diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt index ab4f2b8d0..89404c8a5 100755 --- a/Shorewall/changelog.txt +++ b/Shorewall/changelog.txt @@ -3,3 +3,11 @@ Changes since 1.3.13 1. Fix 'shorewall add' bug. 2. Add OLD_PING_HANDLING option + +3. Allow adding alias labels under ADD_IP_ALIASES=Yes. + +4. Allow adding alias labels under ADD_SNAT_ALIASES=Yes. + +5. Use the routing table to generate list of subnets to be masqueraded + when an interface name appears in the SUBNET column of + /etc/shorewall/masq. diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index ad1414bc3..ad19fc43a 100755 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt 
@@ -12,4 +12,86 @@ New features include: 'filterping' options in /etc/shorewall/interfaces will generate an error. +2) It is now possible to direct Shorewall to create a "label" such as + "eth0:0" for IP addresses that it creates under ADD_IP_ALIASES=Yes + and ADD_SNAT_ALIASES=Yes. This is done by specifying the label + instead of just the interface name: + a) In the INTERFACE column of /etc/shorewall/masq + b) In the INTERFACE column of /etc/shorewall/nat + +3) When an interface name is entered in the SUBNET column of the + /etc/shorewall/masq file, Shorewall previously masqueraded traffic + from only the first subnet defined on that interface. It did not + masquerade traffic from: + + a) The subnets associated with other addresses on the interface. + b) Subnets accessed through local routers. + + Beginning with Shorewall 1.3.14, if you enter an interface name in + the SUBNET column, shorewall will use the firewall's routing table + to construct the masquerading/SNAT rules. + + Example 1 -- This is how it works in 1.3.14. + + [root@gateway test]# cat /etc/shorewall/masq + #INTERFACE SUBNET ADDRESS + eth0 eth2 206.124.146.176 + #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE + [root@gateway test]# ip route show dev eth2 + 192.168.1.0/24 scope link + 192.168.10.0/24 proto kernel scope link src 192.168.10.254 + [root@gateway test]# ADDRESS + eth0 eth2 206.124.146.176 + #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE + [root@gateway test]# ip route show dev eth2 + 192.168.1.0/24 scope link + 192.168.10.0/24 proto kernel scope link src 192.168.10.254 + [root@gateway test]# shorewall start + ... + Masqueraded Subnets and Hosts: + To 0.0.0.0/0 from 192.168.1.0/24 through eth0 using 206.124.146.176 + To 0.0.0.0/0 from 192.168.10.0/24 through eth0 using 206.124.146.176 + Processing /etc/shorewall/tos... 
+ + When upgrading to Shorewall 1.3.14, if you have multiple local + subnets connected to an interface that is specified in the SUBNET + column of an /etc/shorewall/masq entry, your /etc/shorewall/masq + file will need changing. In most cases, you will simply be able to + remove redundant entries. In some cases though, you might want to change + from using the interface name to listing specific subnetworks if the + change described above will cause masquerading to occur on + subnetworks that you don't wish to masquerade. + + Example 2 -- Suppose that your current config is as follows: + + [root@gateway test]# cat /etc/shorewall/masq + #INTERFACE SUBNET ADDRESS + eth0 eth2 206.124.146.176 + eth0 192.168.10.0/24 206.124.146.176 + #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE + [root@gateway test]# ip route show dev eth2 + 192.168.1.0/24 scope link + 192.168.10.0/24 proto kernel scope link src 192.168.10.254 + [root@gateway test]# + + In this case, the second entry in /etc/shorewall/masq is no longer + required. + + Example 3 -- What if your current configuration is like this? + + [root@gateway test]# cat /etc/shorewall/masq + #INTERFACE SUBNET ADDRESS + eth0 eth2 206.124.146.176 + #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE + [root@gateway test]# ip route show dev eth2 + 192.168.1.0/24 scope link + 192.168.10.0/24 proto kernel scope link src 192.168.10.254 + [root@gateway test]# + + In this case, you would want to change the entry in + /etc/shorewall/masq to: + + #INTERFACE SUBNET ADDRESS + eth0 192.168.1.0/24 206.124.146.176 + #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
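Review bot: item 5 of the changelog hunk records a behaviour change that can widen what gets masqueraded (every subnet the routing table sends through the interface, instead of only the first subnet defined on it), but the entry reads as a plain feature and gives no hint that existing configurations may need review; suggest a follow-on line such as "   Existing /etc/shorewall/masq entries with an interface name in the SUBNET column should be checked -- see releasenotes.txt." Minor: changelog.txt still carries mode 100755; a text file does not need the executable bit.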
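Review bot: Example 1 in the releasenotes hunk contains a stray repeat of the masq file and the route listing: after the first "ip route show dev eth2" output, the lines "[root@gateway test]# ADDRESS", "eth0 eth2 206.124.146.176" and a second copy of the two route lines appear with no command in front of them, so the transcript reads as a paste error; drop the duplicate so the example shows cat, ip route and shorewall start once each. Two documentation gaps in the same text: it never says when Shorewall consults the routing table. If that happens at "shorewall start", a route through the interface added later (a VPN, a new local router) is not masqueraded until a restart, and since the new behaviour can also begin masquerading networks reached through local routers (point b) without any change to masq, the upgrade paragraph should tell the reader to compare "ip route show dev <iface>" against the "Masqueraded Subnets and Hosts" lines printed at start. Finally, Example 3 shows exactly the same masq file and routing table as Example 1 yet recommends a different masq entry; state the assumption that makes it differ (the administrator does not want 192.168.10.0/24 masqueraded) so the reader knows which case applies to them.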