Allow IP ranges with ADD_SNAT_ALIASES=Yes; Fix add_ip_aliases to match proper subnet to add to

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@605 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2003-06-22 16:58:33 +00:00
parent d6262099c6
commit debf41d707
4 changed files with 104 additions and 24 deletions


@ -3,3 +3,11 @@ Changes since 1.4.5
1) Worked around RH7.3 "service" anomaly. 1) Worked around RH7.3 "service" anomaly.
2) Implemented 'newnotsyn' interface option. 2) Implemented 'newnotsyn' interface option.
3) Document range in masq ADDRESS column and suppress ADD_SNAT_ALIASES
behavior in that case.
4) Enable ADD_SNAT_ALIASES=Yes for SNAT ranges.
5) Allow Shorewall to add aliases to other than the first subnet on an
interface.


@ -2826,7 +2826,70 @@ get_routed_subnets() # $1 = interface name
fi fi
done done
} }
#
# Convert an IP address to an integer
#
decodeaddr() {
local x
local temp=0
ifs=$IFS
IFS=.
for x in $1; do
temp=$(( $temp * 256 + $x ))
done
echo $temp
IFS=$ifs
}
#
# convert an integer to an IP address
#
encodeaddr() {
addr=$1
local x
local y=$(($addr % 256))
for (( x=3 ; $x ; x-- )); do
addr=$(($addr >> 8))
y=$(($addr % 256)).$y
done
echo $y
}
#
# Enumerate the members of an IP range
#
ip_range() {
first=`decodeaddr ${1%-*}`
last=`decodeaddr ${1#*-}`
if [ $first -gt $last -o $(($last - $first)) -gt 256 ]; then
fatal_error "Invalid IP address range: $1"
fi
while [ $first -le $last ]; do
echo `encodeaddr $first`
first=$(($first + 1))
done
}
#
# Netmask from VLSM
#
ip_netmask() {
echo $(( $(( 0xffffffff << $((32 - $1)) )) & 0xffffffff ))
}
#
# Test for subnet membership
#
in_subnet() # $1 = IP address, $2 = CIDR network
{
local netmask=`ip_netmask ${2#*/}`
test $(( `decodeaddr $1` & $netmask)) -eq $(( `decodeaddr ${2%/*}` & $netmask ))
}
# #
# Set up Source NAT (including masquerading) # Set up Source NAT (including masquerading)
# #
@ -2899,8 +2962,10 @@ setup_masq()
esac esac
if [ -n "$address" -a -n "$ADD_SNAT_ALIASES" ]; then if [ -n "$address" -a -n "$ADD_SNAT_ALIASES" ]; then
list_search $address $aliases_to_add || \ for addr in `ip_range $address` ; do
aliases_to_add="$aliases_to_add $address $fullinterface" list_search $addr $aliases_to_add || \
aliases_to_add="$aliases_to_add $addr $fullinterface"
done
fi fi
destination=$destnet destination=$destnet
@ -3133,9 +3198,7 @@ verify_os_version() {
# #
add_ip_aliases() add_ip_aliases()
{ {
local external local external interface inet cidr brd bcast rest
local interface
local primary
do_one() do_one()
{ {
@ -3148,19 +3211,18 @@ add_ip_aliases()
# #
# Get all of the lines that contain inet addresses with broadcast # Get all of the lines that contain inet addresses with broadcast
# #
val=`ip addr show $interface | grep 'inet.*brd '` 2> /dev/null val=
if [ -n "$val" ] ; then ip addr show $interface 2> /dev/null | grep 'inet.*brd ' | while read inet cidr brd bcast rest ; do
# if in_subnet $external $cidr; then
# Hack off the leading 'inet <ip addr>' (actually cut off the if [ $external = ${cidr%/*} ]; then
# "/" as well but add it back in). return
# fi
val="/${val#*/}"
# val="/${cidr#*/} brd $bcast"
# Now get the VLSM, "brd" and the broadcast address break
# fi
val=${val%% scope*} done
fi
run_ip addr add ${external}${val} dev $interface $label run_ip addr add ${external}${val} dev $interface $label
echo "$external $interface" >> ${STATEDIR}/nat echo "$external $interface" >> ${STATEDIR}/nat
@ -3181,9 +3243,8 @@ add_ip_aliases()
label="label $interface:$label" label="label $interface:$label"
fi fi
primary=`find_interface_address $interface`
shift;shift shift;shift
[ "x${primary}" = "x${external}" ] || do_one do_one
done done
} }
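Review bot: In do_one, the new `ip addr show … | grep 'inet.*brd ' | while read inet cidr brd bcast rest` loop is the last stage of a pipeline, so under bash (and most /bin/sh implementations) it runs in a subshell: the `val="/${cidr#*/} brd $bcast"` assignment is lost before `run_ip addr add ${external}${val}` (val stays empty, so the alias is added with no prefix length or broadcast), and the `return` only leaves the subshell, so an address that is already on the interface is still passed to `run_ip addr add` instead of being skipped. Feeding the loop from a here-document (or any redirection) instead of a pipe keeps it in do_one's shell; an empty-line guard is then needed because a here-document built from empty grep output still yields one empty line, which would hand an empty CIDR to in_subnet. do_one begins in the previous hunk and add_ip_aliases continues past it. A smaller point in the first hunk of this file: `ip_range` rejects a range only when `$(($last - $first)) -gt 256`, which admits 257 addresses although the masq documentation added in this commit promises at most 256; `-gt 255` matches the documented limit.
```shell
val=
while read inet cidr brd bcast rest ; do
    [ -n "$cidr" ] || continue
    if in_subnet $external $cidr; then
        if [ $external = ${cidr%/*} ]; then
            return
        fi
        val="/${cidr#*/} brd $bcast"
        break
    fi
done <<EOF
`ip addr show $interface 2> /dev/null | grep 'inet.*brd '`
EOF
run_ip addr add ${external}${val} dev $interface $label
```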


@ -42,12 +42,15 @@
# will automatically add this address to the # will automatically add this address to the
# INTERFACE named in the first column. # INTERFACE named in the first column.
# #
# WARNING: Do NOT specify ADD_SNAT_ALIASES=Yes if # You may also specify a range of up to 256
# the address given in this column is the primary # IP addresses if you want the SNAT address to
# IP address for the interface in the INTERFACE # be assigned from that range in a round-robin
# column. # range by connection. The range is specified by
# <first ip in range>-<last ip in range>.
# #
# This column may not contain a DNS Name. # Example: 206.124.146.177-206.124.146.180
#
# This column may not contain DNS Names.
# #
# Example 1: # Example 1:
# #


@ -11,3 +11,11 @@ New Features:
1) A 'newnotsyn' interface option has been added. This option may be 1) A 'newnotsyn' interface option has been added. This option may be
specified in /etc/shorewall/interfaces and overrides the setting specified in /etc/shorewall/interfaces and overrides the setting
NEWNOTSYN=No for packets arriving on the associated interface. NEWNOTSYN=No for packets arriving on the associated interface.
2) The means for specifying a range of IP addresses in
/etc/shorewall/masq to use for SNAT is now
documented. ADD_SNAT_ALIASES=Yes is enabled for address ranges.
3) Shorewall can now add IP addresses to subnets on an interface other
than the first one.