diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index 2e40ab50f..b5c59eafe 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -145,6 +145,7 @@ our %EXPORT_TAGS = (
 do_helper
 do_headers
 have_ipset_rules
+ record_runtime_address
 match_source_dev
 match_dest_dev
 iprange_match
diff --git a/Shorewall/Perl/Shorewall/Nat.pm b/Shorewall/Perl/Shorewall/Nat.pm
index 80ae33439..6bacfc0aa 100644
--- a/Shorewall/Perl/Shorewall/Nat.pm
+++ b/Shorewall/Perl/Shorewall/Nat.pm
@@ -186,7 +186,10 @@ sub process_one_masq( )
 } else {
 my $addrlist = '';
 for my $addr ( split_list $addresses , 'address' ) {
- if ( $addr =~ /^.*\..*\..*\./ ) {
+ if ( $addr =~ /^&(.+)$/ ) {
+ $target = 'SNAT ';
+ $addrlist .= '--to-source ' . record_runtime_address $1;
+ } elsif ( $addr =~ /^.*\..*\..*\./ ) {
 $target = 'SNAT ';
 my ($ipaddr, $rest) = split ':', $addr;
 if ( $ipaddr =~ /^(.+)-(.+)$/ ) {
@@ -197,8 +200,11 @@ sub process_one_masq( )
 $addrlist .= "--to-source $addr ";
 $exceptionrule = do_proto( $proto, '', '' ) if $addr =~ /:/;
 } else {
- $addr =~ s/^://;
- $addrlist .= "--to-ports $addr ";
+ my $ports = $addr;
+ $ports =~ s/^://;
+ $ports =~ s/:/-/;
+ validate_portpair( $proto, $ports );
+ $addrlist .= "--to-ports $ports ";
 $exceptionrule = do_proto( $proto, '', '' );
 }
 }
diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index 2b5f7bfdd..8acf3816d 100644
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -10,7 +10,7 @@ Changes in Shorewall 4.4.17 Beta 1
 5) Add 'USE_LOCAL_MODULES' option.
-6) Implement runtime address variables (&interface)
+6) Implement run-time address variables (&interface)
 Changes in Shorewall 4.4.17 Beta 1
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index 3d580ae1e..26584dea6 100644
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
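Review bot: The new `&interface` branch at `if ( $addr =~ /^&(.+)$/ )` captures everything after the `&`, so a value such as `&eth0:1024-2000` hands `eth0:1024-2000` to `record_runtime_address` as the interface name, and unlike the dotted-address branch below it leaves `$exceptionrule` unset. If a port suffix is not meant to be combined with a run-time address, narrow the match to `/^&([^:]+)\z/` so such a value does not reach `--to-source` as-is (it would then fall through to the port branch, where `validate_portpair` presumably rejects it, though an explicit error would be clearer). The release notes in this commit say an unusable optional interface resolves to the all-zero address so that "no packets match"; on this line that address becomes the SNAT target rather than a match, so it is worth confirming what `record_runtime_address` emits in that case and recording it here, e.g. `# &iface: SNAT source resolved at run time; an unusable optional interface yields 0.0.0.0 here -- confirm`. `process_one_masq` begins and ends outside the hunk.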
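Review bot: `$ports =~ s/:/-/;` rewrites only the first colon, so an input such as `:1024:2000:3000` reaches `validate_portpair` as `1024-2000:3000`, and whether that is rejected depends on validate_portpair, which is not visible here. The call's return value is also discarded; if validate_portpair normalises the pair (for example by resolving service names), the normalised value should be what is interpolated into `--to-ports`, otherwise a comment should state that it is called purely for its error-raising side effect. `--to-ports` is only meaningful for a transport protocol, yet `$proto` is passed through unchecked in this branch, so a reader has to trust validate_portpair for that as well; I would note it: `# validate_portpair must reject a missing/non-port PROTO as well as a bad pair -- confirm`. `process_one_masq` begins and ends outside the hunk.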
@@ -21,7 +21,7 @@ Beta 2
 diagnostic.
 2) Previously, the uninstall.sh scripts used insserv (if installed) on
- Debian-based systems. These scripts now used the preferred tool
+ Debian-based systems. These scripts now use the preferred tool
 (updaterc.d).
 3) Beginning with 4.4.16, compilation would fail if an empty shell
@@ -33,9 +33,9 @@ Beta 2
 (unoptimized). Similarly, if OPTIMIZE=9 then the ruleset displayed was the same as when OPTIMIZE=1.
-5) Startup could previously fail on a system where module autoloading
- was not available and where TC_ENABLED=Simple was specified in
- shorewall.conf.
+5) Startup could previously fail on a system where kernel module
+ autoloading was not available and where TC_ENABLED=Simple was
+ specified in shorewall.conf.
 Beta 1
@@ -58,8 +58,9 @@ Beta 2
 1) Traditionally, the -lite products have used the modules (or helpers) file on the firewall system unless there is a modules (or
- helpers) file in the configuration directory. This release
- introduces the USE_LOCAL_MODULES option in shorewall[6].conf.
+ helpers) file in the configuration directory on the administrative
+ system. This release introduces the USE_LOCAL_MODULES option in
+ shorewall[6].conf.
 When USE_LOCAL_MODULES=Yes, the modules (helpers) file on the administrative system will be used to determine the set of modules
@@ -96,6 +97,9 @@ Beta 2
 macro files rules
+ They may also be used in the SOURCE and ADDRESS columns of the masq
+ file.
+
 For optional interfaces, if the interface is not usable at the time that the firewall starts the all-zero address will be used (0.0.0.0 in IPv4 and :: in IPv6), resulting in no packets matching the rule.