diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index 12764636b..38b8f4dd9 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -284,7 +284,6 @@ our %builtin_target = ( ACCEPT => 1,
RETURN => 1,
COUNT => 1,
DNAT => 1,
- SAME => 1,
LOG => 1,
NFLOG => 1,
QUEUE => 1,
@@ -1084,8 +1083,6 @@ sub initialize_chain_table()
'QUEUE!' => STANDARD,
'NFQUEUE' => STANDARD + NFQ,
'NFQUEUE!' => STANDARD + NFQ,
- 'SAME' => NATRULE,
- 'SAME-' => NATRULE + NATONLY,
'dropBcast' => BUILTIN + ACTION,
'allowBcast' => BUILTIN + ACTION,
'dropNotSyn' => BUILTIN + ACTION,
diff --git a/Shorewall/Perl/Shorewall/Nat.pm b/Shorewall/Perl/Shorewall/Nat.pm
index c36808926..8e2fd1ce4 100644
--- a/Shorewall/Perl/Shorewall/Nat.pm
+++ b/Shorewall/Perl/Shorewall/Nat.pm
@@ -219,21 +219,7 @@ sub setup_one_masq($$$$$$$)
} else {
$addresses =~ s/:random$// and $randomize = '--random ';
- if ( $addresses =~ /^SAME:nodst:/ ) {
- fatal_error "':random' is not supported by the SAME target" if $randomize;
- $target = '-j SAME --nodst ';
- $addresses =~ s/.*://;
- for my $addr ( split_list $addresses, 'address' ) {
- $target .= "--to $addr ";
- }
- } elsif ( $addresses =~ /^SAME:/ ) {
- fatal_error "':random' is not supported by the SAME target" if $randomize;
- $target = '-j SAME ';
- $addresses =~ s/.*://;
- for my $addr ( split_list $addresses, 'address' ) {
- $target .= "--to $addr ";
- }
- } elsif ( $addresses eq 'detect' ) {
+ if ( $addresses eq 'detect' ) {
my $variable = get_interface_address $interface;
$target = "-j SNAT --to-source $variable";
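Review bot: With the two `SAME:` branches gone, an ADDRESS column that still begins with `SAME:` or `SAME:nodst:` no longer hits any recognising test and falls through the remaining `if`/`elsif` chain, which presumably treats the whole string as a literal address list for the SNAT target; an unconverted legacy masq entry would then surface as an obscure iptables load error or be silently mis-parsed rather than failing at compile time with a clear message. I'd reject the old syntax explicitly, just before the `detect` test, e.g. `fatal_error "The SAME target is no longer supported" if $addresses =~ /^SAME:/;`, which keeps the compile-time diagnostic the removed branches used to give for `:random`. Note that setup_one_masq starts before this hunk and the branches after `detect` continue past it, so the fall-through behaviour is inferred, not visible here.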
diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index a4406298e..01c16b4c9 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -1275,16 +1275,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
$server = join ',', @servers;
}
- if ( $action eq 'SAME' ) {
- fatal_error 'Port mapping not allowed in SAME rules' if $serverport;
- fatal_error 'SAME not allowed with SOURCE=$FW' if $sourcezone eq firewall_zone;
- fatal_error "':random' is not supported by the SAME target" if $randomize;
- warning_message 'Netfilter support for SAME is being dropped in early 2008';
- $target = '-j SAME ';
- for my $serv ( split /,/, $server ) {
- $target .= "--to $serv ";
- }
- } elsif ( $action eq 'DNAT' ) {
+ if ( $action eq 'DNAT' ) {
$target = '-j DNAT ';
$serverport = ":$serverport" if $serverport;
for my $serv ( split /,/, $server ) {
diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index 3db0692e0..28931a89d 100644
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -14,6 +14,8 @@ Changes in Shorewall 4.3.8
7) Add AUTOMAKE option
+8) Remove SAME support.
+
Changes in Shorewall 4.3.7
1) Fix forward treatment of interface options.
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index 293f3e34e..34b82ae94 100644
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@@ -35,6 +35,10 @@ released late in 2009.
uses the new syntax exclusively, although the old syntax
continues to be supported.
+3) Support for the SAME target in /etc/shorewall/masq and
+ /etc/shorewall/rules has been removed, following the removal of the
+ underlying support in the Linux kernel.
+
----------------------------------------------------------------------------
P R O B L E M S C O R R E C T E D I N 4 . 3 . 8
----------------------------------------------------------------------------
diff --git a/manpages/shorewall-masq.xml b/manpages/shorewall-masq.xml
index e97fac3d8..e7882bc04 100644
--- a/manpages/shorewall-masq.xml
+++ b/manpages/shorewall-masq.xml
@@ -147,9 +147,7 @@
ADDRESS (Optional) - [-|NONAT|[SAME:[nodst:]][address-or-address-range[,address-or-address-range]...][:lowportNONAT|[address-or-address-range[,address-or-address-range]...][:lowport-highport][:random]|detect| 192.0.2.4:5000-6000
:4000-5000
- You can invoke the SAME target rather than the SNAT target by
- prefixing the column contents with .
-
- SAME works like SNAT with the exception that the same local IP
- address is assigned to each connection from a local address to a
- given remote address.
-
- If the option is included, then the
- same source address is used for a given internal system regardless
- of which remote system is involved.
- Support for the SAME target is scheduled for removal from
- the Linux kernel in 2008.
-
-
If you simply place NONAT in
this column, no rewriting of the source IP address or port number
will be performed. This is useful if you want particular traffic to
diff --git a/manpages/shorewall-rules.xml b/manpages/shorewall-rules.xml
index af80d29c9..55097358e 100644
--- a/manpages/shorewall-rules.xml
+++ b/manpages/shorewall-rules.xml
@@ -138,8 +138,6 @@
role="bold">REJECT[]|DNAT[-]|SAME[-]|REDIRECT[-]|CONTINUE[]|
-
- SAME
-
-
- Similar to DNAT except
- that the port may not be remapped and when multiple server
- addresses are listed, all requests from a given remote system
- go to the same server.
- Support for SAME is scheduled for removal from the
- Linux kernel in 2008.
-
-
-
-
-
- SAME-
-
-
- Advanced users only.
-
- Like SAME but only generates the nat iptables rule and
- not the companion ACCEPT
- rule.
-
-
-
REDIRECT
@@ -449,9 +421,9 @@
REJECT:info or DNAT:debug). This causes the packet to be
logged at the specified level. Note that if the ACTION involves destination network
- address translation (DNAT, REDIRECT, SAME, etc.) then the
- packet is logged before the
- destination address is rewritten.
+ address translation (DNAT, REDIRECT, etc.) then the packet is
+ logged before the destination
+ address is rewritten.
If the ACTION names an
action declared in