forked from extern/shorewall_code
Allow IP ranges with ADD_SNAT_ALIASES=Yes; Fix add_ip_aliases to match proper subnet to add to
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@605 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
d6262099c6
commit
debf41d707
@ -3,3 +3,11 @@ Changes since 1.4.5
|
||||
1) Worked around RH7.3 "service" anomaly.
|
||||
|
||||
2) Implemented 'newnotsyn' interface option.
|
||||
|
||||
3) Document range in masq ADDRESS column and suppress ADD_SNAT_ALIASES
|
||||
behavior in that case.
|
||||
|
||||
4) Enable ADD_SNAT_ALIASES=Yes for SNAT ranges.
|
||||
|
||||
5) Allow Shorewall to add aliases to other than the first subnet on an
|
||||
interface.
|
||||
|
@ -2826,7 +2826,70 @@ get_routed_subnets() # $1 = interface name
|
||||
fi
|
||||
done
|
||||
}
|
||||
#
|
||||
# Convert an IP address to an integer
|
||||
#
|
||||
decodeaddr() {
|
||||
local x
|
||||
local temp=0
|
||||
|
||||
ifs=$IFS
|
||||
IFS=.
|
||||
|
||||
for x in $1; do
|
||||
temp=$(( $temp * 256 + $x ))
|
||||
done
|
||||
|
||||
echo $temp
|
||||
|
||||
IFS=$ifs
|
||||
}
|
||||
#
|
||||
# convert an integer to an IP address
|
||||
#
|
||||
encodeaddr() {
|
||||
addr=$1
|
||||
local x
|
||||
local y=$(($addr % 256))
|
||||
|
||||
for (( x=3 ; $x ; x-- )); do
|
||||
addr=$(($addr >> 8))
|
||||
y=$(($addr % 256)).$y
|
||||
done
|
||||
|
||||
echo $y
|
||||
}
|
||||
#
|
||||
# Enumerate the members of an IP range
|
||||
#
|
||||
ip_range() {
|
||||
first=`decodeaddr ${1%-*}`
|
||||
last=`decodeaddr ${1#*-}`
|
||||
|
||||
if [ $first -gt $last -o $(($last - $first)) -gt 256 ]; then
|
||||
fatal_error "Invalid IP address range: $1"
|
||||
fi
|
||||
|
||||
while [ $first -le $last ]; do
|
||||
echo `encodeaddr $first`
|
||||
first=$(($first + 1))
|
||||
done
|
||||
}
|
||||
#
|
||||
# Netmask from VLSM
|
||||
#
|
||||
ip_netmask() {
|
||||
echo $(( $(( 0xffffffff << $((32 - $1)) )) & 0xffffffff ))
|
||||
}
|
||||
#
|
||||
# Test for subnet membership
|
||||
#
|
||||
in_subnet() # $1 = IP address, $2 = CIDR network
|
||||
{
|
||||
local netmask=`ip_netmask ${2#*/}`
|
||||
|
||||
test $(( `decodeaddr $1` & $netmask)) -eq $(( `decodeaddr ${2%/*}` & $netmask ))
|
||||
}
|
||||
#
|
||||
# Set up Source NAT (including masquerading)
|
||||
#
|
||||
@ -2899,8 +2962,10 @@ setup_masq()
|
||||
esac
|
||||
|
||||
if [ -n "$address" -a -n "$ADD_SNAT_ALIASES" ]; then
|
||||
list_search $address $aliases_to_add || \
|
||||
aliases_to_add="$aliases_to_add $address $fullinterface"
|
||||
for addr in `ip_range $address` ; do
|
||||
list_search $addr $aliases_to_add || \
|
||||
aliases_to_add="$aliases_to_add $addr $fullinterface"
|
||||
done
|
||||
fi
|
||||
|
||||
destination=$destnet
|
||||
@ -3133,9 +3198,7 @@ verify_os_version() {
|
||||
#
|
||||
add_ip_aliases()
|
||||
{
|
||||
local external
|
||||
local interface
|
||||
local primary
|
||||
local external interface inet cidr brd bcast rest
|
||||
|
||||
do_one()
|
||||
{
|
||||
@ -3148,19 +3211,18 @@ add_ip_aliases()
|
||||
#
|
||||
# Get all of the lines that contain inet addresses with broadcast
|
||||
#
|
||||
val=`ip addr show $interface | grep 'inet.*brd '` 2> /dev/null
|
||||
val=
|
||||
|
||||
if [ -n "$val" ] ; then
|
||||
#
|
||||
# Hack off the leading 'inet <ip addr>' (actually cut off the
|
||||
# "/" as well but add it back in).
|
||||
#
|
||||
val="/${val#*/}"
|
||||
#
|
||||
# Now get the VLSM, "brd" and the broadcast address
|
||||
#
|
||||
val=${val%% scope*}
|
||||
fi
|
||||
ip addr show $interface 2> /dev/null | grep 'inet.*brd ' | while read inet cidr brd bcast rest ; do
|
||||
if in_subnet $external $cidr; then
|
||||
if [ $external = ${cidr%/*} ]; then
|
||||
return
|
||||
fi
|
||||
|
||||
val="/${cidr#*/} brd $bcast"
|
||||
break
|
||||
fi
|
||||
done
|
||||
|
||||
run_ip addr add ${external}${val} dev $interface $label
|
||||
echo "$external $interface" >> ${STATEDIR}/nat
|
||||
@ -3181,9 +3243,8 @@ add_ip_aliases()
|
||||
label="label $interface:$label"
|
||||
fi
|
||||
|
||||
primary=`find_interface_address $interface`
|
||||
shift;shift
|
||||
[ "x${primary}" = "x${external}" ] || do_one
|
||||
do_one
|
||||
done
|
||||
}
|
||||
|
||||
|
@ -42,12 +42,15 @@
|
||||
# will automatically add this address to the
|
||||
# INTERFACE named in the first column.
|
||||
#
|
||||
# WARNING: Do NOT specify ADD_SNAT_ALIASES=Yes if
|
||||
# the address given in this column is the primary
|
||||
# IP address for the interface in the INTERFACE
|
||||
# column.
|
||||
# You may also specify a range of up to 256
|
||||
# IP addresses if you want the SNAT address to
|
||||
# be assigned from that range in a round-robin
|
||||
# range by connection. The range is specified by
|
||||
# <first ip in range>-<last ip in range>.
|
||||
#
|
||||
# This column may not contain a DNS Name.
|
||||
# Example: 206.124.146.177-206.124.146.180
|
||||
#
|
||||
# This column may not contain DNS Names.
|
||||
#
|
||||
# Example 1:
|
||||
#
|
||||
|
@ -11,3 +11,11 @@ New Features:
|
||||
1) A 'newnotsyn' interface option has been added. This option may be
|
||||
specified in /etc/shorewall/interfaces and overrides the setting
|
||||
NEWNOTSYN=No for packets arriving on the associated interface.
|
||||
|
||||
2) The means for specifying a range of IP addresses in
|
||||
/etc/shorewall/masq to use for SNAT is now
|
||||
documented. ADD_SNAT_ALIASES=Yes is enabled for address ranges.
|
||||
|
||||
3) Shorewall can now add IP addresses to subnets on an interface other
|
||||
than the first one.
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user