On 09/05/2017 10:16 AM, Thomas Deutschmann wrote:
> Hi,
> 
> from
> 
>> # man shorewall-snat
> 
>>   [...]
>>   IPv4 Example 5:
>>      Connections leaving on eth0 and destined to any host defined in the ipset myset should have the source IP
>>      address changed to 206.124.146.177.
> 
>>                  #ACTION                 SOURCE          DEST
>>                  SNAT(206.124.146.177)   -               eth0+myset[dst]

That is a typo -- it should read:

   #ACTION                 SOURCE          DEST
   SNAT(206.124.146.177)   -               eth0:+myset[dst]

> 
> 
> However, if you have
> 
>> # cat /etc/shorewall/snat
>> #ACTION                  SOURCE       DEST
>> SNAT(206.124.146.177)    0.0.0.0/0    eth0+ipv4_forced_sip[dst]
> 
> you will get 
> 
>> Compiling /etc/shorewall/snat...
>>    ERROR: Unknown interface (eth0+ipv4_forced_sip[dst]) /etc/shorewall/snat (line 2)
> 
> on "shorewall safe-restart".
> 
> When you set
> 
>> SNAT(206.124.146.177)    0.0.0.0/0    eth0:+ipv4_forced_sip[dst]
>                                            ^^^
>                                             |
> 
> like you do it in the "rules" file, the firewall ruleset will compile.
> However, the ipset isn't used:
> 
>> # shorewall show -t nat
>> [...]
>> Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
>>  pkts bytes target     prot opt in     out     source               destination
>>     1    40 SNAT       all  --  *      eth0    0.0.0.0/0            0.0.0.0/0            to:206.124.146.177
> 
> 
> Tested with shorewall-5.1.6.1.
> 

Patch attached.

-Tom
-- 
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
                      \_______________________________________________
diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index 379be8923..6242d4408 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -5286,7 +5286,7 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 	    $interfaces = $1;
 	} elsif ( $dest =~ /^([^:]+):([^:]*)$/ ) {
 	    my ( $one, $two ) = ( $1, $2 );
-	    if ( $2 =~ /\./ || $2 =~ /^%/ ) {
+	    if ( $2 =~ /\./ || $2 =~ /^[+%]/ ) {
 		$interfaces = $one;
 		$destnets = $two;
 	    } else {
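
Review bot: The changed condition still tests $2 in both matches even though the captures were copied into $one and $two on the line above; it works only because a failed /\./ match leaves the capture variables untouched before /^[+%]/ is evaluated. Testing $two =~ /\./ || $two =~ /^[+%]/ would remove that dependency. The visible diff touches only Rules.pm, so the eth0+myset[dst] example in the shorewall-snat manpage that the reply calls a typo should be corrected to eth0:+myset[dst] alongside it.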

Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
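
The failure reported above is silent: the ruleset compiles, but the SNAT rule is installed without the ipset match and so applies to all traffic leaving eth0. The following is an added example, not part of the original thread or of Shorewall; it checks iptables-save style output for SNAT rules to a given address that lack the expected set match. The function name and the sample rule lines are constructed for illustration.

```shell
# Added example: reads `iptables-save -t nat` style rules on stdin and prints
# every SNAT rule to address $1 that does not carry "--match-set $2".
# Exit status is 0 when every such rule references the set, 1 otherwise.
snat_rules_missing_set() {
    awk -v addr="$1" -v set="$2" '
        /^-A / && / -j SNAT / {
            hit = 0; uses = 0
            for (i = 1; i < NF; i++) {
                # Rule translates to the address under review.
                if ($i == "--to-source" && $(i + 1) == addr) hit = 1
                # Rule is restricted by the expected ipset.
                if ($i == "--match-set" && $(i + 1) == set) uses = 1
            }
            if (hit && !uses) { print; bad = 1 }
        }
        END { exit bad + 0 }
    '
}

# Constructed sample: the rule shape shown in the report (no set match).
sample_broken() {
    printf '%s\n' '*nat' ':POSTROUTING ACCEPT [0:0]' \
        '-A POSTROUTING -o eth0 -j SNAT --to-source 206.124.146.177' \
        'COMMIT'
}

# Constructed sample: the same rule restricted to the ipset.
sample_fixed() {
    printf '%s\n' '*nat' ':POSTROUTING ACCEPT [0:0]' \
        '-A POSTROUTING -o eth0 -m set --match-set ipv4_forced_sip dst -j SNAT --to-source 206.124.146.177' \
        'COMMIT'
}

# On a live firewall (as root):
#   iptables-save -t nat | snat_rules_missing_set 206.124.146.177 ipv4_forced_sip
```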
