Implement SNAT actions and inlines

Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2016-10-18 10:09:07 -07:00
parent 9796af5d80
commit d52a4b1c9d
No known key found for this signature in database
GPG Key ID: 96E6B3F2423A4D10

View File

@ -1303,18 +1303,19 @@ sub finish_section ( $ ) {
# #
sub normalize_action( $$$ ) { sub normalize_action( $$$ ) {
my ( $action, $level, $param ) = @_; my ( $action, $level, $param ) = @_;
my $caller = ''; #We assume that the function doesn't use @CALLER my $caller = ''; #We assume that the action doesn't use @CALLER
( $level, my $tag ) = split ':', $level; ( $level, my $tag ) = split ':', $level;
if ( $actions{$action}{options} & LOGJUMP_OPT ) { if ( $actions{$action}{options} & LOGJUMP_OPT ) {
$level = 'none'; $level = 'none';
$tag = '';
} else { } else {
$level = 'none' unless supplied $level; $level = 'none' unless supplied $level;
$tag = '' unless defined $tag;
} }
#
# Note: SNAT actions store the current interface's name in the tag
#
$tag = '' unless defined $tag;
$param = '' unless defined $param; $param = '' unless defined $param;
$param = '' if $param eq '-'; $param = '' if $param eq '-';
@ -1612,6 +1613,41 @@ sub merge_macro_source_dest( $$ ) {
$body || ''; $body || '';
} }
#
# This one is used by snat inline
#
sub merge_inline_source_dest( $$ ) {
my ( $body, $invocation ) = @_;
if ( $invocation ) {
if ( $body ) {
return $body if $invocation eq '-';
if ( $family == F_IPV4 ) {
fatal_error 'Interface names cannot appear in the DEST column within an action body' if $body =~ /:/;
if ( $invocation =~ /:/ ) {
$invocation =~ s/:.*//;
return join( ':', $invocation, $body );
}
} else {
fatal_error 'Interface names cannot appear in the DEST column within an action body' if $body =~ /:\[|:\+|/;
if ( $invocation =~ /:\[|:\+/ ) {
$invocation =~ s/:.*//;
return join( ':', $invocation, $body );
}
}
return "$invocation:$body";
}
return $invocation;
}
$body || '';
}
sub merge_macro_column( $$ ) { sub merge_macro_column( $$ ) {
my ( $body, $invocation ) = @_; my ( $body, $invocation ) = @_;
@ -1838,6 +1874,7 @@ my %builtinops = ( 'dropBcast' => \&dropBcast,
sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ); sub process_rule ( $$$$$$$$$$$$$$$$$$$$ );
sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ); sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ );
sub process_snat1( $$$$$$$$$$$$ );
sub perl_action_helper( $$;$$ ); sub perl_action_helper( $$;$$ );
# #
@ -1886,7 +1923,63 @@ sub process_action(\$\$$) {
my $save_comment = push_comment; my $save_comment = push_comment;
while ( read_a_line( NORMAL_READ ) ) { while ( read_a_line( NORMAL_READ ) ) {
if ( $type & MANGLE_TABLE ) { unless ( $type & ( MANGLE_TABLE | NAT_TABLE | RAW_TABLE ) ) {
my ($target, $source, $dest, $protos, $ports, $sports, $origdest, $rate, $users, $mark, $connlimit, $time, $headers, $condition, $helper );
if ( $file_format == 1 ) {
fatal_error( "FORMAT-1 actions are no longer supported" );
} else {
($target, $source, $dest, $protos, $ports, $sports, $origdest, $rate, $users, $mark, $connlimit, $time, $headers, $condition, $helper )
= split_line2( 'action file',
\%rulecolumns,
$action_commands,
undef,
1 );
}
fatal_error 'TARGET must be specified' if $target eq '-';
if ( $target eq 'DEFAULTS' ) {
default_action_params( $action, split_list $source, 'defaults' );
if ( my $state = $actionref->{state} ) {
my ( $action ) = get_action_params( 1 );
if ( my $check = check_state( $state ) ) {
perl_action_helper( $action, $check == 1 ? state_match( $state ) : '' , $state );
}
}
next;
}
for my $proto ( split_list( $protos, 'Protocol' ) ) {
for my $user ( split_list( $users, 'User/Group' ) ) {
process_rule( $chainref,
'',
'',
$nolog ? $target : merge_levels( join(':', @actparams{'chain','loglevel','logtag'}), $target ),
'',
$source,
$dest,
$proto,
$ports,
$sports,
$origdest,
$rate,
$user,
$mark,
$connlimit,
$time,
$headers,
$condition,
$helper,
0 );
set_inline_matches( $matches );
}
}
} elsif ( $type & MANGLE_TABLE ) {
my ( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state, $time ); my ( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state, $time );
if ( $family == F_IPV4 ) { if ( $family == F_IPV4 ) {
@ -1970,60 +2063,45 @@ sub process_action(\$\$$) {
set_inline_matches( $matches ); set_inline_matches( $matches );
} }
} else { } else {
my ($target, $source, $dest, $protos, $ports, $sports, $origdest, $rate, $users, $mark, $connlimit, $time, $headers, $condition, $helper ); my ( $action, $source, $dest, $protos, $port, $ipsec, $mark, $user, $condition, $origdest, $probability) =
split_line2( 'snat file',
{ action =>0,
source => 1,
dest => 2,
proto => 3,
port => 4,
ipsec => 5,
mark => 6,
user => 7,
switch => 8,
origdest => 9,
probability => 10,
},
{},
11,
1 );
if ( $file_format == 1 ) { fatal_error 'ACTION must be specified' if $action eq '-';
fatal_error( "FORMAT-1 actions are no longer supported" );
} else {
($target, $source, $dest, $protos, $ports, $sports, $origdest, $rate, $users, $mark, $connlimit, $time, $headers, $condition, $helper )
= split_line2( 'action file',
\%rulecolumns,
$action_commands,
undef,
1 );
}
fatal_error 'TARGET must be specified' if $target eq '-';
if ( $target eq 'DEFAULTS' ) {
default_action_params( $action, split_list $source, 'defaults' );
if ( my $state = $actionref->{state} ) {
my ( $action ) = get_action_params( 1 );
if ( my $check = check_state( $state ) ) {
perl_action_helper( $action, $check == 1 ? state_match( $state ) : '' , $state );
}
}
if ( $action eq 'DEFAULTS' ) {
default_action_params( $chainref, split_list( $source, 'defaults' ) );
next; next;
} }
for my $proto ( split_list( $protos, 'Protocol' ) ) { for my $proto (split_list( $protos, 'Protocol' ) ) {
for my $user ( split_list( $users, 'User/Group' ) ) { process_snat1( $chainref,
process_rule( $chainref, $action,
'', $source,
'', $dest,
$nolog ? $target : merge_levels( join(':', @actparams{'chain','loglevel','logtag'}), $target ), $proto,
'', $port,
$source, $ipsec,
$dest, $mark,
$proto, $user,
$ports, $condition,
$sports, $origdest,
$origdest, $probability,
$rate, );
$user,
$mark,
$connlimit,
$time,
$headers,
$condition,
$helper,
0 );
set_inline_matches( $matches );
}
} }
} }
} }
@ -2177,9 +2255,10 @@ sub process_actions() {
make_terminating( $action ) if $opts & TERMINATING_OPT make_terminating( $action ) if $opts & TERMINATING_OPT
} else { } else {
fatal_error "Only the 'mangle' and 'filter' table may be specified for non-builtin actions" if $opts & ( RAW_OPT | NAT_OPT ); fatal_error "The 'raw' table may not be specified for non-builtin actions" if $opts & RAW_OPT;
$type |= MANGLE_TABLE if $opts & MANGLE_OPT; $type |= MANGLE_TABLE if $opts & MANGLE_OPT;
$type |= NAT_TABLE if $opts & NAT_OPT;
my $actionfile = find_file( "action.$action" ); my $actionfile = find_file( "action.$action" );
@ -5163,12 +5242,99 @@ sub process_mangle_rule( $ ) {
} }
} }
sub process_snat_inline( $$$$$$$$$$$$$ ) {
my ($inline, $chainref, $params, $source, $dest, $protos, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) = @_;
my $oldparms = push_action_params( $inline,
$chainref,
$params,
'none',
'' ,
$chainref->{name} );
my $inlinefile = $actions{$inline}{file};
my $matches = fetch_inline_matches;
progress_message "..Expanding inline action $inlinefile...";
push_open $inlinefile, 2, 1, undef , 2;
my $save_comment = push_comment;
while ( read_a_line( NORMAL_READ ) ) {
my ( $maction, $msource, $mdest, $mprotos, $mports, $mipsec, $mmark, $muser, $mcondition, $morigdest, $mprobability) =
split_line2( 'snat file',
{ action =>0,
source => 1,
dest => 2,
proto => 3,
port => 4,
ipsec => 5,
mark => 6,
user => 7,
switch => 8,
origdest => 9,
probability => 10,
},
{},
11,
1 );
fatal_error 'ACTION must be specified' if $maction eq '-';
if ( $maction eq 'DEFAULTS' ) {
default_action_params( $chainref, split_list( $msource, 'defaults' ) );
next;
}
$msource = $source if $msource eq '-';
if ( $mdest eq '-' ) {
$mdest = $dest;
} else {
$mdest = merge_inline_source_dest( $mdest, $dest );
}
$mprotos = $protos if $mprotos eq '-';
for my $proto (split_list( $mprotos, 'Protocol' ) ) {
process_snat1( $chainref,
$maction,
$msource,
$mdest,
$proto,
merge_macro_column( $mports, $ports ),
merge_macro_column( $mipsec, $ipsec ),
merge_macro_column( $mmark, $mark ),
merge_macro_column( $muser, $user ),
merge_macro_column( $mcondition, $condition ),
merge_macro_column( $morigdest , $origdest ),
merge_macro_column( $mprobability, $probability ),
);
}
progress_message " Rule \"$currentline\" $done";
set_inline_matches( $matches );
}
pop_comment( $save_comment );
pop_open;
progress_message "..End inline action $inlinefile";
pop_action_params( $oldparms );
}
# #
# Process a record in the snat file # Process a record in the snat file
# #
sub process_one_snat1( $$$$$$$$$$$ ) { sub process_snat1( $$$$$$$$$$$$ ) {
my ($action, $source, $dest, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) = @_; my ( $chainref, $action, $source, $dest, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) = @_;
my $inchain;
my $inaction;
my $pre_nat; my $pre_nat;
my $add_snat_aliases = $family == F_IPV4 && $config{ADD_SNAT_ALIASES}; my $add_snat_aliases = $family == F_IPV4 && $config{ADD_SNAT_ALIASES};
my $destnets = ''; my $destnets = '';
@ -5178,61 +5344,76 @@ sub process_one_snat1( $$$$$$$$$$$ ) {
my $options = ''; my $options = '';
my $addresses; my $addresses;
my $target; my $target;
my $params;
my $actiontype;
my $interfaces;
my $interface;
my $normalized_action;
if ( $action =~ /^MASQUERADE(\+)?\((.+)\)$/ ) { if ( $action =~ /^MASQUERADE(\+)?\((.+)\)$/ ) {
$target = 'MASQUERADE'; $target = 'MASQUERADE';
$action = $target; $actiontype = $builtin_target{$action = $target};
$pre_nat = $1; $pre_nat = $1;
$addresses = $2; $addresses = $2;
$options = 'random' if $addresses =~ s/:?random$//; $options = 'random' if $addresses =~ s/:?random$//;
} elsif ( $action =~ /^SNAT(\+)?\((.+)\)$/ ) { } elsif ( $action =~ /^SNAT(\+)?\((.+)\)$/ ) {
$pre_nat = $1; $pre_nat = $1;
$addresses = $2; $addresses = $2;
$target = 'SNAT'; $target = 'SNAT';
$action = $target; $actiontype = $builtin_target{$action = $target};
$options .= ':persistent' if $addresses =~ s/:persistent//; $options .= ':persistent' if $addresses =~ s/:persistent//;
$options .= ':random' if $addresses =~ s/:random//; $options .= ':random' if $addresses =~ s/:random//;
$options =~ s/^://; $options =~ s/^://;
} elsif ( $action =~ /^CONTINUE(\+)?$/ ) { } elsif ( $action =~ /^CONTINUE(\+)?$/ ) {
$add_snat_aliases = 0; $add_snat_aliases = 0;
$target = 'RETURN'; $actiontype = $builtin_target{$target = 'RETURN'};
$pre_nat = $1; $pre_nat = $1;
} elsif ( $action eq 'MASQUERADE' ) { } elsif ( $action eq 'MASQUERADE' ) {
$target = 'MASQUERADE'; $actiontype = $builtin_target{$target = 'MASQUERADE'};
} else { } else {
fatal_error "Invalid ACTION ($action)"; ( $target , $params ) = get_target_param1( $action );
$actiontype = $targets{$target};
fatal_error "Invalid ACTION ($action)" unless $actiontype & ( ACTION | INLINE );
}
if ( $inchain = defined $chainref ) {
( $inaction, undef, $interfaces, undef, undef ) = split /:/, $normalized_action = $chainref->{action}, 5 if $chainref->{action};
} }
# #
# Next, parse the DEST column # Next, parse the DEST column
# #
if ( $family == F_IPV4 ) { if ( $inaction ) {
fatal_error q('*' is not allowed within an action body) if $pre_nat;
$destnets = $dest;
} elsif ( $family == F_IPV4 ) {
if ( $dest =~ /^([^:]+)::([^:]*)$/ ) { if ( $dest =~ /^([^:]+)::([^:]*)$/ ) {
$add_snat_aliases = 0; $add_snat_aliases = 0;
$destnets = $2; $destnets = $2;
$dest = $1; $interfaces = $1;
} elsif ( $dest =~ /^([^:]+:[^:]+):([^:]+)$/ ) { } elsif ( $dest =~ /^([^:]+:[^:]+):([^:]+)$/ ) {
$destnets = $2; $destnets = $2;
$dest = $1; $interfaces = $1;
} elsif ( $dest =~ /^([^:]+):$/ ) { } elsif ( $dest =~ /^([^:]+):$/ ) {
$add_snat_aliases = 0; $add_snat_aliases = 0;
$dest = $1; $interfaces = $1;
} elsif ( $dest =~ /^([^:]+):([^:]*)$/ ) { } elsif ( $dest =~ /^([^:]+):([^:]*)$/ ) {
my ( $one, $two ) = ( $1, $2 ); my ( $one, $two ) = ( $1, $2 );
if ( $2 =~ /\./ || $2 =~ /^%/ ) { if ( $2 =~ /\./ || $2 =~ /^%/ ) {
$dest = $one; $interfaces = $one;
$destnets = $two; $destnets = $two;
} }
} else {
$interfaces = $dest;
} }
} elsif ( $dest =~ /^(.+?):(.+)$/ ) { } elsif ( $dest =~ /^(.+?):(.+)$/ ) {
$dest = $1; $interfaces = $1;
$destnets = $2; $destnets = $2;
} else {
$interfaces = $dest;
} }
# #
# If there is no source or destination then allow all addresses
#
$source = ALLIP if $source eq '-';
$destnets = ALLIP if $destnets eq '-';
#
# Handle IPSEC options, if any # Handle IPSEC options, if any
# #
if ( $ipsec ne '-' ) { if ( $ipsec ne '-' ) {
@ -5259,203 +5440,260 @@ sub process_one_snat1( $$$$$$$$$$$ ) {
$baserule .= do_user( $user ) if $user ne '-'; $baserule .= do_user( $user ) if $user ne '-';
$baserule .= do_probability( $probability ) if $probability ne '-'; $baserule .= do_probability( $probability ) if $probability ne '-';
my $rule = ''; for $interface ( split_list( $interfaces, 'interface' ) ) {
my $rule = '';
my $saveaddresses = $addresses;
( my $interface = $dest ) =~ s/:.*//; unless ( $inaction ) {
if ( $interface =~ /(.*)[(](\w*)[)]$/ ) {
$interface = $1;
my $provider = $2;
if ( $interface =~ /(.*)[(](\w*)[)]$/ ) { fatal_error "Missing Provider ($dest)" unless supplied $provider;
$interface = $1;
my $provider = $2;
fatal_error "Missing Provider ($dest)" unless supplied $provider; $dest =~ s/[(]\w*[)]//;
my $realm = provider_realm( $provider );
$dest =~ s/[(]\w*[)]//; fatal_error "$provider is not a shared-interface provider" unless $realm;
my $realm = provider_realm( $provider );
fatal_error "$provider is not a shared-interface provider" unless $realm; $rule .= "-m realm --realm $realm ";
$rule .= "-m realm --realm $realm ";
}
fatal_error "Unknown interface ($interface)" unless my $interfaceref = known_interface( $interface );
if ( $interfaceref->{root} ) {
$interface = $interfaceref->{name} if $interface eq $interfaceref->{physical};
} else {
$rule .= match_dest_dev( $interface );
$interface = $interfaceref->{name};
}
my $chainref = ensure_chain('nat', $pre_nat ? snat_chain $interface : masq_chain $interface);
$baserule .= do_condition( $condition , $chainref->{name} );
my $detectaddress = 0;
my $exceptionrule = '';
my $conditional = 0;
if ( $action eq 'SNAT' ) {
if ( $addresses eq 'detect' ) {
my $variable = get_interface_address $interface;
$target .= " --to-source $variable";
if ( interface_is_optional $interface ) {
add_commands( $chainref,
'',
"if [ \"$variable\" != 0.0.0.0 ]; then" );
incr_cmd_level( $chainref );
$detectaddress = 1;
} }
} else {
my $addrlist = '';
my @addrs = split_list $addresses, 'address';
fatal_error "Only one IPv6 ADDRESS may be specified" if $family == F_IPV6 && @addrs > 1; fatal_error "Unknown interface ($interface)" unless my $interfaceref = known_interface( $interface );
for my $addr ( @addrs ) { if ( $interfaceref->{root} ) {
if ( $addr =~ /^([&%])(.+)$/ ) { $interface = $interfaceref->{name} if $interface eq $interfaceref->{physical};
my ( $type, $interface ) = ( $1, $2 ); } else {
$rule .= match_dest_dev( $interface );
$interface = $interfaceref->{name};
}
my $ports = ''; $chainref = ensure_chain('nat', $pre_nat ? snat_chain $interface : masq_chain $interface);
}
if ( $interface =~ s/:(.+)$// ) { $baserule .= do_condition( $condition , $chainref->{name} );
validate_portpair1( $proto, $1 );
$ports = ":$1"; my $detectaddress = 0;
} my $exceptionrule = '';
# my $conditional = 0;
# Address Variable
# if ( $action eq 'SNAT' ) {
if ( $interface =~ /^{([a-zA-Z_]\w*)}$/ ) { if ( $addresses eq 'detect' ) {
my $variable = get_interface_address $interface;
$target .= " --to-source $variable";
if ( interface_is_optional $interface ) {
add_commands( $chainref,
'',
"if [ \"$variable\" != 0.0.0.0 ]; then" );
incr_cmd_level( $chainref );
$detectaddress = 1;
}
} else {
my $addrlist = '';
my @addrs = split_list $addresses, 'address';
fatal_error "Only one IPv6 ADDRESS may be specified" if $family == F_IPV6 && @addrs > 1;
for my $addr ( @addrs ) {
if ( $addr =~ /^([&%])(.+)$/ ) {
my ( $type, $interface ) = ( $1, $2 );
my $ports = '';
if ( $interface =~ s/:(.+)$// ) {
validate_portpair1( $proto, $1 );
$ports = ":$1";
}
# #
# User-defined address variable # Address Variable
# #
$conditional = conditional_rule( $chainref, $addr ); if ( $interface =~ /^{([a-zA-Z_]\w*)}$/ ) {
$addrlist .= ' --to-source' . "\$${1}${ports} ";
} else {
if ( $conditional = conditional_rule( $chainref, $addr ) ) {
# #
# Optional Interface -- rule is conditional # User-defined address variable
# #
$addr = get_interface_address $interface; $conditional = conditional_rule( $chainref, $addr );
$addrlist .= ' --to-source' . "\$${1}${ports} ";
} else { } else {
# if ( $conditional = conditional_rule( $chainref, $addr ) ) {
# Interface is not optional #
# # Optional Interface -- rule is conditional
$addr = record_runtime_address( $type, $interface ); #
} $addr = get_interface_address $interface;
} else {
#
# Interface is not optional
#
$addr = record_runtime_address( $type, $interface );
}
if ( $ports ) { if ( $ports ) {
$addr =~ s/ $//; $addr =~ s/ $//;
$addr = $family == F_IPV4 ? "${addr}${ports} " : "[$addr]$ports "; $addr = $family == F_IPV4 ? "${addr}${ports} " : "[$addr]$ports ";
} }
$addrlist .= ' --to-source' . $addr; $addrlist .= ' --to-source' . $addr;
} }
} elsif ( $family == F_IPV4 ) { } elsif ( $family == F_IPV4 ) {
if ( $addr =~ /^.*\..*\..*\./ ) { if ( $addr =~ /^.*\..*\..*\./ ) {
my ($ipaddr, $rest) = split ':', $addr; my ($ipaddr, $rest) = split ':', $addr;
if ( $ipaddr =~ /^(.+)-(.+)$/ ) { if ( $ipaddr =~ /^(.+)-(.+)$/ ) {
validate_range( $1, $2 ); validate_range( $1, $2 );
} else {
validate_address $ipaddr, 0;
}
validate_portpair1( $proto, $rest ) if supplied $rest;
$addrlist .= " --to-source $addr";
$exceptionrule = do_proto( $proto, '', '' ) if $addr =~ /:/;
} else { } else {
validate_address $ipaddr, 0; my $ports = $addr;
} $ports =~ s/^://;
validate_portpair1( $proto, $rest ) if supplied $rest;
$addrlist .= " --to-source $addr";
$exceptionrule = do_proto( $proto, '', '' ) if $addr =~ /:/;
} else {
my $ports = $addr;
$ports =~ s/^://;
validate_portpair1( $proto, $ports );
$addrlist .= " --to-ports $ports";
$exceptionrule = do_proto( $proto, '', '' );
}
} else {
if ( $addr =~ /^\[/ ) {
#
# Can have ports specified
#
my $ports;
if ( $addr =~ s/:([^]:]+)$// ) {
$ports = $1;
}
fatal_error "Invalid IPv6 Address ($addr)" unless $addr =~ /^\[(.+)\]$/;
$addr = $1;
if ( $addr =~ /^(.+)-(.+)$/ ) {
fatal_error "Correct address range syntax is '[<addr1>-<addr2>]'" if $addr =~ /]-\[/;
validate_range( $1, $2 );
} else {
validate_address $addr, 0;
}
if ( supplied $ports ) {
validate_portpair1( $proto, $ports ); validate_portpair1( $proto, $ports );
$addrlist .= " --to-ports $ports";
$exceptionrule = do_proto( $proto, '', '' ); $exceptionrule = do_proto( $proto, '', '' );
$addr = "[$addr]:$ports";
} }
$addrlist .= " --to-source $addr";
} else { } else {
if ( $addr =~ /^(.+)-(.+)$/ ) { if ( $addr =~ /^\[/ ) {
validate_range( $1, $2 ); #
} else { # Can have ports specified
validate_address $addr, 0; #
} my $ports;
$addrlist .= " --to-source $addr"; if ( $addr =~ s/:([^]:]+)$// ) {
$ports = $1;
}
fatal_error "Invalid IPv6 Address ($addr)" unless $addr =~ /^\[(.+)\]$/;
$addr = $1;
if ( $addr =~ /^(.+)-(.+)$/ ) {
fatal_error "Correct address range syntax is '[<addr1>-<addr2>]'" if $addr =~ /]-\[/;
validate_range( $1, $2 );
} else {
validate_address $addr, 0;
}
if ( supplied $ports ) {
validate_portpair1( $proto, $ports );
$exceptionrule = do_proto( $proto, '', '' );
$addr = "[$addr]:$ports";
}
$addrlist .= " --to-source $addr";
} else {
if ( $addr =~ /^(.+)-(.+)$/ ) {
validate_range( $1, $2 );
} else {
validate_address $addr, 0;
}
$addrlist .= " --to-source $addr";
}
}
}
$target .= $addrlist;
}
} elsif ( $action eq 'MASQUERADE' ) {
if ( supplied $addresses ) {
validate_portpair1($proto, $addresses );
$target .= " --to-ports $addresses";
}
}
#
# And Generate the Rule(s)
#
if ( $actiontype & INLINE ) {
fatal_error( qq(Action $target may not be used in the snat file) ) unless $actiontype & NAT_TABLE;
process_snat_inline( $target,
$chainref,
$params,
$source,
supplied $destnets && $destnets ne '-' ? $inaction ? $destnets : join( ':', $interface, $destnets ) : $inaction ? '-' : $interface,
$proto,
$ports,
$ipsec,
$mark,
$user,
$condition,
$origdest,
$probability );
} else {
if ( $actiontype & ACTION ) {
fatal_error( qq(Action $target may not be used in the snat file) ) unless $actiontype & NAT_TABLE;
#
# Create the action:level:tag:param tuple. Since we don't allow logging out of nat POSTROUTING, we store
# the interface name in the log tag
#
my $normalized_target = normalize_action( $target, "none:$interface", $params );
fatal_error( "Action $target invoked Recursively (" . join( '->', map( external_name( $_ ), @actionstack , $normalized_target ) ) . ')' ) if $active{$target};
my $ref = use_action( 'nat', $normalized_target );
if ( $ref ) {
#
# First reference to this tuple - process_action may modify both $normalized_target and $ref!!!
#
process_action( $normalized_target, $ref, $chainref->{name} );
#
# Capture the name of the action chain
#
} else {
#
# We've seen this tuple before
#
$ref = $usedactions{$normalized_target};
}
$target = $ref->{name};
} else {
for my $option ( split_list2( $options , 'option' ) ) {
if ( $option eq 'random' ) {
$target .= ' --random';
require_capability( 'MASQUERADE_TGT', "$action rules", '') if $family == F_IPV6;
} elsif ( $option eq 'persistent' ) {
fatal_error( "':persistent' is not allowed in a MASQUERADE rule" ) if $action eq 'MASQUERADE';
require_capability 'PERSISTENT_SNAT', ':persistent', 's';
$target .= ' --persistent';
} else {
fatal_error "Invalid $action option ($option)";
} }
} }
} }
#
# If there is no source or destination then allow all addresses
#
$source = ALLIP if $source eq '-';
$destnets = ALLIP unless supplied $destnets && $destnets ne '-';
$target .= $addrlist; expand_rule( $chainref ,
} POSTROUTE_RESTRICT ,
} elsif ( $action eq 'MASQUERADE' ) { $prerule ,
if ( supplied $addresses ) { $baserule . $inlinematches . $rule ,
validate_portpair1($proto, $addresses ); $source ,
$target .= " --to-ports $addresses"; $destnets ,
} $origdest ,
} $target ,
'' ,
for my $option ( split_list2( $options , 'option' ) ) { '' ,
if ( $option eq 'random' ) { $exceptionrule ,
$target .= ' --random'; '' )
require_capability( 'MASQUERADE_TGT', "$action rules", '') if $family == F_IPV6; unless unreachable_warning( 0, $chainref );
} elsif ( $option eq 'persistent' ) {
fatal_error( "':persistent' is not allowed in a MASQUERADE rule" ) if $action eq 'MASQUERADE'; conditional_rule_end( $chainref ) if $detectaddress || $conditional;
require_capability 'PERSISTENT_SNAT', ':persistent', 's';
$target .= ' --persistent';
} else {
fatal_error "Invalid $action option ($option)";
} }
$addresses = $saveaddresses;
} }
#
# And Generate the Rule(s)
#
expand_rule( $chainref ,
POSTROUTE_RESTRICT ,
$prerule ,
$baserule . $inlinematches . $rule ,
$source ,
$destnets ,
$origdest ,
$target ,
'' ,
'' ,
$exceptionrule ,
'' )
unless unreachable_warning( 0, $chainref );
conditional_rule_end( $chainref ) if $detectaddress || $conditional;
progress_message " Snat record \"$currentline\" $done" progress_message " Snat record \"$currentline\" $done"
} }
sub process_one_snat( ) sub process_snat( )
{ {
my ($action, $source, $dest, $protos, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) = my ($action, $source, $dest, $protos, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) =
split_line2( 'snat file', split_line2( 'snat file',
@ -5468,7 +5706,7 @@ sub process_one_snat( )
fatal_error 'DEST must be specified' if $dest eq '-'; fatal_error 'DEST must be specified' if $dest eq '-';
for my $proto ( split_list $protos, 'Protocol' ) { for my $proto ( split_list $protos, 'Protocol' ) {
process_one_snat1( $action, $source, $dest, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ); process_snat1( undef, $action, $source, $dest, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability );
} }
} }
@ -5487,7 +5725,7 @@ sub setup_snat( $ ) # Convert masq->snat if true
process_one_masq(0) while read_a_line( NORMAL_READ ); process_one_masq(0) while read_a_line( NORMAL_READ );
} elsif ( $fn = open_file( 'snat', 1, 1 ) ) { } elsif ( $fn = open_file( 'snat', 1, 1 ) ) {
process_one_snat while read_a_line( NORMAL_READ ); process_snat while read_a_line( NORMAL_READ );
} }
} }