From e3f139bbdb2b2a5885877374e6fc049fa63d7436 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sat, 27 Jun 2020 13:15:22 -0700 Subject: [PATCH] Add SPORT column to the snat file (FORMAT 2) Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Rules.pm | 165 +++++++++++++++++------- Shorewall/Samples/three-interfaces/snat | 5 +- Shorewall/Samples/two-interfaces/snat | 5 +- Shorewall/configfiles/snat | 5 +- Shorewall/manpages/shorewall-snat.xml | 35 +++++ Shorewall6/configfiles/snat | 6 +- docs/configuration_file_basics.xml | 6 +- 7 files changed, 167 insertions(+), 60 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm index e9e8d6148..64dfc2c13 100644 --- a/Shorewall/Perl/Shorewall/Rules.pm +++ b/Shorewall/Perl/Shorewall/Rules.pm @@ -1800,7 +1800,7 @@ sub isolate_basic_target( $ ) { sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ); sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ ); -sub process_snat1( $$$$$$$$$$$$ ); +sub process_snat1( $$$$$$$$$$$$$ ); sub perl_action_helper( $$;$$ ); # @@ -1994,23 +1994,49 @@ sub process_action(\$\$$) { set_inline_matches( $matches ); } } else { - my ( $action, $source, $dest, $protos, $port, $ipsec, $mark, $user, $condition, $origdest, $probability) = - split_line2( 'snat file', - { action =>0, - source => 1, - dest => 2, - proto => 3, - port => 4, - ipsec => 5, - mark => 6, - user => 7, - switch => 8, - origdest => 9, - probability => 10, - }, - {}, - 11, - 1 ); + my ( $action, $source, $dest, $protos, $port, $sport, $ipsec, $mark, $user, $condition, $origdest, $probability); + + if ( $file_format == 1 ) { + ( $action, $source, $dest, $protos, $port, $ipsec, $mark, $user, $condition, $origdest, $probability) = + split_line2( 'snat file', + { action =>0, + source => 1, + dest => 2, + proto => 3, + port => 4, + dport => 4, + ipsec => 5, + mark => 6, + user => 7, + switch => 8, + origdest => 9, + probability => 10, + }, + {}, + 11, + 1 ); + $sport = '-'; + } else { + ( $action, $source, $dest, $protos, $port, $sport, $ipsec, $mark, $user, $condition, $origdest, $probability) = + split_line2( 'snat file', + { action =>0, + source => 1, + dest => 2, + proto => 3, + port => 4, + dport => 4, + sport => 5, + ipsec => 6, + mark => 7, + user => 8, + switch => 9, + origdest => 10, + probability => 11, + }, + {}, + 12, + 1 ); + } fatal_error 'ACTION must be specified' if $action eq '-'; @@ -2026,6 +2052,7 @@ sub process_action(\$\$$) { $dest, $proto, $port, + $sport, $ipsec, $mark, $user, @@ -5401,8 +5428,8 @@ sub process_mangle_rule( $ ) { } } -sub process_snat_inline( $$$$$$$$$$$$$$ ) { - my ($inline, $chainref, $params, $loglevel, $source, $dest, $protos, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) = @_; +sub process_snat_inline( $$$$$$$$$$$$$$$ ) { + my ($inline, $chainref, $params, $loglevel, $source, $dest, $protos, $ports, $sports, $ipsec, $mark, $user, $condition, $origdest, $probability ) = @_; my ( $level, $tag ) = split( ':', $loglevel, 2 ); @@ -5421,28 +5448,54 @@ sub process_snat_inline( $$$$$$$$$$$$$$ ) { progress_message "..Expanding inline action $inlinefile..."; - push_open $inlinefile, 2, 1, undef , 2; + push_open $inlinefile, 2, 1, undef , 1; my $save_comment = push_comment; while ( read_a_line( NORMAL_READ ) ) { - my ( $maction, $msource, $mdest, $mprotos, $mports, $mipsec, $mmark, $muser, $mcondition, $morigdest, $mprobability) = - split_line2( 'snat file', - { action =>0, - source => 1, - dest => 2, - proto => 3, - port => 4, - ipsec => 5, - mark => 6, - user => 7, - switch => 8, - origdest => 9, - probability => 10, - }, - {}, - 11, - 1 ); + my ( $maction, $msource, $mdest, $mprotos, $mports, $msports, $mipsec, $mmark, $muser, $mcondition, $morigdest, $mprobability); + + if ( $file_format == 1 ) { + ( $maction, $msource, $mdest, $mprotos, $mports, $mipsec, $mmark, $muser, $mcondition, $morigdest, $mprobability) = + split_line2( 'snat file', + { action =>0, + source => 1, + dest => 2, + proto => 3, + port => 4, + dport => 4, + ipsec => 5, + mark => 6, + user => 7, + switch => 8, + origdest => 9, + probability => 10, + }, + {}, + 11, + 1 ); + $msports = '-'; + } else { + ( $maction, $msource, $mdest, $mprotos, $mports, $msports, $mipsec, $mmark, $muser, $mcondition, $morigdest, $mprobability) = + split_line2( 'snat file', + { action =>0, + source => 1, + dest => 2, + proto => 3, + port => 4, + dport => 4, + sport => 5, + ipsec => 6, + mark => 7, + user => 8, + switch => 9, + origdest => 10, + probability => 11, + }, + {}, + 12, + 1 ); + } fatal_error 'ACTION must be specified' if $maction eq '-'; @@ -5470,6 +5523,7 @@ sub process_snat_inline( $$$$$$$$$$$$$$ ) { $mdest, $proto, merge_macro_column( $mports, $ports ), + merge_macro_column( $msports, $sports ), merge_macro_column( $mipsec, $ipsec ), merge_macro_column( $mmark, $mark ), merge_macro_column( $muser, $user ), @@ -5496,8 +5550,8 @@ sub process_snat_inline( $$$$$$$$$$$$$$ ) { # # Process a record in the snat file # -sub process_snat1( $$$$$$$$$$$$ ) { - my ( $chainref, $origaction, $source, $dest, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) = @_; +sub process_snat1( $$$$$$$$$$$$$ ) { + my ( $chainref, $origaction, $source, $dest, $proto, $ports, $sports, $ipsec, $mark, $user, $condition, $origdest, $probability ) = @_; my $inchain; my $inaction; @@ -5609,7 +5663,7 @@ sub process_snat1( $$$$$$$$$$$$ ) { # # Handle Protocol, Ports and Condition # - $baserule .= do_proto( $proto, $ports, '' ); + $baserule .= do_proto( $proto, $ports, $sports ); # # Handle Mark # @@ -5856,6 +5910,7 @@ sub process_snat1( $$$$$$$$$$$$ ) { supplied( $destnets ) && $destnets ne '-' ? $inaction || $interface ? join( ':', $interface, $destnets ) : $destnets : $inaction ? '-' : $interface, $proto, $ports, + $sports, $ipsec, $mark, $user, @@ -5968,18 +6023,30 @@ sub process_snat1( $$$$$$$$$$$$ ) { sub process_snat( ) { - my ($action, $source, $dest, $protos, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) = - split_line2( 'snat file', - { action => 0, source => 1, dest => 2, proto => 3, port => 4, dport => 4, ipsec => 5, mark => 6, user => 7, switch => 8, origdest => 9, probability => 10 }, - {}, #Nopad - 11, #Columns - 1 ); #Allow inline matches + my ($action, $source, $dest, $protos, $ports, $sports, $ipsec, $mark, $user, $condition, $origdest, $probability ); + + if ( $file_format == 1 ) { + ($action, $source, $dest, $protos, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) = + split_line2( 'snat file', + { action => 0, source => 1, dest => 2, proto => 3, port => 4, dport => 4, ipsec => 5, mark => 6, user => 7, switch => 8, origdest => 9, probability => 10 }, + {}, #Nopad + 11, #Columns + 1 ); #Allow inline matches + $sports = '-'; + } else { + ($action, $source, $dest, $protos, $ports, $sports, $ipsec, $mark, $user, $condition, $origdest, $probability ) = + split_line2( 'snat file', + { action => 0, source => 1, dest => 2, proto => 3, port => 4, dport => 4, sport => 5, ipsec => 6, mark => 7, user => 8, switch => 9, origdest => 10, probability => 11 }, + {}, #Nopad + 12, #Columns + 1 ); #Allow inline matches + } fatal_error 'ACTION must be specified' if $action eq '-'; fatal_error 'DEST must be specified' if $dest eq '-'; for my $proto ( split_list $protos, 'Protocol' ) { - process_snat1( undef, $action, $source, $dest, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ); + process_snat1( undef, $action, $source, $dest, $proto, $ports, $sports, $ipsec, $mark, $user, $condition, $origdest, $probability ); } } @@ -5994,7 +6061,7 @@ sub setup_snat() # # Masq file was empty or didn't exist # - if ( $fn = open_file( 'snat', 1, 1 ) ) { + if ( $fn = open_file( 'snat', 2, 1, undef, 1 ) ) { first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , "a non-empty snat file" , 's'; } ); process_snat while read_a_line( NORMAL_READ ); } diff --git a/Shorewall/Samples/three-interfaces/snat b/Shorewall/Samples/three-interfaces/snat index 386aa6fc1..bc808e70f 100644 --- a/Shorewall/Samples/three-interfaces/snat +++ b/Shorewall/Samples/three-interfaces/snat @@ -12,8 +12,9 @@ # For information about entries in this file, type "man shorewall-snat" # # See https://shorewall.org/manpages/shorewall-snat.html for more information -########################################################################################################################################### -#ACTION SOURCE DEST PROTO DPORT IPSEC MARK USER SWITCH ORIGDEST PROBABILITY +?FORMAT 2 +################################################################################################################################################### +#ACTION SOURCE DEST PROTO DPORT SPORT IPSEC MARK USER SWITCH ORIGDEST PROBABILITY # # Rules generated from masq file /home/teastep/shorewall/trunk/Shorewall/Samples/three-interfaces/masq by Shorewall 5.0.13-RC1 - Sat Oct 15 11:43:47 PDT 2016 # diff --git a/Shorewall/Samples/two-interfaces/snat b/Shorewall/Samples/two-interfaces/snat index 48c659ea8..774dd9c15 100644 --- a/Shorewall/Samples/two-interfaces/snat +++ b/Shorewall/Samples/two-interfaces/snat @@ -12,8 +12,9 @@ # For information about entries in this file, type "man shorewall-snat" # # See https://shorewall.org/manpages/shorewall-snat.html for more information -########################################################################################################################################### -#ACTION SOURCE DEST PROTO DPORT IPSEC MARK USER SWITCH ORIGDEST PROBABILITY +?FORMAT 2 +################################################################################################################################################### +#ACTION SOURCE DEST PROTO DPORT SPORT IPSEC MARK USER SWITCH ORIGDEST PROBABILITY # # Rules generated from masq file /home/teastep/shorewall/trunk/Shorewall/Samples/two-interfaces/masq by Shorewall 5.0.13-RC1 - Sat Oct 15 11:41:40 PDT 2016 # diff --git a/Shorewall/configfiles/snat b/Shorewall/configfiles/snat index 7ab873317..d4e359c6d 100644 --- a/Shorewall/configfiles/snat +++ b/Shorewall/configfiles/snat @@ -5,5 +5,6 @@ # # See https://shorewall.org/manpages/shorewall-snat.html for more information # -########################################################################################################################################### -#ACTION SOURCE DEST PROTO DPORT IPSEC MARK USER SWITCH ORIGDEST PROBABILITY +?FORMAT 2 +################################################################################################################################################### +#ACTION SOURCE DEST PROTO DPORT SPORT IPSEC MARK USER SWITCH ORIGDEST PROBABILITY diff --git a/Shorewall/manpages/shorewall-snat.xml b/Shorewall/manpages/shorewall-snat.xml index 276b6d0dd..6d6bbf4d5 100644 --- a/Shorewall/manpages/shorewall-snat.xml +++ b/Shorewall/manpages/shorewall-snat.xml @@ -45,6 +45,20 @@ that. + Beginning with Shorewall 5.2.6, the snat file supports two different + formats: + + + + The SPORT (source port) column is omitted. This is the default + unless a "?FORMAT 2" compiler directive is included. + + + + The SPORT column immediately follows the DPORT column. + + + The columns in the file are as follows. @@ -378,6 +392,27 @@ + + SPORT + {-|[!]port-name-or-number[,port-name-or-number]...|+ipset} + + + FORMAT 2 only. + + If the PROTO column specifies TCP (6), UDP (17), DCCP (33), + SCTP (132) or UDPLITE (136) then you may list one or more port + numbers (or names from services(5)) or port ranges separated by + commas. + + Port ranges are of the form + lowport:highport. + + An ipset name can be specified in + this column. This is intended to be used with + bitmap:port ipsets. + + + IPSEC (Optional) - [option[ snat - action,source,dest,proto,port,ipsec,mark,user,switch,origdest,probability - (Note: 'port' may be specified as 'dport' beginning with Shorewall - 5.2.6). + action,source,dest,proto,port,sport,ipsec,mark,user,switch,origdest,probability + (Note: 'port' may be specified as 'dport', beginning with + Shorewall 5.2.6).