Don't NAT tunnel traffic
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1605 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
bc0a246113
commit
b86d3f03d9
@ -62,3 +62,5 @@ Changes since 2.0.3
|
||||
29) Correct parsing of PROTO column in setup_tc1().
|
||||
|
||||
30) Verify Physdev match if BRIDGING=Yes
|
||||
|
||||
31) Don't NAT tunnel traffic.
|
||||
|
@ -1967,7 +1967,7 @@ delete_proxy_arp() {
|
||||
# Setup Static Network Address Translation (NAT)
|
||||
#
|
||||
setup_nat() {
|
||||
local external= interface= internal= allints= localnat=
|
||||
local external= interface= internal= allints= localnat= policyin= policyout=
|
||||
|
||||
validate_one() #1 = Variable Name, $2 = Column name, $3 = value
|
||||
{
|
||||
@ -2005,15 +2005,15 @@ setup_nat() {
|
||||
validate_one localnat "LOCAL" $localnat
|
||||
|
||||
if [ -n "$allints" ]; then
|
||||
addnatrule nat_in -d $external -j DNAT --to-destination $internal
|
||||
addnatrule nat_out -s $internal -j SNAT --to-source $external
|
||||
addnatrule nat_in -d $external $policyin -j DNAT --to-destination $internal
|
||||
addnatrule nat_out -s $internal $policyout -j SNAT --to-source $external
|
||||
else
|
||||
addnatrule $(input_chain $iface) -d $external -j DNAT --to-destination $internal
|
||||
addnatrule $(output_chain $iface) -s $internal -j SNAT --to-source $external
|
||||
addnatrule $(input_chain $iface) -d $external $policyin -j DNAT --to-destination $internal
|
||||
addnatrule $(output_chain $iface) -s $internal $policyout -j SNAT --to-source $external
|
||||
fi
|
||||
|
||||
[ -n "$localnat" ] && \
|
||||
run_iptables2 -t nat -A OUTPUT -d $external -j DNAT --to-destination $internal
|
||||
run_iptables2 -t nat -A OUTPUT -d $external $policyout -j DNAT --to-destination $internal
|
||||
|
||||
if [ -n "$add_ip_aliases" ]; then
|
||||
list_search $external $aliases_to_add || \
|
||||
@ -2025,6 +2025,11 @@ setup_nat() {
|
||||
#
|
||||
> ${STATEDIR}/nat
|
||||
|
||||
if [ -n "$POLICY_MATCH" ]; then
|
||||
policyin="-m policy --pol none --dir in"
|
||||
policyout="-m policy --pol none --dir out"
|
||||
fi
|
||||
|
||||
save_progress_message "Restoring one-to-one NAT..."
|
||||
|
||||
while read external interface internal allints localnat; do
|
||||
|
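Review bot: The IPSEC exemption is silently skipped when POLICY_MATCH is empty: in that case `policyin` and `policyout` stay blank and the DNAT/SNAT rules built through addnatrule, as well as the OUTPUT-chain DNAT rule, still apply to tunnel traffic, which is exactly the behaviour this commit sets out to remove. A comment above the capability test would make the dependency explicit, e.g. `# Exempt IPSEC-processed packets from one-to-one NAT; needs the policy match capability (POLICY_MATCH), otherwise the rules apply to all traffic`, and an else branch that emits an admin-visible message would make the degraded mode detectable at startup rather than only by inspection of the nat table. The direction choices look right, `--dir in` on the DNAT rules in the input chains and `--dir out` on the SNAT rules and the OUTPUT-chain DNAT, which matches where the policy match accepts each direction. The block that calls addnatrule appears to be a helper whose start lies outside the hunk, so whether it always runs after the POLICY_MATCH assignment cannot be confirmed here; the assignment does precede the `while read` loop shown, which looks sufficient if that loop is the only caller.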
@ -42,6 +42,11 @@ Problems corrected since 2.1.7
|
||||
|
||||
2) Fix parsing of PROTO column in /etc/shorewall/tcrules.
|
||||
|
||||
3) Packets that will be encrypted or that have been decrypted by IPSEC
|
||||
are now exempted from the rules established by one-to-one NAT. This
|
||||
allows tunnel mode IPSEC to work for local networks where some of
|
||||
the systems use one-to-one NAT.
|
||||
|
||||
-----------------------------------------------------------------------
|
||||
Issues when migrating from Shorewall 2.0 to Shorewall 2.1:
|
||||
|
||||
|