $dports $ratelimit $userandgroup -j RETURN
|
||||
fi
|
||||
|
||||
if [ "$logtarget" != NONAT ]; then
|
||||
run_iptables2 -A $chain $proto $multiport $cli $dest_interface \
|
||||
$sports $dports $ratelimit $userandgroup -j $target
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
|
@ -269,6 +269,9 @@ find_zones() # $1 = name of the zone file
|
||||
{
|
||||
while read zone display comments; do
|
||||
[ -n "$zone" ] && case "$zone" in
|
||||
[0-9*])
|
||||
echo " Warning: Illegal zone name \"$zone\" in zones file ignored" 2>&2
|
||||
;;
|
||||
\#*)
|
||||
;;
|
||||
$FW|all|none)
|
||||
|
@ -263,8 +263,8 @@
|
||||
# Otherwise, a separate rule will be generated for each
|
||||
# port.
|
||||
#
|
||||
# ORIGINAL DEST (0ptional -- only allowed if ACTION is DNAT[-] or
|
||||
# REDIRECT[-]) If included and different from the IP
|
||||
# ORIGINAL DEST (0ptional) -- If ACTION is DNAT[-] or REDIRECT[-] then
|
||||
# if included and different from the IP
|
||||
# address given in the SERVER column, this is an address
|
||||
# on some interface on the firewall and connections to
|
||||
# that address will be forwarded to the IP and port
|
||||
@ -280,6 +280,20 @@
|
||||
# destination address in the connection request does not
|
||||
# match any of the addresses listed.
|
||||
#
|
||||
# For other actions, this column may be included and may
|
||||
# contain one or more addresses (host or network)
|
||||
# separated by commas. Address ranges are not allowed.
|
||||
# When this column is supplied, rules are generated
|
||||
# that require that the original destination address matches
|
||||
# one of the listed addresses. This feature is most useful when
|
||||
# you want to generate a filter rule that corresponds to a
|
||||
# DNAT- or REDIRECT- rule. In this usage, the list of
|
||||
# addresses should not begin with "!".
|
||||
#
|
||||
# See http://shorewall.net/PortKnocking.html for an
|
||||
# example of using an entry in this column with a
|
||||
# user-defined action rule.
|
||||
#
|
||||
# RATE LIMIT You may rate-limit the rule by placing a value in
|
||||
# this colume:
|
||||
#
|
||||
|
Loading…
Reference in New Issue
Block a user