Allow overriding ADD_IP_ALIASES

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1480 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2025-06-26 12:42:40 +02:00 · 2004-07-15 20:29:06 +00:00 · 2004-07-15 20:29:06 +00:00 · 997c722946
commit 997c722946
parent 43ac5e4799
5 changed files with 63 additions and 45 deletions
--- a/Shorewall2/changelog.txt
+++ b/Shorewall2/changelog.txt
@ -22,3 +22,8 @@ Changes since 2.0.3

       masq
       firewall
+
+8) Allow overriding ADD_IP_ALIASES=Yes
+
+       nat
+       firewall
--- a/Shorewall2/firewall
+++ b/Shorewall2/firewall
@ -437,14 +437,6 @@ masq_chain() # $1 = interface
   echo $(chain_base $1)_masq
 }

-#
-# SNAT Chain for an interface
-#
-snat_chain() # $1 = interface
-{
-   echo $(chain_base $1)_snat
-}
-
 #
 # MAC Verification Chain for an interface
 #
@ -487,7 +479,7 @@ dnat_chain() # $1 = zone
 }

 #
-# SNAT Chain to a zone
+# SNAT Chain to a zone or from an interface
 #
 snat_chain() # $1 = zone
 {
@ -1884,32 +1876,31 @@ delete_proxy_arp() {
 # Setup Static Network Address Translation (NAT)
 #
 setup_nat() {
-    local allints
-    #
-    # At this point, we're just interested in the network translation
-    #
-    > ${STATEDIR}/nat
+    local external, interface, internal, allints, localnat

-    save_progress_message "Restoring one-to-one NAT..."
+    do_one_nat() {
+	local add_ip_aliases=$ADD_IP_ALIASES, iface=${interface%:*}
 	
-    while read external interface internal allints localnat; do
-	expandv external interface internal allints localnat
-
-	iface=${interface%:*}
-
-	if [ -n "$ADD_IP_ALIASES" ]; then
-	    run_and_save_command qt ip addr del $external dev $iface
+	if [ -n "$add_ip_aliases" ]; then
+	    case $interface in
+		*:)
+		    interface=${interface%:}
+		    add_ip_aliases=
+		    ;;
+		*)
+		    run_and_save_command qt ip addr del $external dev $iface
+		    ;;
+	    esac
+	else
+	    interface=${interface%:}
 	fi
 	
 	if [ "x$allints" = "xYes" -o "x$allints" = "xyes" ]; then
 	    addnatrule nat_in  -d $external -j DNAT --to-destination $internal
 	    addnatrule nat_out -s $internal -j SNAT --to-source $external
-
 	elif [ -z "$allints" -o "x$allints" = "x-" -o "x$allints" = "xNo" -o "x$allints" = "xno" ]; then       
-	    addnatrule $(input_chain $iface) \
-		-d $external -j DNAT --to-destination $internal
-	    addnatrule $(output_chain $iface) \
-		-s $internal -j SNAT --to-source $external
+	    addnatrule $(input_chain $iface) -d $external -j DNAT --to-destination $internal
+	    addnatrule $(output_chain $iface) -s $internal -j SNAT --to-source $external
 	else
 	    fatal_error "Invalid value ($allints) for ALL INTERFACES in entry \"$external $interface $internal $allints $localnat\""
 	fi
@ -1920,11 +1911,22 @@ setup_nat() {
 	    fatal_error "Invalid value ($allints) for LOCAL in entry \"$external $interface $internal $allints $localnat\""	    
 	fi

-
-	if [ -n "$ADD_IP_ALIASES" ]; then
+	if [ -n "$add_ip_aliases" ]; then
 	    list_search $external $aliases_to_add || \
 		aliases_to_add="$aliases_to_add $external $interface"
 	fi
+    }
+    #
+    # At this point, we're just interested in the network translation
+    #
+    > ${STATEDIR}/nat
+
+    save_progress_message "Restoring one-to-one NAT..."
+
+    while read external interface internal allints localnat; do
+	expandv external interface internal allints localnat
+	
+	do_one_nat

 	progress_message "   Host $internal NAT $external on $interface"
    done < $TMP_DIR/nat
@ -5358,7 +5360,7 @@ activate_rules()

    #
    # Jump to a RULES chain from one of the builtin nat chains. These jumps are
-    # are inserted before jumps to static NAT chains.
+    # are inserted before jumps to one-to-one NAT chains.
    #
    addrulejump() # $1 = BUILTIN chain, $2 = user chain, $3 - * other arguments
    {
@ -5375,12 +5377,11 @@ activate_rules()
 	fi
    }
    #
-    # Add early SNAT jumps
+    # Add jumps to early SNAT chains
    #
    for interface in $all_interfaces; do
-	addrulejump POSTROUTING $(snat_chain $interface) -o $interface 
+	addnatjump POSTROUTING $(snat_chain $interface) -o $interface
    done
-
    #
    # Add jumps for dynamic nat chains
    #
--- a/Shorewall2/masq
+++ b/Shorewall2/masq
@ -35,6 +35,10 @@
 #			+eth0:192.0.2.32/27
 #			+eth0:2
 #
+#		     This feature should only be required if you need to 
+#		     insert rules in this file that preempt entries in
+#		     /etc/shorewall/nat.
+#
 #	SUBNET -- Subnet that you wish to masquerade. You can specify this as
 #		  a subnet or as an interface. If you give the name of an
 #		  interface, you must have iproute installed and the interface
--- a/Shorewall2/nat
+++ b/Shorewall2/nat
@ -24,6 +24,10 @@
 #			see the alias with ifconfig. THAT IS THE ONLY THING
 #			THAT THIS NAME IS GOOD FOR -- YOU CANNOT USE IT
 #			ANYWHERE ELSE IN YOUR SHORWALL CONFIGURATION.
+#
+#			If you want to override ADD_IP_ALIASES=Yes for a
+#			particular entry, follow the interface name with
+#			":" and no digit (e.g., "eth0:").
 #	INTERNAL	Internal Address (must not be a DNS Name).
 #       ALL INTERFACES  If Yes or yes, NAT will be effective from all hosts.
 #                       If No or no (or left empty) then NAT will be effective
--- a/Shorewall2/releasenotes.txt
+++ b/Shorewall2/releasenotes.txt
@ -60,4 +60,8 @@ New Features:
 	eth1::192.0.2.32/27
 	+eth3:

+3)  Similar to 2), the /etc/shorewall/nat file INTERFACE column now allows
+    you to override the setting of ADD_IP_ALIASES=Yes by following the
+    interface name with ":" but no digit.
+