From 17a7a0492d35bf4afc7a9a4304ab5d9008285983 Mon Sep 17 00:00:00 2001
From: teastep <teastep@fbd18981-670d-0410-9b5c-8dc0c1a9a2bb>
Date: Sat, 5 Jul 2003 17:41:28 +0000
Subject: [PATCH] Take care of some ipcalc anomalies

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@634 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Shorewall/firewall         | 6 ------
 Shorewall/functions        | 9 ++++++++-
 Shorewall/releasenotes.txt | 7 +++++++
 Shorewall/shorewall        | 1 +
 4 files changed, 16 insertions(+), 7 deletions(-)

diff --git a/Shorewall/firewall b/Shorewall/firewall
index 0a8c6d25b..4ba763b21 100755
--- a/Shorewall/firewall
+++ b/Shorewall/firewall
@@ -2892,12 +2892,6 @@ rules_chain() # $1 = source zone, $2 = destination zone
     fatal_error "No appropriate chain for zone $1 to zone $2"
 }
 
-#
-#  Note: The following set of IP address manipulation functions have anomalous
-#        behavior when the shell only supports 32-bit signed arithmatic and
-#        the IP address is 128.0.0.0 or 128.0.0.1.
-#
-
 #
 #  echo the list of subnets routed out of a given interface
 #
diff --git a/Shorewall/functions b/Shorewall/functions
index a1f1ae7f0..306d7eef6 100755
--- a/Shorewall/functions
+++ b/Shorewall/functions
@@ -220,6 +220,11 @@ strip_file() # $1 = Base Name of the file, $2 = Full Name of File (optional)
     fi
 }
 
+#
+#  Note: The following set of IP address manipulation functions have anomalous
+#        behavior when the shell only supports 32-bit signed arithmatic and
+#        the IP address is 128.0.0.0 or 128.0.0.1.
+#
 #
 # So that emacs doesn't get lost, we use $LEFTSHIFT rather than <<
 #
@@ -294,7 +299,9 @@ ip_range() {
 # Netmask from CIDR
 #
 ip_netmask() {
-    echo $(( -1 $LEFTSHIFT $(( 32 - ${1#*/} )) ))
+    local vlsm=${1#*/}
+
+    [ $vlsm -eq 0 ] && echo 0 || echo $(( -1 $LEFTSHIFT $(( 32 - $vlsm )) ))
 }
 
 #
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index 40d34aef9..0f198d9fd 100755
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@@ -103,3 +103,10 @@ New Features:
          NETWORK=192.168.1.0
          BROADCAST=192.168.1.255
       [root@wookie root]#
+
+   Warning:
+
+      If your shell only supports 32-bit signed arithmatic (ash or
+      dash), then the ipcalc command produces incorrect information for
+      IP addresses 128.0.0.0-1 and for /1 networks. Bash should produce
+      correct information for all valid IP addresses.
diff --git a/Shorewall/shorewall b/Shorewall/shorewall
index 399f77352..d990b3e7b 100755
--- a/Shorewall/shorewall
+++ b/Shorewall/shorewall
@@ -887,6 +887,7 @@ case "$1" in
 	
 	[ -z "$vlsm" ] && exit 2
 	[ "x$address" = "x$vlsm" ] && usage 2
+	[ $vlsm -gt 32 ] && echo "Invalid VLSM: /$vlsm" >&2 && exit 2
 
 	address=$address/$vlsm