holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

Allow loose match for interfaces names in masq, nat and netmap

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8079 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2008-01-19 23:36:27 +00:00
parent 44f8dc96cc
commit e2e827cdbc
9 changed files with 110 additions and 28 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
Shorewall-common/changelog.txt
View File

@ -12,6 +12,8 @@ Changes in 4.1.4
5) Allow interface lists in the masq and nat files. 5) Allow interface lists in the masq and nat files.
6) Allow loose match of interface names used in masq, nat and netmap.
Changes in 4.1.3 Changes in 4.1.3
1) Fix NFLOG/ULOG upcasing problem. 1) Fix NFLOG/ULOG upcasing problem.

16
Shorewall-common/releasenotes.txt
View File

@ -138,6 +138,22 @@ Other changes in Shorewall 4.1.4.
206.124.146.178 eth0 192.168.1.3 206.124.146.178 eth0 192.168.1.3
206.124.146.178 wlan0 192.168.1.3 206.124.146.178 wlan0 192.168.1.3
4) Previously, the INTERFACE name used in the masq, nat and netmap
files had to exactly match the name of an interface from the
interfaces file. Beginning with Shorewall-perl 4.1.4, the
interface may loosely match a wildcard entry in the interfaces
file.
Example:
/etc/shorewall/interfaces:
vpn tun+
/etc/shorewall/masq:
tun1 192.168.4.0/24
Migration Issues. Migration Issues.
1) Previously, when HIGH_ROUTE_MARKS=Yes, Shorewall allowed non-zero 1) Previously, when HIGH_ROUTE_MARKS=Yes, Shorewall allowed non-zero

55
Shorewall-perl/Shorewall/Nat.pm
View File

@ -196,7 +196,12 @@ sub setup_one_masq($$$$$$$)
$rule .= "-m realm --realm $realm "; $rule .= "-m realm --realm $realm ";
} }
fatal_error "Unknown interface ($interface)" unless find_interface( $interface )->{root}; fatal_error "Unknown interface ($interface)" unless my $interfaceref = known_interface( $interface );
unless ( $interfaceref->{root} ) {
$rule .= "-o $interface ";
$interface = $interfaceref->{name};
}
my $chainref = ensure_chain('nat', $pre_nat ? snat_chain $interface : masq_chain $interface); my $chainref = ensure_chain('nat', $pre_nat ? snat_chain $interface : masq_chain $interface);
@ -368,6 +373,16 @@ sub do_one_nat( $$$$$ )
my $policyin = ''; my $policyin = '';
my $policyout = ''; my $policyout = '';
my $rulein = '';
my $ruleout = '';
fatal_error "Unknown interface ($interface)" unless my $interfaceref = known_interface( $interface );
unless ( $interfaceref->{root} ) {
$rulein = "-i $interface ";
$ruleout = "-o $interface ";
$interface = $interfaceref->{name};
}
if ( $capabilities{POLICY_MATCH} ) { if ( $capabilities{POLICY_MATCH} ) {
$policyin = ' -m policy --pol none --dir in'; $policyin = ' -m policy --pol none --dir in';
@ -391,8 +406,8 @@ sub do_one_nat( $$$$$ )
add_nat_rule 'nat_in' , "-d $external $policyin -j DNAT --to-destination $internal"; add_nat_rule 'nat_in' , "-d $external $policyin -j DNAT --to-destination $internal";
add_nat_rule 'nat_out' , "-s $internal $policyout -j SNAT --to-source $external"; add_nat_rule 'nat_out' , "-s $internal $policyout -j SNAT --to-source $external";
} else { } else {
add_nat_rule input_chain( $interface ) , "-d $external $policyin -j DNAT --to-destination $internal"; add_nat_rule input_chain( $interface ) , $rulein . "-d $external $policyin -j DNAT --to-destination $internal";
add_nat_rule output_chain( $interface ) , "-s $internal $policyout -j SNAT --to-source $external"; add_nat_rule output_chain( $interface ) , $ruleout . "-s $internal $policyout -j SNAT --to-source $external";
} }
add_nat_rule 'OUTPUT' , "-d $external $policyout -j DNAT --to-destination $internal " if $localnat; add_nat_rule 'OUTPUT' , "-d $external $policyout -j DNAT --to-destination $internal " if $localnat;
@ -449,20 +464,32 @@ sub setup_netmap() {
while ( read_a_line ) { while ( read_a_line ) {
my ( $type, $net1, $interface, $net2 ) = split_line 4, 4, 'netmap file'; my ( $type, $net1, $interfacelist, $net2 ) = split_line 4, 4, 'netmap file';
fatal_error "Unknown Interface ($interface)" unless known_interface $interface; for my $interface ( split /,/, $interfacelist ) {
my $rulein = '';
my $ruleout = '';
my $iface = $interface;
fatal_error "Unknown interface ($interface)" unless my $interfaceref = find_interface( $interface );
unless ( $interfaceref->{root} ) {
$rulein = "-i $interface ";
$ruleout = "-o $interface ";
$interface = $interfaceref->{name};
}
if ( $type eq 'DNAT' ) { if ( $type eq 'DNAT' ) {
add_rule ensure_chain( 'nat' , input_chain $interface ) , "-d $net1 -j NETMAP --to $net2"; add_rule ensure_chain( 'nat' , input_chain $interface ) , $rulein . "-d $net1 -j NETMAP --to $net2";
} elsif ( $type eq 'SNAT' ) { } elsif ( $type eq 'SNAT' ) {
add_rule ensure_chain( 'nat' , output_chain $interface ) , "-s $net1 -j NETMAP --to $net2"; add_rule ensure_chain( 'nat' , output_chain $interface ) , $ruleout . "-s $net1 -j NETMAP --to $net2";
} else { } else {
fatal_error "Invalid type ($type)"; fatal_error "Invalid type ($type)";
}
progress_message " Network $net1 on $iface mapped to $net2 ($type)";
} }
progress_message " Network $net1 on $interface mapped to $net2 ($type)";
} }
} }

17
Shorewall-perl/Shorewall/Zones.pm
View File

@ -121,7 +121,8 @@ our %reservedName = ( all => 1,
# #
# @interfaces lists the interface names in the order that they appear in the interfaces file. # @interfaces lists the interface names in the order that they appear in the interfaces file.
# #
# %interfaces { <interface1> => { root => <name without trailing '+'> # %interfaces { <interface1> => { name => <name of interface>
# root => <name without trailing '+'>
# options => { <option1> = <val1> , # options => { <option1> = <val1> ,
# ... # ...
# } # }
@ -643,6 +644,8 @@ sub validate_interfaces_file( $ )
$interfaces{$interface}{bridge} = $interface; $interfaces{$interface}{bridge} = $interface;
} }
$interfaces{$interface}{name} = $interface;
my $wildcard = 0; my $wildcard = 0;
if ( $interface =~ /\+$/ ) { if ( $interface =~ /\+$/ ) {
@ -772,19 +775,19 @@ sub validate_interfaces_file( $ )
sub known_interface($) sub known_interface($)
{ {
my $interface = $_[0]; my $interface = $_[0];
my $interfaceref = $interfaces{$interface};
return 1 if $interfaces{$interface};
return $interfaceref if $interfaceref;
for my $i ( @interfaces ) { for my $i ( @interfaces ) {
my $interfaceref = $interfaces{$i}; $interfaceref = $interfaces{$i};
my $val = $interfaceref->{root}; my $val = $interfaceref->{root};
next if $val eq $i; next if $val eq $i;
if ( substr( $interface, 0, length $val ) eq $val ) { if ( substr( $interface, 0, length $val ) eq $val ) {
# #
# Cache this result for future reference # Cache this result for future reference. We set the 'name' to the name of the entry that appears in /etc/shorewall/interfaces.
# #
$interfaces{$interface} = { options => $interfaceref->{options}, bridge => $interfaceref->{bridge} }; return $interfaces{$interface} = { options => $interfaceref->{options}, bridge => $interfaceref->{bridge} , name => $i };
return 1;
} }
} }

6
Shorewall-shell/lib.nat
View File

@ -227,7 +227,7 @@ setup_masq()
build_exclusion_chain newchain nat "$nomasq" "$destnets" build_exclusion_chain newchain nat "$nomasq" "$destnets"
if [ -n "$networks" ]; then if [ -n "$networks" ]; then
for s in $networks; do for s in $(separate_list networks); do
addnatrule $chain $(source_ip_range $s) $proto $ports $mark $policy -j $newchain addnatrule $chain $(source_ip_range $s) $proto $ports $mark $policy -j $newchain
done done
networks= networks=
@ -261,7 +261,7 @@ __EOF__
build_exclusion_chain newchain nat $nomasq build_exclusion_chain newchain nat $nomasq
if [ -n "$networks" ]; then if [ -n "$networks" ]; then
for s in $networks; do for s in $(separate_list $networks); do
for destnet in $(separate_list $destnets); do for destnet in $(separate_list $destnets); do
addnatrule $chain $(both_ip_ranges $s $destnet) $proto $ports $mark $policy -j $newchain addnatrule $chain $(both_ip_ranges $s $destnet) $proto $ports $mark $policy -j $newchain
done done
@ -388,7 +388,7 @@ __EOF__
fi fi
if [ -n "$networks" ]; then if [ -n "$networks" ]; then
for network in $networks; do for network in $(separate_list $networks); do
for destnet in $(separate_list $destnets); do for destnet in $(separate_list $destnets); do
addnatrule $chain $(both_ip_ranges $network $destnet) $proto $ports $mark $policy -j $target $addrlist addnatrule $chain $(both_ip_ranges $network $destnet) $proto $ports $mark $policy -j $target $addrlist
done done

12
manpages/shorewall-masq.xml
View File

@ -59,6 +59,18 @@
the only use for the alias name; it may not appear in any other the only use for the alias name; it may not appear in any other
place in your Shorewall configuratio</emphasis>n.</para> place in your Shorewall configuratio</emphasis>n.</para>
<para>Each interface must match an entry in <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
Prior to Shorewall 4.1.4, this must be an exact match.
Shorewall-perl 4.1.4 and later allow loose matches to wildcard
entries in <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5). For
example, <filename class="devicefile">ppp0</filename> in this file
will match a <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
entry that defines <filename
class="devicefile">ppp+</filename>.</para>
<para>The interface may be qualified by adding the character ":" <para>The interface may be qualified by adding the character ":"
followed by a comma-separated list of destination host or subnet followed by a comma-separated list of destination host or subnet
addresses to indicate that you only want to change the source IP addresses to indicate that you only want to change the source IP

12
manpages/shorewall-nat.xml
View File

@ -73,6 +73,18 @@
cannot use it anwhere else in your Shorewall configuration. cannot use it anwhere else in your Shorewall configuration.
</emphasis></para> </emphasis></para>
<para>Each interface must match an entry in <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
Prior to Shorewall 4.1.4, this must be an exact match.
Shorewall-perl 4.1.4 and later allow loose matches to wildcard
entries in <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5). For
example, <filename class="devicefile">ppp0</filename> in this file
will match a <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
entry that defines <filename
class="devicefile">ppp+</filename>.</para>
<para>Prior to Shorewall 4.1.4, <para>Prior to Shorewall 4.1.4,
<replaceable>interfacelist</replaceable> must be a single interface <replaceable>interfacelist</replaceable> must be a single interface
name. Beginning with Shorewall-perl 4.1.4, Shorewall-perl users may name. Beginning with Shorewall-perl 4.1.4, Shorewall-perl users may

11
manpages/shorewall-netmap.xml
View File

@ -66,7 +66,16 @@
<listitem> <listitem>
<para>The name of a network interface. The interface must be defined <para>The name of a network interface. The interface must be defined
in <ulink in <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5).</para> url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
Prior to Shorewall 4.1.4, this must be an exact match.
Shorewall-perl 4.1.4 and later allow loose matches to wildcard
entries in <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5). For
example, <filename class="devicefile">ppp0</filename> in this file
will match a <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(8)
entry that defines <filename
class="devicefile">ppp+</filename>.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>

7
manpages/shorewall-rules.xml
View File

@ -684,9 +684,10 @@
<para>1. MAC addresses are not allowed (this is a Netfilter <para>1. MAC addresses are not allowed (this is a Netfilter
restriction).</para> restriction).</para>
<para>2. In <emphasis role="bold">DNAT</emphasis> rules, only IP <para>2.Prior to Shorewall 4.1.4, only IP addresses are allowed in
addresses are allowed; no FQDNs or subnet addresses are <emphasis role="bold">DNAT</emphasis> rules; no DNS names are
permitted.</para> permitted. In no case may a network be specified as the
server.</para>
<para>3. You may not specify both an interface and an <para>3. You may not specify both an interface and an
address.</para> address.</para>