mirror of
https://github.com/firehol/firehol.git
synced 2024-06-28 18:02:33 +00:00
all NAT helpers support keyword "at" to specify the chain to be attached
This commit is contained in:
parent
c8720f3d7d
commit
6bb642b901
@ -14,11 +14,11 @@ extra-manpage: firehol-redirect.5
|
||||
|
||||
# SYNOPSIS
|
||||
|
||||
{ nat to-destination | dnat [to] } *ipaddr*[:*port*] [*rule-params*]
|
||||
{ nat to-destination | dnat [to] } *ipaddr*[:*port*] [at *chain*] [*rule-params*]
|
||||
|
||||
{ nat to-source | snat [to] } *ipaddr*[:*port*] [*rule-params*]
|
||||
{ nat to-source | snat [to] } *ipaddr*[:*port*] [at *chain*] [*rule-params*]
|
||||
|
||||
{ nat redirect-to | redirect [to] } *port*[-*range*] [*rule-params*]
|
||||
{ nat redirect-to | redirect [to] } *port*[-*range*] [at *chain*] [*rule-params*]
|
||||
|
||||
# DESCRIPTION
|
||||
|
||||
@ -59,6 +59,11 @@ a transformation is happening.
|
||||
> See the [netfilter flow diagram][netfilter flow diagram] if you would
|
||||
> like to see how network packets are processed by the kernel in detail.
|
||||
|
||||
The `at` keyword allows setting a different chain to attach the rules.
|
||||
For `dnat` and `redirect` the default is PREROUTING, but OUTPUT is also
|
||||
supported. For `snat` the default is POSTROUTING, but INPUT is also
|
||||
supported.
|
||||
|
||||
The `nat` helper takes one of the following sub-commands:
|
||||
|
||||
to-destination *ipaddr*[:*port*]
|
||||
|
@ -4146,58 +4146,33 @@ nat_helper() {
|
||||
|
||||
require_work clear || ( error "NAT cannot be used in '${work_cmd}'. Put all NAT related commands before any '${work_cmd}' definition."; return 1 )
|
||||
|
||||
local type="${1}" \
|
||||
to="${2}" \
|
||||
chain= \
|
||||
action= \
|
||||
options= \
|
||||
requirements= \
|
||||
overwrite=
|
||||
local type="${1}" to="${2}" \
|
||||
chain= action= options= requirements= overwrite= \
|
||||
possible_chains= x=
|
||||
shift 2
|
||||
|
||||
while [ ! -z "${1}" ]
|
||||
do
|
||||
case "${1}" in
|
||||
random|--random)
|
||||
options="${options} random"
|
||||
shift
|
||||
;;
|
||||
|
||||
persistent|--persistent)
|
||||
# REDIRECT does not support persistence, but anyway
|
||||
# if the user gives this on REDIRECT, he/she will get
|
||||
# an error later
|
||||
options="${options} persistent"
|
||||
shift
|
||||
;;
|
||||
|
||||
*) break
|
||||
;;
|
||||
esac
|
||||
done
|
||||
|
||||
nat_count=$[nat_count + 1]
|
||||
set_work_function -ne "Rules for NAT type: '${type}'"
|
||||
|
||||
case ${type} in
|
||||
to-source)
|
||||
#create_chain nat "nat.${nat_count}" POSTROUTING nolog "${@}" inface any || return 1
|
||||
chain=POSTROUTING
|
||||
possible_chains="POSTROUTING INPUT"
|
||||
action=snat
|
||||
overwrite="inface any"
|
||||
;;
|
||||
|
||||
to-destination)
|
||||
#create_chain nat "nat.${nat_count}" PREROUTING noowner nolog "${@}" outface any || return 1
|
||||
chain=PREROUTING
|
||||
possible_chains="PREROUTING OUTPUT"
|
||||
action=dnat
|
||||
requirements=noowner
|
||||
overwrite="outface any"
|
||||
;;
|
||||
|
||||
redirect-to)
|
||||
#create_chain nat "nat.${nat_count}" PREROUTING noowner nolog "${@}" outface any || return 1
|
||||
chain=PREROUTING
|
||||
possible_chains="PREROUTING OUTPUT"
|
||||
action=redirect
|
||||
requirements=noowner
|
||||
overwrite="outface any"
|
||||
@ -4209,12 +4184,52 @@ nat_helper() {
|
||||
;;
|
||||
esac
|
||||
|
||||
while [ ! -z "${1}" ]
|
||||
do
|
||||
case "${1,,}" in
|
||||
random|--random)
|
||||
options="${options} random"
|
||||
shift
|
||||
;;
|
||||
|
||||
persistent|--persistent)
|
||||
options="${options} persistent"
|
||||
[ "${action}" = "redirect" ] && ( error "Persistence is not supported by redirect."; return 1 )
|
||||
shift
|
||||
;;
|
||||
|
||||
at) chain=
|
||||
for x in ${2//,/ }
|
||||
do
|
||||
case "${x^^}" in
|
||||
PRE|PREROUTING) chain="${chain} PREROUTING" ;;
|
||||
IN|INPUT) chain="${chain} INPUT" ;;
|
||||
OUT|OUTPUT) chain="${chain} OUTPUT" ;;
|
||||
PASS|FORWARD) chain="${chain} FORWARD" ;;
|
||||
POST|POSTROUTING) chain="${chain} POSTROUTING" ;;
|
||||
*) chain="${chain} ${x}";;
|
||||
esac
|
||||
done
|
||||
shift 2
|
||||
;;
|
||||
|
||||
*) break
|
||||
;;
|
||||
esac
|
||||
done
|
||||
|
||||
set_work_function "Rules for ${action} to ${to}"
|
||||
|
||||
# we now need to keep the protocol
|
||||
# rule table nat chain "nat.${nat_count}" noowner "${@}" nosoftwarnings src any dst any inface any outface any sport any dport any action "${action}" to "${to}" ${options} || return 1
|
||||
rule table nat chain "${chain}" ${requirements} "${@}" ${overwrite} action "${action}" to "${to}" ${options} || return 1
|
||||
for x in ${chain}
|
||||
do
|
||||
# check the chain
|
||||
if [[ ! " ${possible_chains} " =~ " ${x} " ]]
|
||||
then
|
||||
error "Cannot setup ${type} at ${x}, only these are allowed: ${possible_chains}"
|
||||
return 1
|
||||
fi
|
||||
|
||||
set_work_function "Rules for ${action} to ${to} at ${x}"
|
||||
rule table nat chain "${x}" ${requirements} "${@}" ${overwrite} action "${action}" to "${to}" ${options} || return 1
|
||||
done
|
||||
|
||||
FIREHOL_NAT=1
|
||||
FIREHOL_ROUTING=1
|
||||
|
Loading…
Reference in New Issue
Block a user