Add INLINE support to the masq file.

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall/Perl/Shorewall/Nat.pm

@@ -66,12 +66,20 @@ sub process_one_masq1( $$$$$$$$$$ )
     my $add_snat_aliases = $family == F_IPV4 && $config{ADD_SNAT_ALIASES};
     my $destnets = '';
     my $baserule = '';
+    my $inlinematches = '';
 
     #
     # Leading '+'
     #
     $pre_nat = 1 if $interfacelist =~ s/^\+//;
     #
+    # Check for INLINE
+    #
+    if ( $interfacelist =~ /^INLINE\((.+)\)$/ ) {
+	$interfacelist = $1;
+	$inlinematches = get_inline_matches;
+    }
+    #
     # Parse the remaining part of the INTERFACE column
     #
     if ( $family == F_IPV4 ) {
@@ -325,7 +333,7 @@ sub process_one_masq1( $$$$$$$$$$ )
 	expand_rule( $chainref ,
 		     POSTROUTE_RESTRICT ,
 		     '' ,
-		     $baserule . $rule ,
+		     $baserule . $inlinematches . $rule ,
 		     $networks ,
 		     $destnets ,
 		     $origdest ,

Shorewall/manpages/shorewall-masq.xml

@@ -80,8 +80,8 @@
 
           <programlisting>        eth0(Avvanta)</programlisting>
 
-          <para>In that case, you will want to specify the interface's
-          address for that provider in the ADDRESS column.</para>
+          <para>In that case, you will want to specify the interface's address
+          for that provider in the ADDRESS column.</para>
 
           <para>The interface may be qualified by adding the character ":"
           followed by a comma-separated list of destination host or subnet
@@ -123,12 +123,26 @@
             <para>Beginning with Shorewall 4.5.11, ?COMMENT is a synonym for
             COMMENT and is preferred.</para>
           </note>
+
+          <para>Beginning with Shorewall 4.6.0, a new syntax is also accepted.
+          With the exception of the leading '+', the interfacelist and
+          qualifiers may appear within the parentheses of <emphasis
+          role="bold">INLINE</emphasis>(...).</para>
+
+          <para>Example:</para>
+
+          <programlisting>        +INLINE(eth0)</programlisting>
+
+          <para>When this is done, you may augment the rule generated by
+          Shorewall with iptables matches of your own. These matches appear
+          after a semicolon (';') at the end of the line.</para>
+
+          <para>See example 8 below.</para>
         </listitem>
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">SOURCE</emphasis> (Formerly called SUBNET)
-        -
+        <term> (Formerly called SUBNET) -
         {<emphasis>interface</emphasis>|<emphasis>address</emphasis>[<emphasis
         role="bold">,</emphasis><emphasis>address</emphasis>][<emphasis>exclusion</emphasis>]}</term>
 
@@ -647,6 +661,24 @@
        eth0       192.168.1.0/24 1.1.1.4 ; mark=3:C</programlisting>
         </listitem>
       </varlistentry>
+
+      <varlistentry>
+        <term>Example 8:</term>
+
+        <listitem>
+          <para>Your eth1 has two public IP addresses: 70.90.191.121 and
+          70.90.191.123. You want to use the iptables statistics match to
+          masquerade outgoing connections evenly between these two
+          addresses.</para>
+
+          <programlisting>/etc/shorewall/masq:
+
+       #INTERFACE    SOURCE         ADDRESS 
+       INLINE(eth1)  0.0.0.0/0      70.90.191.121 ;  -m statistic --mode random --probability 0.50
+       eth1          0.0.0.0/0      70.90.191.123 
+</programlisting>
+        </listitem>
+      </varlistentry>
     </variablelist>
   </refsect1>
 

Shorewall6/manpages/shorewall6-masq.xml

@@ -73,8 +73,8 @@
 
           <programlisting>        eth0(Avvanta)</programlisting>
 
-          <para>In that case, you will want to specify the interface's
-          address for that provider in the ADDRESS column.</para>
+          <para>In that case, you will want to specify the interface's address
+          for that provider in the ADDRESS column.</para>
 
           <para>The interface may be qualified by adding the character ":"
           followed by a comma-separated list of destination host or subnet
@@ -96,6 +96,21 @@
             <para>Beginning with Shorewall 4.5.11, ?COMMENT is a synonym for
             COMMENT and is preferred.</para>
           </note>
+
+          <para>Beginning with Shorewall 4.6.0, a new syntax is also accepted.
+          With the exception of the leading '+', the interfacelist and
+          qualifiers may appear within the parentheses of <emphasis
+          role="bold">INLINE</emphasis>(...).</para>
+
+          <para>Example:</para>
+
+          <programlisting>        +INLINE(eth0)</programlisting>
+
+          <para>When this is done, you may augment the rule generated by
+          Shorewall with iptables matches of your own. These matches appear
+          after a semicolon (';') at the end of the line.</para>
+
+          <para>See example 2 below.</para>
         </listitem>
       </varlistentry>
 
@@ -502,6 +517,24 @@
         eth0         2001:470:b:787::0/64    -</programlisting>
         </listitem>
       </varlistentry>
+
+      <varlistentry>
+        <term>Example 8:</term>
+
+        <listitem>
+          <para>Your sit1 interface has two public IP addresses:
+          2001:470:a:227::1 and 2001:470:b:227::1. You want to use the
+          iptables statistics match to masquerade outgoing connections evenly
+          between these two addresses.</para>
+
+          <programlisting>/etc/shorewall/masq:
+
+       #INTERFACE    SOURCE         ADDRESS 
+       INLINE(sit1)  0.0.0.0/0      2001:470:a:227::1 ;  -m statistic --mode random --probability 0.50
+       sit1          0.0.0.0/0      2001:470:a:227::2 
+</programlisting>
+        </listitem>
+      </varlistentry>
     </variablelist>
   </refsect1>