holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

Add SPORT column to the snat file (FORMAT 2)

Browse Source 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2020-06-27 13:15:22 -07:00
parent e4f24f41fd
commit e3f139bbdb
No known key found for this signature in database
GPG Key ID: 96E6B3F2423A4D10
7 changed files with 167 additions and 60 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

165
Shorewall/Perl/Shorewall/Rules.pm
View File

@ -1800,7 +1800,7 @@ sub isolate_basic_target( $ ) {
sub process_rule ( $$$$$$$$$$$$$$$$$$$$ );
sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ );
sub process_snat1( $$$$$$$$$$$$ );
sub process_snat1( $$$$$$$$$$$$$ );
sub perl_action_helper( $$;$$ );
#
@ -1994,23 +1994,49 @@ sub process_action(\$\$$) {
set_inline_matches( $matches );
}
} else {
my ( $action, $source, $dest, $protos, $port, $ipsec, $mark, $user, $condition, $origdest, $probability) =
split_line2( 'snat file',
{ action =>0,
source => 1,
dest => 2,
proto => 3,
port => 4,
ipsec => 5,
mark => 6,
user => 7,
switch => 8,
origdest => 9,
probability => 10,
},
{},
11,
1 );
my ( $action, $source, $dest, $protos, $port, $sport, $ipsec, $mark, $user, $condition, $origdest, $probability);
if ( $file_format == 1 ) {
( $action, $source, $dest, $protos, $port, $ipsec, $mark, $user, $condition, $origdest, $probability) =
split_line2( 'snat file',
{ action =>0,
source => 1,
dest => 2,
proto => 3,
port => 4,
dport => 4,
ipsec => 5,
mark => 6,
user => 7,
switch => 8,
origdest => 9,
probability => 10,
},
{},
11,
1 );
$sport = '-';
} else {
( $action, $source, $dest, $protos, $port, $sport, $ipsec, $mark, $user, $condition, $origdest, $probability) =
split_line2( 'snat file',
{ action =>0,
source => 1,
dest => 2,
proto => 3,
port => 4,
dport => 4,
sport => 5,
ipsec => 6,
mark => 7,
user => 8,
switch => 9,
origdest => 10,
probability => 11,
},
{},
12,
1 );
}
fatal_error 'ACTION must be specified' if $action eq '-';
@ -2026,6 +2052,7 @@ sub process_action(\$\$$) {
$dest,
$proto,
$port,
$sport,
$ipsec,
$mark,
$user,
@ -5401,8 +5428,8 @@ sub process_mangle_rule( $ ) {
}
}
sub process_snat_inline( $$$$$$$$$$$$$$ ) {
my ($inline, $chainref, $params, $loglevel, $source, $dest, $protos, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) = @_;
sub process_snat_inline( $$$$$$$$$$$$$$$ ) {
my ($inline, $chainref, $params, $loglevel, $source, $dest, $protos, $ports, $sports, $ipsec, $mark, $user, $condition, $origdest, $probability ) = @_;
my ( $level,
$tag ) = split( ':', $loglevel, 2 );
@ -5421,28 +5448,54 @@ sub process_snat_inline( $$$$$$$$$$$$$$ ) {
progress_message "..Expanding inline action $inlinefile...";
push_open $inlinefile, 2, 1, undef , 2;
push_open $inlinefile, 2, 1, undef , 1;
my $save_comment = push_comment;
while ( read_a_line( NORMAL_READ ) ) {
my ( $maction, $msource, $mdest, $mprotos, $mports, $mipsec, $mmark, $muser, $mcondition, $morigdest, $mprobability) =
split_line2( 'snat file',
{ action =>0,
source => 1,
dest => 2,
proto => 3,
port => 4,
ipsec => 5,
mark => 6,
user => 7,
switch => 8,
origdest => 9,
probability => 10,
},
{},
11,
1 );
my ( $maction, $msource, $mdest, $mprotos, $mports, $msports, $mipsec, $mmark, $muser, $mcondition, $morigdest, $mprobability);
if ( $file_format == 1 ) {
( $maction, $msource, $mdest, $mprotos, $mports, $mipsec, $mmark, $muser, $mcondition, $morigdest, $mprobability) =
split_line2( 'snat file',
{ action =>0,
source => 1,
dest => 2,
proto => 3,
port => 4,
dport => 4,
ipsec => 5,
mark => 6,
user => 7,
switch => 8,
origdest => 9,
probability => 10,
},
{},
11,
1 );
$msports = '-';
} else {
( $maction, $msource, $mdest, $mprotos, $mports, $msports, $mipsec, $mmark, $muser, $mcondition, $morigdest, $mprobability) =
split_line2( 'snat file',
{ action =>0,
source => 1,
dest => 2,
proto => 3,
port => 4,
dport => 4,
sport => 5,
ipsec => 6,
mark => 7,
user => 8,
switch => 9,
origdest => 10,
probability => 11,
},
{},
12,
1 );
}
fatal_error 'ACTION must be specified' if $maction eq '-';
@ -5470,6 +5523,7 @@ sub process_snat_inline( $$$$$$$$$$$$$$ ) {
$mdest,
$proto,
merge_macro_column( $mports, $ports ),
merge_macro_column( $msports, $sports ),
merge_macro_column( $mipsec, $ipsec ),
merge_macro_column( $mmark, $mark ),
merge_macro_column( $muser, $user ),
@ -5496,8 +5550,8 @@ sub process_snat_inline( $$$$$$$$$$$$$$ ) {
#
# Process a record in the snat file
#
sub process_snat1( $$$$$$$$$$$$ ) {
my ( $chainref, $origaction, $source, $dest, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) = @_;
sub process_snat1( $$$$$$$$$$$$$ ) {
my ( $chainref, $origaction, $source, $dest, $proto, $ports, $sports, $ipsec, $mark, $user, $condition, $origdest, $probability ) = @_;
my $inchain;
my $inaction;
@ -5609,7 +5663,7 @@ sub process_snat1( $$$$$$$$$$$$ ) {
#
# Handle Protocol, Ports and Condition
#
$baserule .= do_proto( $proto, $ports, '' );
$baserule .= do_proto( $proto, $ports, $sports );
#
# Handle Mark
#
@ -5856,6 +5910,7 @@ sub process_snat1( $$$$$$$$$$$$ ) {
supplied( $destnets ) && $destnets ne '-' ? $inaction || $interface ? join( ':', $interface, $destnets ) : $destnets : $inaction ? '-' : $interface,
$proto,
$ports,
$sports,
$ipsec,
$mark,
$user,
@ -5968,18 +6023,30 @@ sub process_snat1( $$$$$$$$$$$$ ) {
sub process_snat( )
{
my ($action, $source, $dest, $protos, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) =
split_line2( 'snat file',
{ action => 0, source => 1, dest => 2, proto => 3, port => 4, dport => 4, ipsec => 5, mark => 6, user => 7, switch => 8, origdest => 9, probability => 10 },
{}, #Nopad
11, #Columns
1 ); #Allow inline matches
my ($action, $source, $dest, $protos, $ports, $sports, $ipsec, $mark, $user, $condition, $origdest, $probability );
if ( $file_format == 1 ) {
($action, $source, $dest, $protos, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) =
split_line2( 'snat file',
{ action => 0, source => 1, dest => 2, proto => 3, port => 4, dport => 4, ipsec => 5, mark => 6, user => 7, switch => 8, origdest => 9, probability => 10 },
{}, #Nopad
11, #Columns
1 ); #Allow inline matches
$sports = '-';
} else {
($action, $source, $dest, $protos, $ports, $sports, $ipsec, $mark, $user, $condition, $origdest, $probability ) =
split_line2( 'snat file',
{ action => 0, source => 1, dest => 2, proto => 3, port => 4, dport => 4, sport => 5, ipsec => 6, mark => 7, user => 8, switch => 9, origdest => 10, probability => 11 },
{}, #Nopad
12, #Columns
1 ); #Allow inline matches
}
fatal_error 'ACTION must be specified' if $action eq '-';
fatal_error 'DEST must be specified' if $dest eq '-';
for my $proto ( split_list $protos, 'Protocol' ) {
process_snat1( undef, $action, $source, $dest, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability );
process_snat1( undef, $action, $source, $dest, $proto, $ports, $sports, $ipsec, $mark, $user, $condition, $origdest, $probability );
}
}
@ -5994,7 +6061,7 @@ sub setup_snat()
#
# Masq file was empty or didn't exist
#
if ( $fn = open_file( 'snat', 1, 1 ) ) {
if ( $fn = open_file( 'snat', 2, 1, undef, 1 ) ) {
first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , "a non-empty snat file" , 's'; } );
process_snat while read_a_line( NORMAL_READ );
}

5
Shorewall/Samples/three-interfaces/snat
View File

@ -12,8 +12,9 @@
# For information about entries in this file, type "man shorewall-snat"
#
# See https://shorewall.org/manpages/shorewall-snat.html for more information
###########################################################################################################################################
#ACTION SOURCE DEST PROTO DPORT IPSEC MARK USER SWITCH ORIGDEST PROBABILITY
?FORMAT 2
###################################################################################################################################################
#ACTION SOURCE DEST PROTO DPORT SPORT IPSEC MARK USER SWITCH ORIGDEST PROBABILITY
#
# Rules generated from masq file /home/teastep/shorewall/trunk/Shorewall/Samples/three-interfaces/masq by Shorewall 5.0.13-RC1 - Sat Oct 15 11:43:47 PDT 2016
#

5
Shorewall/Samples/two-interfaces/snat
View File

@ -12,8 +12,9 @@
# For information about entries in this file, type "man shorewall-snat"
#
# See https://shorewall.org/manpages/shorewall-snat.html for more information
###########################################################################################################################################
#ACTION SOURCE DEST PROTO DPORT IPSEC MARK USER SWITCH ORIGDEST PROBABILITY
?FORMAT 2
###################################################################################################################################################
#ACTION SOURCE DEST PROTO DPORT SPORT IPSEC MARK USER SWITCH ORIGDEST PROBABILITY
#
# Rules generated from masq file /home/teastep/shorewall/trunk/Shorewall/Samples/two-interfaces/masq by Shorewall 5.0.13-RC1 - Sat Oct 15 11:41:40 PDT 2016
#

5
Shorewall/configfiles/snat
View File

@ -5,5 +5,6 @@
#
# See https://shorewall.org/manpages/shorewall-snat.html for more information
#
###########################################################################################################################################
#ACTION SOURCE DEST PROTO DPORT IPSEC MARK USER SWITCH ORIGDEST PROBABILITY
?FORMAT 2
###################################################################################################################################################
#ACTION SOURCE DEST PROTO DPORT SPORT IPSEC MARK USER SWITCH ORIGDEST PROBABILITY

35
Shorewall/manpages/shorewall-snat.xml
View File

@ -45,6 +45,20 @@
that.</para>
</warning>
<para>Beginning with Shorewall 5.2.6, the snat file supports two different
formats:</para>
<orderedlist>
<listitem>
<para>The SPORT (source port) column is omitted. This is the default
unless a "?FORMAT 2" compiler directive is included.</para>
</listitem>
<listitem>
<para>The SPORT column immediately follows the DPORT column.</para>
</listitem>
</orderedlist>
<para>The columns in the file are as follows.</para>
<variablelist>
@ -378,6 +392,27 @@
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">SPORT
{-|[!]<replaceable>port-name-or-number</replaceable>[,<replaceable>port-name-or-number</replaceable>]...|+<replaceable>ipset</replaceable>}</emphasis></term>
<listitem>
<para>FORMAT 2 only.</para>
<para>If the PROTO column specifies TCP (6), UDP (17), DCCP (33),
SCTP (132) or UDPLITE (136) then you may list one or more port
numbers (or names from services(5)) or port ranges separated by
commas.</para>
<para>Port ranges are of the form
<emphasis>lowport</emphasis>:<emphasis>highport</emphasis>.</para>
<para>An <replaceable>ipset</replaceable> name can be specified in
this column. This is intended to be used with
<firstterm>bitmap:port</firstterm> ipsets.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">IPSEC</emphasis> (Optional) -
[<emphasis>option</emphasis>[<emphasis

6
Shorewall6/configfiles/snat
View File

@ -5,5 +5,7 @@
#
# See https://shorewall.org/manpages/shorewall-snat.html for more information
#
###########################################################################################################################################
#ACTION SOURCE DEST PROTO DPORT IPSEC MARK USER SWITCH ORIGDEST PROBABILITY
?FORMAT 2
###################################################################################################################################################
#ACTION SOURCE DEST PROTO DPORT SPORT IPSEC MARK USER SWITCH ORIGDEST PROBABILITY

6
docs/configuration_file_basics.xml
View File

@ -741,9 +741,9 @@ ACCEPT net:\
<row>
<entry>snat</entry>
<entry>action,source,dest,proto,port,ipsec,mark,user,switch,origdest,probability
(Note: 'port' may be specified as 'dport' beginning with Shorewall
5.2.6).</entry>
<entry>action,source,dest,proto,port,sport,ipsec,mark,user,switch,origdest,probability
(Note: 'port' may be specified as 'dport', beginning with
Shorewall 5.2.6).</entry>
</row>
<row>