On 09/05/2017 10:16 AM, Thomas Deutschmann wrote:
> Hi,
>
> from
>
>> # man shorewall-snat
>
>> [...]
>> IPv4 Example 5:
>> Connections leaving on eth0 and destined to any host defined in the
>> ipset myset should have the source IP
>> address changed to 206.124.146.177.
>
>> #ACTION SOURCE DEST
>> SNAT(206.124.146.177) - eth0+myset[dst]

That is a typo -- it should read:

#ACTION SOURCE DEST
SNAT(206.124.146.177) - eth0:+myset[dst]

>
>
> However, if you have
>
>> # cat /etc/shorewall/snat
>> #ACTION SOURCE DEST
>> SNAT(206.124.146.177) 0.0.0.0/0 eth0+ipv4_forced_sip[dst]
>
> you will get
>
>> Compiling /etc/shorewall/snat...
>> ERROR: Unknown interface (eth0+ipv4_forced_sip[dst]) /etc/shorewall/snat
>> (line 2)
>
> on "shorewall safe-restart".
>
> When you set
>
>> SNAT(206.124.146.177) 0.0.0.0/0 eth0:+ipv4_forced_sip[dst]
>                                     ^^^
>                                      |
>
> like you do it in the "rules" file, the firewall ruleset will compile.
> However, the ipset isn't used:
>
>> # shorewall show -t nat
>> [...]
>> Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
>> pkts bytes target prot opt in out source
>> destination
>> 1 40 SNAT all -- * eth0 0.0.0.0/0
>> 0.0.0.0/0 to:206.124.146.177
>
>
> Tested with shorewall-5.1.6.1.
>

Patch attached.

-Tom
--
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \  A: Someone who makes you an offer you can't
http://shorewall.org \    understand
                      \_______________________________________________

diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm index 379be8923..6242d4408 100644 --- a/Shorewall/Perl/Shorewall/Rules.pm +++ b/Shorewall/Perl/Shorewall/Rules.pm @@ -5286,7 +5286,7 @@ sub process_snat1( $$$$$$$$$$$$ ) { $interfaces = $1; } elsif ( $dest =~ /^([^:]+):([^:]*)$/ ) { my ( $one, $two ) = ( $1, $2 ); - if ( $2 =~ /\./ || $2 =~ /^%/ ) { + if ( $2 =~ /\./ || $2 =~ /^[+%]/ ) { $interfaces = $one; $destnets = $two; } else {
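
Review bot: the changed condition in process_snat1 still tests `$2` even though the line just above it has copied the captures into `$one` and `$two`; it should test `$two` instead, as in `if ( $two =~ /\./ || $two =~ /^[+%]/ ) {`. As written, the second test only sees the intended value because the first match failed and left `$2` untouched, which is easy to break if the condition is later reordered or extended. Separately, the patch touches only Rules.pm, so the `eth0+myset[dst]` typo in IPv4 Example 5 of the shorewall-snat manpage, acknowledged in the reply above, still needs its own fix to `eth0:+myset[dst]`.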
_______________________________________________ Shorewall-users mailing list Shorewall-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/shorewall-users