diff --git a/Shorewall/Perl/Shorewall/Nat.pm b/Shorewall/Perl/Shorewall/Nat.pm index 31987ad6b..bc24410b6 100644 --- a/Shorewall/Perl/Shorewall/Nat.pm +++ b/Shorewall/Perl/Shorewall/Nat.pm @@ -152,9 +152,12 @@ sub process_one_masq1( $$$$$$$$$$$$ ) $baserule .= do_user( $user ) if $user ne '-'; $baserule .= do_probability( $probability ) if $probability ne '-'; + my $target; + for my $fullinterface (split_list $interfacelist, 'interface' ) { my $rule = ''; - my $target = 'MASQUERADE '; + + $target = 'MASQUERADE '; # # Isolate and verify the interface part # @@ -352,24 +355,7 @@ sub process_one_masq1( $$$$$$$$$$$$ ) # # And Generate the Rule(s) # - if ( $snat ) { - $target =~ s/ .*//; - $target = 'CONTINUE' if $target eq 'RETURN'; - $target .= '+' if $pre_nat; - $target .= '(' . $addresses . ')' if $addresses ne '-'; - - my $line = "$target\t$networks\t$savelist\t$proto\t$ports\t$ipsec\t$mark\t$user\t$condition\t$origdest\t$probability"; - # - # Supress superfluous trailing dashes - # - $line =~ s/(?:\t-)+$//; - - my $raw_matches = fetch_inline_matches; - - $line .= join( '', ' ;;', $raw_matches ) if $raw_matches ne ' '; - - print $snat "$line\n"; - } else { + unless ( $snat ) { expand_rule( $chainref , POSTROUTE_RESTRICT , $prerule , @@ -385,23 +371,23 @@ sub process_one_masq1( $$$$$$$$$$$$ ) unless unreachable_warning( 0, $chainref ); conditional_rule_end( $chainref ) if $detectaddress || $conditional; - } - if ( $add_snat_aliases ) { - my ( $interface, $alias , $remainder ) = split( /:/, $fullinterface, 3 ); - fatal_error "Invalid alias ($alias:$remainder)" if defined $remainder; - for my $address ( split_list $addresses, 'address' ) { - my ( $addrs, $port ) = split /:/, $address; - next unless $addrs; - next if $addrs eq 'detect'; - for my $addr ( ip_range_explicit $addrs ) { - unless ( $addresses_to_add{$addr} ) { - $addresses_to_add{$addr} = 1; - if ( defined $alias ) { - push @addresses_to_add, $addr, "$interface:$alias"; - $alias++; - } else { - push @addresses_to_add, $addr, $interface; + if ( $add_snat_aliases ) { + my ( $interface, $alias , $remainder ) = split( /:/, $fullinterface, 3 ); + fatal_error "Invalid alias ($alias:$remainder)" if defined $remainder; + for my $address ( split_list $addresses, 'address' ) { + my ( $addrs, $port ) = split /:/, $address; + next unless $addrs; + next if $addrs eq 'detect'; + for my $addr ( ip_range_explicit $addrs ) { + unless ( $addresses_to_add{$addr} ) { + $addresses_to_add{$addr} = 1; + if ( defined $alias ) { + push @addresses_to_add, $addr, "$interface:$alias"; + $alias++; + } else { + push @addresses_to_add, $addr, $interface; + } } } } @@ -409,6 +395,25 @@ sub process_one_masq1( $$$$$$$$$$$$ ) } } + if ( $snat ) { + $target =~ s/ .*//; + $target = 'CONTINUE' if $target eq 'RETURN'; + $target .= '+' if $pre_nat; + $target .= '(' . $addresses . ')' if $addresses ne '-'; + + my $line = "$target\t$networks\t$savelist\t$proto\t$ports\t$ipsec\t$mark\t$user\t$condition\t$origdest\t$probability"; + # + # Supress superfluous trailing dashes + # + $line =~ s/(?:\t-)+$//; + + my $raw_matches = fetch_inline_matches; + + $line .= join( '', ' ;;', $raw_matches ) if $raw_matches ne ' '; + + print $snat "$line\n"; + } + progress_message " Masq record \"$currentline\" $done"; } diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm index 394c8c789..76f1361e3 100644 --- a/Shorewall/Perl/Shorewall/Rules.pm +++ b/Shorewall/Perl/Shorewall/Rules.pm @@ -5347,7 +5347,6 @@ sub process_snat1( $$$$$$$$$$$$ ) { my $params; my $actiontype; my $interfaces; - my $interface; my $normalized_action; if ( $action =~ /^MASQUERADE(\+)?\((.+)\)$/ ) { @@ -5403,6 +5402,8 @@ sub process_snat1( $$$$$$$$$$$$ ) { if ( $2 =~ /\./ || $2 =~ /^%/ ) { $interfaces = $one; $destnets = $two; + } else { + $interfaces = $dest; } } else { $interfaces = $dest; @@ -5440,10 +5441,13 @@ sub process_snat1( $$$$$$$$$$$$ ) { $baserule .= do_user( $user ) if $user ne '-'; $baserule .= do_probability( $probability ) if $probability ne '-'; - for $interface ( split_list( $interfaces, 'interface' ) ) { + for my $fullinterface ( split_list( $interfaces, 'interface' ) ) { my $rule = ''; my $saveaddresses = $addresses; + my $interface = $fullinterface; + + $interface =~ s/:.*//; #interface name may include 'alias' unless ( $inaction ) { if ( $interface =~ /(.*)[(](\w*)[)]$/ ) { @@ -5514,7 +5518,7 @@ sub process_snat1( $$$$$$$$$$$$ ) { # User-defined address variable # $conditional = conditional_rule( $chainref, $addr ); - $addrlist .= ' --to-source' . "\$${1}${ports} "; + $addrlist .= ' --to-source ' . "\$${1}${ports} "; } else { if ( $conditional = conditional_rule( $chainref, $addr ) ) { # @@ -5533,7 +5537,7 @@ sub process_snat1( $$$$$$$$$$$$ ) { $addr = $family == F_IPV4 ? "${addr}${ports} " : "[$addr]$ports "; } - $addrlist .= ' --to-source' . $addr; + $addrlist .= ' --to-source ' . $addr; } } elsif ( $family == F_IPV4 ) { if ( $addr =~ /^.*\..*\..*\./ ) { @@ -5684,6 +5688,27 @@ sub process_snat1( $$$$$$$$$$$$ ) { unless unreachable_warning( 0, $chainref ); conditional_rule_end( $chainref ) if $detectaddress || $conditional; + + if ( $add_snat_aliases ) { + my ( $interface, $alias , $remainder ) = split( /:/, $fullinterface, 3 ); + fatal_error "Invalid alias ($alias:$remainder)" if defined $remainder; + for my $address ( split_list $addresses, 'address' ) { + my ( $addrs, $port ) = split /:/, $address; + next unless $addrs; + next if $addrs eq 'detect'; + for my $addr ( ip_range_explicit $addrs ) { + unless ( $addresses_to_add{$addr} ) { + $addresses_to_add{$addr} = 1; + if ( defined $alias ) { + push @addresses_to_add, $addr, "$interface:$alias"; + $alias++; + } else { + push @addresses_to_add, $addr, $interface; + } + } + } + } + } } $addresses = $saveaddresses;