From 3cef6a2a9b359967d6a8e504404e3cbb6d4014b9 Mon Sep 17 00:00:00 2001
From: teastep
Date: Sun, 22 Jan 2006 02:35:15 +0000
Subject: [PATCH] Fix 'check' but in setup_masq
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3346 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Shorewall/changelog.txt | 2 ++
 Shorewall/firewall | 37 +++++++++++++++++++++++++++++++------
 Shorewall/maclist | 9 +++++++--
 Shorewall/releasenotes.txt | 21 ++++-----------------
 Shorewall/shorewall | 32 ++++++++++++++++++++++++--------
 5 files changed, 68 insertions(+), 33 deletions(-)
diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index a99905e4f..071ecb542 100755
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -20,3 +20,5 @@ Changes in 3.1.x.
 9) Merge Fabio Longerai's 'length' patch.
 10) Add the "-p" option to the compile command.
+
+11) Fix 'check' bug in setup_masq
diff --git a/Shorewall/firewall b/Shorewall/firewall
index bffd046d5..127197244 100755
--- a/Shorewall/firewall
+++ b/Shorewall/firewall
@@ -2823,8 +2823,25 @@ setup_mac_lists() {
 #
 # Process the maclist file producing the verification rules
 #
- while read interface mac addresses; do
- expandv interface mac addresses
+ while read disposition interface mac addresses; do
+ expandv disposition interface mac addresses
+
+ case $disposition in
+ ACCEPT)
+ disposition=RETURN
+ ;;
+ REJECT)
+ [ $MACLIST_TABLE = mangle ] && fatal_error "DISPOSITION = REJECT is incompatible with MACLIST_TABLE=mangle"
+ ;;
+ DROP)
+ ;;
+ *)
+ addresses="$mac"
+ mac="$interface"
+ interface="$disposition"
+ disposition=RETURN
+ ;;
+ esac
 physdev_part=
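Review bot: The `*)` arm of the new `case $disposition` treats any first column that is not ACCEPT, REJECT or DROP as an interface name in the old three-column layout, so a misspelled disposition is not rejected here but surfaces later as `No hosts on <word> have the maclist option specified` (the message is visible in the next hunk), which will puzzle users. A comment on that arm would make the intent explicit: `# No DISPOSITION column: old 3-column format, shift the columns right and default to ACCEPT`. In the REJECT arm `[ $MACLIST_TABLE = mangle ]` is unquoted; if the variable can ever be empty the test is malformed, so `[ "$MACLIST_TABLE" = mangle ]` is safer. setup_mac_lists starts before this hunk and its loop body continues past it.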
@@ -2843,13 +2860,21 @@ setup_mac_lists() {
 fatal_error "No hosts on $interface have the maclist option specified"
 fi
- macpart=$(mac_match $mac)
+ if [ x${mac:=-} = x- ]; then
+ if [ -z "$addresses" ]; then
+ fatal_error "You must specify a MAC address or an IP address"
+ else
+ mac=
+ fi
+ else
+ macpart=$(mac_match $mac)
+ fi
 if [ -z "$addresses" ]; then
- run_iptables -t $MACLIST_TABLE -A $chain $macpart $physdev_part -j RETURN
+ run_iptables -t $MACLIST_TABLE -A $chain $macpart $physdev_part -j $disposition
 else
 for address in $(separate_list $addresses) ; do
- run_iptables2 -t $MACLIST_TABLE -A $chain $macpart -s $address $physdev_part -j RETURN
+ run_iptables2 -t $MACLIST_TABLE -A $chain $macpart -s $address $physdev_part -j $disposition
 done
 fi
 done < $TMP_DIR/maclist
@@ -7371,7 +7396,7 @@ setup_masq()
 [ -z "$pre_nat" ] && chain=$(masq_chain $interface) || chain=$(snat_chain $interface)
- ensurenatchain $chain
+ [ $COMMAND = compile ] && ensurenatchain $chain
 case $destnets in
 !*)
diff --git a/Shorewall/maclist b/Shorewall/maclist
index 4d57106c0..b4ebe17e5 100644
--- a/Shorewall/maclist
+++ b/Shorewall/maclist
@@ -10,13 +10,18 @@
 #
 # Columns are:
 #
+# DISPOSITION ACCEPT or DROP (if MACLIST_TABLE=filter, then REJECT
+# is also allowed)
+#
 # INTERFACE Network interface to a host. If the interface
 # names a bridge, it may be optionally followed by
 # a colon (":") and a physical port name (e.g.,
 # br0:eth4).
 #
 # MAC MAC address of the host -- you do not need to use
-# the Shorewall format for MAC addresses here
+# the Shorewall format for MAC addresses here. If IP
+# ADDRESSES is supplied then MAC can be supplied as
+# a dash ("-")
 #
 # IP ADDRESSES Optional -- if specified, both the MAC and IP address
 # must match. This column can contain a comma-separated
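Review bot: When MAC is given as `-` and addresses are present, the new branch clears `mac` but leaves `macpart` untouched, and `macpart` is what the two `run_iptables` lines below put into the rule; since `macpart=$(mac_match $mac)` used to run unconditionally on every entry, a `-` entry that follows a real-MAC entry now inherits the previous entry's MAC match unless `macpart` is reset somewhere outside this hunk. The assignment should be `macpart=` (keeping `mac=` as well does no harm), so that entry matches on IP address only. setup_mac_lists begins before this hunk and continues after the `done < $TMP_DIR/maclist` line.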
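Review bot: The guard `[ $COMMAND = compile ] && ensurenatchain $chain` states the special case but not the reason, and it is keyed on `compile` rather than on excluding `check`, so any other value of `$COMMAND` that reaches setup_masq also skips chain creation; whether that is intended cannot be seen from this hunk. A why-comment would stop the guard being "simplified" away later, e.g. `# Only run when compiling: 'check' failed on this call (changelog item 11)`. Quoting the variable, `[ "$COMMAND" = compile ]`, also keeps the test well-formed if COMMAND is ever empty. setup_masq begins before this hunk and continues after `case $destnets in`.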
@@ -27,5 +32,5 @@
 # For additional information, see http://shorewall.net/MAC_Validation.html
 #
 ###############################################################################
-#INTERFACE MAC IP ADDRESSES (Optional)
+#DISPOSITION INTERFACE MAC IP ADDRESSES (Optional)
 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index 442773e6e..97507188d 100755
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@@ -1,4 +1,4 @@
-Shorewall 3.1.3
+Shorewall 3.1.4
 Note to users upgrading from Shorewall 2.x or 3.0
@@ -26,23 +26,10 @@ Note to users upgrading from Shorewall 2.x or 3.0
 Please see the "Migration Considerations" below for additional upgrade
 information.
-New Features in 3.1.3
+Problems Corrected in 3.1.4
-1) A LENGTH column has been added to the /etc/shorewall/tcrules file to allow
- packet marking by packet length. Patch courtesy of Fabio Longerai.
-
-2) When a compiled script encounters an error, the firewall is now put in the
- "stopped" state without the need for running "/sbin/shorewall stop".
-
-3) The -p option to the 'compile command now generates a complete firewall
- program that can be placed in /etc/init.d (on SuSE) and installed using
- "insserv". If the system where you install the program does not have
- Shorewall installed, you will need to generate the program with the "-e"
- option.
-
- In 3.1.4, I hope to have support for other distributions included.
-
-4) A Whois macro has been added (courtesy of Paul Gear).
+1) "shorewall check" generates an error if there are entries in
+ /etc/shorewall/massq.
 Migration Considerations:
diff --git a/Shorewall/shorewall b/Shorewall/shorewall
index a192d3086..1a43a98e2 100755
--- a/Shorewall/shorewall
+++ b/Shorewall/shorewall
@@ -488,7 +488,9 @@ save_config() {
 [ "$nolock" ] || mutex_off
 }
-
+#
+# Start Command Executor
+#
 start_command() {
 local finished=0
@@ -588,7 +590,9 @@ start_command() {
 exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock start
 fi
 }
-
+#
+# Compile Command Executor
+#
 compile_command() {
 local finished=0
@@ -662,7 +666,9 @@ compile_command() {
 exec $SHOREWALL_SHELL $FIREWALL $debugging generate $file
 }
-
+#
+# Restart Command Executor
+#
 restart_command() {
 local finished=0
@@ -725,7 +731,9 @@ restart_command() {
 exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock restart
 }
-
+#
+# Check Command Executor
+#
 check_command() {
 local finished=0
@@ -784,7 +792,9 @@ check_command() {
 exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock check
 }
-
+#
+# Reload Command Executor
+#
 reload_command() {
 local finished=0
@@ -853,7 +863,9 @@ reload_command() {
 [ -n "$nolock" ] || mutex_off
 }
-
+#
+# Show Command Executor
+#
 show_command() {
 local finished=0
@@ -988,7 +1000,9 @@ show_command() {
 ;;
 esac
 }
-
+#
+# Dump Command Executor
+#
 dump_command() {
 local finished=0
@@ -1098,7 +1112,9 @@ dump_command() {
 show_classifiers
 fi
 }
-
+#
+# Restore Comand Executor
+#
 restore_command() {
 local finished=0
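Review bot: The header added above restore_command reads `# Restore Comand Executor`; it should be `# Restore Command Executor` to match the wording of the seven identical headers added earlier in this file. The rest of the hunk is unchanged context, and restore_command's body continues past it.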