extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-06-20 09:47:51 +02:00
Code Issues Packages Projects Releases Wiki Activity

Eliminate rawpost table support

Browse Source 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2016-12-26 14:20:08 -08:00
parent 7b96d41065
commit c4bbb46e3f
No known key found for this signature in database
GPG Key ID: 96E6B3F2423A4D10
9 changed files with 50 additions and 197 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
Shorewall-core/lib.cli
View File

@ -1007,13 +1007,6 @@ show_raw() {
$g_tool -t raw -L $g_ipt_options | $output_filter $g_tool -t raw -L $g_ipt_options | $output_filter
} }
show_rawpost() {
echo "$g_product $SHOREWALL_VERSION RAWPOST Table at $g_hostname - $(date)"
echo
show_reset
$g_tool -t rawpost -L $g_ipt_options | $output_filter
}
show_mangle() { show_mangle() {
echo "$g_product $SHOREWALL_VERSION Mangle Table at $g_hostname - $(date)" echo "$g_product $SHOREWALL_VERSION Mangle Table at $g_hostname - $(date)"
echo echo
@ -1264,7 +1257,7 @@ show_command() {
[ $# -eq 1 ] && missing_option_value -t [ $# -eq 1 ] && missing_option_value -t
case $2 in case $2 in
mangle|nat|filter|raw|rawpost) mangle|nat|filter|raw)
table=$2 table=$2
table_given=Yes table_given=Yes
;; ;;
@ -1318,10 +1311,6 @@ show_command() {
[ $# -gt 1 ] && too_many_arguments $2 [ $# -gt 1 ] && too_many_arguments $2
eval show_raw $g_pager eval show_raw $g_pager
;; ;;
rawpost)
[ $# -gt 1 ] && too_many_arguments $2
eval show_rawpost $g_pager
;;
tos|mangle) tos|mangle)
[ $# -gt 1 ] && too_many_arguments $2 [ $# -gt 1 ] && too_many_arguments $2
eval show_mangle $g_pager eval show_mangle $g_pager
@ -1710,11 +1699,6 @@ do_dump_command() {
$g_tool -t raw -L $g_ipt_options $g_tool -t raw -L $g_ipt_options
fi fi
if qt $g_tool -t rawpost -L -n; then
heading "Rawpost Table"
$g_tool -t rawpost -L $g_ipt_options
fi
local count local count
local max local max
@ -2765,7 +2749,6 @@ determine_capabilities() {
CONNMARK_MATCH= CONNMARK_MATCH=
XCONNMARK_MATCH= XCONNMARK_MATCH=
RAW_TABLE= RAW_TABLE=
RAWPOST_TABLE=
IPP2P_MATCH= IPP2P_MATCH=
OLD_IPP2P_MATCH= OLD_IPP2P_MATCH=
LENGTH_MATCH= LENGTH_MATCH=
@ -3017,7 +3000,6 @@ determine_capabilities() {
fi fi
qt $g_tool -t raw -L -n && RAW_TABLE=Yes qt $g_tool -t raw -L -n && RAW_TABLE=Yes
qt $g_tool -t rawpost -L -n && RAWPOST_TABLE=Yes
if [ -n "$RAW_TABLE" ]; then if [ -n "$RAW_TABLE" ]; then
qt $g_tool -t raw -F $chain qt $g_tool -t raw -F $chain
@ -3243,7 +3225,6 @@ report_capabilities_unsorted() {
report_capability "Connmark Match (CONNMARK_MATCH)" $CONNMARK_MATCH report_capability "Connmark Match (CONNMARK_MATCH)" $CONNMARK_MATCH
[ -n "$CONNMARK_MATCH" ] && report_capability "Extended Connmark Match (XCONNMARK_MATCH)" $XCONNMARK_MATCH [ -n "$CONNMARK_MATCH" ] && report_capability "Extended Connmark Match (XCONNMARK_MATCH)" $XCONNMARK_MATCH
report_capability "Raw Table (RAW_TABLE)" $RAW_TABLE report_capability "Raw Table (RAW_TABLE)" $RAW_TABLE
report_capability "Rawpost Table (RAWPOST_TABLE)" $RAWPOST_TABLE
report_capability "IPP2P Match (IPP2P_MATCH)" $IPP2P_MATCH report_capability "IPP2P Match (IPP2P_MATCH)" $IPP2P_MATCH
[ -n "$OLD_IPP2P_MATCH" ] && report_capability "Old IPP2P Match Syntax (OLD_IPP2P_MATCH)" $OLD_IPP2P_MATCH [ -n "$OLD_IPP2P_MATCH" ] && report_capability "Old IPP2P Match Syntax (OLD_IPP2P_MATCH)" $OLD_IPP2P_MATCH
report_capability "CLASSIFY Target (CLASSIFY_TARGET)" $CLASSIFY_TARGET report_capability "CLASSIFY Target (CLASSIFY_TARGET)" $CLASSIFY_TARGET
@ -3372,7 +3353,6 @@ report_capabilities_unsorted1() {
report_capability1 CONNMARK_MATCH report_capability1 CONNMARK_MATCH
report_capability1 XCONNMARK_MATCH report_capability1 XCONNMARK_MATCH
report_capability1 RAW_TABLE report_capability1 RAW_TABLE
report_capability1 RAWPOST_TABLE
report_capability1 IPP2P_MATCH report_capability1 IPP2P_MATCH
report_capability1 OLD_IPP2P_MATCH report_capability1 OLD_IPP2P_MATCH
report_capability1 CLASSIFY_TARGET report_capability1 CLASSIFY_TARGET
@ -4323,7 +4303,7 @@ usage() # $1 = exit status
echo " [ show | list | ls ] ipsec" echo " [ show | list | ls ] ipsec"
echo " [ show | list | ls ] [ -m ] log [<regex>]" echo " [ show | list | ls ] [ -m ] log [<regex>]"
echo " [ show | list | ls ] [ -x ] mangle|nat|raw|rawpost" echo " [ show | list | ls ] [ -x ] mangle|nat|raw"
ecko " [ show | list | ls ] macro <macro>" ecko " [ show | list | ls ] macro <macro>"
ecko " [ show | list | ls ] macros" ecko " [ show | list | ls ] macros"
echo " [ show | list | ls ] nfacct" echo " [ show | list | ls ] nfacct"

6
Shorewall-core/manpages/shorewall.xml
View File

@ -665,7 +665,7 @@
<arg><option>-l</option></arg> <arg><option>-l</option></arg>
<arg><option>-t</option> <arg><option>-t</option>
{<option>filter</option>|<option>mangle</option>|<option>nat</option>|<option>raw|rawpost</option>}</arg> {<option>filter</option>|<option>mangle</option>|<option>nat</option>|<option>raw</option>}</arg>
<arg><arg choice="plain" <arg><arg choice="plain"
rep="repeat"><replaceable>chain</replaceable></arg></arg> rep="repeat"><replaceable>chain</replaceable></arg></arg>
@ -749,7 +749,7 @@
<arg><option>-x</option></arg> <arg><option>-x</option></arg>
<arg choice="req"><option>mangle|nat|raw|rawpost</option></arg> <arg choice="req"><option>mangle|nat|raw</option></arg>
</cmdsynopsis> </cmdsynopsis>
<cmdsynopsis> <cmdsynopsis>
@ -2395,7 +2395,7 @@
<varlistentry> <varlistentry>
<term>[-<option>b</option>] [-<option>x</option>] <term>[-<option>b</option>] [-<option>x</option>]
[-<option>l</option>] [-<option>t</option> [-<option>l</option>] [-<option>t</option>
{<option>filter</option>|<option>mangle</option>|<option>nat</option>|<option>raw</option>|<option>rawpost</option>}] {<option>filter</option>|<option>mangle</option>|<option>nat</option>|<option>raw</option>}]
[ <emphasis>chain</emphasis>... ]</term> [ <emphasis>chain</emphasis>... ]</term>
<listitem> <listitem>

24
Shorewall/Perl/Shorewall/Chains.pm
View File

@ -120,7 +120,6 @@ our @EXPORT = ( qw(
%chain_table %chain_table
%targets %targets
$raw_table $raw_table
$rawpost_table
$nat_table $nat_table
$mangle_table $mangle_table
$filter_table $filter_table
@ -197,7 +196,6 @@ our %EXPORT_TAGS = (
ensure_mangle_chain ensure_mangle_chain
ensure_nat_chain ensure_nat_chain
ensure_raw_chain ensure_raw_chain
ensure_rawpost_chain
new_standard_chain new_standard_chain
new_action_chain new_action_chain
new_builtin_chain new_builtin_chain
@ -418,7 +416,6 @@ our $VERSION = 'MODULEVERSION';
# #
our %chain_table; our %chain_table;
our $raw_table; our $raw_table;
our $rawpost_table;
our $nat_table; our $nat_table;
our $mangle_table; our $mangle_table;
our $filter_table; our $filter_table;
@ -759,13 +756,11 @@ sub initialize( $$$ ) {
( $family, my $hard, $export ) = @_; ( $family, my $hard, $export ) = @_;
%chain_table = ( raw => {}, %chain_table = ( raw => {},
rawpost => {},
mangle => {}, mangle => {},
nat => {}, nat => {},
filter => {} ); filter => {} );
$raw_table = $chain_table{raw}; $raw_table = $chain_table{raw};
$rawpost_table = $chain_table{rawpost};
$nat_table = $chain_table{nat}; $nat_table = $chain_table{nat};
$mangle_table = $chain_table{mangle}; $mangle_table = $chain_table{mangle};
$filter_table = $chain_table{filter}; $filter_table = $chain_table{filter};
@ -2764,14 +2759,6 @@ sub ensure_raw_chain($) {
$chainref; $chainref;
} }
sub ensure_rawpost_chain($) {
my $chain = $_[0];
my $chainref = ensure_chain 'rawpost', $chain;
$chainref->{referenced} = 1;
$chainref;
}
# #
# Add a builtin chain # Add a builtin chain
# #
@ -2970,8 +2957,6 @@ sub initialize_chain_table($) {
new_builtin_chain( 'raw', $chain, 'ACCEPT' )->{insert} = 0; new_builtin_chain( 'raw', $chain, 'ACCEPT' )->{insert} = 0;
} }
new_builtin_chain 'rawpost', 'POSTROUTING', 'ACCEPT';
for my $chain ( qw(INPUT OUTPUT FORWARD) ) { for my $chain ( qw(INPUT OUTPUT FORWARD) ) {
new_builtin_chain 'filter', $chain, 'DROP'; new_builtin_chain 'filter', $chain, 'DROP';
} }
@ -3034,8 +3019,6 @@ sub initialize_chain_table($) {
new_builtin_chain( 'raw', $chain, 'ACCEPT' )->{insert} = 0; new_builtin_chain( 'raw', $chain, 'ACCEPT' )->{insert} = 0;
} }
new_builtin_chain 'rawpost', 'POSTROUTING', 'ACCEPT';
for my $chain ( qw(INPUT OUTPUT FORWARD) ) { for my $chain ( qw(INPUT OUTPUT FORWARD) ) {
new_builtin_chain 'filter', $chain, 'DROP'; new_builtin_chain 'filter', $chain, 'DROP';
} }
@ -3339,7 +3322,7 @@ sub check_optimization( $ ) {
# When an unreferenced chain is found, it is deleted unless its 'dont_delete' flag is set. # When an unreferenced chain is found, it is deleted unless its 'dont_delete' flag is set.
# #
sub optimize_level0() { sub optimize_level0() {
for my $table ( qw/raw rawpost mangle nat filter/ ) { for my $table ( qw/raw mangle nat filter/ ) {
my $tableref = $chain_table{$table}; my $tableref = $chain_table{$table};
next unless $tableref; next unless $tableref;
@ -4258,7 +4241,6 @@ sub valid_tables() {
my @table_list; my @table_list;
push @table_list, 'raw' if have_capability( 'RAW_TABLE' ); push @table_list, 'raw' if have_capability( 'RAW_TABLE' );
push @table_list, 'rawpost' if have_capability( 'RAWPOST_TABLE' );
push @table_list, 'nat' if have_capability( 'NAT_ENABLED' ); push @table_list, 'nat' if have_capability( 'NAT_ENABLED' );
push @table_list, 'mangle' if have_capability( 'MANGLE_ENABLED' ) && $config{MANGLE_ENABLED}; push @table_list, 'mangle' if have_capability( 'MANGLE_ENABLED' ) && $config{MANGLE_ENABLED};
push @table_list, 'filter'; #MUST BE LAST!!! push @table_list, 'filter'; #MUST BE LAST!!!
@ -8939,7 +8921,7 @@ sub create_chainlist_reload($) {
for my $chain ( @chains ) { for my $chain ( @chains ) {
( $table , $chain ) = split ':', $chain if $chain =~ /:/; ( $table , $chain ) = split ':', $chain if $chain =~ /:/;
fatal_error "Invalid table ( $table )" unless $table =~ /^(nat|mangle|filter|raw|rawpost)$/; fatal_error "Invalid table ( $table )" unless $table =~ /^(nat|mangle|filter|raw)$/;
$chains{$table} = {} unless $chains{$table}; $chains{$table} = {} unless $chains{$table};
@ -8968,7 +8950,7 @@ sub create_chainlist_reload($) {
enter_cat_mode; enter_cat_mode;
for $table ( qw(raw rawpost nat mangle filter) ) { for $table ( qw(raw nat mangle filter) ) {
my $tableref=$chains{$table}; my $tableref=$chains{$table};
next unless $tableref; next unless $tableref;

8
Shorewall/Perl/Shorewall/Config.pm
View File

@ -389,7 +389,6 @@ our %capdesc = ( NAT_ENABLED => 'NAT',
HEADER_MATCH => 'Header Match', HEADER_MATCH => 'Header Match',
ACCOUNT_TARGET => 'ACCOUNT Target', ACCOUNT_TARGET => 'ACCOUNT Target',
AUDIT_TARGET => 'AUDIT Target', AUDIT_TARGET => 'AUDIT Target',
RAWPOST_TABLE => 'Rawpost Table',
CONDITION_MATCH => 'Condition Match', CONDITION_MATCH => 'Condition Match',
IPTABLES_S => 'iptables -S', IPTABLES_S => 'iptables -S',
BASIC_FILTER => 'Basic Filter', BASIC_FILTER => 'Basic Filter',
@ -980,7 +979,6 @@ sub initialize( $;$$) {
CONNMARK_MATCH => undef, CONNMARK_MATCH => undef,
XCONNMARK_MATCH => undef, XCONNMARK_MATCH => undef,
RAW_TABLE => undef, RAW_TABLE => undef,
RAWPOST_TABLE => undef,
IPP2P_MATCH => undef, IPP2P_MATCH => undef,
OLD_IPP2P_MATCH => undef, OLD_IPP2P_MATCH => undef,
CLASSIFY_TARGET => undef, CLASSIFY_TARGET => undef,
@ -4516,10 +4514,6 @@ sub Raw_Table() {
qt1( "$iptables $iptablesw -t raw -L -n" ); qt1( "$iptables $iptablesw -t raw -L -n" );
} }
sub Rawpost_Table() {
qt1( "$iptables $iptablesw -t rawpost -L -n" );
}
sub Old_IPSet_Match() { sub Old_IPSet_Match() {
my $ipset = $config{IPSET} || 'ipset'; my $ipset = $config{IPSET} || 'ipset';
my $result = 0; my $result = 0;
@ -4926,7 +4920,6 @@ our %detect_capability =
POLICY_MATCH => \&Policy_Match, POLICY_MATCH => \&Policy_Match,
PPTP_HELPER => \&PPTP_Helper, PPTP_HELPER => \&PPTP_Helper,
RAW_TABLE => \&Raw_Table, RAW_TABLE => \&Raw_Table,
RAWPOST_TABLE => \&Rawpost_Table,
REALM_MATCH => \&Realm_Match, REALM_MATCH => \&Realm_Match,
REAP_OPTION => \&Reap_Option, REAP_OPTION => \&Reap_Option,
RECENT_MATCH => \&Recent_Match, RECENT_MATCH => \&Recent_Match,
@ -5054,7 +5047,6 @@ sub determine_capabilities() {
$capabilities{TPROXY_TARGET} = detect_capability( 'TPROXY_TARGET' ); $capabilities{TPROXY_TARGET} = detect_capability( 'TPROXY_TARGET' );
$capabilities{MANGLE_FORWARD} = detect_capability( 'MANGLE_FORWARD' ); $capabilities{MANGLE_FORWARD} = detect_capability( 'MANGLE_FORWARD' );
$capabilities{RAW_TABLE} = detect_capability( 'RAW_TABLE' ); $capabilities{RAW_TABLE} = detect_capability( 'RAW_TABLE' );
$capabilities{RAWPOST_TABLE} = detect_capability( 'RAWPOST_TABLE' );
$capabilities{IPSET_MATCH} = detect_capability( 'IPSET_MATCH' ); $capabilities{IPSET_MATCH} = detect_capability( 'IPSET_MATCH' );
$capabilities{USEPKTTYPE} = detect_capability( 'USEPKTTYPE' ); $capabilities{USEPKTTYPE} = detect_capability( 'USEPKTTYPE' );
$capabilities{ADDRTYPE} = detect_capability( 'ADDRTYPE' ); $capabilities{ADDRTYPE} = detect_capability( 'ADDRTYPE' );

6
Shorewall/Perl/Shorewall/Misc.pm
View File

@ -1679,12 +1679,6 @@ sub add_interface_jumps {
addnatjump $globals{POSTROUTING} , output_chain( $interface ) , imatch_dest_dev( $interface ); addnatjump $globals{POSTROUTING} , output_chain( $interface ) , imatch_dest_dev( $interface );
addnatjump $globals{POSTROUTING} , masq_chain( $interface ) , imatch_dest_dev( $interface ); addnatjump $globals{POSTROUTING} , masq_chain( $interface ) , imatch_dest_dev( $interface );
if ( have_capability 'RAWPOST_TABLE' ) {
insert_ijump ( $rawpost_table->{POSTROUTING}, j => postrouting_chain( $interface ), 0, imatch_dest_dev( $interface) ) if $rawpost_table->{postrouting_chain $interface};
insert_ijump ( $raw_table->{PREROUTING}, j => prerouting_chain( $interface ), 0, imatch_source_dev( $interface) ) if $raw_table->{prerouting_chain $interface};
insert_ijump ( $raw_table->{OUTPUT}, j => output_chain( $interface ), 0, imatch_dest_dev( $interface) ) if $raw_table->{output_chain $interface};
}
add_ijump( $mangle_table->{PREROUTING}, j => 'rpfilter' , imatch_source_dev( $interface ) ) if interface_has_option( $interface, 'rpfilter', $dummy ); add_ijump( $mangle_table->{PREROUTING}, j => 'rpfilter' , imatch_source_dev( $interface ) ) if interface_has_option( $interface, 'rpfilter', $dummy );
} }
# #

51
Shorewall/Perl/Shorewall/Nat.pm
View File

@ -790,7 +790,6 @@ sub setup_netmap() {
my @rule = do_iproto( $proto, $dport, $sport ); my @rule = do_iproto( $proto, $dport, $sport );
unless ( $type =~ /:/ ) {
my @rulein; my @rulein;
my @ruleout; my @ruleout;
@ -821,57 +820,9 @@ sub setup_netmap() {
$net1 , $net1 ,
@ruleout , @ruleout ,
imatch_dest_net( $net3 ) ); imatch_dest_net( $net3 ) );
} else {
fatal_error "Invalid type ($type)";
}
} elsif ( $type =~ /^(DNAT|SNAT):([POT])$/ ) {
my ( $target , $chain ) = ( $1, $2 );
my $table = 'raw';
my @match;
require_capability 'RAWPOST_TABLE', 'Stateless NAT Entries', '';
$net2 = validate_net $net2, 0;
unless ( $interfaceref->{root} ) {
@match = imatch_dest_dev( $interface );
$interface = $interfaceref->{name};
}
if ( $chain eq 'P' ) {
$chain = prerouting_chain $interface;
@match = imatch_source_dev( $iface ) unless $iface eq $interface;
} elsif ( $chain eq 'O' ) {
$chain = output_chain $interface;
} else {
$chain = postrouting_chain $interface;
$table = 'rawpost';
}
my $chainref = ensure_chain( $table, $chain );
if ( $target eq 'DNAT' ) {
dest_iexclusion( $chainref ,
j => 'RAWDNAT' ,
"--to-dest $net2" ,
$net1 ,
imatch_source_net( $net3 ) ,
@rule ,
@match
);
} else {
source_iexclusion( $chainref ,
j => 'RAWSNAT' ,
"--to-source $net2" ,
$net1 ,
imatch_dest_net( $net3 ) ,
@rule ,
@match );
}
} else { } else {
fatal_error 'TYPE must be specified' if $type eq '-'; fatal_error 'TYPE must be specified' if $type eq '-';
fatal_error "Invalid TYPE ($type)"; fatal_error "Invalid type ($type)";
} }
progress_message " Network $net1 on $iface mapped to $net2 ($type)"; progress_message " Network $net1 on $iface mapped to $net2 ($type)";

10
Shorewall/Perl/lib.runtime
View File

@ -526,13 +526,6 @@ debug_restore_input() {
qt1 $g_tool -t raw -P $chain ACCEPT qt1 $g_tool -t raw -P $chain ACCEPT
done done
qt1 $g_tool -t rawpost -F
qt1 $g_tool -t rawpost -X
for chain in POSTROUTING; do
qt1 $g_tool -t rawpost -P $chain ACCEPT
done
qt1 $g_tool -t nat -F qt1 $g_tool -t nat -F
qt1 $g_tool -t nat -X qt1 $g_tool -t nat -X
@ -582,9 +575,6 @@ debug_restore_input() {
'*'raw) '*'raw)
table=raw table=raw
;; ;;
'*'rawpost)
table=rawpost
;;
'*'mangle) '*'mangle)
table=mangle table=mangle
;; ;;

36
Shorewall/manpages/shorewall-netmap.xml
View File

@ -41,38 +41,18 @@
<varlistentry> <varlistentry>
<term><emphasis role="bold">TYPE</emphasis> - <emphasis <term><emphasis role="bold">TYPE</emphasis> - <emphasis
role="bold">{DNAT</emphasis>|<emphasis role="bold">{DNAT</emphasis>|<emphasis
role="bold">SNAT}[:{P|O|T}</emphasis>]</term> role="bold">SNAT}</emphasis></term>
<listitem> <listitem>
<para>Must be DNAT or SNAT; beginning with Shorewall 4.4.23, may be <para>Must be DNAT or SNAT</para>
optionally followed by :P, :O or :T to perform <firstterm>stateless
NAT</firstterm>. Stateless NAT requires <firstterm>Rawpost Table
support</firstterm> in your kernel and iptables (see the output of
<command>shorewall show capabilities</command>).</para>
<para>If DNAT or DNAT:P, traffic entering INTERFACE and addressed to <para>If DNAT, traffic entering INTERFACE and addressed to NET1 has
NET1 has its destination address rewritten to the corresponding its destination address rewritten to the corresponding address in
address in NET2.</para> NET2.</para>
<para>If SNAT or SNAT:T, traffic leaving INTERFACE with a source <para>If SNAT, traffic leaving INTERFACE with a source address in
address in NET1 has it's source address rewritten to the NET1 has it's source address rewritten to the corresponding address
corresponding address in NET2.</para> in NET2.</para>
<para>If DNAT:O, traffic originating on the firewall and leaving via
INTERFACE and addressed to NET1 has its destination address
rewritten to the corresponding address in NET2.</para>
<para>If DNAT:P, traffic entering via INTERFACE and addressed to
NET1 has its destination address rewritten to the corresponding
address in NET2.</para>
<para>If SNAT:P, traffic entering via INTERFACE with a destination
address in NET1 has it's source address rewritten to the
corresponding address in NET2.</para>
<para>If SNAT:O, traffic originating on the firewall and leaving via
INTERFACE with a source address in NET1 has it's source address
rewritten to the corresponding address in NET2.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>

30
Shorewall6/manpages/shorewall6-netmap.xml
View File

@ -29,8 +29,8 @@
addresses in a second network. It was added in Shorewall6 4.4.23.3.</para> addresses in a second network. It was added in Shorewall6 4.4.23.3.</para>
<warning> <warning>
<para>To use this file, your kernel and ip6tables must have RAWPOST <para>To use this file, your kernel and ip6tables must have NETMAP
table support included.</para> support included.</para>
</warning> </warning>
<para>The columns in the file are as follows (where the column name is <para>The columns in the file are as follows (where the column name is
@ -41,7 +41,7 @@
<varlistentry> <varlistentry>
<term><emphasis role="bold">TYPE</emphasis> - <emphasis <term><emphasis role="bold">TYPE</emphasis> - <emphasis
role="bold">{DNAT</emphasis>|<emphasis role="bold">{DNAT</emphasis>|<emphasis
role="bold">SNAT}:{P|O|T}</emphasis></term> role="bold">SNAT}</emphasis></term>
<listitem> <listitem>
<para>Must be DNAT or SNAT followed by :P, :O or :T to perform <para>Must be DNAT or SNAT followed by :P, :O or :T to perform
@ -50,29 +50,13 @@
iptables (see the output of <command>shorewall6 show iptables (see the output of <command>shorewall6 show
capabilities</command>).</para> capabilities</command>).</para>
<para>If DNAT:P, traffic entering INTERFACE and addressed to NET1 <para>If DNAT, traffic entering INTERFACE and addressed to NET1 has
has its destination address rewritten to the corresponding address its destination address rewritten to the corresponding address in
in NET2.</para> NET2.</para>
<para>If SNAT:T, traffic leaving INTERFACE with a source address in <para>If SNAT, traffic leaving INTERFACE with a source address in
NET1 has it's source address rewritten to the corresponding address NET1 has it's source address rewritten to the corresponding address
in NET2.</para> in NET2.</para>
<para>If DNAT:O, traffic originating on the firewall and leaving via
INTERFACE and addressed to NET1 has its destination address
rewritten to the corresponding address in NET2.</para>
<para>If DNAT:P, traffic entering via INTERFACE and addressed to
NET1 has its destination address rewritten to the corresponding
address in NET2.</para>
<para>If SNAT:P, traffic entering via INTERFACE with a destination
address in NET1 has it's source address rewritten to the
corresponding address in NET2.</para>
<para>If SNAT:O, traffic originating on the firewall and leaving via
INTERFACE with a source address in NET1 has it's source address
rewritten to the corresponding address in NET2.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>