Hi,

from

> # man shorewall-snat
> 
>   [...]
>   IPv4 Example 5:
>      Connections leaving on eth0 and destined to any host defined in the ipset myset should have the source IP
>      address changed to 206.124.146.177.
>   
>                  #ACTION                 SOURCE          DEST
>                  SNAT(206.124.146.177)   -               eth0+myset[dst]


However, if you have

> # cat /etc/shorewall/snat
> #ACTION                  SOURCE       DEST
> SNAT(206.124.146.177)    0.0.0.0/0    eth0+ipv4_forced_sip[dst]

you will get 

> Compiling /etc/shorewall/snat...
>    ERROR: Unknown interface (eth0+ipv4_forced_sip[dst]) /etc/shorewall/snat (line 2)

on "shorewall safe-restart".

When you set

> SNAT(206.124.146.177)    0.0.0.0/0    eth0:+ipv4_forced_sip[dst]
                                           ^^^
                                            |

like you do in the "rules" file, the firewall ruleset will compile.
However, the ipset isn't used:

> # shorewall show -t nat
> [...]
> Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     1    40 SNAT       all  --  *      eth0    0.0.0.0/0            0.0.0.0/0            to:206.124.146.177


Tested with shorewall-5.1.6.1.

IPSET exists:

> # ipset list -n | grep ipv4_for
> ipv4_forced_sip


-- 
Regards,
Thomas
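
A check for the condition reported above, added here as an example and not part of the original message or of Shorewall: it parses a `shorewall show -t nat` style listing and reports SNAT rules that lack the expected set match. The sample listing is constructed, and the `match-set NAME dst` rendering of an ipset match is assumed from the usual iptables listing format.

```python
import re

# Constructed sample in the layout printed by `shorewall show -t nat`
# (iptables -L -n -v). The first SNAT rule mirrors the one in the report;
# the second is a constructed rule showing how a set match is assumed to
# be listed when the ipset is actually used.
SAMPLE = """\
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    1    40 SNAT       all  --  *      eth0    0.0.0.0/0            0.0.0.0/0            to:206.124.146.177
    0     0 SNAT       all  --  *      eth1    0.0.0.0/0            0.0.0.0/0            match-set ipv4_forced_sip dst to:206.124.146.177
"""

CHAIN_RE = re.compile(r"^Chain (\S+) ")


def snat_rules(listing):
    """Yield one dict per SNAT rule found in a verbose iptables listing."""
    chain = None
    for line in listing.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            chain = m.group(1)
            continue
        f = line.split()
        # Columns: pkts bytes target prot opt in out source destination [options...]
        if len(f) < 9 or not f[0][0].isdigit() or f[2] != "SNAT":
            continue
        opts = f[9:]
        # Collect every (set name, flags) pair that follows a match-set token.
        sets = [(opts[i + 1], opts[i + 2]) for i, tok in enumerate(opts[:-2])
                if tok == "match-set"]
        to = next((t[3:] for t in opts if t.startswith("to:")), None)
        yield {"chain": chain, "out": f[6], "source": f[7],
               "destination": f[8], "sets": sets, "to": to}


def rules_missing_set(listing, set_name, flags="dst"):
    """Return SNAT rules that do not match on the expected ipset."""
    return [r for r in snat_rules(listing) if (set_name, flags) not in r["sets"]]


if __name__ == "__main__":
    for r in rules_missing_set(SAMPLE, "ipv4_forced_sip"):
        print(f"{r['chain']}: SNAT to {r['to']} on {r['out']} applies to "
              f"{r['destination']} without match-set ipv4_forced_sip")
```

Run against the live listing after each restart, a non-empty result means the rule compiled but rewrites the source of all traffic leaving that interface rather than only traffic to the set's members.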