diff --git a/Shorewall/Perl/Shorewall/Nat.pm b/Shorewall/Perl/Shorewall/Nat.pm
index c88c2efbe..d328ab393 100644
--- a/Shorewall/Perl/Shorewall/Nat.pm
+++ b/Shorewall/Perl/Shorewall/Nat.pm
@@ -66,12 +66,20 @@ sub process_one_masq1( $$$$$$$$$$ )
my $add_snat_aliases = $family == F_IPV4 && $config{ADD_SNAT_ALIASES};
my $destnets = '';
my $baserule = '';
+ my $inlinematches = '';
#
# Leading '+'
#
$pre_nat = 1 if $interfacelist =~ s/^\+//;
#
+ # Check for INLINE
+ #
+ if ( $interfacelist =~ /^INLINE\((.+)\)$/ ) {
+ $interfacelist = $1;
+ $inlinematches = get_inline_matches;
+ }
+ #
# Parse the remaining part of the INTERFACE column
#
if ( $family == F_IPV4 ) {
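Review bot: The INLINE check at `if ( $interfacelist =~ /^INLINE\((.+)\)$/ )` runs after the leading '+' has been stripped, so a '+' written inside the parentheses (`INLINE(+eth0)`) never sets `$pre_nat` and is handed to the interface parsing as part of `$1`. A guard right after `$interfacelist = $1;` would reject that early, for example `fatal_error "The leading '+' must precede INLINE(...)" if $interfacelist =~ /^\+/;` (this assumes fatal_error is in scope in Nat.pm, which the hunk does not show). I would also write the call as `get_inline_matches()` so it does not depend on the sub being predeclared, and extend the `# Check for INLINE` comment to say that the text after ';' is taken verbatim. The body of process_one_masq1 starts and ends outside this hunk.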
@@ -325,7 +333,7 @@ sub process_one_masq1( $$$$$$$$$$ )
expand_rule( $chainref ,
POSTROUTE_RESTRICT ,
'' ,
- $baserule . $rule ,
+ $baserule . $inlinematches . $rule ,
$networks ,
$destnets ,
$origdest ,
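Review bot: `$baserule . $inlinematches . $rule` joins the user's matches to the generated rule text with no separator, so the result is only well-formed if get_inline_matches returns a string ending in whitespace. That helper is not visible here, so this should be confirmed or stated in a comment. Nothing in these hunks validates the matches, so whatever follows ';' in the masq file lands in the generated ruleset unchanged. A comment above the call, such as `# $inlinematches is user-supplied iptables match text, passed through unchecked`, would tell maintainers that the masq file is trusted input and must stay writable by root only. The expand_rule call continues past the end of the hunk.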
diff --git a/Shorewall/manpages/shorewall-masq.xml b/Shorewall/manpages/shorewall-masq.xml
index f6168775e..528b27f7d 100644
--- a/Shorewall/manpages/shorewall-masq.xml
+++ b/Shorewall/manpages/shorewall-masq.xml
@@ -80,8 +80,8 @@
eth0(Avvanta)
- In that case, you will want to specify the interface's
- address for that provider in the ADDRESS column.
+ In that case, you will want to specify the interface's address
+ for that provider in the ADDRESS column.
The interface may be qualified by adding the character ":"
followed by a comma-separated list of destination host or subnet
@@ -123,12 +123,26 @@
Beginning with Shorewall 4.5.11, ?COMMENT is a synonym for
COMMENT and is preferred.
+
+ Beginning with Shorewall 4.6.0, a new syntax is also accepted.
+ With the exception of the leading '+', the interfacelist and
+ qualifiers may appear within the parentheses of INLINE(...).
+
+ Example:
+
+ +INLINE(eth0)
+
+ When this is done, you may augment the rule generated by
+ Shorewall with iptables matches of your own. These matches appear
+ after a semicolon (';') at the end of the line.
+
+ See example 8 below.
- SOURCE (Formerly called SUBNET)
- -
+ (Formerly called SUBNET) -
{interface|address[,address][exclusion]}
@@ -647,6 +661,24 @@
eth0 192.168.1.0/24 1.1.1.4 ; mark=3:C
+
+
+ Example 8:
+
+
+ Your eth1 has two public IP addresses: 70.90.191.121 and
+ 70.90.191.123. You want to use the iptables statistics match to
+ masquerade outgoing connections evenly between these two
+ addresses.
+
+ /etc/shorewall/masq:
+
+ #INTERFACE SOURCE ADDRESS
+ INLINE(eth1) 0.0.0.0/0 70.90.191.121 ; -m statistic --mode random --probability 0.50
+ eth1 0.0.0.0/0 70.90.191.123
+
+
+
diff --git a/Shorewall6/manpages/shorewall6-masq.xml b/Shorewall6/manpages/shorewall6-masq.xml
index fb22d4c6f..31798a445 100644
--- a/Shorewall6/manpages/shorewall6-masq.xml
+++ b/Shorewall6/manpages/shorewall6-masq.xml
@@ -73,8 +73,8 @@
eth0(Avvanta)
- In that case, you will want to specify the interface's
- address for that provider in the ADDRESS column.
+ In that case, you will want to specify the interface's address
+ for that provider in the ADDRESS column.
The interface may be qualified by adding the character ":"
followed by a comma-separated list of destination host or subnet
@@ -96,6 +96,21 @@
Beginning with Shorewall 4.5.11, ?COMMENT is a synonym for
COMMENT and is preferred.
+
+ Beginning with Shorewall 4.6.0, a new syntax is also accepted.
+ With the exception of the leading '+', the interfacelist and
+ qualifiers may appear within the parentheses of INLINE(...).
+
+ Example:
+
+ +INLINE(eth0)
+
+ When this is done, you may augment the rule generated by
+ Shorewall with iptables matches of your own. These matches appear
+ after a semicolon (';') at the end of the line.
+
+ See example 2 below.
@@ -502,6 +517,24 @@
eth0 2001:470:b:787::0/64 -
+
+
+ Example 8:
+
+
+ Your sit1 interface has two public IP addresses:
+ 2001:470:a:227::1 and 2001:470:b:227::1. You want to use the
+ iptables statistics match to masquerade outgoing connections evenly
+ between these two addresses.
+
+ /etc/shorewall/masq:
+
+ #INTERFACE SOURCE ADDRESS
+ INLINE(sit1) 0.0.0.0/0 2001:470:a:227::1 ; -m statistic --mode random --probability 0.50
+ sit1 0.0.0.0/0 2001:470:a:227::2
+
+
+