More work on 'detect' in ADDRESS

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4168 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2006-06-26 19:32:47 +00:00
parent 886efa758b
commit 0c8f630b85
4 changed files with 57 additions and 11 deletions


@ -1,6 +1,8 @@
Changes in 3.2.0 RC 5 Changes in 3.2.0 RC 5
1) Correct generation of the balanced default route. 1) Correct generation of the balanced default route.
2) Allow 'detect' in the ADDRESS column of the masq file.
------------------------------------------------------------------------------- -------------------------------------------------------------------------------
Changes in 3.2.0 RC 5 Changes in 3.2.0 RC 5


@ -1114,7 +1114,7 @@ ip route show table $duplicate | while read net route; do
default|nexthop) default|nexthop)
;; ;;
*) *)
run_ip route add table $number \$net \$route" run_ip route add table $number \$net \$route
;; ;;
esac esac
done done
@ -6391,16 +6391,28 @@ __EOF__
SAME:nodst:*) SAME:nodst:*)
target="SAME --nodst" target="SAME --nodst"
addresses=${addresses#SAME:nodst:} addresses=${addresses#SAME:nodst:}
for address in $(separate_list $addresses); do if [ "$addresses" = detect ]; then
addrlist="$addrlist --to $address"; addrlist='$addrlist'
done else
for address in $(separate_list $addresses); do
addrlist="$addrlist --to $address";
done
fi
;; ;;
SAME:*) SAME:*)
target="SAME" target="SAME"
addresses=${addresses#SAME:} addresses=${addresses#SAME:}
for address in $(separate_list $addresses); do if [ "$addresses" = detect ]; then
addrlist="$addrlist --to $address"; addrlist='$addrlist'
done else
for address in $(separate_list $addresses); do
addrlist="$addrlist --to $address";
done
fi
;;
detect)
target=SNAT
addrlist='$addrlist'
;; ;;
*) *)
for address in $(separate_list $addresses); do for address in $(separate_list $addresses); do
@ -6417,7 +6429,22 @@ __EOF__
;; ;;
esac esac
if [ -n "$add_snat_aliases" ]; then if [ "$addrlist" = '$addrlist' ]; then
indent >&3 << __EOF__
addrlist=
addressses=\$(find_interface_addresses $interface)
if [ -n "\$addresses" ]; then
for address in \$addresses; do
addrlist="$addrlist --to-source $address"
done
else
fatal_error "Unable to determine the IP address(es) of $interface"
fi
__EOF__
elif [ -n "$add_snat_aliases" ]; then
for address in $(separate_list $addresses); do for address in $(separate_list $addresses); do
address=${address%:)} address=${address%:)}
if [ -n "$address" ]; then if [ -n "$address" ]; then
@ -6464,7 +6491,7 @@ __EOF__
__EOF__ __EOF__
done done
if [ -n "$addresses" ]; then if [ -n "$addresses" -a "$addresses" != detect ]; then
message=" To $destination $displayproto from \$network through ${interface} using $addresses" message=" To $destination $displayproto from \$network through ${interface} using $addresses"
else else
message=" To $destination $displayproto from \$network through ${interface}" message=" To $destination $displayproto from \$network through ${interface}"
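Review bot: The detect block written through `indent >&3 << __EOF__` assigns `addressses` (three s's) but then tests and iterates `\$addresses`, so the generated script would appear to reach `fatal_error` every time unless something earlier in it sets `addresses`; the assignment should read `addresses=\$(find_interface_addresses $interface)`. In the same here-document, `addrlist="$addrlist --to-source $address"` is unescaped, so `$address` expands when the compiler runs (to whatever a previous loop left behind, possibly nothing) instead of in the generated loop; it should be `addrlist="\$addrlist --to-source \$address"`. The block also emits `--to-source` for the `SAME:detect` and `SAME:nodst:detect` cases, while the non-detect SAME branches in this section build `--to`, so SAME rules using detect probably receive an option that target does not accept. A firewall that aborts at start or installs an SNAT rule with an empty or stale source address is worth a test of the generated script before release. The enclosing function starts and ends outside the visible hunks.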


@ -78,6 +78,12 @@
# #
# Example: 206.124.146.177-206.124.146.180 # Example: 206.124.146.177-206.124.146.180
# #
# You may also use the special value "detect"
# which causes Shorewall to determine the
# IP addresses configured on the interface named
# in the INTERFACES column and substitute them
# in this column.
#
# Finally, you may also specify a comma-separated # Finally, you may also specify a comma-separated
# list of ranges and/or addresses in this column. # list of ranges and/or addresses in this column.
# #
@ -101,7 +107,8 @@
# #
# SAME:[nodst:]<address-range>[,<address-range>...] # SAME:[nodst:]<address-range>[,<address-range>...]
# #
# The <address-ranges> may be single addresses. # The <address-ranges> may be single addresses
# or "detect" as described above.
# #
# SAME works like SNAT with the exception that # SAME works like SNAT with the exception that
# the same local IP address is assigned to each # the same local IP address is assigned to each


@ -38,7 +38,17 @@ Problems Corrected in 3.2.0 RC 6
Other changes in 3.2.0 RC 6 Other changes in 3.2.0 RC 6
None. 1) This change will be in 3.0.9 so I'm slipping it into this RC for
compatibility.
It is now possible to use the special value 'detect' in the ADDRESS
column of /etc/shorewall/masq. This allows you to specify SNAT (as
opposed to MASQUERADE) without having to know the ip address of the
external interface. Shorewall must be restarted each time that the
external address (the address of the interface named in the
INTERFACE column) changes. Note that if you have done a 'shorewall
save' then it is sufficient to "shorewall restore" since the
restore script will re-detect the interface's IP address(es).
Migration Considerations: Migration Considerations: