Back out DNAT ONLY change; fix new IPSEC

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1536 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2004-08-14 16:05:28 +00:00 · 2004-08-14 16:05:28 +00:00 · 7d85e8d36c
commit 7d85e8d36c
parent f12381f393
3 changed files with 8 additions and 15 deletions
--- a/Shorewall2/firewall
+++ b/Shorewall2/firewall
@ -1900,7 +1900,7 @@ delete_proxy_arp() {
 # Setup Static Network Address Translation (NAT)
 #
 setup_nat() {
-    local external= interface= internal= allints= localnat= dnatonly=
+    local external= interface= internal= allints= localnat=
    validate_one() #1 = Variable Name, $2 = Column name, $3 = value 
    {
@ -1936,14 +1936,13 @@ setup_nat() {
 	validate_one allints  "ALL INTERFACES" $allints
 	validate_one localnat "LOCAL"          $localnat
 	validate_one dnatonly "DNAT ONLY"      $dnatonly
 	if [ -n "$allints" ]; then
 	    addnatrule nat_in  -d $external -j DNAT --to-destination $internal
-	    [ -n "$dnatonly" ] || addnatrule nat_out -s $internal -j SNAT --to-source $external
+	    addnatrule nat_out -s $internal -j SNAT --to-source $external
 	else
 	    addnatrule $(input_chain $iface) -d $external -j DNAT --to-destination $internal
-	    [ -n "$dnatonly" ] || addnatrule $(output_chain $iface) -s $internal -j SNAT --to-source $external
+	    addnatrule $(output_chain $iface) -s $internal -j SNAT --to-source $external
 	fi
 	[ -n "$localnat" ] && \
@ -1961,8 +1960,8 @@ setup_nat() {
    save_progress_message "Restoring one-to-one NAT..."
-    while read external interface internal allints localnat dnatonly; do
+    while read external interface internal allints localnat; do
-	expandv external interface internal allints localnat dnatonly
+	expandv external interface internal allints localnat
 	do_one_nat
@ -5714,7 +5713,7 @@ activate_rules()
 	    addrulejump PREROUTING  $(dnat_chain $zone) -i $interface $(match_source_hosts $networks) $(match_ipsec_in $zone $host)
 	    addrulejump POSTROUTING $(snat_chain $zone) -o $interface $(match_dest_hosts $networks) $(match_ipsec_out $zone $host)
-	    run_iptables -A $(input_chain $interface) $(match_source_hosts $networks) -j $chain2
+	    run_iptables -A $(input_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j $chain2
 	    [ -n "$complex" ] && \
 		run_iptables -A $(forward_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j $frwd_chain
--- a/Shorewall2/nat
+++ b/Shorewall2/nat
@ -38,10 +38,8 @@
 #
 #       LOCAL           If Yes or yes, NAT will be effective from the firewall
 #                       system
 #
 #	DNAT ONLY	If Yes or yes, no SNAT will occur.	
 ##############################################################################
-#EXTERNAL	INTERFACE	INTERNAL	ALL		LOCAL	DNAT
+#EXTERNAL	INTERFACE	INTERNAL	ALL		LOCAL
-#						INTERFACES		ONLY
+#						INTERFACES
 #
 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
--- a/Shorewall2/releasenotes.txt
+++ b/Shorewall2/releasenotes.txt
@ -256,7 +256,3 @@ New Features:
 	/etc/shorewall/hosts:
 	vpn	eth0:0.0.0.0/0	ipsec
 8)  A new DNAT ONLY column has been added to the /etc/shorewall/nat
    file. If that column contains "Yes" or "yes", then no SNAT rules
    will be generated by the entry.