Add DNAT ONLY column to /etc/shorewall/nat

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1531 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2025-06-18 23:57:14 +02:00 · 2004-08-10 20:18:15 +00:00 · 2004-08-10 20:18:15 +00:00 · 3aff092003
commit 3aff092003
parent 968bff363c
4 changed files with 43 additions and 17 deletions
--- a/Shorewall2/changelog.txt
+++ b/Shorewall2/changelog.txt
@ -32,3 +32,5 @@ Changes since 2.0.3
 14) Show the iptables/ip/tc command that failed when failure is fatal.
 15) Implement STARTUP_ENABLED.
 16) Added DNAT ONLY column to /etc/shorewall/nat.
--- a/Shorewall2/firewall
+++ b/Shorewall2/firewall
@ -1231,7 +1231,7 @@ setup_forwarding() {
 # Disable IPV6
 #
 disable_ipv6() {
-    local foo=$(ip -f inet6 addr ls 2> /dev/null)
+    local foo="$(ip -f inet6 addr ls 2> /dev/null)"
    if [ -n "$foo" ]; then
 	if qt which ip6tables; then
@ -1900,7 +1900,22 @@ delete_proxy_arp() {
 # Setup Static Network Address Translation (NAT)
 #
 setup_nat() {
-    local external= interface= internal= allints= localnat=
+    local external= interface= internal= allints= localnat= dnatonly=
    validate_one() #1 = Variable Name, $2 = Column name, $3 = value 
    {
 	case $3 in
 	    Yes|yes)
                ;;
 	    No|no)
 		eval ${1}=
 		;;
 	    *)
 		[ -n "$3" ] && \
 		    fatal_error "Invalid value ($3) for $2 in entry \"$external $interface $internal $allints $localnat\""
 		;;
 	esac
    }
    do_one_nat() {
 	local add_ip_aliases=$ADD_IP_ALIASES, iface=${interface%:*}
@ -1918,22 +1933,21 @@ setup_nat() {
 	else
 	    interface=${interface%:}
 	fi
 	validate_one allints  "ALL INTERFACES" $allints
 	validate_one localnat "LOCAL"          $localnat
 	validate_one dnatonly "DNAT ONLY"      $dnatonly
-	if [ "x$allints" = "xYes" -o "x$allints" = "xyes" ]; then
+	if [ -n "$allints" ]; then
 	    addnatrule nat_in  -d $external -j DNAT --to-destination $internal
-	    addnatrule nat_out -s $internal -j SNAT --to-source $external
+	    [ -n "$dnatonly" ] || addnatrule nat_out -s $internal -j SNAT --to-source $external
 	elif [ -z "$allints" -o "x$allints" = "x-" -o "x$allints" = "xNo" -o "x$allints" = "xno" ]; then       
 	    addnatrule $(input_chain $iface) -d $external -j DNAT --to-destination $internal
 	    addnatrule $(output_chain $iface) -s $internal -j SNAT --to-source $external
 	else
-	    fatal_error "Invalid value ($allints) for ALL INTERFACES in entry \"$external $interface $internal $allints $localnat\""
+	    addnatrule $(input_chain $iface) -d $external -j DNAT --to-destination $internal
 	    [ -n "$dnatonly" ] || addnatrule $(output_chain $iface) -s $internal -j SNAT --to-source $external
 	fi
-	if [ "x$localnat" = "xYes" -o "x$localnat" = "xyes" ]; then
+	[ -n "$localnat" ] && \
 	    run_iptables2 -t nat -A OUTPUT -d $external -j DNAT --to-destination $internal
 	elif [ "x$localnat" != "x-" -a -n "$localnat" -a "x$localnat" != "xNo" -a "x$localnat" != "xno" ]; then
 	    fatal_error "Invalid value ($allints) for LOCAL in entry \"$external $interface $internal $allints $localnat\""	    
 	fi
 	if [ -n "$add_ip_aliases" ]; then
 	    list_search $external $aliases_to_add || \
@ -1947,8 +1961,8 @@ setup_nat() {
    save_progress_message "Restoring one-to-one NAT..."
-    while read external interface internal allints localnat; do
+    while read external interface internal allints localnat dnatonly; do
-	expandv external interface internal allints localnat
+	expandv external interface internal allints localnat dnatonly
 	do_one_nat
--- a/Shorewall2/nat
+++ b/Shorewall2/nat
@ -1,6 +1,6 @@
 ##############################################################################
 #
-# Shorewall 2.0  -- Network Address Translation Table
+# Shorewall 2.1  -- Network Address Translation Table
 #
 # /etc/shorewall/nat
 #
@ -16,6 +16,7 @@
 #	EXTERNAL	External IP Address - this should NOT be the primary
 #			IP address of the interface named in the next
 #			column and must not be a DNS Name.
 #
 #	INTERFACE	Interface that you want to EXTERNAL address to appear
 #                       on. If ADD_IP_ALIASES=Yes in shorewall.conf, you may
 #			follow the interface name with ":" and a digit to
@ -29,13 +30,18 @@
 #			particular entry, follow the interface name with
 #			":" and no digit (e.g., "eth0:").
 #	INTERNAL	Internal Address (must not be a DNS Name).
 #
 #       ALL INTERFACES  If Yes or yes, NAT will be effective from all hosts.
 #                       If No or no (or left empty) then NAT will be effective
 #                       only through the interface named in the INTERFACE
 #                       column
 #
 #       LOCAL           If Yes or yes, NAT will be effective from the firewall
 #                       system
 #
 #	DNAT ONLY	If Yes or yes, no SNAT will occur.	
 ##############################################################################
-#EXTERNAL	INTERFACE	INTERNAL	ALL	 		LOCAL
+#EXTERNAL	INTERFACE	INTERNAL	ALL		LOCAL	DNAT
-#						INTERFACES
+#						INTERFACES		ONLY
 #
 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
--- a/Shorewall2/releasenotes.txt
+++ b/Shorewall2/releasenotes.txt
@ -223,3 +223,7 @@ New Features:
 	/etc/shorewall/hosts:
 	vpn	eth0:0.0.0.0/0	ipsec
 8)  A new DNAT ONLY column has been added to the /etc/shorewall/nat
    file. If that column contains "Yes" or "yes", then no SNAT rules
    will be generated by the entry.