More work on 'detect' in ADDRESS

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4168 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall/changelog.txt

@@ -1,6 +1,8 @@
 Changes in 3.2.0 RC 5
 
 1)  Correct generation of the balanced default route.
+
+2)  Allow 'detect' in the ADDRESS column of the masq file.
 -------------------------------------------------------------------------------
 Changes in 3.2.0 RC 5
 

Shorewall/compiler

@@ -1114,7 +1114,7 @@ ip route show table $duplicate | while read net route; do
         default|nexthop)
             ;;
         *)
-            run_ip route add table $number \$net \$route"
+            run_ip route add table $number \$net \$route
             ;;
     esac
 done
@@ -6391,16 +6391,28 @@ __EOF__
 		SAME:nodst:*)
 		    target="SAME --nodst"
 		    addresses=${addresses#SAME:nodst:}
+		    if [ "$addresses" = detect ]; then
+			addrlist='$addrlist'
+		    else
 			for address in $(separate_list $addresses); do
 			    addrlist="$addrlist --to $address";
 			done
+		    fi
 		    ;;
 		SAME:*)
 		    target="SAME"
 		    addresses=${addresses#SAME:}
+		    if [ "$addresses" = detect ]; then
+			addrlist='$addrlist'
+		    else
 			for address in $(separate_list $addresses); do
 			    addrlist="$addrlist --to $address";
 			done
+		    fi
+		    ;;
+		detect)
+		    target=SNAT
+		    addrlist='$addrlist'
 		    ;;
 		*)
 		    for address in $(separate_list $addresses); do
@@ -6417,7 +6429,22 @@ __EOF__
 		    ;;
 	    esac
 
-	    if [ -n "$add_snat_aliases" ]; then
+	    if [ "$addrlist" = '$addrlist' ]; then
+		indent >&3 << __EOF__
+
+addrlist=
+addressses=\$(find_interface_addresses $interface)
+
+if [ -n "\$addresses" ]; then
+    for address in \$addresses; do
+        addrlist="$addrlist --to-source $address"
+    done
+else
+    fatal_error "Unable to determine the IP address(es) of $interface"
+fi
+
+__EOF__
+	    elif [ -n "$add_snat_aliases" ]; then
 		for address in $(separate_list $addresses); do
 		    address=${address%:)}
 		    if [ -n "$address" ]; then
@@ -6464,7 +6491,7 @@ __EOF__
 __EOF__
 	    done
 
-	    if [ -n "$addresses" ]; then
+	    if [ -n "$addresses" -a "$addresses" != detect ]; then
 		message="   To $destination $displayproto from \$network through ${interface} using $addresses"
 	    else
 		message="   To $destination $displayproto from \$network through ${interface}"

Shorewall/masq

@@ -78,6 +78,12 @@
 #
 #				Example: 206.124.146.177-206.124.146.180
 #
+#				You may also use the special value "detect"
+#				which causes Shorewall to determine the 
+#				IP addresses configured on the interface named
+#				in the INTERFACES column and substitute them
+#				in this column.
+#
 #				Finally, you may also specify a comma-separated
 #				list of ranges and/or addresses in this column.
 #
@@ -101,7 +107,8 @@
 #
 #			SAME:[nodst:]<address-range>[,<address-range>...]
 #
-#				The <address-ranges> may be single addresses.
+#				The <address-ranges> may be single addresses
+#				or "detect" as described above.
 #
 #				SAME works like SNAT with the exception that
 #				the same local IP address is assigned to each

Shorewall/releasenotes.txt

@@ -38,7 +38,17 @@ Problems Corrected in 3.2.0 RC 6
 
 Other changes in 3.2.0 RC 6
 
-None.
+1)  This change will be in 3.0.9 so I'm slipping it into this RC for 
+    compatibility. 
+
+    It is now possible to use the special value 'detect' in the ADDRESS
+    column of /etc/shorewall/masq. This allows you to specify SNAT (as 
+    opposed to MASQUERADE) without having to know the ip address of the
+    external interface. Shorewall must be restarted each time that the
+    external address (the address of the interface named in the 
+    INTERFACE column) changes. Note that if you have done a 'shorewall
+    save' then it is sufficient to "shorewall restore" since the
+    restore script will re-detect the interface's IP address(es).    
 
 Migration Considerations: