Allow DETECT_DNAT_IPADDRS=Yes with -e

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3279 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall/firewall

@@ -5569,13 +5569,29 @@ add_nat_rule() {
 	    addr=
 	    ;;
 	detect)
-	    addr=
-	    if [ -n "$DETECT_DNAT_IPADDRS" -a "$source" != "$FW" ]; then
 	    eval interfaces=\$${source}_interfaces
+
+	    if [ -n "$DETECT_DNAT_IPADDRS" -a "$source" != "$FW" ]; then
+
+		if [ $COMMAND = generate ]; then
+		    save_command ""
+		    if [ $(list_count1 $interfaces) -eq 1 ]; then
+			save_command "addr=\$(find_first_interface_address $interface)"
+		    else
+			savecomment "addr="
+			for interface in $interfaces; do
+			    cat >> $RESTOREBASE << __EOF__
+addr="\$addr \$(find_first_interface_address $interface)"
+__EOF__
+			done
+		    fi
+		else
+		    addr=
 		    for interface in $interfaces; do
 			addr=${addr:+$addr,}$(find_first_interface_address $interface)
 		    done
 		fi
+	    fi
 	    ;;
 	!*)
 	    if [ $(list_count $addr) -gt 1 ]; then
@@ -5641,9 +5657,19 @@ add_nat_rule() {
 	    if [ -n "${excludesource}${excludedests}${excludezones}" ]; then
 		build_exclusion_chain chain nat "$excludesource" $excludedests
 
+		if [ $addr = detect ]; then
+		    ensurenatchain $(dnat_chain $source)
+
+		    cat >> $RESTOREBASE << __EOF__
+
+for adr in \$addr; do
+    $IPTABLES -t nat -A $(fix_bang $(dnat_chain $source) $cli $proto $multiport $sports $dports) -d \$adr -j $chain
+__EOF__
+		else
 		    for adr in $(separate_list $addr); do
 			addnatrule $(dnat_chain $source) $cli $proto $multiport $sports $dports $(dest_ip_range $adr) -j $chain
 		    done
+		fi
 
 		for z in $(separate_list $excludezones); do
 		    eval hosts=\$${z}_hosts
@@ -5659,6 +5685,24 @@ add_nat_rule() {
 		addnatrule $chain $ratelimit $proto -j $target1 # Protocol is necessary for port redirection
 	    else
 		chain=$(dnat_chain $source)
+
+		if [ $addr = detect ]; then
+		    ensurenatchain $chain
+
+		    cat >> $RESTOREBASE << __EOF__
+
+for adr in \$addr; do
+__EOF__
+		    if [ -n "$loglevel" ]; then
+			cat >> $RESTOREBASE << __EOF__
+    log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" -A -t nat $(fix_bang $proto $cli $sports $multiport $dports) -d \$adr
+__EOF__
+		    fi
+
+		    cat >> $RESTOREBASE << __EOF__
+    $IPTABLES -t nat -A $chain $(fix_bang $proto $ratelimit $cli $sports $multiport $dports) -d \$adr -j $target1
+__EOF__
+		else
 		    for adr in $(separate_list $addr); do
 			if [ -n "$loglevel" ]; then
 			    ensurenatchain $chain
@@ -5672,6 +5716,7 @@ add_nat_rule() {
 		fi
 	    fi
 	fi
+    fi
 
     # Replace destination port by the new destination port
 
@@ -5968,6 +6013,13 @@ process_rule() # $1 = target
 			for serv1 in $(separate_list $serv); do
 			    for srv in $(firewall_ip_range $serv1); do
 				if [ -n "$addr" -a -n "$CONNTRACK_MATCH" ]; then
+				    if [ "$addr" = detect ]; then
+					cat >> $RESTOREBASE << __EOF__
+    $IPTABLES -A $chain $state $proto $ratelimit $multiport $cli $sports $(dest_ip_range $srv) $dports -m conntrack --ctorigdst \$adr $user -j $target
+done
+
+__EOF__
+				    else
 					for adr in $(separate_list $addr); do
 					    if [ -n "$loglevel" -a -z "$natrule" ]; then
 						log_rule_limit $loglevel $chain $logchain $logtarget "$ratelimit" "$logtag" -A -m conntrack --ctorigdst $adr \
@@ -5977,6 +6029,7 @@ process_rule() # $1 = target
 					    run_iptables2 -A $chain $state $proto $ratelimit $multiport $cli $sports \
 						$(dest_ip_range $srv) $dports -m conntrack --ctorigdst $adr $user -j $target
 					done
+				    fi
 				else
 				    if [ -n "$loglevel" -a -z "$natrule" ]; then
 					log_rule_limit $loglevel $chain $logchain $logtarget "$ratelimit" "$logtag" -A $user \
@@ -7143,25 +7196,6 @@ rules_chain() # $1 = source zone, $2 = destination zone
     fi
 }
 
-#
-#  echo the list of networks routed out of a given interface
-#
-get_routed_networks() # $1 = interface name
-{
-    local address
-    local rest
-
-    ip route show dev $1 2> /dev/null |
-	while read address rest; do
-	    if [ "x$address" = xdefault ]; then
-		error_message "WARNING: default route ignored on interface $1"
-	    else
-		[ "$address" = "${address%/*}" ] && address="${address}/32"
-		echo $address
-	    fi
-        done
-}
-
 #
 # Set up Routing
 #
@@ -7537,7 +7571,7 @@ for network in \$networks; do
 __EOF__
 	    for destnet in $(separate_list $destnets); do
 		cat >> $RESTOREBASE << __EOF__
-    $IPTABLES -t nat -A $CHAIN -s \$network $(dest_ip_range $destnet) $proto $ports $policy -j $target $addrlist
+    $IPTABLES -t nat -A $chain -s \$network $(dest_ip_range $destnet) $proto $ports $policy -j $target $addrlist
 __EOF__
 	    done
 
@@ -9892,8 +9926,6 @@ do_initialize() {
     ROUTE_FILTER=$(added_param_value_no ROUTE_FILTER $ROUTE_FILTER)
     LOG_MARTIANS=$(added_param_value_no LOG_MARTIANS $LOG_MARTIANS)
     DETECT_DNAT_IPADDRS=$(added_param_value_no DETECT_DNAT_IPADDRS $DETECT_DNAT_IPADDRS)
-    [ -n "$DETECT_DNAT_IPADDRS" -a -n "$EXPORT" ] && \
-	startup_error "DETECT_DNAT_IPADDRS=Yes not allowed with the -e run-line option"
     FORWARDPING=$(added_param_value_no FORWARDPING $FORWARDPING)
     [ -n "$FORWARDPING" ] && \
 	startup_error "FORWARDPING=Yes is no longer supported"

Shorewall/functions

@@ -119,6 +119,9 @@ expandv() # $* = list of variable names
 fix_bang() {
     local i;
 
+    if [ $COMMAND = generate ]; then
+	echo $@ | sed 's/!/! /g'
+    else
 	for i in $@; do
 	    case $i in
 		!*)
@@ -129,6 +132,7 @@ fix_bang() {
 		    ;;
 	    esac
 	done
+    fi
 }
 
 #
@@ -907,6 +911,25 @@ find_interface_addresses() # $1 = interface
     ip -f inet addr show $1 | grep inet | sed 's/inet //;s/\/.*//;s/ peer.*//'
 }
 
+#
+#  echo the list of networks routed out of a given interface
+#
+get_routed_networks() # $1 = interface name
+{
+    local address
+    local rest
+
+    ip route show dev $1 2> /dev/null |
+	while read address rest; do
+	    if [ "x$address" = xdefault ]; then
+		error_message "WARNING: default route ignored on interface $1"
+	    else
+		[ "$address" = "${address%/*}" ] && address="${address}/32"
+		echo $address
+	    fi
+        done
+}
+
 #
 # Internal version of 'which'
 #

Shorewall/releasenotes.txt

@@ -79,7 +79,6 @@ New Features:
 
        1) The same version of Shorewall must be running on the remote system
        2) The 'detectnets' interface option is not allowed.
-       3) DETECT_DNAT_ADDRS=Yes is not allowed.
 
     b) If you have extension scripts, they may need modification. The scripts
        will be run at generation time, rather than when the generated script