From a193b7bbba0ccd39338038136ebbb064779e90b8 Mon Sep 17 00:00:00 2001
From: teastep
Date: Wed, 11 Aug 2004 00:17:54 +0000
Subject: [PATCH] Remove SNAT in DNAT rules

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1532 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Shorewall2/changelog.txt | 2 ++
 Shorewall2/firewall | 24 +-----------------------
 Shorewall2/releasenotes.txt | 33 +++++++++++++++++++++++++++++++++
 Shorewall2/rules | 8 --------
 4 files changed, 36 insertions(+), 31 deletions(-)

diff --git a/Shorewall2/changelog.txt b/Shorewall2/changelog.txt
index cb5fa5c23..493f89e90 100644
--- a/Shorewall2/changelog.txt
+++ b/Shorewall2/changelog.txt
@@ -34,3 +34,5 @@ Changes since 2.0.3
 15) Implement STARTUP_ENABLED.
 16) Added DNAT ONLY column to /etc/shorewall/nat.
+
+17) Removed SNAT from ORIGINAL DESTINATION column.
diff --git a/Shorewall2/firewall b/Shorewall2/firewall
index 06338ac0a..928f1ebca 100755
--- a/Shorewall2/firewall
+++ b/Shorewall2/firewall
@@ -3287,10 +3287,7 @@ add_nat_rule() {
 # Parse SNAT address if any
 if [ "$addr" != "${addr%:*}" ]; then
- snat="${addr#*:}"
- addr="${addr%:*}"
- else
- snat=""
+ fatal_error "SNAT may no longer be specified in a DNAT rule; use /etc/shorewall/masq instead"
 fi
 # Set original destination address
@@ -3420,24 +3417,6 @@ add_nat_rule() {
 fi
 fi
- # Handle SNAT
-
- if [ -n "$snat" ]; then
- if [ -n "$cli" ]; then
- [ $COMMAND = check ] || addnatrule $(snat_chain $dest) $proto $cli $multiport \
- $sports -d $serv $dports -j SNAT --to-source $snat
- else
- for source_host in $source_hosts; do
- [ "x${source_host#*:}" = "x0.0.0.0/0" ] && \
- error_message "Warning: SNAT will occur on all connections to this server and port - rule \"$rule\""
-
- [ $COMMAND = check ] || addnatrule $(snat_chain $dest) \
- $(match_source_hosts ${source_host#*:}) $proto $sports $multiport \
- -d $serv $dports -j SNAT --to-source $snat
- done
- fi
- fi
-
 [ "x$addr" = "x0.0.0.0/0" ] && addr=
 ratelimit=
 }
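Review bot: The comment `# Parse SNAT address if any` above the `if` in the first add_nat_rule hunk now sits over code that rejects the address rather than parsing it; change it to `# A second (SNAT) address in ORIGINAL DEST is no longer accepted` so the next reader is not misled. The new fatal_error would also be easier to act on if it named the offending entry, as the warning removed in the second hunk did with `- rule \"$rule\"`, e.g. `fatal_error "SNAT may no longer be specified in a DNAT rule; use /etc/shorewall/masq instead - rule \"$rule\""`. With both the assignment branch and the `# Handle SNAT` block gone, `$snat` appears to have no remaining writer or reader in this function, so any `local snat` declaration elsewhere in add_nat_rule is presumably dead and could be removed in the same commit. add_nat_rule begins and ends outside this hunk.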
@@ -4472,7 +4451,6 @@ get_routed_networks() # $1 = interface name
 ip route show dev $1 2> /dev/null |
 while read address rest; do
 if [ "x$address" = xdefault ]; then
-//*-+9
 error_message "Warning: default route ignored on interface $1"
 else
 [ "$address" = "${address%/*}" ] && address="${address}/32"
diff --git a/Shorewall2/releasenotes.txt b/Shorewall2/releasenotes.txt
index ef37ddf3e..0bd13eae9 100755
--- a/Shorewall2/releasenotes.txt
+++ b/Shorewall2/releasenotes.txt
@@ -60,6 +60,39 @@ Issues when migrating from Shorewall 2.0 to Shorewall 2.1:
 Simply rename that file to 'shorwall.lrp' when installing it on your
 LEAF/Bering system.
+5) The ORIGINAL DEST column of the /etc/shorewall/rules file may no
+ longer contain a second (SNAT) address. You must use an entry in
+ /etc/shorewall/masq instead.
+
+ Example from Shorewall FAQ #1:
+
+ Prior to Shorewall 2.1:
+
+ /etc/shorewall/interfaces
+
+ loc eth1 detect routeback,...
+
+ /etc/shorewall/rules
+
+ DNAT loc loc:192.168.1.12 tcp 80 \
+ - 130.252.100.69:192.168.1.254
+
+ Shorewall 2.1 and Later:
+
+ /etc/shorewall/interfaces
+
+ loc eth1 detect routeback,...
+
+ /etc/shorewall/masq:
+
+ eth1 eth1 192.168.1.254 tcp 80
+
+
+ /etc/shorewall/rules:
+
+ DNAT loc loc:192.168.1.12 tcp 80 \
+ - 130.252.100.69
+
 -----------------------------------------------------------------------
 New Features:
diff --git a/Shorewall2/rules b/Shorewall2/rules
index e65fba67f..e632cbeef 100755
--- a/Shorewall2/rules
+++ b/Shorewall2/rules
@@ -237,14 +237,6 @@
 # destination address in the connection request does not
 # match any of the addresses listed.
 #
-# The address (list) may optionally be followed by
-# a colon (":") and a second IP address. This causes
-# Shorewall to use the second IP address as the source
-# address in forwarded packets. See the Shorewall
-# documentation for restrictions concerning this feature.
-# If no source IP address is given, the original source
-# address is not altered.
-#
 # RATE LIMIT You may rate-limit the rule by placing a value in
 # this colume:
 #