From 0a87d4db6a3c9525b61b66c44c93ac5a78bd1c37 Mon Sep 17 00:00:00 2001
From: teastep
Date: Mon, 13 Sep 2004 22:16:15 +0000
Subject: [PATCH] Allow bang range; relax OpenVPN source port restriction

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1621 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Shorewall2/changelog.txt | 2 ++
 Shorewall2/firewall | 22 ++++++++++++++++++----
 Shorewall2/releasenotes.txt | 4 +++-
 3 files changed, 23 insertions(+), 5 deletions(-)

diff --git a/Shorewall2/changelog.txt b/Shorewall2/changelog.txt
index b08840c2f..9912e4936 100644
--- a/Shorewall2/changelog.txt
+++ b/Shorewall2/changelog.txt
@@ -79,3 +79,5 @@ Changes since 2.0.3
 37) Fixed proxy arp flag setting for complex configurations.
 
 38) Added RETAIN_ALIASES option.
+
+39) Relax OpenVPN source port restrictions.
diff --git a/Shorewall2/firewall b/Shorewall2/firewall
index e69498247..628a192a6 100755
--- a/Shorewall2/firewall
+++ b/Shorewall2/firewall
@@ -527,7 +527,14 @@ source_ip_range() # $1 = Address or Address Range
 {
 case $1 in
 *.*.*.*-*.*.*.*)
- iprange_echo "--src-range $1"
+ case $1 in
+ !*)
+ iprange_echo "! --src-range ${1#!}"
+ ;;
+ *)
+ iprange_echo "--src-range $1"
+ ;;
+ esac
 ;;
 *)
 echo "-s $1"
@@ -542,7 +549,14 @@ dest_ip_range() # $1 = Address or Address Range
 {
 case $1 in
 *.*.*.*-*.*.*.*)
- iprange_echo "--dst-range $1"
+ case $1 in
+ !*)
+ iprange_echo "! --dst-range ${1#!}"
+ ;;
+ *)
+ iprange_echo "--dst-range $1"
+ ;;
+ esac
 ;;
 *)
 echo "-d $1"
@@ -1608,8 +1622,8 @@ setup_tunnels() # $1 = name of tunnels file
 ;;
 esac
 
- addrule $inchain -p udp $(source_ip_range $1) --sport $p --dport $p -j ACCEPT
- addrule $outchain -p udp $(dest_ip_range $1) --sport $p --dport $p -j ACCEPT
+ addrule $inchain -p udp $(source_ip_range $1) --dport $p -j ACCEPT
+ addrule $outchain -p udp $(dest_ip_range $1) --dport $p -j ACCEPT
 
 progress_message " OPENVPN tunnel to $1:$p defined."
 }
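Review bot: The bang is only honoured in the range arm of source_ip_range; a negated single address (constructed example: `!10.0.0.1`) still falls through to the `*)` arm and is echoed as `-s !10.0.0.1` with the bang attached, which only works if the caller has already stripped it or the iptables in use accepts that form — neither is visible from here. If the caller is responsible, a comment on the `*)` arm such as `# negation of a single address is handled by the caller` would make the asymmetry deliberate; otherwise the same `!*)` split belongs there too. dest_ip_range in the next hunk has exactly the same shape, and since the two functions now differ only in `--src-range`/`-s` versus `--dst-range`/`-d`, the nested case could be folded into one helper taking the option names to avoid maintaining the bang handling twice.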
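Review bot: The two addrule lines now match only `--dport $p`, so the inbound rule accepts UDP from any source port on the peer address(es); that is the stated intent, but nothing in the hunk records why, and a one-line comment above the pair such as `# match only the destination port: OpenVPN peers are not required to send from port $p` would keep the next reader from restoring `--sport`. setup_tunnels begins outside the hunk, so whether `$p` has been validated as a single numeric port before it is interpolated unquoted into the rule is not visible from here. The `$(source_ip_range $1)` expansion must stay unquoted so a negated range yields the separate `!` and `--src-range` words; worth a note if nearby code quotes similar expansions.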
diff --git a/Shorewall2/releasenotes.txt b/Shorewall2/releasenotes.txt
index 4e85ea208..b0ae50b11 100755
--- a/Shorewall2/releasenotes.txt
+++ b/Shorewall2/releasenotes.txt
@@ -406,7 +406,9 @@ New Features:
 changed.
 
 8) To improve interoperability, tunnels of type 'ipsec' no longer
- enforce the use of source port 500 for ISAKMP.
+ enforce the use of source port 500 for ISAKMP and OpenVPN
+ tunnels no longer enforce use of the specified port as both the
+ source and destination ports.
 
 9) A new 'allowBcast' builtin action has been added -- it silently
 allows broadcasts and multicasts.