Don't NAT tunnel traffic
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1605 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
bc0a246113
commit
b86d3f03d9
@ -62,3 +62,5 @@ Changes since 2.0.3
|
|||||||
29) Correct parsing of PROTO column in setup_tc1().
|
29) Correct parsing of PROTO column in setup_tc1().
|
||||||
|
|
||||||
30) Verify Physdev match if BRIDGING=Yes
|
30) Verify Physdev match if BRIDGING=Yes
|
||||||
|
|
||||||
|
31) Don't NAT tunnel traffic.
|
||||||
|
@ -1967,7 +1967,7 @@ delete_proxy_arp() {
|
|||||||
# Setup Static Network Address Translation (NAT)
|
# Setup Static Network Address Translation (NAT)
|
||||||
#
|
#
|
||||||
setup_nat() {
|
setup_nat() {
|
||||||
local external= interface= internal= allints= localnat=
|
local external= interface= internal= allints= localnat= policyin= policyout=
|
||||||
|
|
||||||
validate_one() #1 = Variable Name, $2 = Column name, $3 = value
|
validate_one() #1 = Variable Name, $2 = Column name, $3 = value
|
||||||
{
|
{
|
||||||
@ -2005,15 +2005,15 @@ setup_nat() {
|
|||||||
validate_one localnat "LOCAL" $localnat
|
validate_one localnat "LOCAL" $localnat
|
||||||
|
|
||||||
if [ -n "$allints" ]; then
|
if [ -n "$allints" ]; then
|
||||||
addnatrule nat_in -d $external -j DNAT --to-destination $internal
|
addnatrule nat_in -d $external $policyin -j DNAT --to-destination $internal
|
||||||
addnatrule nat_out -s $internal -j SNAT --to-source $external
|
addnatrule nat_out -s $internal $policyout -j SNAT --to-source $external
|
||||||
else
|
else
|
||||||
addnatrule $(input_chain $iface) -d $external -j DNAT --to-destination $internal
|
addnatrule $(input_chain $iface) -d $external $policyin -j DNAT --to-destination $internal
|
||||||
addnatrule $(output_chain $iface) -s $internal -j SNAT --to-source $external
|
addnatrule $(output_chain $iface) -s $internal $policyout -j SNAT --to-source $external
|
||||||
fi
|
fi
|
||||||
|
|
||||||
[ -n "$localnat" ] && \
|
[ -n "$localnat" ] && \
|
||||||
run_iptables2 -t nat -A OUTPUT -d $external -j DNAT --to-destination $internal
|
run_iptables2 -t nat -A OUTPUT -d $external $policyout -j DNAT --to-destination $internal
|
||||||
|
|
||||||
if [ -n "$add_ip_aliases" ]; then
|
if [ -n "$add_ip_aliases" ]; then
|
||||||
list_search $external $aliases_to_add || \
|
list_search $external $aliases_to_add || \
|
||||||
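Review bot: The OUTPUT-chain DNAT rule in this hunk (`run_iptables2 -t nat -A OUTPUT -d $external $policyout -j DNAT --to-destination $internal`) is the only DNAT that carries `$policyout` rather than `$policyin`, which reads like a copy-paste slip but is in fact required: xt_policy's `--dir in` is only valid in PREROUTING/INPUT/FORWARD and `--dir out` only in POSTROUTING/OUTPUT/FORWARD, so the variable is chosen by the chain, not by the NAT target. A one-line comment would stop a future maintainer from "correcting" it: `# OUTPUT is an encapsulation path: the policy match must be --dir out here even though the target is DNAT`. The `$policyin`/`$policyout` expansions also rely on staying unquoted so the match words split into separate iptables arguments; when `POLICY_MATCH` is unset they presumably expand to nothing and tunnel traffic is still NATed, so the exemption silently depends on capability detection done elsewhere. setup_nat's body starts and ends outside this hunk.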
@ -2025,6 +2025,11 @@ setup_nat() {
|
|||||||
#
|
#
|
||||||
> ${STATEDIR}/nat
|
> ${STATEDIR}/nat
|
||||||
|
|
||||||
|
if [ -n "$POLICY_MATCH" ]; then
|
||||||
|
policyin="-m policy --pol none --dir in"
|
||||||
|
policyout="-m policy --pol none --dir out"
|
||||||
|
fi
|
||||||
|
|
||||||
save_progress_message "Restoring one-to-one NAT..."
|
save_progress_message "Restoring one-to-one NAT..."
|
||||||
|
|
||||||
while read external interface internal allints localnat; do
|
while read external interface internal allints localnat; do
|
||||||
|
@ -42,6 +42,11 @@ Problems corrected since 2.1.7
|
|||||||
|
|
||||||
2) Fix parsing of PROTO column in /etc/shorewall/tcrules.
|
2) Fix parsing of PROTO column in /etc/shorewall/tcrules.
|
||||||
|
|
||||||
|
3) Packets that will be encrypted or that have been decrypted by IPSEC
|
||||||
|
are now exempted from the rules established by one-to-one NAT. This
|
||||||
|
allows tunnel mode IPSEC to work for local networks where some of
|
||||||
|
the systems use one-to-one NAT.
|
||||||
|
|
||||||
-----------------------------------------------------------------------
|
-----------------------------------------------------------------------
|
||||||
Issues when migrating from Shorewall 2.0 to Shorewall 2.1:
|
Issues when migrating from Shorewall 2.0 to Shorewall 2.1:
|
||||||
|
|
||||||
|