Deprecate interface names in the SOURCE column of /etc/shorewall/masq

Tom Eastep 2009-04-29 15:13:22 -07:00
parent 89f0aa0081
commit c1cf1695c0
7 changed files with 29 additions and 13 deletions

View File

@ -15,6 +15,8 @@
#
##############################################################################
#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK
eth0 eth1
eth0 eth2
eth0 10.0.0.0/8,\
169.254.0.0/16,\
172.16.0.0/12,\
192.168.0.0/16
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
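Review bot: the replacement entries switch the selection criterion from ingress interface to source address, and the list includes 169.254.0.0/16; routers are not supposed to forward packets with link-local sources (RFC 3927), so masquerading them out eth0 launders a misconfigured host's traffic instead of dropping it. Consider leaving that range out of the sample, and adding a comment above the entry saying that any packet with an RFC 1918 source leaving eth0 is now NATed regardless of which interface it arrived on, so a DMZ on private addresses (one-to-one NAT) must be excluded or the list narrowed. The `\` continuations also make the four lines a single logical entry; a reader skimming the sample may not realize that.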

View File

@ -15,5 +15,8 @@
#
###############################################################################
#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK
eth0 eth1
eth0 10.0.0.0/8,\
169.254.0.0/16,\
172.16.0.0/12,\
192.168.0.0/16
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
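Review bot: same change as the three-interface sample, with the same caveat: `eth0 eth1` masqueraded whatever arrived on eth1, while the `10.0.0.0/8,...` entry matches by source address only, so a host on eth1 with a non-private address (for example behind Proxy ARP) is no longer masqueraded, and a private-address host on any other interface now is. That is presumably the intent, but a one-line comment above the entry would spare users the surprise, and 169.254.0.0/16 deserves the same second look here.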

View File

@ -246,6 +246,7 @@ use constant { NO_RESTRICT => 0, # FORWARD chain rule - Both -i and
our $exclseq;
our $iprangematch;
our $chainseq;
our $idiotcount;
our $global_variables;
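Review bot: `$idiotcount` is a pejorative name for what is only a warn-once flag; the single use (`unless $idiotcount++`) never reads the count. A name such as `our $masq_interface_warned;` documents the purpose, and the same rename applies to the `$idiotcount = 0;` in `initialize()` below.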
@ -352,6 +353,7 @@ sub initialize( $ ) {
%interfacegateways = ();
$global_variables = 0;
$idiotcount = 0;
}
@ -2457,6 +2459,7 @@ sub expand_rule( $$$$$$$$$$ )
# An interface in the SOURCE column of a masq file
#
fatal_error "Bridge ports may not appear in the SOURCE column of this file" if port_to_bridge( $iiface );
warning_message qq(Using an interface as the masq SOURCE requires the interface to be up and configured when $Product starts/restarts) unless $idiotcount++;
push_command $chainref, join( '', 'for source in ', get_interface_nets( $iiface) , '; do' ), 'done';
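Review bot: the warning text never says the usage is deprecated, which is the whole point of the commit according to the changelog and release notes; say so and name the replacement (a network or address list in SOURCE). Also, `unless $idiotcount++` emits the message for the first offending entry only, so a file with several such entries produces one warning tied to one location; for a deprecation it is more useful to warn on every occurrence, or at least to report how many were found. The generated `for source in ... ; do` loop, which resolves get_interface_nets at run time, is exactly why the interface must be up and configured at restart, and the message could say that in those terms.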

View File

@ -8,6 +8,8 @@ Changes in Shorewall 4.3.10
4) Fix handling of class IDs.
5) Deprecate use of an interface in the SOURCE column of /etc/shorewall/masq.
Changes in Shorewall 4.3.9
1) Logging rules now create separate chain.

View File

@ -53,7 +53,11 @@ released late in 2009.
3) Support for the SAME target in /etc/shorewall/masq and
/etc/shorewall/rules has been removed, following the removal of the
underlying support in the Linux kernel.
underlying support in the Linux kernel.
4) Supplying an interface name in the SOURCE column of
/etc/shorewall/masq is now deprecated. Entering the name of an
interface there will result in a compile-time warning.
----------------------------------------------------------------------------
P R O B L E M S C O R R E C T E D I N 4 . 3 . 10
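Review bot: item 4) tells users that the syntax is deprecated and will warn, but not what to write instead; one sentence pointing at the address form used in the updated sample files (a comma-separated list of networks such as 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16) would save a trip to the documentation. The two identical `underlying support in the Linux kernel.` lines also show a whitespace-only change on that line; drop it from the patch so the hunk contains only the intended edit.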
@ -84,7 +88,7 @@ None.
N E W F E A T U R E S I N 4 . 3 . 10
----------------------------------------------------------------------------
1. The change that implemented IPMARK support in 4.3.9 resulted in a
1) The change that implemented IPMARK support in 4.3.9 resulted in a
lack of upward compatibility which could break some
configurations. The incompatibility stems from the way in which
Shorewall generates a TC class Id from a mark value.
@ -112,7 +116,7 @@ None.
column) must be >= 65536 (0x10000) and must be a multiple of 65536
(0x1000, 0x20000, 0x30000, ...).
2. In the 'shorewall compile' command, the filename '-' is now causes
2) In the 'shorewall compile' command, the filename '-' is now causes
the compiled script to be written to Standard Out. As a side
effect, the effective VERBOSITY is set to -1 (silent).
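Review bot: since the line `2) In the 'shorewall compile' command, the filename '-' is now causes` is being touched for renumbering anyway, fix the grammar at the same time: `the filename '-' now causes`.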
@ -125,6 +129,10 @@ None.
# current working directory
# and send the output to STDOUT
3) Supplying an interface name in the SOURCE column of
/etc/shorewall/masq is now deprecated. Entering the name of an
interface there will result in a compile-time warning.
----------------------------------------------------------------------------
N E W F E A T U R E S IN 4 . 3
----------------------------------------------------------------------------
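Review bot: this item 3) under N E W F E A T U R E S is a verbatim copy of item 4) in the migration section above; a deprecation that produces a compile-time warning is a compatibility note rather than a feature, so one entry is enough, and if it stays here it should at least cross-reference the other and name the replacement syntax.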

View File

@ -671,16 +671,15 @@ root@lists:~# </programlisting>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
<para>If your external firewall interface is <filename
class="devicefile">eth0</filename>, your local interface <filename
class="devicefile">eth1</filename> and your DMZ interface is <filename
class="devicefile">eth2</filename> then you do not need to modify the file
class="devicefile">eth0</filename> then you do not need to modify the file
provided with the sample. Otherwise, edit <filename
class="directory">/etc/shorewall/</filename><filename>masq</filename> and
change it to match your configuration.</para>
<para>If, in spite of all advice to the contrary, you are using this guide
and want to use one-to-one NAT or Proxy ARP for your DMZ, remove the entry
for eth2 from <filename>/etc/shorewall/masq</filename>.</para>
and want to use one-to-one NAT or Proxy ARP for your DMZ, you will need to
modify the SOURCE column to list just your local interface (10.10.10.0/24
in the above example).</para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
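Review bot: the new sentence tells the reader to "list just your local interface (10.10.10.0/24 in the above example)" while this same commit deprecates interface names in SOURCE; 10.10.10.0/24 is a network, so say "local network". It is also worth stating why the edit is needed: the updated sample masquerades all of 10.0.0.0/8, so a DMZ on private addresses behind one-to-one NAT would otherwise be masqueraded as well, whereas a DMZ using public addresses via Proxy ARP is already untouched by the sample.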

View File

@ -632,8 +632,7 @@ root@lists:~# </programlisting>
provided with <link linkend="Concepts">the sample</link>. Otherwise, edit
<filename
class="directory">/etc/shorewall/</filename><filename>masq</filename> and
change the first column to the name of your external interface and the
second column to the name of your internal interface.</para>
change the first column to the name of your external interface.</para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
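Review bot: the removed sentence told readers what to put in the second column; the replacement only covers the first. With the sample now listing the RFC 1918 ranges, a reader whose LAN uses other addresses, or who wants masquerading limited to one subnet, gets no instruction for the SOURCE column. Suggest: "change the first column to the name of your external interface and, if your local network is not one of the listed private ranges or you want to masquerade only that network, the second column to your local network."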