On Tue, 2011-08-16 at 21:12 +0100, Steven Jan Springl wrote: > On a system that does not have Rawpost Table support, the attached config. > produces the following messages: > > iptables: No chain/target/match by that name. > > ERROR: Command "/usr/local/sbin/iptables -A eth0_out -s 88.88.88.2 -d > 192.168.2.0/24 -j RAWDNAT --to-dest 10.2.0.0/16" Failed
Steven, I had originally implemented Stateless NAT using a separate file. When I decided to use a single file, I neglected to check the Rawpost capability and to remove the function that processed the other file. The attached patch corrects both oversights. Thanks, -Tom -- Tom Eastep \ When I die, I want to go like my Grandfather who Shoreline, \ died peacefully in his sleep. Not screaming like Washington, USA \ all of the passengers in his car http://shorewall.net \________________________________________________
diff --git a/Shorewall/Perl/Shorewall/Nat.pm b/Shorewall/Perl/Shorewall/Nat.pm
index f361de3..98eab18 100644
--- a/Shorewall/Perl/Shorewall/Nat.pm
+++ b/Shorewall/Perl/Shorewall/Nat.pm
@@ -442,6 +442,8 @@ sub setup_netmap() {
my $table = 'raw';
my @match = ();
+ require_capability 'RAWPOST_TABLE', 'Stateless NAT Entries', '';
+
unless ( $interfaceref->{root} ) {
@match = imatch_dest_dev( $interface );
$interface = $interfaceref->{name};
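Review bot: The added `require_capability 'RAWPOST_TABLE', 'Stateless NAT Entries', '';` runs unconditionally right after `my $table = 'raw';`, so every stateless NAT entry now demands Rawpost Table support, including any that would only touch the raw table. In the removed setup_rawnat only the `T` (postrouting) case switched to `rawpost`, and the failing command in the report is a `-j RAWDNAT` rule, so the capability is presumably standing in for RAWDNAT/RAWSNAT target availability. If that is the intent, say so at the call site, e.g. `# RAWDNAT/RAWSNAT are only expected where Rawpost Table support exists, so require it for every stateless entry`; otherwise move the check to the branch that selects `rawpost`. setup_netmap's body starts and ends outside this hunk, so the table selection itself is not visible here.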
@@ -485,83 +487,6 @@ sub setup_netmap() {
}
-#
-# Setup Raw NAT
-#
-sub setup_rawnat() {
-
- if ( my $fn = open_file 'rawnat' ) {
-
- first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'RAWPOST_TABLE' , 'a non-empty rawnat file' , 's'; } );
-
- while ( read_a_line ) {
-
- my ( $type, $net1, $interfacelist, $net2, $net3 ) = split_line 4, 5, 'rawnat file';
-
- validate_net $net1, 0;
- validate_net $net2, 0;
-
- $net3 = ALLIP if $net3 eq '-';
-
- for my $interface ( split_list $interfacelist, 'interface' ) {
-
- my @rulein;
- my @ruleout;
- my $iface = $interface;
-
- fatal_error "Unknown interface ($interface)" unless my $interfaceref = known_interface( $interface );
-
- unless ( $interfaceref->{root} ) {
- @rulein = imatch_source_dev( $interface );
- @ruleout = imatch_dest_dev( $interface );
- $interface = $interfaceref->{name};
- }
-
- if ( $type =~ /^(DNAT|SNAT):([POT])$/ ) {
- my ( $target , $chain ) = ( $1, $2 );
- my $table = 'raw';
- my $match = 'o';
-
- if ( $chain eq 'P' ) {
- $chain = prerouting_chain $interface;
- $match = 'i';
- } elsif ( $chain eq 'O' ) {
- $chain = output_chain $interface;
- } else {
- $chain = postrouting_chain $interface;
- $table = 'rawpost';
- }
-
- if ( $target eq 'DNAT' ) {
- add_ijump( ensure_chain( $table, $chain ) ,
- j => 'RAWDNAT',
- targetopts => "--to-dest $net2",
- imatch_source_net( $net3 ) ,
- imatch_dest_net( $net1 ) ,
- $match => $interface,
- $interfaceref->{root} ? () : @rulein );
- } else {
- add_ijump( ensure_chain( $table, $chain ) ,
- j => 'RAWSNAT',
- targetopts => "--to-source $net2",
- imatch_dest_net( $net3 ) ,
- imatch_source_net( $net1 ) ,
- $match => $interface,
- $interfaceref->{root} ? () : @ruleout );
- }
- } else {
- fatal_error "Invalid type ($type)";
- }
-
- progress_message " $net1 on $iface mapped to $net2 ($type)";
- }
- }
-
- clear_comment;
- }
-
-}
-
sub add_addresses () {
if ( @addresses_to_add ) {
my @addrs = @addresses_to_add;
