authorAn-Cheng Huang <ancheng@vyatta.com>2007-12-19 18:35:03 -0800
committerAn-Cheng Huang <ancheng@vyatta.com>2007-12-19 18:35:03 -0800
commit3403cd4376015167008ea558f6672a75a0e2842c (patch)
treed2c5e92e75584c16f971da73210cfb39b6c6ff9b
parent56880bec43eef6af8301cdfbe9c764b4257bd24b (diff)
fix for bug 2067: add "exclude" option for NAT rules to allow users to
exclude certain packets from NAT.
-rw-r--r--scripts/VyattaNatRule.pm13
-rwxr-xr-xscripts/vyatta-show-nat.pl2
-rw-r--r--templates-cfg/service/nat/rule/node.tag/exclude/node.def1
3 files changed, 13 insertions, 3 deletions
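diff --git a/scripts/VyattaNatRule.pm b/scripts/VyattaNatRule.pm
index 5bcfac6..c2f2c34 100644
--- a/scripts/VyattaNatRule.pm
+++ b/scripts/VyattaNatRule.pm
@@ -10,6 +10,7 @@ my %fields = (
 _inbound_if => undef,
 _outbound_if => undef,
 _proto => undef,
+ _exclude => undef,
 _source => {
 _addr => undef,
 _net => undef,
@@ -78,6 +79,7 @@ sub setup {
 $self->{_inbound_if} = $config->returnValue("inbound-interface");
 $self->{_outbound_if} = $config->returnValue("outbound-interface");
 $self->{_proto} = $config->returnValue("protocols");
+ $self->{_exclude} = $config->exists("exclude");
 $self->{_source}->{_addr} = $config->returnValue("source address");
 $self->{_source}->{_net} = $config->returnValue("source network");
@@ -141,6 +143,7 @@ sub setupOrig {
 $self->{_inbound_if} = $config->returnOrigValue("inbound-interface");
 $self->{_outbound_if} = $config->returnOrigValue("outbound-interface");
 $self->{_proto} = $config->returnOrigValue("protocols");
+ $self->{_exclude} = $config->existsOrig("exclude");
 $self->{_source}->{_addr} = $config->returnOrigValue("source address");
 $self->{_source}->{_net} = $config->returnOrigValue("source network");
@@ -279,7 +282,9 @@ sub rule_str {
 $can_use_port = 0;
 }
 if (($self->{_type} eq "source") || ($self->{_type} eq "masquerade")) {
- if ($self->{_type} eq "masquerade") {
+ if ($self->{_exclude}) {
+ $rule_str .= "-j RETURN";
+ } elsif ($self->{_type} eq "masquerade") {
 $rule_str .= "-j MASQUERADE";
 } else {
 $rule_str .= "-j SNAT";
@@ -346,7 +351,11 @@ sub rule_str {
 }
 } else {
 # type is destination
- $rule_str .= "-j DNAT";
+ if ($self->{_exclude}) {
+ $rule_str .= "-j RETURN";
+ } else {
+ $rule_str .= "-j DNAT";
+ }
 if (defined($self->{_inbound_if})) {
 $rule_str .= " -i $self->{_inbound_if}";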
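Review bot: The `-j RETURN` branch added at `if ($self->{_exclude})` emits the target but rule_str continues past this hunk; if the code that follows still appends the translation options that SNAT needs (`--to-source ...`), the exclude rule would be rejected by iptables, since RETURN takes no target options, and the packets the operator meant to exclude would keep being translated. The destination branch in the next hunk (`-j RETURN` before the `-i` match) raises the same question for `--to-destination`. If so, skip the translation options whenever `_exclude` is set, and make sure the caller treats an iptables failure as a commit error so an exclude rule cannot silently fail open. A comment on the branch would help later readers: `# exclude: stop evaluating this chain without translating; only NAT rules ordered after this one are bypassed`.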
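diff --git a/scripts/vyatta-show-nat.pl b/scripts/vyatta-show-nat.pl
index bb25500..d046ab5 100755
--- a/scripts/vyatta-show-nat.pl
+++ b/scripts/vyatta-show-nat.pl
@@ -25,7 +25,7 @@ while (<STATS>) {
 $skey = "";
 }
- if ($skey ne "" && (m/SNAT/ || m/DNAT/ || m/MASQUERADE/)) {
+ if ($skey ne "" && (m/SNAT/ || m/DNAT/ || m/MASQUERADE/ || m/RETURN/)) {
 m/^\s*(\d+)\s+(\d+)\s/;
 push @{$stats{$skey}}, ($1, $2);
 }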
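Review bot: The added `m/RETURN/` alternative matches the word anywhere in the line rather than in the target column, so any line that merely mentions RETURN (a chain name, a comment) would be counted as a rule's statistics; the existing SNAT/DNAT/MASQUERADE alternatives are equally unanchored, but RETURN is a far more common token. If STATS is `iptables -vnL` output, the target is the third column, and the capture on the next line is also unchecked — when `m/^\s*(\d+)\s+(\d+)\s/` fails, `$1` and `$2` keep the values of the previous successful match and stale counters are pushed. Both can be fixed by folding the target into one guarded capture: `if ($skey ne "" && m/^\s*(\d+)\s+(\d+)\s+(?:SNAT|DNAT|MASQUERADE|RETURN)\b/) { push @{$stats{$skey}}, ($1, $2); }`. The enclosing while loop starts before this hunk.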
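diff --git a/templates-cfg/service/nat/rule/node.tag/exclude/node.def b/templates-cfg/service/nat/rule/node.tag/exclude/node.def
new file mode 100644
index 0000000..b6a2991
--- /dev/null
+++ b/templates-cfg/service/nat/rule/node.tag/exclude/node.def
@@ -0,0 +1 @@
+help: "Exclude packets matching this rule from NAT"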