SNAT Enhancements

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1471 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall2/changelog.txt

@@ -17,3 +17,8 @@ Changes since 2.0.3
 
        firewall
        shorewall.conf
+
+8) Enhancements to /etc/shorewall/masq
+
+       masq
+       firewall

Shorewall2/firewall

@@ -437,6 +437,14 @@ masq_chain() # $1 = interface
    echo $(chain_base $1)_masq
 }
 
+#
+# SNAT Chain for an interface
+#
+snat_chain() # $1 = interface
+{
+   echo $(chain_base $1)_snat
+}
+
 #
 # MAC Verification Chain for an interface
 #
@@ -4190,6 +4198,7 @@ get_routed_networks() # $1 = interface name
     ip route show dev $1 2> /dev/null |
 	while read address rest; do
 	    if [ "x$address" = xdefault ]; then
+//*-+9
 		error_message "Warning: default route ignored on interface $1"
 	    else
 		[ "$address" = "${address%/*}" ] && address="${address}/32"
@@ -4204,14 +4213,31 @@ get_routed_networks() # $1 = interface name
 setup_masq()
 {
     setup_one() {
-	local using
+	local add_snat_aliases=$ADD_SNAT_ALIASES, pre_nat=
 
 	case $fullinterface in
+	    +*)
+		pre_nat=Yes
+		fullinterface=${fullinterface#+}
+		;;
+	esac
+
+	case $fullinterface in
+	    *::*)
+		add_snat_aliases=
+		destnets="${fullinterface##*:}"
+		fullinterface="${fullinterface%:*}"
+		;;		
 	    *:*:*)
 		# Both alias name and networks
 		destnets="${fullinterface##*:}"
 		fullinterface="${fullinterface%:*}"
 		;;
+	    *:)
+		add_snat_aliases=
+	        funninterface=${fullinterface%:}
+		destnets="0.0.0.0/0"
+		;;
 	    *:*)
 		# Alias name OR networks
 		case ${fullinterface#*:} in
@@ -4259,7 +4285,7 @@ setup_masq()
 
 	[ "x$addresses" = x- ] && addresses=
 
-	if [ -n "$addresses" -a -n "$ADD_SNAT_ALIASES" ]; then
+	if [ -n "$addresses" -a -n "$add_snat_aliases" ]; then
 	    for address in $(separate_list $addresses); do
 		for addr in $(ip_range_explicit $address) ; do
 		    if ! list_search $addr $aliases_to_add; then
@@ -4321,7 +4347,7 @@ setup_masq()
 
 	destination=$destnets
 
-	chain=$(masq_chain $interface)
+	[ -z "$pre_nat" ] && chain=$(masq_chain $interface) || chain=$(snat_chain $interface)
 
 	case $destnets in
 	    !*)
@@ -5348,6 +5374,12 @@ activate_rules()
 	    rm -f $TMP_DIR/physdev        
 	fi
     }
+    #
+    # Add early SNAT jumps
+    #
+    for interface in $all_interfaces; do
+	addrulejump POSTROUTING $(snat_chain $interface) -o $interface 
+    done
 
     #
     # Add jumps for dynamic nat chains

Shorewall2/masq

@@ -20,6 +20,20 @@
 #		     This may be qualified by adding the character
 #                    ":" followed by a destination host or subnet.
 #
+#		     If you wish to inhibit the action of ADD_SNAT_ALIASES
+#		     for this entry then include the ":" but omit the digit:
+#
+#				eth0:
+#				eth2::192.0.2.32/27
+#
+#		     Normally Masq/SNAT rules are evaluated after those for
+#		     one-to-one NAT (/etc/shorewall/nat file). If you want
+#		     the rule to be applied before one-to-one NAT rules,
+#		     prefix the interface name with "+":
+#
+#			+eth0
+#			+eth0:192.0.2.32/27
+#			+eth0:2
 #
 #	SUBNET -- Subnet that you wish to masquerade. You can specify this as
 #		  a subnet or as an interface. If you give the name of an

Shorewall2/releasenotes.txt

@@ -37,3 +37,27 @@ New Features:
 1)  ICMP packets that are in the INVALID state are now dropped by the
     Reject and Drop default actions. They do so using the new 
     'dropInvalid' builtin action.
+
+2)  The /etc/shorewall/masq file INTERFACE column now allows additional
+    options.
+
+    Normally MASQUERADE/SNAT rules are evaluated after one-to-one NAT 
+    rules defined in the /etc/shorewall/nat file. If you preceed the
+    interface name with a plus sign ("+") then the rule will be
+    evaluated before one-to-one NAT.
+
+    Examples:
+
+	+eth0
+	+eth1:192.0.2.32/27
+
+    Also, the effect of ADD_SNAT_ALIASES=Yes can be negated for an
+    entry by following the interface name by ":" but no digit. 
+
+    Examples:
+
+	eth0:
+	eth1::192.0.2.32/27
+	+eth3:
+
+