diff --git a/Shorewall2/firewall b/Shorewall2/firewall
index ab3e364b8..e11669d29 100755
--- a/Shorewall2/firewall
+++ b/Shorewall2/firewall
@@ -1787,23 +1787,26 @@ setup_nat() {
 qt ip addr del $external dev $iface
 fi
- if [ "$allints" = "Yes" -o "$allints" = "yes" ]; then
+ if [ "x$allints" = "xYes" -o "$xallints" = "xyes" ]; then
 addnatrule nat_in -d $external -j DNAT --to-destination $internal
 addnatrule nat_out -s $internal -j SNAT --to-source $external
- if [ "$localnat" = "Yes" -o "$localnat" = "yes" ]; then
- run_iptables2 -t nat -A OUTPUT -d $external \
- -j DNAT --to-destination $internal
- fi
- elif [ -z "$allints" -o "$allints" = "No" -o "$allints" = "no" ]; then
+ elif [ "x$allints" = "x" -o "x$allints" = "x-" -o "x$allints" = "xNo" -o "x$allints" = "xno" ]; then
 addnatrule $(input_chain $iface) \
 -d $external -j DNAT --to-destination $internal
 addnatrule $(output_chain $iface) \
 -s $internal -j SNAT --to-source $external
 else
- fatal_error "Invalid value ($allints) for ALL INTERFACES in entry \"$external $interface $internal $allints $localnet\""
+ fatal_error "Invalid value ($allints) for ALL INTERFACES in entry \"$external $interface $internal $allints $localnat\""
 fi
+ if [ "x$localnat" = "xYes" -o "x$localnat" = "xyes" ]; then
+ run_iptables2 -t nat -A OUTPUT -d $external -j DNAT --to-destination $internal
+ elif [ "x$localnat" != "x-" -a "x$localnat" != "x" -a "x$localnat" != "xNo" -a "x$localnat" != "xno" ]; then
+ fatal_error "Invalid value ($allints) for LOCAL in entry \"$external $interface $internal $allints $localnat\""
+ fi
+
 if [ -n "$ADD_IP_ALIASES" ]; then
 list_search $external $aliases_to_add || \
 aliases_to_add="$aliases_to_add $external $interface"
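Review bot: The rewritten ALL INTERFACES test compares `"$xallints"` instead of `"x$allints"` in its second operand; `xallints` is never assigned, so that operand expands to the empty string and a lowercase `yes` no longer matches — it falls past the `elif` (which only accepts empty, `-`, `No` and `no`) into `fatal_error`, a regression from the removed line, which accepted both spellings (the firewall refuses to start, so it fails closed, but any existing nat file using `yes` breaks). The fix is `if [ "x$allints" = "xYes" -o "x$allints" = "xyes" ]; then`. The new LOCAL validation also reports the wrong variable: `fatal_error "Invalid value ($allints) for LOCAL in entry ..."` should interpolate `$localnat`, since `$allints` has already passed the preceding `if` at that point and the operator is shown a value other than the one rejected. The enclosing `setup_nat` body starts and ends outside this hunk.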
@@ -5387,7 +5390,7 @@ add_to_zone() # $1 = [:] $2 = zone
 fi
 if ! chain_exists $(dynamic_in $interface) ; then
- startup_error "Interface $interface is not dynamic"
+ startup_error "At last Shorewall [re]start, DYNAMIC_ZONES=No in shorewall.conf"
 fi
 #
 # Normalize the first argument to this function
@@ -5453,7 +5456,7 @@ add_to_zone() # $1 = [:] $2 = zone
 elif [ "$z2" = "$zone" ]; then
 if [ "$z1" = "$FW" ]; then
 #
- # Add a rule to the OUTPUT chain -- always after the icmp * ACCEPT rule
+ # Add a rule to the dynamic out chain for the interface
 #
 do_iptables -A $(dynamic_out $interface) -d $host -j $chain
 else
diff --git a/Shorewall2/nat b/Shorewall2/nat
index 7d3afb532..dbd44c4f0 100755
--- a/Shorewall2/nat
+++ b/Shorewall2/nat
@@ -29,8 +29,7 @@
 # If No or no (or left empty) then NAT will be effective
 # only through the interface named in the INTERFACE
 # column
-# LOCAL If Yes or yes and the ALL INTERFACES column contains
-# Yes or yes, NAT will be effective from the firewall
+# LOCAL If Yes or yes, NAT will be effective from the firewall
 # system
 ##############################################################################
 #EXTERNAL INTERFACE INTERNAL ALL LOCAL
diff --git a/Shorewall2/releasenotes.txt b/Shorewall2/releasenotes.txt
index 662c69df5..1ee4bc895 100755
--- a/Shorewall2/releasenotes.txt
+++ b/Shorewall2/releasenotes.txt
@@ -49,5 +49,10 @@ New Features:
 directory specified via -c or in a try command, in /etc/shorewall or
 in /usr/share/shorewall.
+3) Previously, in /etc/shorewall/nat a Yes (or yes) in the LOCAL column
+ would only take effect if the ALL INTERFACES column also contained
+ Yes or yes. Now, the LOCAL columns contents are treated
+ independently of the contents of the ALL INTERFACES column.
+
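Review bot: The new `startup_error` message asserts a single cause and drops the interface name, yet the test it follows is only `chain_exists $(dynamic_in $interface)`, which establishes that the chain is absent but not why; if anything other than DYNAMIC_ZONES=No can leave that chain missing (the rest of `add_to_zone` is outside the hunk, so I cannot confirm), the diagnostic will be misleading, and in every case the operator no longer learns which interface was named. I would keep both pieces of information: `startup_error "No dynamic zone chain for interface $interface -- was DYNAMIC_ZONES=No in shorewall.conf at the last Shorewall [re]start?"`. `add_to_zone` starts and ends outside this hunk.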