Remove SNAT in DNAT rules

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1532 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2025-01-12 08:38:14 +01:00 · 2004-08-11 00:17:54 +00:00 · 2004-08-11 00:17:54 +00:00 · a193b7bbba
commit a193b7bbba
parent 3aff092003
4 changed files with 36 additions and 31 deletions
--- a/Shorewall2/changelog.txt
+++ b/Shorewall2/changelog.txt
@ -34,3 +34,5 @@ Changes since 2.0.3
 15) Implement STARTUP_ENABLED.

 16) Added DNAT ONLY column to /etc/shorewall/nat.
+
+17) Removed SNAT from ORIGINAL DESTINATION column.
--- a/Shorewall2/firewall
+++ b/Shorewall2/firewall
@ -3287,10 +3287,7 @@ add_nat_rule() {
    # Parse SNAT address if any

    if [ "$addr" != "${addr%:*}" ]; then
-	snat="${addr#*:}"
-	addr="${addr%:*}"
-    else
-	snat=""
+	fatal_error "SNAT may no longer be specified in a DNAT rule; use /etc/shorewall/masq instead"
    fi

    # Set original destination address
@ -3420,24 +3417,6 @@ add_nat_rule() {
 	fi
    fi

-    # Handle SNAT
-
-    if [ -n "$snat" ]; then
-	if [ -n "$cli" ]; then
-	    [ $COMMAND = check ] || addnatrule $(snat_chain $dest) $proto $cli $multiport \
-		$sports -d $serv $dports -j SNAT --to-source $snat
-	else
-	    for source_host in $source_hosts; do
-		[ "x${source_host#*:}" = "x0.0.0.0/0" ] && \
-		    error_message "Warning: SNAT will occur on all connections to this server and port - rule \"$rule\""
-
-		[ $COMMAND = check ] || addnatrule $(snat_chain $dest) \
-		    $(match_source_hosts ${source_host#*:}) $proto $sports $multiport \
-		    -d $serv $dports -j SNAT --to-source $snat
-	    done
-	fi
-    fi
-
    [ "x$addr" = "x0.0.0.0/0" ] && addr=
    ratelimit=
 }
@ -4472,7 +4451,6 @@ get_routed_networks() # $1 = interface name
    ip route show dev $1 2> /dev/null |
 	while read address rest; do
 	    if [ "x$address" = xdefault ]; then
-//*-+9
 		error_message "Warning: default route ignored on interface $1"
 	    else
 		[ "$address" = "${address%/*}" ] && address="${address}/32"
--- a/Shorewall2/releasenotes.txt
+++ b/Shorewall2/releasenotes.txt
@ -60,6 +60,39 @@ Issues when migrating from Shorewall 2.0 to Shorewall 2.1:
    Simply rename that file to 'shorwall.lrp' when installing it on your
    LEAF/Bering system.

+5)  The ORIGINAL DEST column of the /etc/shorewall/rules file may no
+    longer contain a second (SNAT) address. You must use an entry in
+    /etc/shorewall/masq instead.
+
+    Example from Shorewall FAQ #1:
+
+    Prior to Shorewall 2.1:
+
+	  /etc/shorewall/interfaces
+
+		loc	eth1	detect	routeback,...
+
+	  /etc/shorewall/rules
+
+		DNAT	loc	loc:192.168.1.12	tcp	80 \
+			-	130.252.100.69:192.168.1.254
+
+    Shorewall 2.1 and Later:
+
+	  /etc/shorewall/interfaces
+
+		loc	eth1	detect	routeback,...
+
+	  /etc/shorewall/masq:
+
+		eth1	eth1	192.168.1.254	tcp	80	
+
+		
+	  /etc/shorewall/rules:
+
+		DNAT	loc	loc:192.168.1.12	tcp	80 \
+			-	130.252.100.69
+
 -----------------------------------------------------------------------
 New Features:

--- a/Shorewall2/rules
+++ b/Shorewall2/rules
@ -237,14 +237,6 @@
 #			destination address in the connection request does not
 #			match any of the addresses listed.
 #
-#			The address (list) may optionally be followed by
-#			a colon (":") and a second IP address. This causes
-#			Shorewall to use the second IP address as the source
-#			address in forwarded packets. See the Shorewall
-#			documentation for restrictions concerning this feature.
-#			If no source IP address is given, the original source
-#			address is not altered.
-#
 #	RATE LIMIT	You may rate-limit the rule by placing a value in 
 #			this colume:
 #