Deprecate interface names in the SOURCE column of /etc/shorewall/masq

Samples/three-interfaces/masq

@@ -15,6 +15,8 @@
 #
 ##############################################################################
 #INTERFACE		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK
-eth0			eth1
+eth0			10.0.0.0/8,\
-eth0			eth2
+			169.254.0.0/16,\
+			172.16.0.0/12,\
+			192.168.0.0/16
 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

Samples/two-interfaces/masq

@@ -15,5 +15,8 @@
 #
 ###############################################################################
 #INTERFACE		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK
-eth0                    eth1
+eth0			10.0.0.0/8,\
+			169.254.0.0/16,\
+			172.16.0.0/12,\
+			192.168.0.0/16
 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

Shorewall/Perl/Shorewall/Chains.pm

@@ -246,6 +246,7 @@ use constant { NO_RESTRICT        => 0,   # FORWARD chain rule     - Both -i and
 our $exclseq;
 our $iprangematch;
 our $chainseq;
+our $idiotcount;
 
 our $global_variables;
 
@@ -352,6 +353,7 @@ sub initialize( $ ) {
     %interfacegateways  = ();
 
     $global_variables   = 0;
+    $idiotcount         = 0;
 
 }
 
@@ -2457,6 +2459,7 @@ sub expand_rule( $$$$$$$$$$ )
 	    # An interface in the SOURCE column of a masq file
 	    #
 	    fatal_error "Bridge ports may not appear in the SOURCE column of this file" if port_to_bridge( $iiface );
+	    warning_message qq(Using an interface as the masq SOURCE requires the interface to be up and configured when $Product starts/restarts) unless $idiotcount++;
 
 	    push_command $chainref, join( '', 'for source in ', get_interface_nets( $iiface) , '; do' ), 'done';
 

Shorewall/changelog.txt

@@ -8,6 +8,8 @@ Changes in Shorewall 4.3.10
 
 4) Fix handling of class IDs.
 
+5) Deprecate use of an interface in the SOURCE column of /etc/shorewall/masq.
+
 Changes in Shorewall 4.3.9
 
 1) Logging rules now create separate chain.

Shorewall/releasenotes.txt

@@ -55,6 +55,10 @@ released late in 2009.
     /etc/shorewall/rules has been removed, following the removal of the
     underlying support in the Linux kernel.
 
+4)  Supplying an interface name in the SOURCE column of
+    /etc/shorewall/masq is now deprecated. Entering the name of an
+    interface there will result in a compile-time warning.
+
 ----------------------------------------------------------------------------
           P R O B L E M S   C O R R E C T E D   I N   4 . 3 . 10
 ----------------------------------------------------------------------------
@@ -84,7 +88,7 @@ None.
                 N E W   F E A T U R E S   I N   4 . 3 . 10
 ----------------------------------------------------------------------------
 
-1.  The change that implemented IPMARK support in 4.3.9 resulted in a
+1)  The change that implemented IPMARK support in 4.3.9 resulted in a
     lack of upward compatibility which could break some
     configurations. The incompatibility stems from the way in which
     Shorewall generates a TC class Id from a mark value. 
@@ -112,7 +116,7 @@ None.
     column) must be >= 65536 (0x10000) and must be a multiple of 65536
     (0x1000, 0x20000, 0x30000, ...).
 
-2.  In the 'shorewall compile' command, the filename '-' is now causes
+2)  In the 'shorewall compile' command, the filename '-' is now causes
     the compiled script to be written to Standard Out. As a side
     effect, the effective VERBOSITY is set to -1 (silent).
 
@@ -125,6 +129,10 @@ None.
 		  	  	# current working directory
 		  	    	# and send the output to STDOUT
 
+3)  Supplying an interface name in the SOURCE column of
+    /etc/shorewall/masq is now deprecated. Entering the name of an
+    interface there will result in a compile-time warning.
+
 ----------------------------------------------------------------------------
                  N E W   F E A T U R E S   IN   4 . 3
 ----------------------------------------------------------------------------

docs/three-interface.xml

@@ -671,16 +671,15 @@ root@lists:~# </programlisting>
     <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
 
     <para>If your external firewall interface is <filename
-    class="devicefile">eth0</filename>, your local interface <filename
+    class="devicefile">eth0</filename> then you do not need to modify the file
-    class="devicefile">eth1</filename> and your DMZ interface is <filename
-    class="devicefile">eth2</filename> then you do not need to modify the file
     provided with the sample. Otherwise, edit <filename
     class="directory">/etc/shorewall/</filename><filename>masq</filename> and
     change it to match your configuration.</para>
 
     <para>If, in spite of all advice to the contrary, you are using this guide
-    and want to use one-to-one NAT or Proxy ARP for your DMZ, remove the entry
+    and want to use one-to-one NAT or Proxy ARP for your DMZ, you will need to
-    for eth2 from <filename>/etc/shorewall/masq</filename>.</para>
+    modify the SOURCE column to list just your local interface (10.10.10.0/24
+    in the above example).</para>
 
     <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
 

docs/two-interface.xml

@@ -632,8 +632,7 @@ root@lists:~# </programlisting>
     provided with <link linkend="Concepts">the sample</link>. Otherwise, edit
     <filename
     class="directory">/etc/shorewall/</filename><filename>masq</filename> and
-    change the first column to the name of your external interface and the
+    change the first column to the name of your external interface.</para>
-    second column to the name of your internal interface.</para>
 
     <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>