Allow overriding ADD_IP_ALIASES

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1480 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall2/changelog.txt

@@ -22,3 +22,8 @@ Changes since 2.0.3
 
        masq
        firewall
+
+8) Allow overriding ADD_IP_ALIASES=Yes
+
+       nat
+       firewall

Shorewall2/firewall

@@ -437,14 +437,6 @@ masq_chain() # $1 = interface
    echo $(chain_base $1)_masq
 }
 
-#
-# SNAT Chain for an interface
-#
-snat_chain() # $1 = interface
-{
-   echo $(chain_base $1)_snat
-}
-
 #
 # MAC Verification Chain for an interface
 #
@@ -487,7 +479,7 @@ dnat_chain() # $1 = zone
 }
 
 #
-# SNAT Chain to a zone
+# SNAT Chain to a zone or from an interface
 #
 snat_chain() # $1 = zone
 {
@@ -1884,7 +1876,46 @@ delete_proxy_arp() {
 # Setup Static Network Address Translation (NAT)
 #
 setup_nat() {
-    local allints
+    local external, interface, internal, allints, localnat
+
+    do_one_nat() {
+	local add_ip_aliases=$ADD_IP_ALIASES, iface=${interface%:*}
+	
+	if [ -n "$add_ip_aliases" ]; then
+	    case $interface in
+		*:)
+		    interface=${interface%:}
+		    add_ip_aliases=
+		    ;;
+		*)
+		    run_and_save_command qt ip addr del $external dev $iface
+		    ;;
+	    esac
+	else
+	    interface=${interface%:}
+	fi
+	
+	if [ "x$allints" = "xYes" -o "x$allints" = "xyes" ]; then
+	    addnatrule nat_in  -d $external -j DNAT --to-destination $internal
+	    addnatrule nat_out -s $internal -j SNAT --to-source $external
+	elif [ -z "$allints" -o "x$allints" = "x-" -o "x$allints" = "xNo" -o "x$allints" = "xno" ]; then       
+	    addnatrule $(input_chain $iface) -d $external -j DNAT --to-destination $internal
+	    addnatrule $(output_chain $iface) -s $internal -j SNAT --to-source $external
+	else
+	    fatal_error "Invalid value ($allints) for ALL INTERFACES in entry \"$external $interface $internal $allints $localnat\""
+	fi
+	
+	if [ "x$localnat" = "xYes" -o "x$localnat" = "xyes" ]; then
+	    run_iptables2 -t nat -A OUTPUT -d $external -j DNAT --to-destination $internal
+	elif [ "x$localnat" != "x-" -a -n "$localnat" -a "x$localnat" != "xNo" -a "x$localnat" != "xno" ]; then
+	    fatal_error "Invalid value ($allints) for LOCAL in entry \"$external $interface $internal $allints $localnat\""	    
+	fi
+
+	if [ -n "$add_ip_aliases" ]; then
+	    list_search $external $aliases_to_add || \
+		aliases_to_add="$aliases_to_add $external $interface"
+	fi
+    }
     #
     # At this point, we're just interested in the network translation
     #
@@ -1894,37 +1925,8 @@ setup_nat() {
 
     while read external interface internal allints localnat; do
 	expandv external interface internal allints localnat
-
+	
-	iface=${interface%:*}
+	do_one_nat
-
-	if [ -n "$ADD_IP_ALIASES" ]; then
-	    run_and_save_command qt ip addr del $external dev $iface
-	fi
-
-	if [ "x$allints" = "xYes" -o "x$allints" = "xyes" ]; then
-	    addnatrule nat_in  -d $external -j DNAT --to-destination $internal
-	    addnatrule nat_out -s $internal -j SNAT --to-source $external
-
-	elif [ -z "$allints" -o "x$allints" = "x-" -o "x$allints" = "xNo" -o "x$allints" = "xno" ]; then       
-	    addnatrule $(input_chain $iface) \
-		-d $external -j DNAT --to-destination $internal
-	    addnatrule $(output_chain $iface) \
-		-s $internal -j SNAT --to-source $external
-	else
-	    fatal_error "Invalid value ($allints) for ALL INTERFACES in entry \"$external $interface $internal $allints $localnat\""
-	fi
-
-	if [ "x$localnat" = "xYes" -o "x$localnat" = "xyes" ]; then
-	    run_iptables2 -t nat -A OUTPUT -d $external -j DNAT --to-destination $internal
-	elif [ "x$localnat" != "x-" -a -n "$localnat" -a "x$localnat" != "xNo" -a "x$localnat" != "xno" ]; then
-	    fatal_error "Invalid value ($allints) for LOCAL in entry \"$external $interface $internal $allints $localnat\""	    
-	fi
-
-
-	if [ -n "$ADD_IP_ALIASES" ]; then
-	    list_search $external $aliases_to_add || \
-		aliases_to_add="$aliases_to_add $external $interface"
-	fi
 
 	progress_message "   Host $internal NAT $external on $interface"
     done < $TMP_DIR/nat
@@ -5358,7 +5360,7 @@ activate_rules()
 
     #
     # Jump to a RULES chain from one of the builtin nat chains. These jumps are
-    # are inserted before jumps to static NAT chains.
+    # are inserted before jumps to one-to-one NAT chains.
     #
     addrulejump() # $1 = BUILTIN chain, $2 = user chain, $3 - * other arguments
     {
@@ -5375,12 +5377,11 @@ activate_rules()
 	fi
     }
     #
-    # Add early SNAT jumps
+    # Add jumps to early SNAT chains
     #
     for interface in $all_interfaces; do
-	addrulejump POSTROUTING $(snat_chain $interface) -o $interface 
+	addnatjump POSTROUTING $(snat_chain $interface) -o $interface
     done
-
     #
     # Add jumps for dynamic nat chains
     #

Shorewall2/masq

@@ -35,6 +35,10 @@
 #			+eth0:192.0.2.32/27
 #			+eth0:2
 #
+#		     This feature should only be required if you need to 
+#		     insert rules in this file that preempt entries in
+#		     /etc/shorewall/nat.
+#
 #	SUBNET -- Subnet that you wish to masquerade. You can specify this as
 #		  a subnet or as an interface. If you give the name of an
 #		  interface, you must have iproute installed and the interface

Shorewall2/nat

@@ -24,6 +24,10 @@
 #			see the alias with ifconfig. THAT IS THE ONLY THING
 #			THAT THIS NAME IS GOOD FOR -- YOU CANNOT USE IT
 #			ANYWHERE ELSE IN YOUR SHORWALL CONFIGURATION.
+#
+#			If you want to override ADD_IP_ALIASES=Yes for a
+#			particular entry, follow the interface name with
+#			":" and no digit (e.g., "eth0:").
 #	INTERNAL	Internal Address (must not be a DNS Name).
 #       ALL INTERFACES  If Yes or yes, NAT will be effective from all hosts.
 #                       If No or no (or left empty) then NAT will be effective

Shorewall2/releasenotes.txt

@@ -60,4 +60,8 @@ New Features:
 	eth1::192.0.2.32/27
 	+eth3:
 
+3)  Similar to 2), the /etc/shorewall/nat file INTERFACE column now allows
+    you to override the setting of ADD_IP_ALIASES=Yes by following the
+    interface name with ":" but no digit.
+