From 124af9a04621e340b5f3948ca1bdad808055b6db Mon Sep 17 00:00:00 2001 From: teastep Date: Tue, 30 Aug 2005 15:54:29 +0000 Subject: [PATCH] 'shorewall check' now checks the masq file git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2592 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall/changelog.txt | 2 ++ Shorewall/firewall | 62 +++++++++++++++++++++++--------------- Shorewall/help | 2 +- Shorewall/releasenotes.txt | 3 ++ 4 files changed, 44 insertions(+), 25 deletions(-) diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt index 500f10ef8..9e006d31e 100755 --- a/Shorewall/changelog.txt +++ b/Shorewall/changelog.txt @@ -4,6 +4,8 @@ Changes in 2.5.4 2) Fix some ghastly bugs in macros. +3) "shorewall check" now checks the masq file. + Changes in 2.5.3 1) Allow exclusion lists in /etc/shorewall/tcrules. diff --git a/Shorewall/firewall b/Shorewall/firewall index b3c4b05a8..19cc5a230 100755 --- a/Shorewall/firewall +++ b/Shorewall/firewall @@ -3681,6 +3681,9 @@ check_config() { process_actions2 process_actions3 + masq=$(find_file masq) + [ -f $masq ] && setup_masq $masq + rm -rf $TMP_DIR [ -n "$RESTOREBASE" ] && rm -f $RESTOREBASE @@ -6672,15 +6675,20 @@ setup_masq() case $destnets in !*) destnets=${destnets#!} - build_exclusion_chain newchain nat "$nomasq" "$destnets" + + if [ $COMMAND != check ]; then + build_exclusion_chain newchain nat "$nomasq" "$destnets" - if [ -n "$networks" ]; then - for s in $networks; do - addnatrule $chain $(source_ip_range $s) $proto $ports $policy -j $newchain - done - networks= + if [ -n "$networks" ]; then + for s in $networks; do + addnatrule $chain $(source_ip_range $s) $proto $ports $policy -j $newchain + done + networks= + else + addnatrule $chain -j $newchain + fi else - addnatrule $chain -j $newchain + networks= fi chain=$newchain 
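Review bot: The new `[ -f $masq ] && setup_masq $masq` in check_config leaves `$masq` unquoted, so if find_file ever returns an empty string the test collapses to the one-argument form `[ -f ]`, which is true, and setup_masq is then called with no argument; a path containing whitespace would likewise be word-split. Quote both uses: `[ -f "$masq" ] && setup_masq "$masq"`. Whether find_file can return empty is not visible in this hunk, so treat this as defensive. check_config's body starts and ends outside the hunk.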
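Review bot: In the `!*)` branch, `chain=$newchain` still runs after the new `[ $COMMAND != check ]` guard even though build_exclusion_chain, which appears to be what sets `newchain`, is skipped in check mode, so `chain` is left empty or holding the value from an earlier iteration. This is only harmless as long as every later consumer of `$chain` is also skipped on `$COMMAND`, which the following hunks suggest but this hunk does not show; either move `chain=$newchain` inside the guard or record the assumption with `# check mode: no chain is built, and every addnatrule that would use $chain is also skipped`. Also quote `"$COMMAND"` in the test so an unset value cannot turn it into a test syntax error. setup_masq starts before and continues after this hunk.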
@@ -6693,18 +6701,20 @@ setup_masq() ;; *) if [ -n "$nomasq" ]; then - build_exclusion_chain newchain nat $nomasq + if [ $COMMAND != check ]; then + build_exclusion_chain newchain nat $nomasq - if [ -n "$networks" ]; then - for s in $networks; do - for destnet in $(separate_list $destnets); do - addnatrule $chain $(both_ip_ranges $s $destnet) $proto $ports $policy -j $newchain + if [ -n "$networks" ]; then + for s in $networks; do + for destnet in $(separate_list $destnets); do + addnatrule $chain $(both_ip_ranges $s $destnet) $proto $ports $policy -j $newchain + done done - done - else - for destnet in $(separate_list $destnets); do - addnatrule $chain $(dest_ip_range $destnet) $proto $ports $policy -j $newchain - done + else + for destnet in $(separate_list $destnets); do + addnatrule $chain $(dest_ip_range $destnet) $proto $ports $policy -j $newchain + done + fi fi chain=$newchain @@ -6755,9 +6765,11 @@ setup_masq() if [ -n "$networks" ]; then for network in $networks; do - for destnet in $(separate_list $destnets); do - addnatrule $chain $(both_ip_ranges $network $destnet) $proto $ports $policy -j $target $addrlist - done + if [ $COMMAND != check ]; then + for destnet in $(separate_list $destnets); do + addnatrule $chain $(both_ip_ranges $network $destnet) $proto $ports $policy -j $target $addrlist + done + fi if [ -n "$addresses" ]; then progress_message " To $destination $displayproto from $network through ${interface} using $addresses" @@ -6766,9 +6778,11 @@ setup_masq() fi done else - for destnet in $(separate_list $destnets); do - addnatrule $chain $(dest_ip_range $destnet) $proto $ports $policy -j $target $addrlist - done + if [ $COMMAND != check ]; then + for destnet in $(separate_list $destnets); do + addnatrule $chain $(dest_ip_range $destnet) $proto $ports $policy -j $target $addrlist + done + fi if [ -n "$addresses" ]; then progress_message " To $destination $displayproto from $source through ${interface} using $addresses" 
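Review bot: The new guard in the `for network in $networks` loop wraps the whole inner `for destnet` loop, so in check mode `both_ip_ranges $network $destnet` is never evaluated; if that helper (and `dest_ip_range` in the next hunk) is where source and destination addresses are parsed and rejected, `shorewall check` will now accept malformed masq entries that `shorewall start` would refuse. Guard only the rule emission and let the helper run: `ranges=$(both_ip_ranges $network $destnet)` followed by `[ $COMMAND = check ] || addnatrule $chain $ranges $proto $ports $policy -j $target $addrlist`. What those helpers actually validate is not visible here, so confirm before changing. setup_masq continues outside the hunk.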
@@ -6783,7 +6797,7 @@ setup_masq() if [ -n "$NAT_ENABLED" ]; then echo "Masqueraded Networks and Hosts:" - [ -n "$RETAIN_ALIASES" ] || save_progress_message "Restoring Masquerading/SNAT..." + [ -n "$RETAIN_ALIASES" -o $COMMAND = check ] || save_progress_message "Restoring Masquerading/SNAT..." fi while read fullinterface networks addresses proto ports ipsec; do diff --git a/Shorewall/help b/Shorewall/help index 65a31a7ea..b1465b89a 100755 --- a/Shorewall/help +++ b/Shorewall/help @@ -74,7 +74,7 @@ allow) check) echo "check: check [ ] Performs a cursory validation of the zones, interfaces, hosts, - rules and policy files. Use this if you are unsure of any edits + rules, policy and masq files. Use this if you are unsure of any edits you have made to the shorewall configuration. See the try command examples for a recommended way to make changes." ;; diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index bab5f9ab7..d24e05341 100755 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt @@ -29,6 +29,9 @@ New Features in Shorewall 2.5.4 Now, $1 = these, $2 = are and $3 = parameters +2) The "shorewall check" command now checks the /etc/shorewall/masq + file. + Problems Corrected in 2.5.3: 1) The Netfilter 'raw' table is now cleared during "shorewall stop",
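Review bot: `[ -n "$RETAIN_ALIASES" -o $COMMAND = check ]` uses the ambiguous `-o` form with `$COMMAND` unquoted; should COMMAND ever be empty the expression becomes `[ -n "..." -o = check ]` and test reports a syntax error instead of evaluating. Prefer two separate tests: `[ -n "$RETAIN_ALIASES" ] || [ "$COMMAND" = check ] || save_progress_message "Restoring Masquerading/SNAT..."`. The heading `echo "Masqueraded Networks and Hosts:"` is still printed in check mode, which looks intended since the per-entry progress messages are also still emitted. The `while read` loop that follows continues outside the hunk.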