From d7235590dabfb2da2311c7a77b1cceaec695d424 Mon Sep 17 00:00:00 2001 From: teastep Date: Wed, 12 Apr 2006 20:29:13 +0000 Subject: [PATCH] Fix DETECT_DNAT_IPADDRS=No bug; more config file comment improvements git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3786 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall/changelog.txt | 2 ++ Shorewall/compiler | 4 +++- Shorewall/interfaces | 11 +++++------ Shorewall/providers | 16 +++++++++------- Shorewall/releasenotes.txt | 2 ++ 5 files changed, 21 insertions(+), 14 deletions(-) diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt index 696ca5ad7..3de1da0cb 100644 --- a/Shorewall/changelog.txt +++ b/Shorewall/changelog.txt @@ -5,6 +5,8 @@ Changes in 3.2.0 Beta 5 2) Remove traffic shaping code from the 'firewall' script to avoid unmaintainable code duplication. +3) Fix DETECT_DNAT_IPADDRS=No bug. + Changes in 3.2.0 Beta 4 1) Fix 'routeback' with bridge ports. diff --git a/Shorewall/compiler b/Shorewall/compiler index 29e4869e7..e4ddd4163 100755 --- a/Shorewall/compiler +++ b/Shorewall/compiler @@ -5035,13 +5035,15 @@ add_nat_rule() { if [ $(list_count1 $interfaces) -eq 1 ]; then save_command "addr=\$(find_first_interface_address $interface)" else - savecomment "addr=" + save_command "addr=" for interface in $interfaces; do ident >&3 << __EOF__ addr="\$addr \$(find_first_interface_address $interface)" __EOF__ done fi + else + addr= fi ;; !*) diff --git a/Shorewall/interfaces b/Shorewall/interfaces index d2af7a43f..3a5fc9e13 100644 --- a/Shorewall/interfaces +++ b/Shorewall/interfaces @@ -21,7 +21,7 @@ # # Example: # -# loc eth1 - +# loc eth1 - # loc eth2 - # # INTERFACE Name of interface. Each interface may be listed only 
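Review bot: In the add_nat_rule hunk of Shorewall/compiler, the single-interface branch emits `find_first_interface_address $interface`, but within the hunk that variable is only assigned by the `for interface in $interfaces` loop in the other branch. Unless it is set earlier in the function (which starts and ends outside the hunk), the generated script would look up an empty or stale interface name and the DNAT rule would be built on the wrong address; `save_command "addr=\$(find_first_interface_address $interfaces)"` looks like what was intended. The heredoc is also piped through `ident`, which reads like a typo for an indentation helper; if no shell function of that name is defined elsewhere in the file, it resolves to whatever `ident` is on the PATH at compile time. The new `else` branch sets `addr=` in the compiler's own shell, whereas the detect branch writes `addr=` into the generated script. A comment there such as `# DETECT_DNAT_IPADDRS=No: leave addr empty so no original-destination match is added` would make the intent explicit, with the wording to be confirmed against the rule-building code that follows.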
@@ -42,11 +42,10 @@ # addresses on multiple subnets then list the broadcast # addresses as a comma-separated list. # -# If you use the special value "detect", the firewall -# will detect the broadcast address for you. If you +# If you use the special value "detect", Shorewall +# will detect the broadcast address(es) for you. If you # select this option, the interface must be up before -# the firewall is started, you must have iproute -# installed. +# the firewall is started. # # If you don't want to give a value for this column but # you want to enter a value in the OPTIONS column, enter @@ -72,7 +71,7 @@ # any packets whose source is in one # of the ranges reserved by RFC 1918 # (i.e., private or "non-routable" -# addresses. If packet mangling or +# addresses). If packet mangling or # connection-tracking match is enabled in # your kernel, packets whose destination # addresses are reserved by RFC 1918 are diff --git a/Shorewall/providers b/Shorewall/providers index d5d340e4a..72e2594f4 100644 --- a/Shorewall/providers +++ b/Shorewall/providers @@ -41,11 +41,11 @@ # # OPTIONS A comma-separated list selected from the following: # -# track If specified, connections FROM this interface are -# to be tracked so that responses may be routed back +# track If specified, inbound connections on this interface +# are to be tracked so that responses may be routed back # out this same interface. # -# You want specify 'track' if internet hosts will be +# You want to specify 'track' if internet hosts will be # connecting to local servers through this provider. # # balance The providers that have 'balance' specified will 
@@ -56,10 +56,12 @@ # where is the weight of the route out of # this interface. # -# loose Normally, Shorewall adds routing rules to prohibit -# firewall marks from working with traffic generated -# on the firewall itself. By setting the 'loose' -# option, generation of these rules is avoided. +# loose Shorewall normally adds a routing rule for each +# IP address on an interface which forces traffic +# whose source is that IP address to be sent using +# the routing table for that interface. Setting +# 'loose' prevents creation of such rules on this +# interface. # # COPY A comma-separated lists of other interfaces on your # firewall. Only makes sense when DUPLICATE is 'main'. diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index 5fa5b0e00..b660c649a 100644 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt @@ -38,6 +38,8 @@ Problems Corrected in 3.2.0 Beta 5 after a shell error message indicating that the stripped interfaces file in /tmp/shorewall-NNNN/ couldn't be opened. +2) With DETECT_DNAT_IPADDRS=No in shorewall.conf, DNAT rules didn't work. + Other changes in 3.2.0 Beta 5 1) The "shorewall refresh" command no longer refreshes traffic shaping.