Fix 'check' but in setup_masq

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3346 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2024-12-22 06:10:42 +01:00 · 2006-01-22 02:35:15 +00:00 · 2006-01-22 02:35:15 +00:00 · 3cef6a2a9b
commit 3cef6a2a9b
parent 91f64387e5
5 changed files with 68 additions and 33 deletions
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@ -20,3 +20,5 @@ Changes in 3.1.x.
 9) Merge Fabio Longerai's 'length' patch.

 10) Add the "-p" option to the compile command.
+
+11) Fix 'check' bug in setup_masq
--- a/Shorewall/firewall
+++ b/Shorewall/firewall
@ -2823,8 +2823,25 @@ setup_mac_lists() {
    #
    # Process the maclist file producing the verification rules
    #
-    while read interface mac addresses; do
-	expandv interface mac addresses
+    while read disposition interface mac addresses; do
+	expandv disposition interface mac addresses
+
+	case $disposition in
+	    ACCEPT)
+		disposition=RETURN
+		;;
+	    REJECT)
+		[ $MACLIST_TABLE = mangle ] && fatal_error "DISPOSITION = REJECT is incompatible with MACLIST_TABLE=mangle"
+		;;
+	    DROP)
+		;;
+	    *)
+		addresses="$mac"
+		mac="$interface"
+		interface="$disposition"
+		disposition=RETURN
+		;;
+	esac

 	physdev_part=

@ -2843,13 +2860,21 @@ setup_mac_lists() {
 	    fatal_error "No hosts on $interface have the maclist option specified"
 	fi

-	macpart=$(mac_match $mac)
+	if [ x${mac:=-} = x- ]; then
+	    if [ -z "$addresses" ]; then
+		fatal_error "You must specify a MAC address or an IP address"
+	    else
+		mac=
+	    fi
+	else
+	    macpart=$(mac_match $mac)
+	fi

 	if [ -z "$addresses" ]; then
-	    run_iptables -t $MACLIST_TABLE -A $chain $macpart $physdev_part -j RETURN
+	    run_iptables -t $MACLIST_TABLE -A $chain $macpart $physdev_part -j $disposition
 	else
 	    for address in $(separate_list $addresses) ; do
-		run_iptables2 -t $MACLIST_TABLE -A $chain $macpart -s $address $physdev_part -j RETURN
+		run_iptables2 -t $MACLIST_TABLE -A $chain $macpart -s $address $physdev_part -j $disposition
 	    done
 	fi
    done < $TMP_DIR/maclist
@ -7371,7 +7396,7 @@ setup_masq()

 	[ -z "$pre_nat" ] && chain=$(masq_chain $interface) || chain=$(snat_chain $interface)

-	ensurenatchain $chain
+	[ $COMMAND = compile ] && ensurenatchain $chain

 	case $destnets in
 	    !*)
--- a/Shorewall/maclist
+++ b/Shorewall/maclist
@ -10,13 +10,18 @@
 #
 # Columns are:
 #
+#	DISPOSITION	ACCEPT or DROP (if MACLIST_TABLE=filter, then REJECT
+#			is also allowed)
+#
 #	INTERFACE	Network interface to a host. If the interface
 #			names a bridge, it may be optionally followed by
 #			a colon (":") and a physical port name (e.g.,
 #			br0:eth4).
 #
 #	MAC		MAC address of the host -- you do not need to use
-#			the Shorewall format for MAC addresses here
+#			the Shorewall format for MAC addresses here. If IP
+#			ADDRESSES is supplied then MAC can be supplied as
+#			a dash ("-")
 #
 #	IP ADDRESSES	Optional -- if specified, both the MAC and IP address
 #			must match. This column can contain a comma-separated
@ -27,5 +32,5 @@
 # For additional information, see http://shorewall.net/MAC_Validation.html
 #
 ###############################################################################
-#INTERFACE		MAC			IP ADDRESSES (Optional)
+#DISPOSITION	INTERFACE		MAC			IP ADDRESSES (Optional)
 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@ -1,4 +1,4 @@
-Shorewall 3.1.3
+Shorewall 3.1.4

 Note to users upgrading from Shorewall 2.x or 3.0

@ -26,23 +26,10 @@ Note to users upgrading from Shorewall 2.x or 3.0
   Please see the "Migration Considerations" below for additional upgrade
   information.

-New Features in 3.1.3
+Problems Corrected in 3.1.4

-1)  A LENGTH column has been added to the /etc/shorewall/tcrules file to allow
-    packet marking by packet length. Patch courtesy of Fabio Longerai.
-
-2)  When a compiled script encounters an error, the firewall is now put in the
-    "stopped" state without the need for running "/sbin/shorewall stop".
-
-3)  The -p option to the 'compile command now generates a complete firewall
-    program that can be placed in /etc/init.d (on SuSE) and installed using
-    "insserv". If the system where you install the program does not have
-    Shorewall installed, you will need to generate the program with the "-e"
-    option.
-
-    In 3.1.4, I hope to have support for other distributions included.
-
-4)  A Whois macro has been added (courtesy of Paul Gear).
+1) "shorewall check" generates an error if there are entries in
+   /etc/shorewall/massq.

 Migration Considerations:

--- a/Shorewall/shorewall
+++ b/Shorewall/shorewall
@ -488,7 +488,9 @@ save_config() {

    [ "$nolock" ] || mutex_off
 }
-
+#
+# Start Command Executor
+#
 start_command() {
    local finished=0

@ -588,7 +590,9 @@ start_command() {
 	exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock start
    fi
 }
-
+#
+# Compile Command Executor
+#
 compile_command() {
    local finished=0

@ -662,7 +666,9 @@ compile_command() {

    exec $SHOREWALL_SHELL $FIREWALL $debugging generate $file
 }
-
+#
+# Restart Command Executor
+#
 restart_command() {
    local finished=0

@ -725,7 +731,9 @@ restart_command() {

    exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock restart
 }
-
+#
+# Check Command Executor
+#
 check_command() {
    local finished=0

@ -784,7 +792,9 @@ check_command() {

    exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock check
 }
-
+#
+# Reload Command Executor
+#
 reload_command() {
    local finished=0

@ -853,7 +863,9 @@ reload_command() {

    [ -n "$nolock" ] || mutex_off
 }
-
+#
+# Show Command Executor
+#
 show_command() {
    local finished=0

@ -988,7 +1000,9 @@ show_command() {
 	;;
    esac
 }
-
+#
+# Dump Command Executor
+#
 dump_command() {
    local finished=0

@ -1098,7 +1112,9 @@ dump_command() {
 	show_classifiers
 	fi
 }
-
+#
+# Restore Comand Executor
+#
 restore_command() {
    local finished=0