Allow specification of destination addresses in Shorewall6 masq.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2013-02-19 08:34:03 -08:00
parent ce28c70c60
commit b562f7f311
2 changed files with 18 additions and 32 deletions


@ -92,6 +92,9 @@ sub process_one_masq1( $$$$$$$$$$ )
$destnets = $two; $destnets = $two;
} }
} }
} elsif ( $interfacelist =~ /^(.+?):(.+)$/ ) {
$interfacelist = $1;
$destnets = $2;
} }
# #
# If there is no source or destination then allow all addresses # If there is no source or destination then allow all addresses
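Review bot: the new `elsif` branch's pattern `/^(.+?):(.+)$/` requires at least one character after the colon, so an entry written as `interface:` with nothing following (which the `[:[dest-address...]]` synopsis in the documentation hunk presents as legal) does not match and falls through with the colon still embedded in `$interfacelist`; either relax the second group to `(.*)` and treat an empty `$destnets` as "all destinations", or reject the form with an explicit error so the user sees why the entry was refused. The non-greedy `(.+?)` is the right choice for the first group, since IPv6 destination addresses contain colons and the split must happen at the first one; a short comment on that line saying so would keep a future edit from "fixing" it to greedy.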


@ -16,14 +16,15 @@
<refsynopsisdiv> <refsynopsisdiv>
<cmdsynopsis> <cmdsynopsis>
<command>/etc/shorewall/masq</command> <command>/etc/shorewall6/masq</command>
</cmdsynopsis> </cmdsynopsis>
</refsynopsisdiv> </refsynopsisdiv>
<refsect1> <refsect1>
<title>Description</title> <title>Description</title>
<para>Use this file to define Source NAT (SNAT).</para> <para>Use this file to define Source NAT (SNAT). Requires Shorewall 4.5.14
or later.</para>
<note> <note>
<para>Unlike with IPv4, Netfilter does not support the MASQUERADE target <para>Unlike with IPv4, Netfilter does not support the MASQUERADE target
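Review bot: the added sentence "Requires Shorewall 4.5.14 or later." sits in the file-level Description, which reads as though the shorewall6 masq file itself needs 4.5.14, whereas what is new in this commit is the INTERFACE:DEST syntax; move the version note into the INTERFACE:DEST entry (the `[:dest-address...]` text added in the next hunk) so the older, unchanged usage is not flagged as requiring a newer release. The `/etc/shorewall/masq` to `/etc/shorewall6/masq` correction in the synopsis is right and should stay.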
@ -50,7 +51,9 @@
<variablelist> <variablelist>
<varlistentry> <varlistentry>
<term><emphasis role="bold">INTERFACE:DEST</emphasis> - {[<emphasis <term><emphasis role="bold">INTERFACE:DEST</emphasis> - {[<emphasis
role="bold">+</emphasis>]<emphasis>interfacelist</emphasis>|[?]COMMENT}</term> role="bold">+</emphasis>]<emphasis>interfacelist</emphasis>|[<emphasis
role="bold">:</emphasis>[<emphasis>dest-address</emphasis>[<emphasis
role="bold">,</emphasis><emphasis>dest-address</emphasis>]...[<emphasis>exclusion</emphasis>]]|[?]COMMENT}</term>
<listitem> <listitem>
<para>Outgoing <emphasis>interfacelist</emphasis>. This may be a <para>Outgoing <emphasis>interfacelist</emphasis>. This may be a
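Review bot: the new synopsis `{[+]interfacelist|[:[dest-address[,dest-address]...[exclusion]]|[?]COMMENT}` has two problems. First, the `|` placed between `interfacelist` and `[:` makes the destination part read as a third alternative on the same footing as `interfacelist` and `COMMENT`, while the Perl change in the first hunk only ever splits it off the interface list; the suffix form `[+]interfacelist[:dest-address[,dest-address]...[exclusion]]` matches the code. Second, the brackets are unbalanced: the `[` opened before the bold `:` is never closed (`[:[dest-address[,dest-address]...[exclusion]]` has three opening brackets before `dest-address` and only two matching closes), so the rendered man page shows a stray `[`. Rewriting it as the suffix form fixes both.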
@ -83,28 +86,8 @@
addresses to indicate that you only want to change the source IP addresses to indicate that you only want to change the source IP
address for packets being sent to those particular destinations. address for packets being sent to those particular destinations.
Exclusion is allowed (see <ulink Exclusion is allowed (see <ulink
url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)) as url="shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)) as
are ipset names preceded by a plus sign '+';</para> are ipset names preceded by a plus sign '+'.</para>
<para>If you wish to inhibit the action of ADD_SNAT_ALIASES for this
entry then include the ":" but omit the digit:</para>
<programlisting> eth0(Avvanta):
eth2::192.0.2.32/27</programlisting>
<para>Normally Masq/SNAT rules are evaluated after those for
one-to-one NAT (defined in <ulink
url="shorewall-nat.html">shorewall-nat</ulink>(5)). If you want the
rule to be applied before one-to-one NAT rules, prefix the interface
name with "+":</para>
<programlisting> +eth0
+eth0:192.0.2.32/27
+eth0:2</programlisting>
<para>This feature should only be required if you need to insert
rules in this file that preempt entries in <ulink
url="shorewall-nat.html">shorewall-nat</ulink>(5).</para>
<para>Comments may be attached to Netfilter rules generated from <para>Comments may be attached to Netfilter rules generated from
entries in this file through the use of COMMENT lines. These lines entries in this file through the use of COMMENT lines. These lines
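Review bot: dropping the ADD_SNAT_ALIASES and one-to-one NAT paragraphs from the IPv6 page leaves the `+` interface prefix undocumented: the synopsis in the previous hunk still advertises `[+]interfacelist`, but the only remaining explanation of what `+` does (the "prefix the interface name with '+'" paragraph, lines 56-66 on the left side) is removed here. Either delete `[+]` from the synopsis as well, or keep a one-sentence note on what the prefix means for shorewall6. The `shorewall-exclusion` to `shorewall6-exclusion` link fix and the `;` to `.` correction at the end of the exclusion sentence are fine.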
@ -492,13 +475,13 @@
role="bold">-</emphasis>|<emphasis>address</emphasis>[,<emphasis>address</emphasis>]...[<emphasis>exclusion</emphasis>]|<emphasis>exclusion</emphasis>]</term> role="bold">-</emphasis>|<emphasis>address</emphasis>[,<emphasis>address</emphasis>]...[<emphasis>exclusion</emphasis>]|<emphasis>exclusion</emphasis>]</term>
<listitem> <listitem>
<para>(Optional) Added in Shorewall 4.5.6. This column may be <para>(Optional) This column may be included and may contain one or
included and may contain one or more addresses (host or network) more addresses (host or network) separated by commas. Address ranges
separated by commas. Address ranges are not allowed. When this are not allowed. When this column is supplied, rules are generated
column is supplied, rules are generated that require that the that require that the original destination address matches one of
original destination address matches one of the listed addresses. It the listed addresses. It is useful for specifying that SNAT should
is useful for specifying that SNAT should occur only for connections occur only for connections that were acted on by a DNAT when they
that were acted on by a DNAT when they entered the firewall.</para> entered the firewall.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
</variablelist> </variablelist>
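Review bot: removing "Added in Shorewall 4.5.6." from the DEST column is consistent with the file-level version note added earlier in this commit, but the entry now describes a second way to restrict SNAT by destination without saying how it relates to the new `INTERFACE:DEST` suffix (`:dest-address[,dest-address]...[exclusion]`) documented in the third hunk; add a sentence stating whether the two may be combined in one entry and, if so, whether the rule requires both to match or whether one takes precedence. The rest of this hunk is a pure reflow of the paragraph and carries no other change.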