From b30cae89e38e9f69a2119c7ef70c99a08f6fc85a Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Mon, 23 Nov 2009 09:56:15 -0800
Subject: [PATCH] Allow :: in the rules file DEST column
---
Shorewall/Perl/Shorewall/Rules.pm | 18 +++++++++++-------
Shorewall/changelog.txt | 2 ++
Shorewall/releasenotes.txt | 14 +++++++++++++-
3 files changed, 26 insertions(+), 8 deletions(-)
diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index 3b3990816..ad85061b1 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -1237,10 +1237,10 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
 $origdest = ALLIP;
 }
 }
- } else {
- fatal_error "A server must be specified in the DEST column in $action rules" if $server eq '';
-
- if ( $server =~ /^(.+)-(.+)$/ ) {
+ } else {
+ if ( $server eq '' ) {
+ fatal_error "A server and/or port must be specified in the DEST column in $action rules" unless $serverport;
+ } elsif ( $server =~ /^(.+)-(.+)$/ ) {
 validate_range( $1, $2 );
 } else {
 my @servers = validate_address $server, 1;
@@ -1249,9 +1249,13 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
 if ( $action eq 'DNAT' ) {
 $target = '-j DNAT ';
- $serverport = ":$serverport" if $serverport;
- for my $serv ( split /,/, $server ) {
- $target .= "--to-destination ${serv}${serverport} ";
+ if ( $server ) {
+ $serverport = ":$serverport" if $serverport;
+ for my $serv ( split /,/, $server ) {
+ $target .= "--to-destination ${serv}${serverport} ";
+ }
+ } else {
+ $target .= "--to-destination :$serverport ";
 }
 }
diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index 7203c62fd..9622e834f 100644
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -6,6 +6,8 @@ Changes in Shorewall 4.4.5
 3) Generate error for port number 0
+4) Allow zone::serverport in rules DEST column.
+
 Changes in Shorewall 4.4.4
 1) Change STARTUP_LOG and LOG_VERBOSITY in default shorewall6.conf.
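Review bot: The relaxed check at `if ( $server eq '' )` now admits an empty server for every action that reaches this `else` branch, but only the DNAT target builder in the following hunk handles the empty-server case; any other action handled later in process_rule1 (outside these hunks) that still splits or interpolates `$server` should be confirmed to cope with `''`. The guard also relies on Perl truthiness, so a DEST of the form `zone::0` would be reported as "must be specified" rather than as an invalid port, depending on where the port is validated; `unless length $serverport` (assuming `$serverport` is always a defined string here) would keep the message honest and leave port validation to the existing check. process_rule1 begins and ends outside the hunk.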
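Review bot: The new branch tests the server with bare truthiness (`if ( $server )`) while the preceding hunk tests `$server eq ''`; for consistency and to avoid the "0"-is-false trap, `if ( $server ne '' ) {` is the clearer guard. The `else` arm emits `--to-destination :$serverport ` unconditionally, which is only a valid iptables argument when the empty-server path of the previous hunk guaranteed a port; if any other route into this `if ( $action eq 'DNAT' )` block leaves both empty, the generated rule would carry a dangling `:`. Since a port-only rewrite applies to every matched destination including the firewall's own addresses, a one-line comment above the `else` arm such as `# Port-only rewrite: caller is expected to restrict ORIGINAL DEST (see release notes)` would help maintainers. The release notes added in this patch describe the example `DNAT loc net::456 udp 234` as rewriting 456 to 234, whereas this target yields `--to-destination :456` for packets matched on the DEST PORT column value 234, so that wording appears reversed if I read the rule columns correctly. process_rule1 continues past the hunk.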
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index 4c418c735..4ce694568 100644
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@@ -201,7 +201,19 @@ None.
 N E W F E A T U R E S I N 4 . 4 . 5
 ----------------------------------------------------------------------------
-None.
+1) Shorewall now allows DNAT rules that change only the destination
+ port.
+
+ Example:
+
+ DNAT loc net::456 udp 234
+
+ That rule will modify the destination port in UDP packets received
+ from the 'loc' zone from 456 to 234. Note that if the destination
+ is the firewall itself, then the destination port will be rewritten
+ but that no ACCEPT rule from the loc zone to the $FW zone will have
+ been created to handle the request. So such rules should probably
+ exclude the firewall's IP addresses in the ORIGINAL DEST column.
 ----------------------------------------------------------------------------
 N E W F E A T U R E S I N 4 . 4 . 0