diff --git a/Samples/one-interface/shorewall.conf b/Samples/one-interface/shorewall.conf
index 5898a3283..539a47704 100644
--- a/Samples/one-interface/shorewall.conf
+++ b/Samples/one-interface/shorewall.conf
@@ -207,6 +207,8 @@ LOAD_HELPERS_ONLY=Yes
 REQUIRE_INTERFACE=No
+FORWARD_CLEAR_MARK=Yes
+
 ###############################################################################
 # P A C K E T D I S P O S I T I O N
 ###############################################################################
diff --git a/Samples/three-interfaces/shorewall.conf b/Samples/three-interfaces/shorewall.conf
index c25e30b9e..3d8f3e399 100644
--- a/Samples/three-interfaces/shorewall.conf
+++ b/Samples/three-interfaces/shorewall.conf
@@ -207,6 +207,8 @@ LOAD_HELPERS_ONLY=Yes
 REQUIRE_INTERFACE=No
+FORWARD_CLEAR_MARK=Yes
+
 ###############################################################################
 # P A C K E T D I S P O S I T I O N
 ###############################################################################
diff --git a/Samples/two-interfaces/shorewall.conf b/Samples/two-interfaces/shorewall.conf
index 26df5e99f..190dce031 100644
--- a/Samples/two-interfaces/shorewall.conf
+++ b/Samples/two-interfaces/shorewall.conf
@@ -214,6 +214,8 @@ LOAD_HELPERS_ONLY=Yes
 REQUIRE_INTERFACE=No
+FORWARD_CLEAR_MARK=Yes
+
 ###############################################################################
 # P A C K E T D I S P O S I T I O N
 ###############################################################################
diff --git a/Samples6/one-interface/shorewall6.conf b/Samples6/one-interface/shorewall6.conf
index 35fb44c3b..64752ac0e 100644
--- a/Samples6/one-interface/shorewall6.conf
+++ b/Samples6/one-interface/shorewall6.conf
@@ -155,6 +155,8 @@ LOAD_HELPERS_ONLY=Yes
 REQUIRE_INTERFACE=No
+FORWARD_CLEAR_MARK=Yes
+
 ##############################################################################
 # P A C K E T D I S P O S I T I O N
 ###############################################################################
diff --git a/Samples6/three-interfaces/shorewall6.conf b/Samples6/three-interfaces/shorewall6.conf
index 00e71426b..e5d149338 100644
--- a/Samples6/three-interfaces/shorewall6.conf
+++ b/Samples6/three-interfaces/shorewall6.conf
@@ -155,6 +155,8 @@ LOAD_HELPERS_ONLY=Yes
 REQUIRE_INTERFACE=No
+FORWARD_CLEAR_MARK=Yes
+
 ###############################################################################
 # P A C K E T D I S P O S I T I O N
 ###############################################################################
diff --git a/Samples6/two-interfaces/shorewall6.conf b/Samples6/two-interfaces/shorewall6.conf
index 80546aef6..c12899af0 100644
--- a/Samples6/two-interfaces/shorewall6.conf
+++ b/Samples6/two-interfaces/shorewall6.conf
@@ -155,6 +155,8 @@ LOAD_HELPERS_ONLY=Yes
 REQUIRE_INTERFACE=No
+FORWARD_CLEAR_MARK=Yes
+
 ###############################################################################
 # P A C K E T D I S P O S I T I O N
 ###############################################################################
diff --git a/Shorewall/Perl/Shorewall/Nat.pm b/Shorewall/Perl/Shorewall/Nat.pm
index c65b72c27..4c6f4c6d4 100644
--- a/Shorewall/Perl/Shorewall/Nat.pm
+++ b/Shorewall/Perl/Shorewall/Nat.pm
@@ -461,15 +461,15 @@ sub setup_netmap() {
 fatal_error "Unknown interface ($interface)" unless my $interfaceref = known_interface( $interface );
 unless ( $interfaceref->{root} ) {
- $rulein = match_source_dev( $interface ) . match_source_net ( $net3 );
- $ruleout = match_dest_dev( $interface ) . match_dest_net ( $net3 );
+ $rulein = match_source_dev( $interface );
+ $ruleout = match_dest_dev( $interface );
 $interface = $interfaceref->{name};
 }
 if ( $type eq 'DNAT' ) {
- add_rule ensure_chain( 'nat' , input_chain $interface ) , $rulein . "-d $net1 -j NETMAP --to $net2";
+ add_rule ensure_chain( 'nat' , input_chain $interface ) , $rulein . match_source_net( $net3 ) . "-d $net1 -j NETMAP --to $net2";
 } elsif ( $type eq 'SNAT' ) {
- add_rule ensure_chain( 'nat' , output_chain $interface ) , $ruleout . "-s $net1 -j NETMAP --to $net2";
+ add_rule ensure_chain( 'nat' , output_chain $interface ) , $ruleout . match_dest_net( $net3 ) . "-s $net1 -j NETMAP --to $net2";
 } else {
 fatal_error "Invalid type ($type)";
 }
diff --git a/Shorewall/configfiles/shorewall.conf b/Shorewall/configfiles/shorewall.conf
index 4dfbde734..745a0ec78 100644
--- a/Shorewall/configfiles/shorewall.conf
+++ b/Shorewall/configfiles/shorewall.conf
@@ -196,6 +196,8 @@ LOAD_HELPERS_ONLY=No
 REQUIRE_INTERFACE=No
+FORWARD_CLEAR_MARK=Yes
+
 ###############################################################################
 # P A C K E T D I S P O S I T I O N
 ###############################################################################
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index feeeb9fb4..c914f6332 100644
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
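Review bot: In setup_netmap (Shorewall/Perl/Shorewall/Nat.pm), `match_source_net( $net3 )` and `match_dest_net( $net3 )` are now evaluated for every entry, including interfaces where `$interfaceref->{root}` is set, a path that never touched `$net3` before this change. Nothing in the hunk shows `$net3` being defaulted or validated, and the function starts and ends outside it, so please confirm that an omitted or malformed third network is normalised before it reaches the generated NETMAP rule; otherwise the rule's scope could be wider or narrower than the netmap entry intends. A one-line comment above `if ( $type eq 'DNAT' ) {`, for example `# net3 must be matched for wildcard interfaces too, so it is appended here rather than in the unless block`, would record why the match moved.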
@@ -278,12 +278,12 @@ None. See http://www.shorewall.net/Vserver.html for details.
-2) A new CLEAR_FORWARD_MARK option has been added to shorewall.conf
+2) A new FORWARD_CLEAR_MARK option has been added to shorewall.conf
 and shorewall6.conf. Traditionally, Shorewall has cleared the packet mark in the first rule in the mangle FORWARD chain. This behavior is maintained with
- the default setting (CLEAR_FORWARD_MARK=Yes). If the new option is
+ the default setting (FORWARD_CLEAR_MARK=Yes). If the new option is
 set to No, packet marks set in the PREROUTING chain are retained in the FORWARD chains.
diff --git a/Shorewall6/shorewall6.conf b/Shorewall6/shorewall6.conf
index 9cf1cb726..299bf91db 100644
--- a/Shorewall6/shorewall6.conf
+++ b/Shorewall6/shorewall6.conf
@@ -151,6 +151,8 @@ DYNAMIC_BLACKLIST=Yes
 LOAD_HELPERS_ONLY=No
+FORWARD_CLEAR_MARK=yes
+
 ###############################################################################
 # P A C K E T D I S P O S I T I O N
 ###############################################################################
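Review bot: The added line in Shorewall6/shorewall6.conf is spelled `FORWARD_CLEAR_MARK=yes`, while every other configuration file touched by this commit, including the three Samples6 files, adds `FORWARD_CLEAR_MARK=Yes`. The neighbouring settings in this hunk (`DYNAMIC_BLACKLIST=Yes`, `LOAD_HELPERS_ONLY=No`) are capitalised as well, so I would write `FORWARD_CLEAR_MARK=Yes` here for consistency. The parser presumably accepts both spellings, so this is a style point only.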