From df1b1f67688ec9c88ca441703cdd74b0562ea538 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Fri, 1 Apr 2016 08:57:08 -0700 Subject: [PATCH] Add MINIUPNPD option Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Chains.pm | 18 ++++++++++++++++++ Shorewall/Perl/Shorewall/Config.pm | 6 ++++-- Shorewall/Perl/Shorewall/Misc.pm | 10 +++++++++- Shorewall/Samples/Universal/shorewall.conf | 2 ++ Shorewall/Samples/one-interface/shorewall.conf | 2 ++ .../Samples/three-interfaces/shorewall.conf | 2 ++ .../Samples/two-interfaces/shorewall.conf | 2 ++ Shorewall/configfiles/shorewall.conf | 2 ++ Shorewall/manpages/shorewall.conf.xml | 12 ++++++++++++ 9 files changed, 53 insertions(+), 3 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm index eda408e00..c5beb2d44 100644 --- a/Shorewall/Perl/Shorewall/Chains.pm +++ b/Shorewall/Perl/Shorewall/Chains.pm @@ -8172,6 +8172,15 @@ else rm -f \${VARDIR}/.dynamic fi EOF + if ( $config{MINIUPNPD} ) { + emit << "EOF"; +if chain_exists 'MINIUPNPD-POSTROUTING -t nat'; then + $tool -t nat -S MINIUPNPD-POSTROUTING | tail -n +2 > \${VARDIR}/.MINIUPNPD-POSTROUTING +else + rm -f \${VARDIR}/.MINIUPNPD-POSTROUTING +fi +EOF + } } else { emit <<"EOF"; if chain_exists 'UPnP -t nat'; then @@ -8192,6 +8201,15 @@ else rm -f \${VARDIR}/.dynamic fi EOF + if ( $config{MINIUPNPD} ) { + emit << "EOF"; +if chain_exists 'MINIUPNPD-POSTROUTING -t nat'; then + $utility -t nat | grep '^-A MINIUPNPD-POSTROUTING' > \${VARDIR}/.MINIUPNPD-POSTROUTING +else + rm -f \${VARDIR}/.MINIUPNPD-POSTROUTING +fi +EOF + } } pop_indent; diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm index aa1d77c50..8a04a1196 100644 --- a/Shorewall/Perl/Shorewall/Config.pm +++ b/Shorewall/Perl/Shorewall/Config.pm @@ -885,6 +885,7 @@ sub initialize( $;$$) { RESTART => undef , DOCKER => undef , PAGER => undef , + MINIUPNPD => undef , # # Packet Disposition # 
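Review bot: In the second Chains.pm hunk, the `$utility -t nat | grep '^-A MINIUPNPD-POSTROUTING'` filter is an unanchored prefix match, so the rules of any other nat chain whose name begins with that string would be swept into the save file as well, whereas the `$tool -t nat -S MINIUPNPD-POSTROUTING` form in the first hunk lists exactly that chain. Whatever lands in `\${VARDIR}/.MINIUPNPD-POSTROUTING` is later replayed verbatim into the nat table by the `cat ... >&3` command added in Misc.pm, so the fallback filter should be as tight as the `-S` path: `grep '^-A MINIUPNPD-POSTROUTING '` (trailing space). Both hunks also write the heredoc as `emit << "EOF";` while the adjacent code uses `emit <<"EOF";`. The enclosing function begins and ends outside both hunks.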
@@ -5942,7 +5943,7 @@ sub get_configuration( $$$$ ) { default_yes_no 'INLINE_MATCHES' , ''; default_yes_no 'BASIC_FILTERS' , ''; default_yes_no 'WORKAROUNDS' , 'Yes'; - default_yes_no 'DOCKER' , ''; + default_yes_no 'DOCKER' , ''; if ( $config{DOCKER} ) { fatal_error "DOCKER=Yes is not allowed in Shorewall6" if $family == F_IPV6; @@ -6002,8 +6003,9 @@ sub get_configuration( $$$$ ) { default_yes_no 'IGNOREUNKNOWNVARIABLES' , 'Yes'; default_yes_no 'WARNOLDCAPVERSION' , 'Yes'; default_yes_no 'DEFER_DNS_RESOLUTION' , 'Yes'; + default_yes_no 'MINIUPNPD' , 'No'; - $config{IPSET} = '' if supplied $config{IPSET} && $config{IPSET} eq 'ipset'; + $config{IPSET} = '' if supplied $config{IPSET} && $config{IPSET} eq 'ipset'; require_capability 'MARK' , 'FORWARD_CLEAR_MARK=Yes', 's', if $config{FORWARD_CLEAR_MARK}; diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm index 561ff029d..d0c49bb84 100644 --- a/Shorewall/Perl/Shorewall/Misc.pm +++ b/Shorewall/Perl/Shorewall/Misc.pm @@ -1095,10 +1095,18 @@ sub add_common_rules ( $ ) { add_commands( $chainref, '[ -s /${VARDIR}/.UPnP ] && cat ${VARDIR}/.UPnP >&3' ); + my $chainref1; + + if ( $config{MINIUPNPD} ) { + $chainref1 = set_optflags( new_nat_chain( 'MINIUPNPD-POSTROUTING' ), DONT_OPTIMIZE ); + add_commands( $chainref, '[ -s /${VARDIR}/.MINIUPNPD-POSTROUTING ] && cat ${VARDIR}/.MINIUPNPD-POSTROUTING >&3' ); + } + $announced = 1; for $interface ( @$list ) { - add_ijump_extended $nat_table->{PREROUTING} , j => 'UPnP', get_interface_origin($interface), imatch_source_dev ( $interface ); + add_ijump_extended $nat_table->{PREROUTING} , j => 'UPnP', get_interface_origin($interface), imatch_source_dev ( $interface ); + add_ijump_extended $nat_table->{POSTROUTING} , j => 'MINIUPNPD-POSTROUTING' , $origin{MINIUPNPD} , imatch_dest_dev ( $interface ) if $chainref1; } } diff --git a/Shorewall/Samples/Universal/shorewall.conf b/Shorewall/Samples/Universal/shorewall.conf index 65daa3403..480d34aad 100644 
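Review bot: `default_yes_no 'MINIUPNPD' , 'No';` in the second Config.pm hunk passes the literal string 'No' as the fallback, while every other false default visible in these hunks (INLINE_MATCHES, BASIC_FILTERS, DOCKER) is passed as ''. If default_yes_no stores an unsupplied option's default as given — which the '' convention suggests — then $config{MINIUPNPD} becomes the true Perl string 'No' on any shorewall.conf that predates this option, and the `if ( $config{MINIUPNPD} )` tests added in Chains.pm and Misc.pm would enable the feature by default instead of disabling it. `default_yes_no 'MINIUPNPD' , '';` follows the established pattern; only the shipped sample files, which set MINIUPNPD=No explicitly, are unaffected either way. get_configuration begins and ends outside the hunk.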
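Review bot: The `add_commands( $chainref, '[ -s /${VARDIR}/.MINIUPNPD-POSTROUTING ] ...' )` line in the Misc.pm hunk attaches the restore of the saved MINIUPNPD-POSTROUTING rules to `$chainref` (the UPnP chain) rather than to the `$chainref1` created on the line above it. The replayed `-A MINIUPNPD-POSTROUTING` lines name their own chain, so this likely only affects where in the restore stream they are emitted, but `add_commands( $chainref1, ... )` would keep each chain's saved rules with the chain they belong to, as the UPnP line above does. The new line also repeats the `/${VARDIR}` double slash from the UPnP line, and the new jump uses `$origin{MINIUPNPD}`, which presumes `%origin` receives a MINIUPNPD entry when the option is processed — worth confirming, since the UPnP jump uses `get_interface_origin($interface)` instead. add_common_rules begins and ends outside the hunk.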
--- a/Shorewall/Samples/Universal/shorewall.conf +++ b/Shorewall/Samples/Universal/shorewall.conf @@ -192,6 +192,8 @@ MANGLE_ENABLED=Yes MAPOLDACTIONS=No +MINIUPNPD=No + MARK_IN_FORWARD_CHAIN=No MODULE_SUFFIX="ko ko.xz" diff --git a/Shorewall/Samples/one-interface/shorewall.conf b/Shorewall/Samples/one-interface/shorewall.conf index 4679850b3..80adddcb0 100644 --- a/Shorewall/Samples/one-interface/shorewall.conf +++ b/Shorewall/Samples/one-interface/shorewall.conf @@ -203,6 +203,8 @@ MANGLE_ENABLED=Yes MAPOLDACTIONS=No +MINIUPNPD=No + MARK_IN_FORWARD_CHAIN=No MODULE_SUFFIX="ko ko.xz" diff --git a/Shorewall/Samples/three-interfaces/shorewall.conf b/Shorewall/Samples/three-interfaces/shorewall.conf index 33ca292ef..b93db14dd 100644 --- a/Shorewall/Samples/three-interfaces/shorewall.conf +++ b/Shorewall/Samples/three-interfaces/shorewall.conf @@ -200,6 +200,8 @@ MANGLE_ENABLED=Yes MAPOLDACTIONS=No +MINIUPNPD=No + MARK_IN_FORWARD_CHAIN=No MODULE_SUFFIX="ko ko.xz" diff --git a/Shorewall/Samples/two-interfaces/shorewall.conf b/Shorewall/Samples/two-interfaces/shorewall.conf index 62029df12..a47422844 100644 --- a/Shorewall/Samples/two-interfaces/shorewall.conf +++ b/Shorewall/Samples/two-interfaces/shorewall.conf @@ -203,6 +203,8 @@ MANGLE_ENABLED=Yes MAPOLDACTIONS=No +MINIUPNPD=No + MARK_IN_FORWARD_CHAIN=No MODULE_SUFFIX="ko ko.xz" diff --git a/Shorewall/configfiles/shorewall.conf b/Shorewall/configfiles/shorewall.conf index d11743ef2..0c969eb45 100644 --- a/Shorewall/configfiles/shorewall.conf +++ b/Shorewall/configfiles/shorewall.conf @@ -194,6 +194,8 @@ MAPOLDACTIONS=No MARK_IN_FORWARD_CHAIN=No +MINIUPNPD=No + MODULE_SUFFIX=ko MULTICAST=No diff --git a/Shorewall/manpages/shorewall.conf.xml b/Shorewall/manpages/shorewall.conf.xml index e789478d9..3621f6b40 100644 --- a/Shorewall/manpages/shorewall.conf.xml +++ b/Shorewall/manpages/shorewall.conf.xml 
@@ -1548,6 +1548,18 @@ LOG:info:,bar net fw + + MINIUPNPD=[Yes|No] + + + Added in Shorewall 5.0.8. If set to Yes, Shorewall will create + a chain in the nat table named MINIUPNPD-POSTROUTING and will add + jumps from POSTROUTING to that chain for each interface with the + option specified. Default is No. + + + MARK_IN_FORWARD_CHAIN=[