Allow loose match for interfaces names in masq, nat and netmap
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8079 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
44f8dc96cc
commit
e2e827cdbc
@ -12,6 +12,8 @@ Changes in 4.1.4
5) Allow interface lists in the masq and nat files.
6) Allow loose match of interface names used in masq, nat and netmap.
Changes in 4.1.3
1) Fix NFLOG/ULOG upcasing problem.
@ -138,6 +138,22 @@ Other changes in Shorewall 4.1.4.
206.124.146.178 eth0 192.168.1.3
206.124.146.178 wlan0 192.168.1.3
4) Previously, the INTERFACE name used in the masq, nat and netmap
files had to exactly match the name of an interface from the
interfaces file. Beginning with Shorewall-perl 4.1.4, the
interface may loosely match a wildcard entry in the interfaces
file.
Example:
/etc/shorewall/interfaces:
vpn tun+
/etc/shorewall/masq:
tun1 192.168.4.0/24
Migration Issues.
1) Previously, when HIGH_ROUTE_MARKS=Yes, Shorewall allowed non-zero
@ -196,7 +196,12 @@ sub setup_one_masq($$$$$$$)
$rule .= "-m realm --realm $realm ";
}
fatal_error "Unknown interface ($interface)" unless find_interface( $interface )->{root};
fatal_error "Unknown interface ($interface)" unless my $interfaceref = known_interface( $interface );
unless ( $interfaceref->{root} ) {
$rule .= "-o $interface ";
$interface = $interfaceref->{name};
}
my $chainref = ensure_chain('nat', $pre_nat ? snat_chain $interface : masq_chain $interface);
@ -368,6 +373,16 @@ sub do_one_nat( $$$$$ )
my $policyin = '';
my $policyout = '';
my $rulein = '';
my $ruleout = '';
fatal_error "Unknown interface ($interface)" unless my $interfaceref = known_interface( $interface );
unless ( $interfaceref->{root} ) {
$rulein = "-i $interface ";
$ruleout = "-o $interface ";
$interface = $interfaceref->{name};
}
if ( $capabilities{POLICY_MATCH} ) {
$policyin = ' -m policy --pol none --dir in';
@ -391,8 +406,8 @@ sub do_one_nat( $$$$$ )
add_nat_rule 'nat_in' , "-d $external $policyin -j DNAT --to-destination $internal";
add_nat_rule 'nat_out' , "-s $internal $policyout -j SNAT --to-source $external";
} else {
add_nat_rule input_chain( $interface ) , "-d $external $policyin -j DNAT --to-destination $internal";
add_nat_rule output_chain( $interface ) , "-s $internal $policyout -j SNAT --to-source $external";
add_nat_rule input_chain( $interface ) , $rulein . "-d $external $policyin -j DNAT --to-destination $internal";
add_nat_rule output_chain( $interface ) , $ruleout . "-s $internal $policyout -j SNAT --to-source $external";
}
add_nat_rule 'OUTPUT' , "-d $external $policyout -j DNAT --to-destination $internal " if $localnat;
@ -449,20 +464,32 @@ sub setup_netmap() {
while ( read_a_line ) {
my ( $type, $net1, $interface, $net2 ) = split_line 4, 4, 'netmap file';
my ( $type, $net1, $interfacelist, $net2 ) = split_line 4, 4, 'netmap file';
fatal_error "Unknown Interface ($interface)" unless known_interface $interface;
for my $interface ( split /,/, $interfacelist ) {
if ( $type eq 'DNAT' ) {
add_rule ensure_chain( 'nat' , input_chain $interface ) , "-d $net1 -j NETMAP --to $net2";
} elsif ( $type eq 'SNAT' ) {
add_rule ensure_chain( 'nat' , output_chain $interface ) , "-s $net1 -j NETMAP --to $net2";
} else {
fatal_error "Invalid type ($type)";
my $rulein = '';
my $ruleout = '';
my $iface = $interface;
fatal_error "Unknown interface ($interface)" unless my $interfaceref = find_interface( $interface );
unless ( $interfaceref->{root} ) {
$rulein = "-i $interface ";
$ruleout = "-o $interface ";
$interface = $interfaceref->{name};
}
if ( $type eq 'DNAT' ) {
add_rule ensure_chain( 'nat' , input_chain $interface ) , $rulein . "-d $net1 -j NETMAP --to $net2";
} elsif ( $type eq 'SNAT' ) {
add_rule ensure_chain( 'nat' , output_chain $interface ) , $ruleout . "-s $net1 -j NETMAP --to $net2";
} else {
fatal_error "Invalid type ($type)";
}
progress_message " Network $net1 on $iface mapped to $net2 ($type)";
}
progress_message " Network $net1 on $interface mapped to $net2 ($type)";
}
}
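Review bot: setup_netmap still performs an exact lookup: inside its new per-interface loop it calls `find_interface( $interface )`, whereas the masq and nat paths in this same commit were switched to `known_interface`, the routine that does the wildcard prefix match and caches the result. find_interface's definition is not in this diff; if it is the exact-match lookup the old masq check used (`find_interface( $interface )->{root}`), a netmap entry such as `tun1` against an interfaces entry `tun+` is only accepted when an earlier masq or nat line already cached that name, making the advertised loose match order-dependent for netmap. Replace it with `fatal_error "Unknown interface ($interface)" unless my $interfaceref = known_interface( $interface );` so all three callers behave alike. All three `unless ( $interfaceref->{root} )` tests rely on the cached hash that known_interface builds having no `root` key; a one-line comment at each test, e.g. `# no 'root' key => name was loosely matched against a wildcard entry; restrict the rule to the actual device`, would make that contract visible to the next reader.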
@ -121,7 +121,8 @@ our %reservedName = ( all => 1,
#
# @interfaces lists the interface names in the order that they appear in the interfaces file.
#
# %interfaces { <interface1> => { root => <name without trailing '+'>
# %interfaces { <interface1> => { name => <name of interface>
# root => <name without trailing '+'>
# options => { <option1> = <val1> ,
# ...
# }
@ -643,6 +644,8 @@ sub validate_interfaces_file( $ )
$interfaces{$interface}{bridge} = $interface;
}
$interfaces{$interface}{name} = $interface;
my $wildcard = 0;
if ( $interface =~ /\+$/ ) {
@ -772,19 +775,19 @@ sub validate_interfaces_file( $ )
sub known_interface($)
{
my $interface = $_[0];
my $interfaceref = $interfaces{$interface};
return 1 if $interfaces{$interface};
return $interfaceref if $interfaceref;
for my $i ( @interfaces ) {
my $interfaceref = $interfaces{$i};
$interfaceref = $interfaces{$i};
my $val = $interfaceref->{root};
next if $val eq $i;
if ( substr( $interface, 0, length $val ) eq $val ) {
#
# Cache this result for future reference
# Cache this result for future reference. We set the 'name' to the name of the entry that appears in /etc/shorewall/interfaces.
#
$interfaces{$interface} = { options => $interfaceref->{options}, bridge => $interfaceref->{bridge} };
return 1;
return $interfaces{$interface} = { options => $interfaceref->{options}, bridge => $interfaceref->{bridge} , name => $i };
}
}
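Review bot: The hash that known_interface caches for a loosely-matched name carries `options`, `bridge` and `name` but deliberately no `root`, and the Nat.pm callers in this commit depend on that absence to tell a loose match from an exact one; nothing in the updated `%interfaces` header comment or in known_interface says so. I would extend the header comment with `# root is absent on entries that known_interface() caches for names loosely matched against a wildcard entry; callers use that to detect a loose match` and put a short note on the return line. The match itself is a bare prefix test (`substr( $interface, 0, length $val ) eq $val`), so any string beginning with the root is accepted, including one that itself ends in '+' (e.g. `tun1+`) and would then be emitted as `-o tun1+`; if that is not intended, the caller's name should be rejected when it ends in '+'. known_interface's final return after the loop lies outside this hunk.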
@ -227,7 +227,7 @@ setup_masq()
build_exclusion_chain newchain nat "$nomasq" "$destnets"
if [ -n "$networks" ]; then
for s in $networks; do
for s in $(separate_list networks); do
addnatrule $chain $(source_ip_range $s) $proto $ports $mark $policy -j $newchain
done
networks=
@ -261,7 +261,7 @@ __EOF__
build_exclusion_chain newchain nat $nomasq
if [ -n "$networks" ]; then
for s in $networks; do
for s in $(separate_list $networks); do
for destnet in $(separate_list $destnets); do
addnatrule $chain $(both_ip_ranges $s $destnet) $proto $ports $mark $policy -j $newchain
done
@ -388,7 +388,7 @@ __EOF__
fi
if [ -n "$networks" ]; then
for network in $networks; do
for network in $(separate_list $networks); do
for destnet in $(separate_list $destnets); do
addnatrule $chain $(both_ip_ranges $network $destnet) $proto $ports $mark $policy -j $target $addrlist
done
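Review bot: The first setup_masq hunk (around the `build_exclusion_chain newchain nat "$nomasq" "$destnets"` block) is missing the sigil: `for s in $(separate_list networks); do` passes the literal word `networks` to separate_list, so the loop body would build a rule with source `networks` instead of the configured list. The two later hunks in the same function correctly use `$(separate_list $networks)`, which also suggests separate_list takes the value, not a variable name. Change the line to `for s in $(separate_list $networks); do`. setup_masq begins and ends outside the hunks shown here.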
@ -59,6 +59,18 @@
the only use for the alias name; it may not appear in any other
place in your Shorewall configuratio</emphasis>n.</para>
<para>Each interface must match an entry in <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
Prior to Shorewall 4.1.4, this must be an exact match.
Shorewall-perl 4.1.4 and later allow loose matches to wildcard
entries in <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5). For
example, <filename class="devicefile">ppp0</filename> in this file
will match a <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
entry that defines <filename
class="devicefile">ppp+</filename>.</para>
<para>The interface may be qualified by adding the character ":"
followed by a comma-separated list of destination host or subnet
addresses to indicate that you only want to change the source IP
@ -73,6 +73,18 @@
cannot use it anwhere else in your Shorewall configuration.
</emphasis></para>
<para>Each interface must match an entry in <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
Prior to Shorewall 4.1.4, this must be an exact match.
Shorewall-perl 4.1.4 and later allow loose matches to wildcard
entries in <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5). For
example, <filename class="devicefile">ppp0</filename> in this file
will match a <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
entry that defines <filename
class="devicefile">ppp+</filename>.</para>
<para>Prior to Shorewall 4.1.4,
<replaceable>interfacelist</replaceable> must be a single interface
name. Beginning with Shorewall-perl 4.1.4, Shorewall-perl users may
@ -66,7 +66,16 @@
<listitem>
<para>The name of a network interface. The interface must be defined
in <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5).</para>
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
Prior to Shorewall 4.1.4, this must be an exact match.
Shorewall-perl 4.1.4 and later allow loose matches to wildcard
entries in <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5). For
example, <filename class="devicefile">ppp0</filename> in this file
will match a <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(8)
entry that defines <filename
class="devicefile">ppp+</filename>.</para>
</listitem>
</varlistentry>
@ -684,9 +684,10 @@
<para>1. MAC addresses are not allowed (this is a Netfilter
restriction).</para>
<para>2. In <emphasis role="bold">DNAT</emphasis> rules, only IP
addresses are allowed; no FQDNs or subnet addresses are
permitted.</para>
<para>2.Prior to Shorewall 4.1.4, only IP addresses are allowed in
<emphasis role="bold">DNAT</emphasis> rules; no DNS names are
permitted. In no case may a network be specified as the
server.</para>
<para>3. You may not specify both an interface and an
address.</para>