On 02/27/2013 07:30 AM, Tom Eastep wrote:
> On 02/27/2013 04:43 AM, Steven Jan Springl wrote:
>
>> Kernel 3.8 has config. option CONFIG_IP6_NF_TARGET_MASQUERADE
>>
>> Shorewall6 snat entry:
>>
>> eth0 2001:2::/56 :random
>>
>> Produces ip6tables rule:
>>
>> -A eth0_masq -s 2001:2::/56 -j MASQUERADE --random
>>
>> Which ip6tables-restore accepts.
>>
>> I am using ip6tables 1.4.17.
>>
>> Note, kernel 3.7 also has the above config. option, but I haven't tried it.
>
> This is a fine kettle of fish; my 3.7.4 Fedora 18 Kernel does not enable
> that option.
>
> Attached are three patches which:
>
> - Correct the 'NONAT:random' error you reported in an earlier post.
> - Rename /etc/shorewall6/snat to /etc/shorewall6/masq
> - Add a MASQUERADE Target capability and bump the current CAPSVERSION
> - Requires MASQUERADE Target support for MASQUERADE rules
>

Here's another one that requires MASQUERADE target support when a rule
such as the following is present:

p3p1:[2001:470:b:227::0]/64 ::/0 :random

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

diff --git a/Shorewall/Perl/Shorewall/Nat.pm b/Shorewall/Perl/Shorewall/Nat.pm
index 8f5538d..05c4cfb 100644
--- a/Shorewall/Perl/Shorewall/Nat.pm
+++ b/Shorewall/Perl/Shorewall/Nat.pm
@@ -172,7 +172,7 @@ sub process_one_masq1( $$$$$$$$$$ )
#
if ( $addresses ne '-' ) {
if ( $addresses eq 'random' ) {
- require_capability 'MASQUERADE_TGT', 'Masquerade rules', '';
+ require_capability( 'MASQUERADE_TGT', 'Masquerade rules', '') if $family == F_IPV6;
$randomize = '--random ';
} else {
$addresses =~ s/:persistent$// and $persistent = ' --persistent ';
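Review bot: In the 'random' branch the capability check now runs only when $family == F_IPV6, where the removed line applied it to both address families. If IPv4 MASQUERADE support is assumed to be always present, a one-line comment saying so would make that intent explicit; otherwise an IPv4 configuration without the target is no longer caught at this point. Minor style point: this call is written with `'')` while the other two added calls in the patch use `'' )`.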
@@ -198,7 +198,7 @@ sub process_one_masq1( $$$$$$$$$$ )
fatal_error "'random' may not be specified with 'NONAT'" if $randomize;
$target = 'RETURN';
$add_snat_aliases = 0;
- } else {
+ } elsif ( $addresses ) {
my $addrlist = '';
my @addrs = split_list $addresses, 'address';
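Review bot: The new condition `elsif ( $addresses )` relies on Perl truthiness, so the string '0' is treated the same as an empty value and would fall through to the `else` added in the next hunk. If the intent is "an address list remains to be processed", an explicit test such as `elsif ( $addresses ne '' )` states that directly and makes it clear which inputs reach the fallback branch.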
@@ -307,13 +307,15 @@ sub process_one_masq1( $$$$$$$$$$ )
}
$target .= $addrlist;
+ } else {
+ require_capability( 'MASQUERADE_TGT', 'Masquerade rules', '' ) if $family == F_IPV6;
}
}
$target .= $randomize;
$target .= $persistent;
} else {
- require_capability 'MASQUERADE_TGT', 'Masquerade rules', '';
+ require_capability( 'MASQUERADE_TGT', 'Masquerade rules', '' ) if $family == F_IPV6;
$add_snat_aliases = 0;
}
#
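Review bot: The `else` branch added after `$target .= $addrlist;` has no comment saying which rule form reaches it; a short note (for example, that it covers a rule whose ADDRESS column leaves no address list) would help the next reader, since the branch exists only to run the capability check. The statement `require_capability( 'MASQUERADE_TGT', 'Masquerade rules', '' ) if $family == F_IPV6;` also appears twice in this hunk and once more in the first hunk, so a small helper would keep the family test and the message text in one place.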
_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
