On 02/27/2013 04:43 AM, Steven Jan Springl wrote: > Kernel 3.8 has config. option CONFIG_IP6_NF_TARGET_MASQUERADE > > Shorewall6 snat entry: > > eth0 2001:2::/56 :random > > Produces ip6tables rule: > > -A eth0_masq -s 2001:2::/56 -j MASQUERADE --random > > Which ip6tables-restore accepts. > > I am using ip6tables 1.4.17. > > Note, kernel 3.7 also has the above config. option, but I haven't tried it.
This is a fine kettle of fish; my 3.7.4 Fedora 18 Kernel does not enable that option. Attached are three patches which: - Correct the 'NONAT:random' error you reported in an earlier post. - Rename /etc/shorewall6/snat to /etc/shorewall6/masq - Add a MASQUERADE Target capability and bump the current CAPVERSION - Require MASQUERADE Target support for MASQUERADE rules Thanks Steven, -Tom -- Tom Eastep \ When I die, I want to go like my Grandfather who Shoreline, \ died peacefully in his sleep. Not screaming like Washington, USA \ all of the passengers in his car http://shorewall.net \________________________________________________
diff --git a/Shorewall-core/lib.cli b/Shorewall-core/lib.cli
index 2a00c04..f6f022d 100644
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
@@ -25,7 +25,7 @@
# loaded after this one and replaces some of the functions declared here.
#
-SHOREWALL_CAPVERSION=40512
+SHOREWALL_CAPVERSION=40514
[ -n "${g_program:=shorewall}" ]
@@ -2197,6 +2197,7 @@ determine_capabilities() {
NFACCT_MATCH=
CHECKSUM_TARGET=
ARPTABLESJF=
+ MASQUERADE_TGT=
AMANDA_HELPER=
FTP_HELPER=
FTP0_HELPER=
@@ -2228,6 +2229,7 @@ determine_capabilities() {
else
qt $g_tool -t nat -A $chain -j SNAT --to-source 2001::1 --persistent && PERSISTENT_SNAT=Yes
fi
+ qt $g_tool -t nat -A $chain -j MASQUERADE && MASQUERADE_TGT=Yes
qt $g_tool -t nat -F $chain
qt $g_tool -t nat -X $chain
fi
@@ -2602,6 +2604,7 @@ report_capabilities_unsorted() {
report_capability "NFAcct match" $NFACCT_MATCH
report_capability "Checksum Target" $CHECKSUM_TARGET
report_capability "Arptables JF" $ARPTABLESJF
+ report_capability "MASQUERADE Target" $MASQUERADE_TGT
report_capability "Amanda Helper" $AMANDA_HELPER
report_capability "FTP Helper" $FTP_HELPER
@@ -2720,6 +2723,7 @@ report_capabilities_unsorted1() {
report_capability1 NFACCT_MATCH
report_capability1 CHECKSUM_TARGET
report_capability1 ARPTABLESJF
+ report_capability1 MASQUERADE_TGT
report_capability1 AMANDA_HELPER
report_capability1 FTP_HELPER
diff --git a/Shorewall6/configfiles/masq b/Shorewall6/configfiles/masq
index c7f3773..cc39de5 100644
--- a/Shorewall6/configfiles/masq
+++ b/Shorewall6/configfiles/masq
@@ -1,10 +1,10 @@
#
-# Shorewall6 version 4 - SNAT file
+# Shorewall6 version 4 - MASQUERADE/SNAT file
#
-# For information about entries in this file, type "man shorewall6-snat"
+# For information about entries in this file, type "man shorewall6-masq"
#
# The manpage is also online at
-# http://www.shorewall.net/manpages6/shorewall6-snat.html
+# http://www.shorewall.net/manpages6/shorewall6-masq.html
#
########################################################################################################################
#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK USER/ SWITCH ORIGINAL
diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
index 5bf08ce..c5c0bf8 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -357,6 +357,7 @@ our %capdesc = ( NAT_ENABLED => 'NAT',
NFACCT_MATCH => 'NFAcct Match',
CHECKSUM_TARGET => 'Checksum Target',
ARPTABLESJF => 'Arptables JF',
+ MASQUERADE_TGT => 'MASQUERADE Target',
AMANDA_HELPER => 'Amanda Helper',
FTP_HELPER => 'FTP Helper',
FTP0_HELPER => 'FTP-0 Helper',
@@ -649,7 +650,7 @@ sub initialize( $;$$) {
KLUDGEFREE => '',
STATEMATCH => '-m state --state',
VERSION => "4.5.13-Beta3",
- CAPVERSION => 40512 ,
+ CAPVERSION => 40514 ,
);
#
# From shorewall.conf file
@@ -901,6 +902,7 @@ sub initialize( $;$$) {
NFACCT_MATCH => undef,
CHECKSUM_TARGET => undef,
ARPTABLESJF => undef,
+ MASQUERADE_TGT => undef,
AMANDA_HELPER => undef,
FTP_HELPER => undef,
@@ -3561,6 +3563,22 @@ sub Persistent_Snat() {
$result;
}
+sub Masquerade_Tgt() {
+ have_capability( 'NAT_ENABLED' ) || return '';
+
+ my $result = '';
+ my $address = $family == F_IPV4 ? '1.2.3.4' : '2001::1';
+
+ if ( qt1( "$iptables -t nat -N $sillyname" ) ) {
+ $result = qt1( "$iptables -t nat -A $sillyname -j MASQUERADE" );
+ qt1( "$iptables -t nat -F $sillyname" );
+ qt1( "$iptables -t nat -X $sillyname" );
+
+ }
+
+ $result;
+}
+
sub Mangle_Enabled() {
if ( qt1( "$iptables -t mangle -L -n" ) ) {
system( "$iptables -t mangle -N $sillyname" ) == 0 || fatal_error "Cannot Create Mangle chain $sillyname";
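Review bot: `$address` in the new Masquerade_Tgt() is assigned but never used — the probe rule two lines below is a bare `-j MASQUERADE` with no `--to-source`, so the line `my $address = $family == F_IPV4 ? '1.2.3.4' : '2001::1';` looks like a leftover from Persistent_Snat() and should be dropped. The sub also lacks the header comment its neighbours carry; something like `# Probe for the MASQUERADE target by adding a rule to a scratch nat chain; returns '' unless NAT_ENABLED` would make the intent clear. Mangle_Enabled() continues outside the hunk.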
@@ -4075,6 +4093,7 @@ our %detect_capability =
MANGLE_FORWARD => \&Mangle_Forward,
MARK => \&Mark,
MARK_ANYWHERE => \&Mark_Anywhere,
+ MASQUERADE_TGT => \&Masquerade_Tgt,
MULTIPORT => \&Multiport,
NAT_ENABLED => \&Nat_Enabled,
NETBIOS_NS_HELPER => \&Netbios_ns_Helper,
diff --git a/Shorewall/Perl/Shorewall/Nat.pm b/Shorewall/Perl/Shorewall/Nat.pm
index ca2c8e9..8f5538d 100644
--- a/Shorewall/Perl/Shorewall/Nat.pm
+++ b/Shorewall/Perl/Shorewall/Nat.pm
@@ -172,7 +172,7 @@ sub process_one_masq1( $$$$$$$$$$ )
#
if ( $addresses ne '-' ) {
if ( $addresses eq 'random' ) {
- fatal_error 'Invalid IPv6 address (random)' if $family == F_IPV6;
+ require_capability 'MASQUERADE_TGT', 'Masquerade rules', '';
$randomize = '--random ';
} else {
$addresses =~ s/:persistent$// and $persistent = ' --persistent ';
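Review bot: Replacing the IPv6-only fatal_error with `require_capability 'MASQUERADE_TGT', 'Masquerade rules', '';` makes IPv4 masquerading, which previously needed only NAT_ENABLED, depend on a capability that capabilities files written before CAPVERSION 40514 do not contain; whether an absent entry is then re-detected on the compiling host or treated as missing depends on have_capability, which is outside this hunk, and only the former is safe for existing IPv4 configurations. Keeping the IPv4 path as it was and requiring the new capability only where it is new, `require_capability 'MASQUERADE_TGT', 'Masquerade rules', '' if $family == F_IPV6;`, or giving MASQUERADE_TGT a defined-or default for IPv4 when an old capabilities file is read, would avoid that. The identical line in the `@@ -311,7 +313,7 @@` hunk has the same issue. process_one_masq1 starts and ends outside the hunk.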
@@ -194,6 +194,8 @@ sub process_one_masq1( $$$$$$$$$$ )
$detectaddress = 1;
}
} elsif ( $addresses eq 'NONAT' ) {
+ fatal_error "'persistent' may not be specified with 'NONAT'" if $persistent;
+ fatal_error "'random' may not be specified with 'NONAT'" if $randomize;
$target = 'RETURN';
$add_snat_aliases = 0;
} else {
@@ -311,7 +313,7 @@ sub process_one_masq1( $$$$$$$$$$ )
$target .= $randomize;
$target .= $persistent;
} else {
- fatal_error "IPv6 does does not support MASQUERADE -- you must use SNAT" if $family == F_IPV6;
+ require_capability 'MASQUERADE_TGT', 'Masquerade rules', '';
$add_snat_aliases = 0;
}
#
@@ -373,11 +375,9 @@ sub process_one_masq( )
#
sub setup_masq()
{
- my $name = $family == F_IPV4 ? 'masq' : 'snat';
+ if ( my $fn = open_file( 'masq', 1, 1 ) ) {
- if ( my $fn = open_file( $name, 1, 1 ) ) {
-
- first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , "a non-empty $name file" , 's'; } );
+ first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , "a non-empty masq file" , 's'; } );
process_one_masq while read_a_line( NORMAL_READ );
}
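Review bot: Switching the IPv6 file name from 'snat' to 'masq' unconditionally means an existing /etc/shorewall6/snat file is silently ignored after an upgrade — its masquerading rules simply vanish from the generated firewall with no error, which is a quiet loss of intended policy. Unless the install scripts rename the file (not visible here), setup_masq should fall back to the old name for IPv6 and warn so the administrator notices; the sub's closing brace is outside the hunk.
```perl
sub setup_masq()
{
    my $fn = open_file( 'masq', 1, 1 );

    # Shorewall6 installs predating the rename still ship an 'snat' file; honour it but warn.
    if ( ! $fn && $family == F_IPV6 && ( $fn = open_file( 'snat', 1, 1 ) ) ) {
        warning_message "The snat file is deprecated; please rename it to masq";
    }

    if ( $fn ) {
        # … unchanged: first_entry() / read_a_line() loop …
    }
```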
