Hi all,
I needed to have a kind of MAC support for rule servers, as I do DNAT to hosts that are served by a DHCP server.
So I did the following:
When the Shorewall script finds a MAC address as a server, it tries to get its IP through the ARP table and then "resolves" the ARP address to the IP address of the client.
Of course the main limitation of this is that you'll have to restart Shorewall each time your client's IP changes.
The other limitation is that it only works if the ARP entry is in your ARP table when you launch Shorewall (we could perhaps add a RARP query if it is not in the ARP table).
Anyway, it works great for me as my firewall is also my DHCP server.
Then, such a rule may have a kind of support:
DNAT net loc:~00-50-04-FC-83-5B tcp 4662 -
Here is the diff of the implementation with the latest version (1-3-10) of the Shorewall script (/usr/lib/shorewall/firewall):
diff shorewall-1.3.10/firewall /usr/lib/shorewall/firewall
584a585,595
> # Translate a arp address to IP using ARP
table #
> # Makes a Warning if the ARP is not in ARP table
> # Example:
~01-02-03-04-05-06 #
> mac_to_ip() # $1 = MAC address formated as in mac_match
> {
> macaddr=`echo $1 | sed ''s/~//;s/-/:/g''`
> echo `arp -a | grep $macaddr |sed
''s/.*(\([0-9]*.[0-9]*.[0-9]*.[0-9]*\)).*/\1/''`
> }
>
>
>
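Review bot: the lookup in mac_to_ip is fragile in ways that can make it silently pick the wrong host or no host at all: `grep $macaddr` is unquoted, unanchored and case-sensitive, and Linux `arp -a` prints MAC addresses in lowercase hex, so an address written in the rule as `~00-50-04-FC-83-5B` will not match its own ARP entry unless `grep -i` is used; the sed pattern `[0-9]*.[0-9]*.[0-9]*.[0-9]*` uses unescaped `.` (any character) where a literal dot (`\.`) is meant; and if more than one ARP line matches, the backtick echo collapses every extracted address onto one line, which then becomes the DNAT target. Suggest `grep -i "$macaddr"`, escaping the dots, and either taking the first match (`head -1`) or returning empty when the match count is not exactly one so the caller's warning path fires. Also `macaddr` leaks into the global shell scope (use `local`), and the header comment should read "Translate a MAC address to IP" rather than "a arp address".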
1843a1855,1863
> ~*)
> serv=`mac_to_ip $server`
> if [ -z "$serv" ]; then
> error_message " Warning -- Failed to resole MAC
$server"
> echo " -> INGORING Rule : $rule"
> break 1
> fi
> echo " Translating MAC address : $server into $serv"
> ;;
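Review bot: the resolved value `$serv` is used as the DNAT destination without any check that it is actually a dotted-quad IPv4 address, so any unexpected text returned by mac_to_ip (for example several addresses joined by spaces) would be passed straight into the generated rule; a simple sanity check on `$serv` before the "Translating MAC address" line, treating anything else like the empty case, would make the failure loud instead of producing a wrong rule. Since ARP entries are unauthenticated, the translation is only as trustworthy as the ARP table at startup, which is worth stating in the warning or the rule documentation. Also confirm that `break 1` skips only this rule rather than leaving the enclosing loop (depending on the surrounding loop, `continue` may be what is intended), and fix the message typos "resole" (resolve) and "INGORING" (IGNORING).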
Many thanks, Tom, for your wonderful job.
Sincerely,
Romain Bourgue