diff --git a/Samples/three-interfaces/masq b/Samples/three-interfaces/masq
index 006c658c0..e800fc134 100644
--- a/Samples/three-interfaces/masq
+++ b/Samples/three-interfaces/masq
@@ -15,6 +15,8 @@
#
##############################################################################
#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK
-eth0 eth1
-eth0 eth2
+eth0 10.0.0.0/8,\
+ 169.254.0.0/16,\
+ 172.16.0.0/12,\
+ 192.168.0.0/16
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
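Review bot: The new SOURCE list includes 169.254.0.0/16, which RFC 3927 defines as link-local and not to be forwarded off-link, so a masq entry for it is only meaningful if the firewall is already routing link-local sources, which hosts normally must not do; unless that is deliberate, the sample reads more cleanly limited to the three RFC 1918 ranges. Replacing the per-interface entries with address ranges also drops the implicit tie between the translated traffic and the eth1/eth2 ingress side: any packet leaving eth0 with a private source, including locally generated ones, is now masqueraded, which is presumably intended given the deprecation in Chains.pm but deserves a comment line above the entry such as `# Masquerade all RFC 1918 sources leaving eth0; narrow this to your actual LAN subnet(s)`. The same applies to the two-interfaces sample in the next hunk.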
diff --git a/Samples/two-interfaces/masq b/Samples/two-interfaces/masq
index 95ed88e1b..9b645327b 100644
--- a/Samples/two-interfaces/masq
+++ b/Samples/two-interfaces/masq
@@ -15,5 +15,8 @@
#
###############################################################################
#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK
-eth0 eth1
+eth0 10.0.0.0/8,\
+ 169.254.0.0/16,\
+ 172.16.0.0/12,\
+ 192.168.0.0/16
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index 93e580673..95e472538 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -246,6 +246,7 @@ use constant { NO_RESTRICT => 0, # FORWARD chain rule - Both -i and
our $exclseq;
our $iprangematch;
our $chainseq;
+our $idiotcount;
our $global_variables;
@@ -352,6 +353,7 @@ sub initialize( $ ) {
%interfacegateways = ();
$global_variables = 0;
+ $idiotcount = 0;
}
@@ -2457,6 +2459,7 @@ sub expand_rule( $$$$$$$$$$ )
# An interface in the SOURCE column of a masq file
#
fatal_error "Bridge ports may not appear in the SOURCE column of this file" if port_to_bridge( $iiface );
+ warning_message qq(Using an interface as the masq SOURCE requires the interface to be up and configured when $Product starts/restarts) unless $idiotcount++;
push_command $chainref, join( '', 'for source in ', get_interface_nets( $iiface) , '; do' ), 'done';
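Review bot: The warning added in expand_rule tells the user the interface must be up at start time but never says the usage is deprecated, while changelog.txt and releasenotes.txt in this same commit describe it as a deprecation that "will result in a compile-time warning", so a user seeing the message gets no cue to migrate to an address list. Suggest `warning_message qq(Use of an interface in the SOURCE column of the masq file is deprecated; the interface must be up and configured when $Product starts/restarts) unless $idiotcount++;`. The counter name `$idiotcount` (declared and reset in the two earlier hunks of this file) is pejorative toward the user and does not describe its role as a once-per-compilation flag; `$masq_iface_warned` or similar, with a comment such as `# emit the deprecation warning only once per compilation`, would read better. expand_rule's body begins and ends outside the hunk, and the definition of $Product is not visible here.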
diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index 78cebee1a..e7020f4ba 100644
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -8,6 +8,8 @@ Changes in Shorewall 4.3.10
4) Fix handling of class IDs.
+5) Deprecate use of an interface in the SOURCE column of /etc/shorewall/masq.
+
Changes in Shorewall 4.3.9
1) Logging rules now create separate chain.
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index ff0b61e1f..d0a589fca 100644
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@@ -53,7 +53,11 @@ released late in 2009.
3) Support for the SAME target in /etc/shorewall/masq and
/etc/shorewall/rules has been removed, following the removal of the
- underlying support in the Linux kernel.
+ underlying support in the Linux kernel.
+
+4) Supplying an interface name in the SOURCE column of
+ /etc/shorewall/masq is now deprecated. Entering the name of an
+ interface there will result in a compile-time warning.
----------------------------------------------------------------------------
P R O B L E M S C O R R E C T E D I N 4 . 3 . 10
@@ -84,7 +88,7 @@ None.
N E W F E A T U R E S I N 4 . 3 . 10
----------------------------------------------------------------------------
-1. The change that implemented IPMARK support in 4.3.9 resulted in a
+1) The change that implemented IPMARK support in 4.3.9 resulted in a
lack of upward compatibility which could break some
configurations. The incompatibility stems from the way in which
Shorewall generates a TC class Id from a mark value.
@@ -112,7 +116,7 @@ None.
column) must be >= 65536 (0x10000) and must be a multiple of 65536
(0x1000, 0x20000, 0x30000, ...).
-2. In the 'shorewall compile' command, the filename '-' is now causes
+2) In the 'shorewall compile' command, the filename '-' is now causes
the compiled script to be written to Standard Out. As a side
effect, the effective VERBOSITY is set to -1 (silent).
@@ -125,6 +129,10 @@ None.
# current working directory
# and send the output to STDOUT
+3) Supplying an interface name in the SOURCE column of
+ /etc/shorewall/masq is now deprecated. Entering the name of an
+ interface there will result in a compile-time warning.
+
----------------------------------------------------------------------------
N E W F E A T U R E S IN 4 . 3
----------------------------------------------------------------------------
diff --git a/docs/three-interface.xml b/docs/three-interface.xml
index 6897d832d..64b307073 100644
--- a/docs/three-interface.xml
+++ b/docs/three-interface.xml
@@ -671,16 +671,15 @@ root@lists:~#
If your external firewall interface is eth0, your local interface eth1 and your DMZ interface is eth2 then you do not need to modify the file
+ class="devicefile">eth0 then you do not need to modify the file
provided with the sample. Otherwise, edit /etc/shorewall/masq and
change it to match your configuration.If, in spite of all advice to the contrary, you are using this guide
- and want to use one-to-one NAT or Proxy ARP for your DMZ, remove the entry
- for eth2 from /etc/shorewall/masq.
+ and want to use one-to-one NAT or Proxy ARP for your DMZ, you will need to
+ modify the SOURCE column to list just your local interface (10.10.10.0/24
+ in the above example).
diff --git a/docs/two-interface.xml b/docs/two-interface.xml
index 28f7b844a..eb41dbc94 100644
--- a/docs/two-interface.xml
+++ b/docs/two-interface.xml
@@ -632,8 +632,7 @@ root@lists:~#
provided with the sample. Otherwise, edit
/etc/shorewall/masq and
- change the first column to the name of your external interface and the
- second column to the name of your internal interface.
+ change the first column to the name of your external interface.