diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index 12764636b..38b8f4dd9 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -284,7 +284,6 @@ our %builtin_target = ( ACCEPT => 1,
RETURN => 1,
COUNT => 1,
DNAT => 1,
- SAME => 1,
LOG => 1,
NFLOG => 1,
QUEUE => 1,
@@ -1084,8 +1083,6 @@ sub initialize_chain_table()
'QUEUE!' => STANDARD,
'NFQUEUE' => STANDARD + NFQ,
'NFQUEUE!' => STANDARD + NFQ,
- 'SAME' => NATRULE,
- 'SAME-' => NATRULE + NATONLY,
'dropBcast' => BUILTIN + ACTION,
'allowBcast' => BUILTIN + ACTION,
'dropNotSyn' => BUILTIN + ACTION,
diff --git a/Shorewall/Perl/Shorewall/Nat.pm b/Shorewall/Perl/Shorewall/Nat.pm
index c36808926..8e2fd1ce4 100644
--- a/Shorewall/Perl/Shorewall/Nat.pm
+++ b/Shorewall/Perl/Shorewall/Nat.pm
@@ -219,21 +219,7 @@ sub setup_one_masq($$$$$$$)
} else {
$addresses =~ s/:random$// and $randomize = '--random ';
- if ( $addresses =~ /^SAME:nodst:/ ) {
- fatal_error "':random' is not supported by the SAME target" if $randomize;
- $target = '-j SAME --nodst ';
- $addresses =~ s/.*://;
- for my $addr ( split_list $addresses, 'address' ) {
- $target .= "--to $addr ";
- }
- } elsif ( $addresses =~ /^SAME:/ ) {
- fatal_error "':random' is not supported by the SAME target" if $randomize;
- $target = '-j SAME ';
- $addresses =~ s/.*://;
- for my $addr ( split_list $addresses, 'address' ) {
- $target .= "--to $addr ";
- }
- } elsif ( $addresses eq 'detect' ) {
+ if ( $addresses eq 'detect' ) {
my $variable = get_interface_address $interface;
$target = "-j SNAT --to-source $variable";
diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index a4406298e..01c16b4c9 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -1275,16 +1275,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
$server = join ',', @servers;
}
- if ( $action eq 'SAME' ) {
- fatal_error 'Port mapping not allowed in SAME rules' if $serverport;
- fatal_error 'SAME not allowed with SOURCE=$FW' if $sourcezone eq firewall_zone;
- fatal_error "':random' is not supported by the SAME target" if $randomize;
- warning_message 'Netfilter support for SAME is being dropped in early 2008';
- $target = '-j SAME ';
- for my $serv ( split /,/, $server ) {
- $target .= "--to $serv ";
- }
- } elsif ( $action eq 'DNAT' ) {
+ if ( $action eq 'DNAT' ) {
$target = '-j DNAT ';
$serverport = ":$serverport" if $serverport;
for my $serv ( split /,/, $server ) {
diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index 3db0692e0..28931a89d 100644
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -14,6 +14,8 @@ Changes in Shorewall 4.3.8
7) Add AUTOMAKE option
+8) Remove SAME support.
+
Changes in Shorewall 4.3.7
1) Fix forward treatment of interface options.
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index 293f3e34e..34b82ae94 100644
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@@ -35,6 +35,10 @@ released late in 2009.
uses the new syntax exclusively, although the old syntax
continues to be supported.
+3) Support for the SAME target in /etc/shorewall/masq and
+ /etc/shorewall/rules has been removed, following the removal of the
+ underlying support in the Linux kernel.
+
----------------------------------------------------------------------------
P R O B L E M S C O R R E C T E D I N 4 . 3 . 8
----------------------------------------------------------------------------
diff --git a/manpages/shorewall-masq.xml b/manpages/shorewall-masq.xml
index e97fac3d8..e7882bc04 100644
--- a/manpages/shorewall-masq.xml
+++ b/manpages/shorewall-masq.xml
@@ -147,9 +147,7 @@
<varlistentry>
<term><emphasis role="bold">ADDRESS</emphasis> (Optional) - [<emphasis
role="bold">-</emphasis>|<emphasis
- role="bold">NONAT</emphasis>|[<emphasis
- role="bold">SAME:</emphasis>[<emphasis
- role="bold">nodst:</emphasis>]][<emphasis>address-or-address-range</emphasis>[,<emphasis>address-or-address-range</emphasis>]...][:<emphasis>lowport</emphasis><emphasis
+ role="bold">NONAT</emphasis>|[<emphasis>address-or-address-range</emphasis>[,<emphasis>address-or-address-range</emphasis>]...][:<emphasis>lowport</emphasis><emphasis
role="bold">-</emphasis><emphasis>highport</emphasis>][<emphasis
role="bold">:random</emphasis>]|<emphasis
role="bold">detect</emphasis>|<emphasis
@@ -197,20 +195,6 @@
<programlisting> 192.0.2.4:5000-6000
:4000-5000</programlisting>
- <para>You can invoke the SAME target rather than the SNAT target by
- prefixing the column contents with <option>SAME:</option>.</para>
-
- <para>SAME works like SNAT with the exception that the same local IP
- address is assigned to each connection from a local address to a
- given remote address.</para>
-
- <para>If the <option>nodst:</option> option is included, then the
- same source address is used for a given internal system regardless
- of which remote system is involved.<warning>
- <para>Support for the SAME target is scheduled for removal from
- the Linux kernel in 2008.</para>
- </warning></para>
-
<para>If you simply place <emphasis role="bold">NONAT</emphasis> in
this column, no rewriting of the source IP address or port number
will be performed. This is useful if you want particular traffic to
diff --git a/manpages/shorewall-rules.xml b/manpages/shorewall-rules.xml
index af80d29c9..55097358e 100644
--- a/manpages/shorewall-rules.xml
+++ b/manpages/shorewall-rules.xml
@@ -138,8 +138,6 @@
role="bold">REJECT</emphasis>[<option>!</option>]|<emphasis
role="bold">DNAT</emphasis>[<emphasis
role="bold">-</emphasis>]|<emphasis
- role="bold">SAME</emphasis>[<emphasis
- role="bold">-</emphasis>]|<emphasis
role="bold">REDIRECT</emphasis>[<emphasis
role="bold">-</emphasis>]|<emphasis
role="bold">CONTINUE</emphasis>[<option>!</option>]|<emphasis
@@ -262,32 +260,6 @@
</listitem>
</varlistentry>
- <varlistentry>
- <term><emphasis role="bold">SAME</emphasis></term>
-
- <listitem>
- <para>Similar to <emphasis role="bold">DNAT</emphasis> except
- that the port may not be remapped and when multiple server
- addresses are listed, all requests from a given remote system
- go to the same server.<warning>
- <para>Support for SAME is scheduled for removal from the
- Linux kernel in 2008.</para>
- </warning></para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term><emphasis role="bold">SAME-</emphasis></term>
-
- <listitem>
- <para>Advanced users only.</para>
-
- <para>Like SAME but only generates the nat iptables rule and
- not the companion <emphasis role="bold">ACCEPT</emphasis>
- rule.</para>
- </listitem>
- </varlistentry>
-
<varlistentry>
<term><emphasis role="bold">REDIRECT</emphasis></term>
@@ -449,9 +421,9 @@
REJECT:info or DNAT:debug). This causes the packet to be
logged at the specified level. Note that if the <emphasis
role="bold">ACTION</emphasis> involves destination network
- address translation (DNAT, REDIRECT, SAME, etc.) then the
- packet is logged <emphasis role="bold">before</emphasis> the
- destination address is rewritten.</para>
+ address translation (DNAT, REDIRECT, etc.) then the packet is
+ logged <emphasis role="bold">before</emphasis> the destination
+ address is rewritten.</para>
<para>If the <emphasis role="bold">ACTION</emphasis> names an
<emphasis>action</emphasis> declared in <ulink