Add clib.nat module
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4401 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
94ad76f97d
commit
e48207bbae
153
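--- a/Shorewall/clib.nat
+++ b/Shorewall/clib.nat
@@ -0,0 +1,153 @@
+#!/bin/sh
+#
+# Shorewall 3.2 -- /usr/share/shorewall/clib.nat
+#
+# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
+#
+# (c) 2005,2006 - Tom Eastep (teastep@shorewall.net)
+#
+# Complete documentation is available at http://shorewall.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
+
+
+#
+# Setup Static Network Address Translation (NAT)
+#
+setup_nat() {
+    local external= interface= internal= allints= localnat= policyin= policyout=
+
+    validate_one() #1 = Variable Name, $2 = Column name, $3 = value
+    {
+        case $3 in
+            Yes|yes)
+                ;;
+            No|no)
+                eval ${1}=
+                ;;
+            *)
+                [ -n "$3" ] && \
+                    fatal_error "Invalid value ($3) for $2 in entry \"$external $interface $internal $allints $localnat\""
+                ;;
+        esac
+    }
+
+    do_one_nat() {
+        local add_ip_aliases=$ADD_IP_ALIASES iface=${interface%:*}
+
+        if [ -n "$add_ip_aliases" ]; then
+            case $interface in
+                *:)
+                    interface=${interface%:}
+                    add_ip_aliases=
+                    ;;
+                *)
+                    [ -n "$RETAIN_ALIASES" ] || save_command del_ip_addr $external $iface
+                    ;;
+            esac
+        else
+            interface=${interface%:}
+        fi
+
+        validate_one allints "ALL INTERFACES" $allints
+        validate_one localnat "LOCAL" $localnat
+
+        if [ -n "$allints" ]; then
+            addnatrule nat_in -d $external $policyin -j DNAT --to-destination $internal
+            addnatrule nat_out -s $internal $policyout -j SNAT --to-source $external
+        else
+            addnatrule $(input_chain $iface) -d $external $policyin -j DNAT --to-destination $internal
+            addnatrule $(output_chain $iface) -s $internal $policyout -j SNAT --to-source $external
+        fi
+
+        [ -n "$localnat" ] && \
+            run_iptables2 -t nat -A OUTPUT -d $external $policyout -j DNAT --to-destination $internal
+
+        if [ -n "$add_ip_aliases" ]; then
+            list_search $external $ALIASES_TO_ADD || \
+                ALIASES_TO_ADD="$ALIASES_TO_ADD $external $interface"
+        fi
+    }
+    #
+    # At this point, we're just interested in the network translation
+    #
+    > $STATEDIR/nat
+
+    if [ -n "$POLICY_MATCH" ]; then
+        policyin="-m policy --pol none --dir in"
+        policyout="-m policy --pol none --dir out"
+    fi
+
+    [ -n "$RETAIN_ALIASES" ] || save_progress_message "Setting up one-to-one NAT..."
+
+    while read external interface internal allints localnat; do
+        expandv external interface internal allints localnat
+
+        do_one_nat
+
+        progress_message_and_save " Host $internal NAT $external on $interface"
+    done < $TMP_DIR/nat
+}
+
+#
+# Delete existing Static NAT
+#
+delete_nat() {
+    run_iptables -t nat -F
+    run_iptables -t nat -X
+
+    [ -d $STATEDIR ] && touch $STATEDIR/nat
+
+    indent >&3 << __EOF__
+
+if [ -f \${VARDIR}/nat ]; then
+    while read external interface; do
+        del_ip_addr \$external \$interface
+    done < \${VARDIR}/nat
+
+    rm -f \${VARDIR}/nat
+fi
+
+__EOF__
+}
+
+#
+# Setup Network Mapping (NETMAP)
+#
+setup_netmap() {
+
+    while read type net1 interface net2 ; do
+        expandv type net1 interface net2
+
+        list_search $interface $ALL_INTERFACES || \
+            fatal_error "Unknown interface $interface in entry \"$type $net1 $interface $net2\""
+
+        case $type in
+            DNAT)
+                addnatrule $(input_chain $interface) -d $net1 -j NETMAP --to $net2
+                ;;
+            SNAT)
+                addnatrule $(output_chain $interface) -s $net1 -j NETMAP --to $net2
+                ;;
+            *)
+                fatal_error "Invalid type $type in entry \"$type $net1 $interface $net2\""
+                ;;
+        esac
+
+        progress_message_and_save " Network $net1 on $interface mapped to $net2 ($type)"
+
+    done < $TMP_DIR/netmap
+}
+
+CLIB_NAT_LOADED=Yes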
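Review bot: do_one_nat never checks the INTERFACE column against the known interfaces, while setup_netmap in the same file rejects unknown ones with `list_search $interface $ALL_INTERFACES || fatal_error ...`; in setup_nat a mistyped interface name flows straight into `input_chain $iface`/`output_chain $iface`, `del_ip_addr` and ALIASES_TO_ADD, so the error only shows up when the generated script runs iptables rather than at compile time. Since this module already relies on ALL_INTERFACES for netmap, the same guard fits at the top of do_one_nat, using the base name after the alias suffix is stripped: `list_search $iface $ALL_INTERFACES || fatal_error "Unknown interface $interface in entry \"$external $interface $internal $allints $localnat\""`. The two `while read` loops also accept lines with missing EXTERNAL/INTERNAL columns, leaving `--to-destination` or `-d` with an empty argument in the emitted rule; a `[ -n "$internal" ]` check with a fatal_error in the same style would make that a compile-time failure too. I am assuming the nat file's INTERFACE column does not admit names absent from the interfaces file — if it does (e.g. wildcards), the check would need to allow them.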
@ -1496,7 +1496,6 @@ process_routestopped() # $1 = command
|
||||
|
||||
done < $TMP_DIR/routestopped
|
||||
|
||||
|
||||
for host in $hosts; do
|
||||
interface=${host%:*}
|
||||
networks=${host#*:}
|
||||
@ -1624,134 +1623,6 @@ setup_syn_flood_chains()
|
||||
done
|
||||
}
|
||||
|
||||
#
|
||||
# Setup Static Network Address Translation (NAT)
|
||||
#
|
||||
setup_nat() {
|
||||
local external= interface= internal= allints= localnat= policyin= policyout=
|
||||
|
||||
validate_one() #1 = Variable Name, $2 = Column name, $3 = value
|
||||
{
|
||||
case $3 in
|
||||
Yes|yes)
|
||||
;;
|
||||
No|no)
|
||||
eval ${1}=
|
||||
;;
|
||||
*)
|
||||
[ -n "$3" ] && \
|
||||
fatal_error "Invalid value ($3) for $2 in entry \"$external $interface $internal $allints $localnat\""
|
||||
;;
|
||||
esac
|
||||
}
|
||||
|
||||
do_one_nat() {
|
||||
local add_ip_aliases=$ADD_IP_ALIASES iface=${interface%:*}
|
||||
|
||||
if [ -n "$add_ip_aliases" ]; then
|
||||
case $interface in
|
||||
*:)
|
||||
interface=${interface%:}
|
||||
add_ip_aliases=
|
||||
;;
|
||||
*)
|
||||
[ -n "$RETAIN_ALIASES" ] || save_command del_ip_addr $external $iface
|
||||
;;
|
||||
esac
|
||||
else
|
||||
interface=${interface%:}
|
||||
fi
|
||||
|
||||
validate_one allints "ALL INTERFACES" $allints
|
||||
validate_one localnat "LOCAL" $localnat
|
||||
|
||||
if [ -n "$allints" ]; then
|
||||
addnatrule nat_in -d $external $policyin -j DNAT --to-destination $internal
|
||||
addnatrule nat_out -s $internal $policyout -j SNAT --to-source $external
|
||||
else
|
||||
addnatrule $(input_chain $iface) -d $external $policyin -j DNAT --to-destination $internal
|
||||
addnatrule $(output_chain $iface) -s $internal $policyout -j SNAT --to-source $external
|
||||
fi
|
||||
|
||||
[ -n "$localnat" ] && \
|
||||
run_iptables2 -t nat -A OUTPUT -d $external $policyout -j DNAT --to-destination $internal
|
||||
|
||||
if [ -n "$add_ip_aliases" ]; then
|
||||
list_search $external $ALIASES_TO_ADD || \
|
||||
ALIASES_TO_ADD="$ALIASES_TO_ADD $external $interface"
|
||||
fi
|
||||
}
|
||||
#
|
||||
# At this point, we're just interested in the network translation
|
||||
#
|
||||
> $STATEDIR/nat
|
||||
|
||||
if [ -n "$POLICY_MATCH" ]; then
|
||||
policyin="-m policy --pol none --dir in"
|
||||
policyout="-m policy --pol none --dir out"
|
||||
fi
|
||||
|
||||
[ -n "$RETAIN_ALIASES" ] || save_progress_message "Setting up one-to-one NAT..."
|
||||
|
||||
while read external interface internal allints localnat; do
|
||||
expandv external interface internal allints localnat
|
||||
|
||||
do_one_nat
|
||||
|
||||
progress_message_and_save " Host $internal NAT $external on $interface"
|
||||
done < $TMP_DIR/nat
|
||||
}
|
||||
|
||||
#
|
||||
# Delete existing Static NAT
|
||||
#
|
||||
delete_nat() {
|
||||
run_iptables -t nat -F
|
||||
run_iptables -t nat -X
|
||||
|
||||
[ -d $STATEDIR ] && touch $STATEDIR/nat
|
||||
|
||||
indent >&3 << __EOF__
|
||||
|
||||
if [ -f \${VARDIR}/nat ]; then
|
||||
while read external interface; do
|
||||
del_ip_addr \$external \$interface
|
||||
done < \${VARDIR}/nat
|
||||
|
||||
rm -f \${VARDIR}/nat
|
||||
fi
|
||||
|
||||
__EOF__
|
||||
}
|
||||
|
||||
#
|
||||
# Setup Network Mapping (NETMAP)
|
||||
#
|
||||
setup_netmap() {
|
||||
|
||||
while read type net1 interface net2 ; do
|
||||
expandv type net1 interface net2
|
||||
|
||||
list_search $interface $ALL_INTERFACES || \
|
||||
fatal_error "Unknown interface $interface in entry \"$type $net1 $interface $net2\""
|
||||
|
||||
case $type in
|
||||
DNAT)
|
||||
addnatrule $(input_chain $interface) -d $net1 -j NETMAP --to $net2
|
||||
;;
|
||||
SNAT)
|
||||
addnatrule $(output_chain $interface) -s $net1 -j NETMAP --to $net2
|
||||
;;
|
||||
*)
|
||||
fatal_error "Invalid type $type in entry \"$type $net1 $interface $net2\""
|
||||
;;
|
||||
esac
|
||||
|
||||
progress_message_and_save " Network $net1 on $interface mapped to $net2 ($type)"
|
||||
|
||||
done < $TMP_DIR/netmap
|
||||
}
|
||||
|
||||
#
|
||||
# Set up an exclusion chain
|
||||
#
|
||||
@ -6962,7 +6833,7 @@ do_initialize() {
|
||||
[ -n "${RESTOREFILE:=restore}" ]
|
||||
|
||||
#
|
||||
# Strip the files and load modules
|
||||
# Strip the configuration files and load modules
|
||||
#
|
||||
strip_file zones
|
||||
strip_file policy
|
||||
@ -6975,11 +6846,14 @@ do_initialize() {
|
||||
strip_file blacklist
|
||||
strip_file rules
|
||||
strip_file proxyarp
|
||||
[ -s $TMP_DIR/proxyarp ] && clib_load proxyarp CLIB_PROXYARP_LOADED "Use of the proxyarp file requires the Shorewall clib.proxyarp modules which is not installed"
|
||||
[ -s $TMP_DIR/proxyarp ] && clib_load proxyarp CLIB_PROXYARP_LOADED "Use of the proxyarp file requires the Shorewall compiler module clib.proxyarp which is not installed"
|
||||
strip_file maclist
|
||||
[ -s $TMP_DIR/maclist ] && clib_load maclist CLIB_MACLIST_LOADED "Use of the maclist file requires the Shorewall clib.maclist modules which is not installed"
|
||||
[ -s $TMP_DIR/maclist ] && clib_load maclist CLIB_MACLIST_LOADED "Use of the maclist file requires the Shorewall compiler module clib.maclist module which is not installed"
|
||||
strip_file nat
|
||||
strip_file netmap
|
||||
if [ -s $TMP_DIR/nat -o -s $TMP_DIR/netmap ]; then
|
||||
clib_load nat CLIB_NAT_LOADED "Use of the nat or netmap files requires the Shorewall compiler module clib.nat which is not installed"
|
||||
fi
|
||||
strip_file tcrules
|
||||
if [ -s $TMP_DIR/tcrules ]; then
|
||||
clib_load tcrules CLIB_TCRULES_LOADED "Entries in the tcrules file require Shorewall compiler module clib.tcrules which is not installed"
|
||||
|
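Review bot: clib.nat is now loaded only when the stripped nat or netmap file is non-empty (`[ -s $TMP_DIR/nat -o -s $TMP_DIR/netmap ]`), but delete_nat moved into that module along with setup_nat and setup_netmap; if the compiler calls delete_nat unconditionally when tearing down the nat table, configurations with neither file populated would now hit an undefined function — worth confirming that its callers are guarded by CLIB_NAT_LOADED or that the load happens unconditionally for that path. Separately, the reworded maclist message duplicates the word "module" (`...compiler module clib.maclist module which is not installed`) and so diverges from the proxyarp and nat messages beside it; suggested text: `"Use of the maclist file requires the Shorewall compiler module clib.maclist which is not installed"`. The enclosing do_initialize function starts and ends outside these hunks.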
@ -117,7 +117,7 @@
|
||||
#
|
||||
fatal_error() # $@ = Message
|
||||
{
|
||||
echo " $@" >&2
|
||||
echo " ERROR: $@" >&2
|
||||
exit 2
|
||||
}
|
||||
|
||||
|
@ -114,6 +114,7 @@ fi
|
||||
%attr(0555,root,root) /usr/share/shorewall/clib.ecn
|
||||
%attr(0555,root,root) /usr/share/shorewall/clib.maclist
|
||||
%attr(0555,root,root) /usr/share/shorewall/clib.macros
|
||||
%attr(0555,root,root) /usr/share/shorewall/clib.nat
|
||||
%attr(0555,root,root) /usr/share/shorewall/clib.providers
|
||||
%attr(0555,root,root) /usr/share/shorewall/clib.proxyarp
|
||||
%attr(0555,root,root) /usr/share/shorewall/clib.tcrules
|
||||
|