diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index fed938359..70838d004 100644
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -1,6 +1,8 @@
 Changes in 3.2.0 RC 5
 
 1) Correct generation of the balanced default route.
+
+2) Allow 'detect' in the ADDRESS column of the masq file.
 
 -------------------------------------------------------------------------------
 Changes in 3.2.0 RC 5
diff --git a/Shorewall/compiler b/Shorewall/compiler
index 3e485036a..da5908aac 100755
--- a/Shorewall/compiler
+++ b/Shorewall/compiler
@@ -1114,7 +1114,7 @@ ip route show table $duplicate | while read net route; do
 default|nexthop)
 ;;
 *)
- run_ip route add table $number \$net \$route"
+ run_ip route add table $number \$net \$route
 ;;
 esac
 done
@@ -6391,16 +6391,28 @@ __EOF__
 SAME:nodst:*)
 target="SAME --nodst"
 addresses=${addresses#SAME:nodst:}
- for address in $(separate_list $addresses); do
- addrlist="$addrlist --to $address";
- done
+ if [ "$addresses" = detect ]; then
+ addrlist='$addrlist'
+ else
+ for address in $(separate_list $addresses); do
+ addrlist="$addrlist --to $address";
+ done
+ fi
 ;;
 SAME:*)
 target="SAME"
 addresses=${addresses#SAME:}
- for address in $(separate_list $addresses); do
- addrlist="$addrlist --to $address";
- done
+ if [ "$addresses" = detect ]; then
+ addrlist='$addrlist'
+ else
+ for address in $(separate_list $addresses); do
+ addrlist="$addrlist --to $address";
+ done
+ fi
+ ;;
+ detect)
+ target=SNAT
+ addrlist='$addrlist'
 ;;
 *)
 for address in $(separate_list $addresses); do
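Review bot: The new `SAME:nodst:detect` and `SAME:detect` paths set exactly the same `addrlist='$addrlist'` sentinel as the new `detect)` arm, so whatever later consumes that sentinel cannot tell a SAME target (which the non-detect branches here build with `--to`) from SNAT (`--to-source`); the generated code in the next hunk emits `--to-source` unconditionally, which would presumably be rejected for a SAME target. Carrying the option name alongside the sentinel would keep the two apart, e.g. `detect_opt=--to` in the two SAME arms and `detect_opt=--to-source` in `detect)`, then substituting `$detect_opt` where the address list is generated. The `case` statement these arms belong to begins before the hunk.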
@@ -6417,7 +6429,22 @@ __EOF__
 ;;
 esac
 
- if [ -n "$add_snat_aliases" ]; then
+ if [ "$addrlist" = '$addrlist' ]; then
+ indent >&3 << __EOF__
+
+addrlist=
+addressses=\$(find_interface_addresses $interface)
+
+if [ -n "\$addresses" ]; then
+ for address in \$addresses; do
+ addrlist="$addrlist --to-source $address"
+ done
+else
+ fatal_error "Unable to determine the IP address(es) of $interface"
+fi
+
+__EOF__
+ elif [ -n "$add_snat_aliases" ]; then
 for address in $(separate_list $addresses); do
 address=${address%:)}
 if [ -n "$address" ]; then
@@ -6464,7 +6491,7 @@ __EOF__
 __EOF__
 done
 
- if [ -n "$addresses" ]; then
+ if [ -n "$addresses" -a "$addresses" != detect ]; then
 message=" To $destination $displayproto from \$network through ${interface} using $addresses"
 else
 message=" To $destination $displayproto from \$network through ${interface}"
diff --git a/Shorewall/masq b/Shorewall/masq
index 476a5fc7d..563914e96 100644
--- a/Shorewall/masq
+++ b/Shorewall/masq
@@ -78,6 +78,12 @@
 #
 # Example: 206.124.146.177-206.124.146.180
 #
+# You may also use the special value "detect"
+# which causes Shorewall to determine the
+# IP addresses configured on the interface named
+# in the INTERFACES column and substitute them
+# in this column.
+#
 # Finally, you may also specify a comma-separated
 # list of ranges and/or addresses in this column.
 #
@@ -101,7 +107,8 @@
 #
 # SAME:[nodst:][,...]
 #
-# The may be single addresses.
+# The may be single addresses
+# or "detect" as described above.
 #
 # SAME works like SNAT with the exception that
 # the same local IP address is assigned to each
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index 57887087e..2c82afb6b 100644
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
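Review bot: The generated snippet assigns `addressses=\$(find_interface_addresses $interface)` (three s) but then tests `\$addresses`, so at run time the detected list is never seen and either the `fatal_error` branch or a stale `$addresses` from earlier in the generated script is what actually takes effect; the assignment should read `addresses=\$(find_interface_addresses $interface)`. In the same here-document `$addrlist` and `$address` are not escaped, so the compiler expands them while writing the script instead of the generated loop expanding them at run time: `$addrlist` happens to survive only because the sentinel is the literal text `$addrlist`, while `$address` becomes whatever the compiler's variable holds at that moment (empty, or left over from a previous masq entry). That line should be `addrlist="\$addrlist --to-source \$address"`. Comparing `$addrlist` against the literal string `'$addrlist'` as a flag is also fragile; a dedicated variable (e.g. `detect_addresses=yes`) would make the intent explicit. The enclosing function starts and ends outside the hunk.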
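Review bot: The new condition `[ -n "$addresses" -a "$addresses" != detect ]` relies on the `-a` test operator, which POSIX marks obsolescent and whose parsing is implementation-defined once `[` sees more than four arguments; the unambiguous form is `[ -n "$addresses" ] && [ "$addresses" != detect ]`. The function containing this message code starts and ends outside the hunk.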
@@ -38,7 +38,17 @@ Problems Corrected in 3.2.0 RC 6
 
 Other changes in 3.2.0 RC 6
 
-None.
+1) This change will be in 3.0.9 so I'm slipping it into this RC for
+ compatibility.
+
+ It is now possible to use the special value 'detect' in the ADDRESS
+ column of /etc/shorewall/masq. This allows you to specify SNAT (as
+ opposed to MASQUERADE) without having to know the ip address of the
+ external interface. Shorewall must be restarted each time that the
+ external address (the address of the interface named in the
+ INTERFACE column) changes. Note that if you have done a 'shorewall
+ save' then it is sufficient to "shorewall restore" since the
+ restore script will re-detect the interface's IP address(es).
 
 Migration Considerations:
 