Implement REDIRECT-

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@564 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall/changelog.txt

@@ -1,13 +1,4 @@
-Changes since 1.4.2
+Changes since 1.4.3a
 
-1. The 'add' and 'delete' commands no longer leave behind a temporary
-   directory in /tmp.
-
-2. Added support for 6to4 tunnels.
-
-3. Added $LOGMARKER for fireparse support
-
-4. Return more appropriate ICMP responses if the systems supports them.
-
-5. Silently drop UDP 135 in common.def.
+1. Implement REDIRECT-.
 

Shorewall/firewall

@@ -2123,6 +2123,17 @@ process_rule() # $1 = target
 	    servers="$FW::$servers"
 	fi
 	;;
+    REDIRECT-)
+	target=ACCEPT
+	logtarget=REDIRECT
+	dnat_only=Yes
+	address=${address:=all}
+	if [ "x-" = "x$servers" ]; then
+	    servers=$FW
+	else
+	    servers="$FW::$servers"
+	fi
+	;;
     esac
 
     # Parse and validate source
@@ -2263,7 +2274,7 @@ process_rules() # $1 = name of rules file
     while read xtarget xclients xservers xprotocol xports xcports xaddress; do
 	case "${xtarget%:*}" in
 
-	    ACCEPT|DROP|REJECT|DNAT|DNAT|DNAT-|REDIRECT|LOG|CONTINUE)
+	    ACCEPT|DROP|REJECT|DNAT|DNAT|DNAT-|REDIRECT|REDIRECT-|LOG|CONTINUE)
 		expandv xclients xservers xprotocol xports xcports xaddress
 
 		if [ "x$xclients" = xall ]; then

Shorewall/releasenotes.txt

@@ -2,36 +2,10 @@ This is a minor release of Shorewall.
 
 Problems Corrected:
 
-1) There were several cases where Shorewall would fail to remove a
-   temporary directory from /tmp. These cases have been corrected.
-
-2) The rules for allowing all traffic via the loopback interface have
-   been moved to before the rule that drops status=INVALID
-   packets. This insures that all loopback traffic is allowed even if
-   Netfilter connection tracking is confused.
-
 New Features:
 
-1) IPV6-IPV4 (6to4) tunnels are now supported in the
-   /etc/shorewall/tunnels file.
+1) A REDIRECT- rule target has been added. This target behaves for
+   REDIRECT in the same was as DNAT- does for DNAT in that the
+   Netfilter nat table REDIRECT rule is added but not the companion
+   filter table ACCEPT rule.
 
-2) Shorewall can now be easily integrated with fireparse
-   (http://www.fireparse.com) by setting LOGMARKER="fp=" in
-   /etc/shorewall/shorewall.conf. Note: You may not use ULOG
-   with fireparse unless you modify fireparse. 
-
-3) If you are running iptables 1.2.7a and kernel 2.4.20, then
-   Shorewall will return reject replies as follows:
-
-   a) tcp - RST
-   b) udp - ICMP port unreachable
-   c) icmp - ICMP host unreachable
-   d) Otherwise - ICMP host prohibited
-
-   If you are running earlier software, Shorewall will follow it's
-   traditional convention:
-
-   a) tcp - RST
-   b) Otherwise - ICMP port unreachable
-
-4) UDP Port 135 is now silently dropped in the common.def chain.

Shorewall/rules

@@ -31,6 +31,11 @@
 #					    the companion ACCEPT rule.
 #				REDIRECT -- Redirect the request to a local
 #					    port on the firewall.
+#				REDIRECT-
+#					 -- Advanced users only.
+#					    Like REDIRET but only generates the
+#					    REDIRECT iptables rule and not
+#					    the companion ACCEPT rule.
 #				CONTINUE -- (For experts only). Do not process
 #					    any of the following rules for this
 #					    (source zone,destination zone). If