Fix several bugs in NAT rule processing

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5739 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2007-03-29 03:07:48 +00:00
parent 70682ad40d
commit 18170d7fd5
3 changed files with 10 additions and 5 deletions


@ -1243,6 +1243,7 @@ sub expand_rule( $$$$$$$$$$ )
$oexcl = $2;
} else {
$oexcl = '';
$onets = $origdest;
}
unless ( $onets ) {


@ -56,12 +56,15 @@ my %providers = ( 'local' => { number => LOCAL_NUMBER , mark => 0 } ,
my @providers;
#
# Set up marking for 'tracked' interfaces. Unline in Shorewall 3.x, we add these rules inconditionally, even if the associated interface isn't up.
# Set up marking for 'tracked' interfaces. Unline in Shorewall 3.x, we add these rules unconditionally, even if the associated interface isn't up.
#
sub setup_route_marking() {
my $mask = $config{HIGH_ROUTE_MARKS} ? '0xFFFF' : '0xFF';
my $mark_op = $config{HIGH_ROUTE_MARKS} ? '--or-mark' : '--set-mark';
require_capability( 'CONNMARK_MATCH' , 'the provider \'track\' option' );
require_capability( 'CONNMARK' , 'the provider \'track\' option' );
add_rule $mangle_table->{PREROUTING} , "-m connmark ! --mark 0/$mask -j CONNMARK --restore-mark --mask $mask";
add_rule $mangle_table->{OUTPUT} , " -m connmark ! --mark 0/$mask -j CONNMARK --restore-mark --mask $mask";
@ -145,8 +148,6 @@ sub setup_providers() {
my ($table, $number, $mark, $duplicate, $interface, $gateway, $options, $copy) = @_;
fatal_error 'Providers require mangle support in your kernel and iptables' unless $capabilities{MANGLE_ENABLED};
fatal_error "Duplicate provider ( $table )" if $providers{$table};
for my $provider ( keys %providers ) {
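Review bot: The PREROUTING and OUTPUT rules in the first hunk repeat the same connmark string, and the OUTPUT copy carries a stray leading space (`" -m connmark ...`); building it once, e.g. `my $restore = "-m connmark ! --mark 0/$mask -j CONNMARK --restore-mark --mask $mask";`, and passing `$restore` to both `add_rule` calls keeps the two chains from drifting apart. The corrected comment still reads "Unline" where "Unlike" is meant. The page has lost its +/- markers, so which two lines the second hunk removes cannot be told from here; if the `MANGLE_ENABLED` check is one of them, confirm that mangle support is still verified before `$mangle_table` is touched. setup_route_marking continues past the end of the first hunk.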


@ -980,10 +980,11 @@ sub process_rule1 ( $$$$$$$$$ ) {
}
$serverport = $ports;
} elsif ( $action eq ' -j DNAT' ) {
} elsif ( $action eq 'DNAT' ) {
$target = '-j DNAT ';
$serverport = ":$serverport" if $serverport;
for my $serv ( split /,/, $server ) {
$target .= "--to ${serv}${serverport} ";
$target .= "--to-destination ${serv}${serverport} ";
}
}
@ -1019,6 +1020,8 @@ sub process_rule1 ( $$$$$$$$$ ) {
unless ( $actiontype & NATONLY ) {
$rule = join( '', do_proto( $proto, $ports, $sports ), do_ratelimit( $ratelimit ), do_user $user );
$loglevel = '';
$dest = $server;
$action = 'ACCEPT';
}
} else {
if ( $actiontype & NONAT ) {
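Review bot: The second hunk assigns the raw `$server` to `$dest` for the follow-on ACCEPT rule, while the DNAT branch in the first hunk treats `$server` as a comma-separated list (`split /,/, $server`). Unless the code that consumes `$dest` accepts such a list (not visible here), a multi-server DNAT rule could yield a malformed filter-table destination, so either expand the list explicitly or reject it before `$dest = $server;`. Separately, `${serv}${serverport}` is interpolated into the `--to-destination` argument with no validation visible in this hunk; if none exists upstream, an anchored check inside the loop such as `fatal_error "Invalid server address ($serv)" unless $serv =~ /^[\d.]+(-[\d.]+)?$/;` (adjusted to whatever formats the rules file permits) would keep stray characters out of the generated iptables command. process_rule1 starts and ends outside both hunks.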