forked from extern/shorewall_code
Eliminate rawpost table support
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep
parent
7b96d41065
commit
c4bbb46e3f
@ -1007,13 +1007,6 @@ show_raw() {
|
||||
$g_tool -t raw -L $g_ipt_options | $output_filter
|
||||
}
|
||||
|
||||
show_rawpost() {
|
||||
echo "$g_product $SHOREWALL_VERSION RAWPOST Table at $g_hostname - $(date)"
|
||||
echo
|
||||
show_reset
|
||||
$g_tool -t rawpost -L $g_ipt_options | $output_filter
|
||||
}
|
||||
|
||||
show_mangle() {
|
||||
echo "$g_product $SHOREWALL_VERSION Mangle Table at $g_hostname - $(date)"
|
||||
echo
|
||||
@ -1264,7 +1257,7 @@ show_command() {
|
||||
[ $# -eq 1 ] && missing_option_value -t
|
||||
|
||||
case $2 in
|
||||
mangle|nat|filter|raw|rawpost)
|
||||
mangle|nat|filter|raw)
|
||||
table=$2
|
||||
table_given=Yes
|
||||
;;
|
||||
@ -1318,10 +1311,6 @@ show_command() {
|
||||
[ $# -gt 1 ] && too_many_arguments $2
|
||||
eval show_raw $g_pager
|
||||
;;
|
||||
rawpost)
|
||||
[ $# -gt 1 ] && too_many_arguments $2
|
||||
eval show_rawpost $g_pager
|
||||
;;
|
||||
tos|mangle)
|
||||
[ $# -gt 1 ] && too_many_arguments $2
|
||||
eval show_mangle $g_pager
|
||||
@ -1710,11 +1699,6 @@ do_dump_command() {
|
||||
$g_tool -t raw -L $g_ipt_options
|
||||
fi
|
||||
|
||||
if qt $g_tool -t rawpost -L -n; then
|
||||
heading "Rawpost Table"
|
||||
$g_tool -t rawpost -L $g_ipt_options
|
||||
fi
|
||||
|
||||
local count
|
||||
local max
|
||||
|
||||
@ -2765,7 +2749,6 @@ determine_capabilities() {
|
||||
CONNMARK_MATCH=
|
||||
XCONNMARK_MATCH=
|
||||
RAW_TABLE=
|
||||
RAWPOST_TABLE=
|
||||
IPP2P_MATCH=
|
||||
OLD_IPP2P_MATCH=
|
||||
LENGTH_MATCH=
|
||||
@ -3017,7 +3000,6 @@ determine_capabilities() {
|
||||
fi
|
||||
|
||||
qt $g_tool -t raw -L -n && RAW_TABLE=Yes
|
||||
qt $g_tool -t rawpost -L -n && RAWPOST_TABLE=Yes
|
||||
|
||||
if [ -n "$RAW_TABLE" ]; then
|
||||
qt $g_tool -t raw -F $chain
|
||||
@ -3243,7 +3225,6 @@ report_capabilities_unsorted() {
|
||||
report_capability "Connmark Match (CONNMARK_MATCH)" $CONNMARK_MATCH
|
||||
[ -n "$CONNMARK_MATCH" ] && report_capability "Extended Connmark Match (XCONNMARK_MATCH)" $XCONNMARK_MATCH
|
||||
report_capability "Raw Table (RAW_TABLE)" $RAW_TABLE
|
||||
report_capability "Rawpost Table (RAWPOST_TABLE)" $RAWPOST_TABLE
|
||||
report_capability "IPP2P Match (IPP2P_MATCH)" $IPP2P_MATCH
|
||||
[ -n "$OLD_IPP2P_MATCH" ] && report_capability "Old IPP2P Match Syntax (OLD_IPP2P_MATCH)" $OLD_IPP2P_MATCH
|
||||
report_capability "CLASSIFY Target (CLASSIFY_TARGET)" $CLASSIFY_TARGET
|
||||
@ -3372,7 +3353,6 @@ report_capabilities_unsorted1() {
|
||||
report_capability1 CONNMARK_MATCH
|
||||
report_capability1 XCONNMARK_MATCH
|
||||
report_capability1 RAW_TABLE
|
||||
report_capability1 RAWPOST_TABLE
|
||||
report_capability1 IPP2P_MATCH
|
||||
report_capability1 OLD_IPP2P_MATCH
|
||||
report_capability1 CLASSIFY_TARGET
|
||||
@ -4323,7 +4303,7 @@ usage() # $1 = exit status
|
||||
|
||||
echo " [ show | list | ls ] ipsec"
|
||||
echo " [ show | list | ls ] [ -m ] log [<regex>]"
|
||||
echo " [ show | list | ls ] [ -x ] mangle|nat|raw|rawpost"
|
||||
echo " [ show | list | ls ] [ -x ] mangle|nat|raw"
|
||||
ecko " [ show | list | ls ] macro <macro>"
|
||||
ecko " [ show | list | ls ] macros"
|
||||
echo " [ show | list | ls ] nfacct"
|
||||
|
||||
@ -665,7 +665,7 @@
|
||||
<arg><option>-l</option></arg>
|
||||
|
||||
<arg><option>-t</option>
|
||||
{<option>filter</option>|<option>mangle</option>|<option>nat</option>|<option>raw|rawpost</option>}</arg>
|
||||
{<option>filter</option>|<option>mangle</option>|<option>nat</option>|<option>raw</option>}</arg>
|
||||
|
||||
<arg><arg choice="plain"
|
||||
rep="repeat"><replaceable>chain</replaceable></arg></arg>
|
||||
@ -749,7 +749,7 @@
|
||||
|
||||
<arg><option>-x</option></arg>
|
||||
|
||||
<arg choice="req"><option>mangle|nat|raw|rawpost</option></arg>
|
||||
<arg choice="req"><option>mangle|nat|raw</option></arg>
|
||||
</cmdsynopsis>
|
||||
|
||||
<cmdsynopsis>
|
||||
@ -2395,7 +2395,7 @@
|
||||
<varlistentry>
|
||||
<term>[-<option>b</option>] [-<option>x</option>]
|
||||
[-<option>l</option>] [-<option>t</option>
|
||||
{<option>filter</option>|<option>mangle</option>|<option>nat</option>|<option>raw</option>|<option>rawpost</option>}]
|
||||
{<option>filter</option>|<option>mangle</option>|<option>nat</option>|<option>raw</option>}]
|
||||
[ <emphasis>chain</emphasis>... ]</term>
|
||||
|
||||
<listitem>
|
||||
|
||||
@ -120,7 +120,6 @@ our @EXPORT = ( qw(
|
||||
%chain_table
|
||||
%targets
|
||||
$raw_table
|
||||
$rawpost_table
|
||||
$nat_table
|
||||
$mangle_table
|
||||
$filter_table
|
||||
@ -197,7 +196,6 @@ our %EXPORT_TAGS = (
|
||||
ensure_mangle_chain
|
||||
ensure_nat_chain
|
||||
ensure_raw_chain
|
||||
ensure_rawpost_chain
|
||||
new_standard_chain
|
||||
new_action_chain
|
||||
new_builtin_chain
|
||||
@ -418,7 +416,6 @@ our $VERSION = 'MODULEVERSION';
|
||||
#
|
||||
our %chain_table;
|
||||
our $raw_table;
|
||||
our $rawpost_table;
|
||||
our $nat_table;
|
||||
our $mangle_table;
|
||||
our $filter_table;
|
||||
@ -759,13 +756,11 @@ sub initialize( $$$ ) {
|
||||
( $family, my $hard, $export ) = @_;
|
||||
|
||||
%chain_table = ( raw => {},
|
||||
rawpost => {},
|
||||
mangle => {},
|
||||
nat => {},
|
||||
filter => {} );
|
||||
|
||||
$raw_table = $chain_table{raw};
|
||||
$rawpost_table = $chain_table{rawpost};
|
||||
$nat_table = $chain_table{nat};
|
||||
$mangle_table = $chain_table{mangle};
|
||||
$filter_table = $chain_table{filter};
|
||||
@ -2764,14 +2759,6 @@ sub ensure_raw_chain($) {
|
||||
$chainref;
|
||||
}
|
||||
|
||||
sub ensure_rawpost_chain($) {
|
||||
my $chain = $_[0];
|
||||
|
||||
my $chainref = ensure_chain 'rawpost', $chain;
|
||||
$chainref->{referenced} = 1;
|
||||
$chainref;
|
||||
}
|
||||
|
||||
#
|
||||
# Add a builtin chain
|
||||
#
|
||||
@ -2970,8 +2957,6 @@ sub initialize_chain_table($) {
|
||||
new_builtin_chain( 'raw', $chain, 'ACCEPT' )->{insert} = 0;
|
||||
}
|
||||
|
||||
new_builtin_chain 'rawpost', 'POSTROUTING', 'ACCEPT';
|
||||
|
||||
for my $chain ( qw(INPUT OUTPUT FORWARD) ) {
|
||||
new_builtin_chain 'filter', $chain, 'DROP';
|
||||
}
|
||||
@ -3034,8 +3019,6 @@ sub initialize_chain_table($) {
|
||||
new_builtin_chain( 'raw', $chain, 'ACCEPT' )->{insert} = 0;
|
||||
}
|
||||
|
||||
new_builtin_chain 'rawpost', 'POSTROUTING', 'ACCEPT';
|
||||
|
||||
for my $chain ( qw(INPUT OUTPUT FORWARD) ) {
|
||||
new_builtin_chain 'filter', $chain, 'DROP';
|
||||
}
|
||||
@ -3339,7 +3322,7 @@ sub check_optimization( $ ) {
|
||||
# When an unreferenced chain is found, it is deleted unless its 'dont_delete' flag is set.
|
||||
#
|
||||
sub optimize_level0() {
|
||||
for my $table ( qw/raw rawpost mangle nat filter/ ) {
|
||||
for my $table ( qw/raw mangle nat filter/ ) {
|
||||
my $tableref = $chain_table{$table};
|
||||
next unless $tableref;
|
||||
|
||||
@ -4258,7 +4241,6 @@ sub valid_tables() {
|
||||
my @table_list;
|
||||
|
||||
push @table_list, 'raw' if have_capability( 'RAW_TABLE' );
|
||||
push @table_list, 'rawpost' if have_capability( 'RAWPOST_TABLE' );
|
||||
push @table_list, 'nat' if have_capability( 'NAT_ENABLED' );
|
||||
push @table_list, 'mangle' if have_capability( 'MANGLE_ENABLED' ) && $config{MANGLE_ENABLED};
|
||||
push @table_list, 'filter'; #MUST BE LAST!!!
|
||||
@ -8939,7 +8921,7 @@ sub create_chainlist_reload($) {
|
||||
for my $chain ( @chains ) {
|
||||
( $table , $chain ) = split ':', $chain if $chain =~ /:/;
|
||||
|
||||
fatal_error "Invalid table ( $table )" unless $table =~ /^(nat|mangle|filter|raw|rawpost)$/;
|
||||
fatal_error "Invalid table ( $table )" unless $table =~ /^(nat|mangle|filter|raw)$/;
|
||||
|
||||
$chains{$table} = {} unless $chains{$table};
|
||||
|
||||
@ -8968,7 +8950,7 @@ sub create_chainlist_reload($) {
|
||||
|
||||
enter_cat_mode;
|
||||
|
||||
for $table ( qw(raw rawpost nat mangle filter) ) {
|
||||
for $table ( qw(raw nat mangle filter) ) {
|
||||
my $tableref=$chains{$table};
|
||||
|
||||
next unless $tableref;
|
||||
|
||||
@ -389,7 +389,6 @@ our %capdesc = ( NAT_ENABLED => 'NAT',
|
||||
HEADER_MATCH => 'Header Match',
|
||||
ACCOUNT_TARGET => 'ACCOUNT Target',
|
||||
AUDIT_TARGET => 'AUDIT Target',
|
||||
RAWPOST_TABLE => 'Rawpost Table',
|
||||
CONDITION_MATCH => 'Condition Match',
|
||||
IPTABLES_S => 'iptables -S',
|
||||
BASIC_FILTER => 'Basic Filter',
|
||||
@ -980,7 +979,6 @@ sub initialize( $;$$) {
|
||||
CONNMARK_MATCH => undef,
|
||||
XCONNMARK_MATCH => undef,
|
||||
RAW_TABLE => undef,
|
||||
RAWPOST_TABLE => undef,
|
||||
IPP2P_MATCH => undef,
|
||||
OLD_IPP2P_MATCH => undef,
|
||||
CLASSIFY_TARGET => undef,
|
||||
@ -4516,10 +4514,6 @@ sub Raw_Table() {
|
||||
qt1( "$iptables $iptablesw -t raw -L -n" );
|
||||
}
|
||||
|
||||
sub Rawpost_Table() {
|
||||
qt1( "$iptables $iptablesw -t rawpost -L -n" );
|
||||
}
|
||||
|
||||
sub Old_IPSet_Match() {
|
||||
my $ipset = $config{IPSET} || 'ipset';
|
||||
my $result = 0;
|
||||
@ -4926,7 +4920,6 @@ our %detect_capability =
|
||||
POLICY_MATCH => \&Policy_Match,
|
||||
PPTP_HELPER => \&PPTP_Helper,
|
||||
RAW_TABLE => \&Raw_Table,
|
||||
RAWPOST_TABLE => \&Rawpost_Table,
|
||||
REALM_MATCH => \&Realm_Match,
|
||||
REAP_OPTION => \&Reap_Option,
|
||||
RECENT_MATCH => \&Recent_Match,
|
||||
@ -5054,7 +5047,6 @@ sub determine_capabilities() {
|
||||
$capabilities{TPROXY_TARGET} = detect_capability( 'TPROXY_TARGET' );
|
||||
$capabilities{MANGLE_FORWARD} = detect_capability( 'MANGLE_FORWARD' );
|
||||
$capabilities{RAW_TABLE} = detect_capability( 'RAW_TABLE' );
|
||||
$capabilities{RAWPOST_TABLE} = detect_capability( 'RAWPOST_TABLE' );
|
||||
$capabilities{IPSET_MATCH} = detect_capability( 'IPSET_MATCH' );
|
||||
$capabilities{USEPKTTYPE} = detect_capability( 'USEPKTTYPE' );
|
||||
$capabilities{ADDRTYPE} = detect_capability( 'ADDRTYPE' );
|
||||
|
||||
@ -1679,12 +1679,6 @@ sub add_interface_jumps {
|
||||
addnatjump $globals{POSTROUTING} , output_chain( $interface ) , imatch_dest_dev( $interface );
|
||||
addnatjump $globals{POSTROUTING} , masq_chain( $interface ) , imatch_dest_dev( $interface );
|
||||
|
||||
if ( have_capability 'RAWPOST_TABLE' ) {
|
||||
insert_ijump ( $rawpost_table->{POSTROUTING}, j => postrouting_chain( $interface ), 0, imatch_dest_dev( $interface) ) if $rawpost_table->{postrouting_chain $interface};
|
||||
insert_ijump ( $raw_table->{PREROUTING}, j => prerouting_chain( $interface ), 0, imatch_source_dev( $interface) ) if $raw_table->{prerouting_chain $interface};
|
||||
insert_ijump ( $raw_table->{OUTPUT}, j => output_chain( $interface ), 0, imatch_dest_dev( $interface) ) if $raw_table->{output_chain $interface};
|
||||
}
|
||||
|
||||
add_ijump( $mangle_table->{PREROUTING}, j => 'rpfilter' , imatch_source_dev( $interface ) ) if interface_has_option( $interface, 'rpfilter', $dummy );
|
||||
}
|
||||
#
|
||||
|
||||
@ -790,88 +790,39 @@ sub setup_netmap() {
|
||||
|
||||
my @rule = do_iproto( $proto, $dport, $sport );
|
||||
|
||||
unless ( $type =~ /:/ ) {
|
||||
my @rulein;
|
||||
my @ruleout;
|
||||
my @rulein;
|
||||
my @ruleout;
|
||||
|
||||
$net1 = validate_net $net1, 0;
|
||||
$net2 = validate_net $net2, 0;
|
||||
$net1 = validate_net $net1, 0;
|
||||
$net2 = validate_net $net2, 0;
|
||||
|
||||
if ( $interfaceref->{root} ) {
|
||||
$interface = $interfaceref->{name} if $interface eq $interfaceref->{physical};
|
||||
} else {
|
||||
@rulein = imatch_source_dev( $interface );
|
||||
@ruleout = imatch_dest_dev( $interface );
|
||||
$interface = $interfaceref->{name};
|
||||
}
|
||||
if ( $interfaceref->{root} ) {
|
||||
$interface = $interfaceref->{name} if $interface eq $interfaceref->{physical};
|
||||
} else {
|
||||
@rulein = imatch_source_dev( $interface );
|
||||
@ruleout = imatch_dest_dev( $interface );
|
||||
$interface = $interfaceref->{name};
|
||||
}
|
||||
|
||||
require_capability 'NAT_ENABLED', 'Stateful NAT Entries', '';
|
||||
require_capability 'NAT_ENABLED', 'Stateful NAT Entries', '';
|
||||
|
||||
if ( $type eq 'DNAT' ) {
|
||||
dest_iexclusion( ensure_chain( 'nat' , input_chain $interface ) ,
|
||||
j => 'NETMAP' ,
|
||||
"--to $net2",
|
||||
$net1 ,
|
||||
@rulein ,
|
||||
imatch_source_net( $net3 ) );
|
||||
} elsif ( $type eq 'SNAT' ) {
|
||||
source_iexclusion( ensure_chain( 'nat' , output_chain $interface ) ,
|
||||
j => 'NETMAP' ,
|
||||
"--to $net2" ,
|
||||
$net1 ,
|
||||
@ruleout ,
|
||||
imatch_dest_net( $net3 ) );
|
||||
} else {
|
||||
fatal_error "Invalid type ($type)";
|
||||
}
|
||||
} elsif ( $type =~ /^(DNAT|SNAT):([POT])$/ ) {
|
||||
my ( $target , $chain ) = ( $1, $2 );
|
||||
my $table = 'raw';
|
||||
my @match;
|
||||
|
||||
require_capability 'RAWPOST_TABLE', 'Stateless NAT Entries', '';
|
||||
|
||||
$net2 = validate_net $net2, 0;
|
||||
|
||||
unless ( $interfaceref->{root} ) {
|
||||
@match = imatch_dest_dev( $interface );
|
||||
$interface = $interfaceref->{name};
|
||||
}
|
||||
|
||||
if ( $chain eq 'P' ) {
|
||||
$chain = prerouting_chain $interface;
|
||||
@match = imatch_source_dev( $iface ) unless $iface eq $interface;
|
||||
} elsif ( $chain eq 'O' ) {
|
||||
$chain = output_chain $interface;
|
||||
} else {
|
||||
$chain = postrouting_chain $interface;
|
||||
$table = 'rawpost';
|
||||
}
|
||||
|
||||
my $chainref = ensure_chain( $table, $chain );
|
||||
|
||||
|
||||
if ( $target eq 'DNAT' ) {
|
||||
dest_iexclusion( $chainref ,
|
||||
j => 'RAWDNAT' ,
|
||||
"--to-dest $net2" ,
|
||||
$net1 ,
|
||||
imatch_source_net( $net3 ) ,
|
||||
@rule ,
|
||||
@match
|
||||
);
|
||||
} else {
|
||||
source_iexclusion( $chainref ,
|
||||
j => 'RAWSNAT' ,
|
||||
"--to-source $net2" ,
|
||||
$net1 ,
|
||||
imatch_dest_net( $net3 ) ,
|
||||
@rule ,
|
||||
@match );
|
||||
}
|
||||
if ( $type eq 'DNAT' ) {
|
||||
dest_iexclusion( ensure_chain( 'nat' , input_chain $interface ) ,
|
||||
j => 'NETMAP' ,
|
||||
"--to $net2",
|
||||
$net1 ,
|
||||
@rulein ,
|
||||
imatch_source_net( $net3 ) );
|
||||
} elsif ( $type eq 'SNAT' ) {
|
||||
source_iexclusion( ensure_chain( 'nat' , output_chain $interface ) ,
|
||||
j => 'NETMAP' ,
|
||||
"--to $net2" ,
|
||||
$net1 ,
|
||||
@ruleout ,
|
||||
imatch_dest_net( $net3 ) );
|
||||
} else {
|
||||
fatal_error 'TYPE must be specified' if $type eq '-';
|
||||
fatal_error "Invalid TYPE ($type)";
|
||||
fatal_error "Invalid type ($type)";
|
||||
}
|
||||
|
||||
progress_message " Network $net1 on $iface mapped to $net2 ($type)";
|
||||
|
||||
@ -526,13 +526,6 @@ debug_restore_input() {
|
||||
qt1 $g_tool -t raw -P $chain ACCEPT
|
||||
done
|
||||
|
||||
qt1 $g_tool -t rawpost -F
|
||||
qt1 $g_tool -t rawpost -X
|
||||
|
||||
for chain in POSTROUTING; do
|
||||
qt1 $g_tool -t rawpost -P $chain ACCEPT
|
||||
done
|
||||
|
||||
qt1 $g_tool -t nat -F
|
||||
qt1 $g_tool -t nat -X
|
||||
|
||||
@ -582,9 +575,6 @@ debug_restore_input() {
|
||||
'*'raw)
|
||||
table=raw
|
||||
;;
|
||||
'*'rawpost)
|
||||
table=rawpost
|
||||
;;
|
||||
'*'mangle)
|
||||
table=mangle
|
||||
;;
|
||||
|
||||
@ -41,38 +41,18 @@
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">TYPE</emphasis> - <emphasis
|
||||
role="bold">{DNAT</emphasis>|<emphasis
|
||||
role="bold">SNAT}[:{P|O|T}</emphasis>]</term>
|
||||
role="bold">SNAT}</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Must be DNAT or SNAT; beginning with Shorewall 4.4.23, may be
|
||||
optionally followed by :P, :O or :T to perform <firstterm>stateless
|
||||
NAT</firstterm>. Stateless NAT requires <firstterm>Rawpost Table
|
||||
support</firstterm> in your kernel and iptables (see the output of
|
||||
<command>shorewall show capabilities</command>).</para>
|
||||
<para>Must be DNAT or SNAT</para>
|
||||
|
||||
<para>If DNAT or DNAT:P, traffic entering INTERFACE and addressed to
|
||||
NET1 has its destination address rewritten to the corresponding
|
||||
address in NET2.</para>
|
||||
<para>If DNAT, traffic entering INTERFACE and addressed to NET1 has
|
||||
its destination address rewritten to the corresponding address in
|
||||
NET2.</para>
|
||||
|
||||
<para>If SNAT or SNAT:T, traffic leaving INTERFACE with a source
|
||||
address in NET1 has it's source address rewritten to the
|
||||
corresponding address in NET2.</para>
|
||||
|
||||
<para>If DNAT:O, traffic originating on the firewall and leaving via
|
||||
INTERFACE and addressed to NET1 has its destination address
|
||||
rewritten to the corresponding address in NET2.</para>
|
||||
|
||||
<para>If DNAT:P, traffic entering via INTERFACE and addressed to
|
||||
NET1 has its destination address rewritten to the corresponding
|
||||
address in NET2.</para>
|
||||
|
||||
<para>If SNAT:P, traffic entering via INTERFACE with a destination
|
||||
address in NET1 has it's source address rewritten to the
|
||||
corresponding address in NET2.</para>
|
||||
|
||||
<para>If SNAT:O, traffic originating on the firewall and leaving via
|
||||
INTERFACE with a source address in NET1 has it's source address
|
||||
rewritten to the corresponding address in NET2.</para>
|
||||
<para>If SNAT, traffic leaving INTERFACE with a source address in
|
||||
NET1 has it's source address rewritten to the corresponding address
|
||||
in NET2.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
||||
@ -29,8 +29,8 @@
|
||||
addresses in a second network. It was added in Shorewall6 4.4.23.3.</para>
|
||||
|
||||
<warning>
|
||||
<para>To use this file, your kernel and ip6tables must have RAWPOST
|
||||
table support included.</para>
|
||||
<para>To use this file, your kernel and ip6tables must have NETMAP
|
||||
support included.</para>
|
||||
</warning>
|
||||
|
||||
<para>The columns in the file are as follows (where the column name is
|
||||
@ -41,7 +41,7 @@
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">TYPE</emphasis> - <emphasis
|
||||
role="bold">{DNAT</emphasis>|<emphasis
|
||||
role="bold">SNAT}:{P|O|T}</emphasis></term>
|
||||
role="bold">SNAT}</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Must be DNAT or SNAT followed by :P, :O or :T to perform
|
||||
@ -50,29 +50,13 @@
|
||||
iptables (see the output of <command>shorewall6 show
|
||||
capabilities</command>).</para>
|
||||
|
||||
<para>If DNAT:P, traffic entering INTERFACE and addressed to NET1
|
||||
has its destination address rewritten to the corresponding address
|
||||
in NET2.</para>
|
||||
<para>If DNAT, traffic entering INTERFACE and addressed to NET1 has
|
||||
its destination address rewritten to the corresponding address in
|
||||
NET2.</para>
|
||||
|
||||
<para>If SNAT:T, traffic leaving INTERFACE with a source address in
|
||||
<para>If SNAT, traffic leaving INTERFACE with a source address in
|
||||
NET1 has it's source address rewritten to the corresponding address
|
||||
in NET2.</para>
|
||||
|
||||
<para>If DNAT:O, traffic originating on the firewall and leaving via
|
||||
INTERFACE and addressed to NET1 has its destination address
|
||||
rewritten to the corresponding address in NET2.</para>
|
||||
|
||||
<para>If DNAT:P, traffic entering via INTERFACE and addressed to
|
||||
NET1 has its destination address rewritten to the corresponding
|
||||
address in NET2.</para>
|
||||
|
||||
<para>If SNAT:P, traffic entering via INTERFACE with a destination
|
||||
address in NET1 has it's source address rewritten to the
|
||||
corresponding address in NET2.</para>
|
||||
|
||||
<para>If SNAT:O, traffic originating on the firewall and leaving via
|
||||
INTERFACE with a source address in NET1 has it's source address
|
||||
rewritten to the corresponding address in NET2.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user