On 04/28/2011 07:07 AM, Tom Eastep wrote:
>
> I stand humbly corrected and I'll see what I can do about restoring that
> functionality in Shorewall 4.4.19.
>

Here is a patch that restores the functionality. It applies (with
possible offset) back at least as far as 4.4.11.6.

As with the Shorewall 3.x implementation, the destination port is opened
from the SOURCE zone to the specified server when an ipset name appears
in the ORIGINAL DEST column of a DNAT rule. So for example:

    DNAT net loc:1.2.3.4 tcp 80 - +foo

will also implicitly add this rule:

    ACCEPT net loc:1.2.3.4 tcp 80

You have been warned.

-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index d5c7461..3ec70e3 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -2013,6 +2013,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ ) {
$loglevel = '';
$dest = $server;
$action = 'ACCEPT';
+ $origdest = ALLIP if $origdest =~ /[+]/;
}
} elsif ( $actiontype & NONAT ) {
#
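
Review bot: The pattern /[+]/ on the added line matches a '+' anywhere in $origdest, not only a leading ipset name, so any ORIGINAL DEST value that contains a '+' has its whole value replaced by ALLIP for the ACCEPT rule; if only ipset names are meant, tighten the match or say in a comment why any '+' is sufficient. The line also has no comment explaining that the ACCEPT rule is deliberately left unrestricted by the original destination, which is the behaviour the message warns about; a one-line comment above `$origdest = ALLIP if $origdest =~ /[+]/;` would keep a later reader from taking it for a bug.
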
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
