From dbf23f64e2a1633633fa91d3cd0c2c659251cfc9 Mon Sep 17 00:00:00 2001
From: teastep
Date: Wed, 1 Apr 2009 01:31:04 +0000
Subject: [PATCH] Removal of SAME support
Signed-off-by: Tom Eastep
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9774 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Shorewall/Perl/Shorewall/Chains.pm | 3 ---
 Shorewall/Perl/Shorewall/Nat.pm | 16 +-------------
 Shorewall/Perl/Shorewall/Rules.pm | 11 +---------
 Shorewall/changelog.txt | 2 ++
 Shorewall/releasenotes.txt | 4 ++++
 manpages/shorewall-masq.xml | 18 +---------------
 manpages/shorewall-rules.xml | 34 +++---------------------------
 7 files changed, 12 insertions(+), 76 deletions(-)
diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index 12764636b..38b8f4dd9 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -284,7 +284,6 @@ our %builtin_target = ( ACCEPT => 1,
 RETURN => 1,
 COUNT => 1,
 DNAT => 1,
- SAME => 1,
 LOG => 1,
 NFLOG => 1,
 QUEUE => 1,
@@ -1084,8 +1083,6 @@ sub initialize_chain_table()
 'QUEUE!' => STANDARD,
 'NFQUEUE' => STANDARD + NFQ,
 'NFQUEUE!' => STANDARD + NFQ,
- 'SAME' => NATRULE,
- 'SAME-' => NATRULE + NATONLY,
 'dropBcast' => BUILTIN + ACTION,
 'allowBcast' => BUILTIN + ACTION,
 'dropNotSyn' => BUILTIN + ACTION,
diff --git a/Shorewall/Perl/Shorewall/Nat.pm b/Shorewall/Perl/Shorewall/Nat.pm
index c36808926..8e2fd1ce4 100644
--- a/Shorewall/Perl/Shorewall/Nat.pm
+++ b/Shorewall/Perl/Shorewall/Nat.pm
@@ -219,21 +219,7 @@ sub setup_one_masq($$$$$$$)
 } else {
 $addresses =~ s/:random$// and $randomize = '--random ';
- if ( $addresses =~ /^SAME:nodst:/ ) {
- fatal_error "':random' is not supported by the SAME target" if $randomize;
- $target = '-j SAME --nodst ';
- $addresses =~ s/.*://;
- for my $addr ( split_list $addresses, 'address' ) {
- $target .= "--to $addr ";
- }
- } elsif ( $addresses =~ /^SAME:/ ) {
- fatal_error "':random' is not supported by the SAME target" if $randomize;
- $target = '-j SAME ';
- $addresses =~ s/.*://;
- for my $addr ( split_list $addresses, 'address' ) {
- $target .= "--to $addr ";
- }
- } elsif ( $addresses eq 'detect' ) {
+ if ( $addresses eq 'detect' ) {
 my $variable = get_interface_address $interface;
 $target = "-j SNAT --to-source $variable";
diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index a4406298e..01c16b4c9 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -1275,16 +1275,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
 $server = join ',', @servers;
 }
- if ( $action eq 'SAME' ) {
- fatal_error 'Port mapping not allowed in SAME rules' if $serverport;
- fatal_error 'SAME not allowed with SOURCE=$FW' if $sourcezone eq firewall_zone;
- fatal_error "':random' is not supported by the SAME target" if $randomize;
- warning_message 'Netfilter support for SAME is being dropped in early 2008';
- $target = '-j SAME ';
- for my $serv ( split /,/, $server ) {
- $target .= "--to $serv ";
- }
- } elsif ( $action eq 'DNAT' ) {
+ if ( $action eq 'DNAT' ) {
 $target = '-j DNAT ';
 $serverport = ":$serverport" if $serverport;
 for my $serv ( split /,/, $server ) {
diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index 3db0692e0..28931a89d 100644
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
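Review bot: A masq ADDRESS value that still carries the removed `SAME:` or `SAME:nodst:` prefix is no longer recognised anywhere in this hunk, because the two branches that matched it are deleted and nothing rejects the prefix in their place. Such a value now falls through to the remaining `elsif` chain after `if ( $addresses eq 'detect' )`, which lies beyond the end of the hunk, so I cannot confirm from here whether it yields a clear compile-time error or an SNAT rule that iptables only rejects when the firewall is started. A one-line guard before the surviving `if` would keep the failure explicit and in the compiler: `fatal_error "The SAME target is no longer supported" if $addresses =~ /^SAME:/;`. The parallel removal in process_rule1 in Rules.pm presumably does not need the same guard, since the `'SAME'` and `'SAME-'` entries are also dropped from the target table in Chains.pm and an unknown ACTION is, I assume, rejected earlier. setup_one_masq begins and ends outside the hunk.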
@@ -14,6 +14,8 @@ Changes in Shorewall 4.3.8
 7) Add AUTOMAKE option
+8) Remove SAME support.
+
 Changes in Shorewall 4.3.7
 1) Fix forward treatment of interface options.
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index 293f3e34e..34b82ae94 100644
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@@ -35,6 +35,10 @@ released late in 2009.
 uses the new syntax exclusively, although the old syntax continues to be supported.
+3) Support for the SAME target in /etc/shorewall/masq and
+ /etc/shorewall/rules has been removed, following the removal of the
+ underlying support in the Linux kernel.
+
 ----------------------------------------------------------------------------
 P R O B L E M S C O R R E C T E D I N 4 . 3 . 8
 ----------------------------------------------------------------------------
diff --git a/manpages/shorewall-masq.xml b/manpages/shorewall-masq.xml
index e97fac3d8..e7882bc04 100644
--- a/manpages/shorewall-masq.xml
+++ b/manpages/shorewall-masq.xml
@@ -147,9 +147,7 @@ ADDRESS (Optional) - [-|NONAT|[SAME:[nodst:]][address-or-address-range[,address-or-address-range]...][:lowportNONAT|[address-or-address-range[,address-or-address-range]...][:lowport-highport][:random]|detect| 192.0.2.4:5000-6000 :4000-5000 - You can invoke the SAME target rather than the SNAT target by - prefixing the column contents with . - - SAME works like SNAT with the exception that the same local IP - address is assigned to each connection from a local address to a - given remote address. - - If the option is included, then the - same source address is used for a given internal system regardless - of which remote system is involved. - Support for the SAME target is scheduled for removal from - the Linux kernel in 2008. - - If you simply place NONAT in this column, no rewriting of the source IP address or port number will be performed. This is useful if you want particular traffic to
diff --git a/manpages/shorewall-rules.xml b/manpages/shorewall-rules.xml index af80d29c9..55097358e 100644 --- a/manpages/shorewall-rules.xml +++ b/manpages/shorewall-rules.xml @@ -138,8 +138,6 @@ role="bold">REJECT[]|DNAT[-]|SAME[-]|REDIRECT[-]|CONTINUE[]| - - SAME - - - Similar to DNAT except - that the port may not be remapped and when multiple server - addresses are listed, all requests from a given remote system - go to the same server. - Support for SAME is scheduled for removal from the - Linux kernel in 2008. - - - - - - SAME- - - - Advanced users only. - - Like SAME but only generates the nat iptables rule and - not the companion ACCEPT - rule. - - - REDIRECT @@ -449,9 +421,9 @@ REJECT:info or DNAT:debug). This causes the packet to be logged at the specified level. Note that if the ACTION involves destination network - address translation (DNAT, REDIRECT, SAME, etc.) then the - packet is logged before the - destination address is rewritten. + address translation (DNAT, REDIRECT, etc.) then the packet is + logged before the destination + address is rewritten. If the ACTION names an action declared in