diff --git a/Shorewall2/changelog.txt b/Shorewall2/changelog.txt
index 0edc5ce2d..734b5438a 100644
--- a/Shorewall2/changelog.txt
+++ b/Shorewall2/changelog.txt
@@ -62,3 +62,5 @@ Changes since 2.0.3
 29) Correct parsing of PROTO column in setup_tc1().
 
 30) Verify Physdev match if BRIDGING=Yes
+
+31) Don't NAT tunnel traffic.
diff --git a/Shorewall2/firewall b/Shorewall2/firewall
index 03f8bb263..49ee302bb 100755
--- a/Shorewall2/firewall
+++ b/Shorewall2/firewall
@@ -1967,7 +1967,7 @@ delete_proxy_arp() {
 # Setup Static Network Address Translation (NAT)
 #
 setup_nat() {
- local external= interface= internal= allints= localnat=
+ local external= interface= internal= allints= localnat= policyin= policyout=
 
 validate_one() #1 = Variable Name, $2 = Column name, $3 = value
 {
@@ -2005,15 +2005,15 @@ setup_nat() {
 validate_one localnat "LOCAL" $localnat
 
 if [ -n "$allints" ]; then
- addnatrule nat_in -d $external -j DNAT --to-destination $internal
- addnatrule nat_out -s $internal -j SNAT --to-source $external
+ addnatrule nat_in -d $external $policyin -j DNAT --to-destination $internal
+ addnatrule nat_out -s $internal $policyout -j SNAT --to-source $external
 else
- addnatrule $(input_chain $iface) -d $external -j DNAT --to-destination $internal
- addnatrule $(output_chain $iface) -s $internal -j SNAT --to-source $external
+ addnatrule $(input_chain $iface) -d $external $policyin -j DNAT --to-destination $internal
+ addnatrule $(output_chain $iface) -s $internal $policyout -j SNAT --to-source $external
 fi
 
 [ -n "$localnat" ] && \
- run_iptables2 -t nat -A OUTPUT -d $external -j DNAT --to-destination $internal
+ run_iptables2 -t nat -A OUTPUT -d $external $policyout -j DNAT --to-destination $internal
 
 if [ -n "$add_ip_aliases" ]; then
 list_search $external $aliases_to_add || \
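Review bot: The localnat rule in the `@@ -2005` hunk, `run_iptables2 -t nat -A OUTPUT -d $external $policyout -j DNAT --to-destination $internal`, carries `$policyout` while the other two DNAT rules in the same hunk carry `$policyin`; as far as I recall the policy match that asymmetry is right (the OUTPUT hook only accepts `--dir out`), but nothing in the code says so and a later reader is likely to "fix" it to `$policyin` and break the rule. I would add above that line: `# OUTPUT is an outbound hook: the policy match only accepts --dir out here, hence $policyout`. `$policyin`/`$policyout` are left unquoted on purpose so that each token becomes a separate iptables argument, which matches the rest of this file but deserves a comment where the two variables are assigned. The body that contains these rules starts and ends outside the hunk.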
@@ -2025,6 +2025,11 @@ setup_nat() {
 #
 > ${STATEDIR}/nat
 
+ if [ -n "$POLICY_MATCH" ]; then
+ policyin="-m policy --pol none --dir in"
+ policyout="-m policy --pol none --dir out"
+ fi
+
 save_progress_message "Restoring one-to-one NAT..."
 
 while read external interface internal allints localnat; do
diff --git a/Shorewall2/releasenotes.txt b/Shorewall2/releasenotes.txt
index bb730e472..fec49a9b9 100755
--- a/Shorewall2/releasenotes.txt
+++ b/Shorewall2/releasenotes.txt
@@ -42,6 +42,11 @@ Problems corrected since 2.1.7
 2) Fix parsing of PROTO column in /etc/shorewall/tcrules.
+3) Packets that will be encrypted or that have been decrypted by IPSEC
+ are now exempted from the rules established by one-to-one NAT. This
+ allows tunnel mode IPSEC to work for local networks where some of
+ the systems use one-to-one NAT.
+
 -----------------------------------------------------------------------
 Issues when migrating from Shorewall 2.0 to Shorewall 2.1:
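Review bot: When `POLICY_MATCH` is empty the new `if` leaves `policyin`/`policyout` unset, so the one-to-one NAT rules are installed exactly as before and IPsec tunnel traffic is silently NATed even though the release notes in this commit promise an exemption; nothing tells the administrator that the exemption was skipped. I cannot see where `POLICY_MATCH` is set, so I assume it is a capability flag detected elsewhere and the quiet fallback is intended; if so, it should at least be stated, e.g. `# Without policy match support, IPsec tunnel traffic remains subject to one-to-one NAT` on the `if`, or an `else` branch that reports the degraded behaviour. The assignment also happens after the nested helpers that read these two variables are defined, which works only because both are `local` to setup_nat and read at call time; a one-line comment saying the values are consumed by the per-entry rule builder would make that dependency visible. setup_nat continues beyond the end of this hunk.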