Fix DETECT_DNAT_IPADDRS=No bug; more config file comment improvements

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3786 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall/changelog.txt

@@ -5,6 +5,8 @@ Changes in 3.2.0 Beta 5
 2)  Remove traffic shaping code from the 'firewall' script to avoid
     unmaintainable code duplication.
 
+3)  Fix DETECT_DNAT_IPADDRS=No bug.
+
 Changes in 3.2.0 Beta 4
 
 1)  Fix 'routeback' with bridge ports.

Shorewall/compiler

@@ -5035,13 +5035,15 @@ add_nat_rule() {
 		if [ $(list_count1 $interfaces) -eq 1 ]; then
 		    save_command "addr=\$(find_first_interface_address $interface)"
 		else
-		    savecomment "addr="
+		    save_command "addr="
 		    for interface in $interfaces; do
 			    ident >&3 << __EOF__
 addr="\$addr \$(find_first_interface_address $interface)"
 __EOF__
 		    done
 		fi
+	    else
+		addr=
 	    fi
 	    ;;
 	!*)

Shorewall/interfaces

@@ -42,11 +42,10 @@
 #			addresses on multiple subnets then list the broadcast
 #			addresses as a comma-separated list.
 #
-#			If you use the special value "detect", the firewall
+#			If you use the special value "detect", Shorewall
-#			will detect the broadcast address for you. If you
+#			will detect the broadcast address(es) for you. If you
 #			select this option, the interface must be up before
-#			the firewall is started, you must have iproute
+#			the firewall is started.
-#			installed.
 #
 #			If you don't want to give a value for this column but
 #			you want to enter a value in the OPTIONS column, enter
@@ -72,7 +71,7 @@
 #				       any packets whose source is in one
 #				       of the ranges reserved by RFC 1918
 #				       (i.e., private or "non-routable"
-#				       addresses. If packet mangling or
+#				       addresses). If packet mangling or
 #				       connection-tracking match is enabled in
 #				       your kernel, packets whose destination
 #				       addresses are reserved by RFC 1918 are

Shorewall/providers

@@ -41,11 +41,11 @@
 #
 #	OPTIONS		A comma-separated list selected from the following:
 #
-#		track	If specified, connections FROM this interface are
+#		track	If specified, inbound connections on this interface
-#			to be tracked so that responses may be routed back
+#			are to be tracked so that responses may be routed back
 #			out this same interface.
 #
-#			You want specify 'track' if internet hosts will be
+#			You want to specify 'track' if internet hosts will be
 #			connecting to local servers through this provider.
 #
 #		balance The providers that have 'balance' specified will
@@ -56,10 +56,12 @@
 #			where <weight> is the weight of the route out of
 #			this interface.
 #
-#		loose	Normally, Shorewall adds routing rules to prohibit
+#		loose	Shorewall normally adds a routing rule for each
-#			firewall marks from working with traffic generated
+#			IP address on an interface which forces traffic
-#			on the firewall itself. By setting the 'loose'
+#			whose source is that IP address to be sent using
-#			option, generation of these rules is avoided.
+#			the routing table for that interface. Setting
+#			'loose' prevents creation of such rules on this
+#			interface.
 #
 #	COPY		A comma-separated lists of other interfaces on your
 #			firewall. Only makes sense when DUPLICATE is 'main'.

Shorewall/releasenotes.txt

@@ -38,6 +38,8 @@ Problems Corrected in 3.2.0 Beta 5
     after a shell error message indicating that the stripped interfaces
     file in /tmp/shorewall-NNNN/ couldn't be opened.
 
+2)  With DETECT_DNAT_IPADDRS=No in shorewall.conf, DNAT rules didn't work.
+
 Other changes in 3.2.0 Beta 5
 
 1)  The "shorewall refresh" command no longer refreshes traffic shaping.