Fix 'check' but in setup_masq

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3346 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall/changelog.txt

@@ -20,3 +20,5 @@ Changes in 3.1.x.
 9) Merge Fabio Longerai's 'length' patch.
 
 10) Add the "-p" option to the compile command.
+
+11) Fix 'check' bug in setup_masq

Shorewall/firewall

@@ -2823,8 +2823,25 @@ setup_mac_lists() {
     #
     # Process the maclist file producing the verification rules
     #
-    while read interface mac addresses; do
+    while read disposition interface mac addresses; do
-	expandv interface mac addresses
+	expandv disposition interface mac addresses
+
+	case $disposition in
+	    ACCEPT)
+		disposition=RETURN
+		;;
+	    REJECT)
+		[ $MACLIST_TABLE = mangle ] && fatal_error "DISPOSITION = REJECT is incompatible with MACLIST_TABLE=mangle"
+		;;
+	    DROP)
+		;;
+	    *)
+		addresses="$mac"
+		mac="$interface"
+		interface="$disposition"
+		disposition=RETURN
+		;;
+	esac
 
 	physdev_part=
 
@@ -2843,13 +2860,21 @@ setup_mac_lists() {
 	    fatal_error "No hosts on $interface have the maclist option specified"
 	fi
 
-	macpart=$(mac_match $mac)
+	if [ x${mac:=-} = x- ]; then
+	    if [ -z "$addresses" ]; then
+		fatal_error "You must specify a MAC address or an IP address"
+	    else
+		mac=
+	    fi
+	else
+	    macpart=$(mac_match $mac)
+	fi
 
 	if [ -z "$addresses" ]; then
-	    run_iptables -t $MACLIST_TABLE -A $chain $macpart $physdev_part -j RETURN
+	    run_iptables -t $MACLIST_TABLE -A $chain $macpart $physdev_part -j $disposition
 	else
 	    for address in $(separate_list $addresses) ; do
-		run_iptables2 -t $MACLIST_TABLE -A $chain $macpart -s $address $physdev_part -j RETURN
+		run_iptables2 -t $MACLIST_TABLE -A $chain $macpart -s $address $physdev_part -j $disposition
 	    done
 	fi
     done < $TMP_DIR/maclist
@@ -7371,7 +7396,7 @@ setup_masq()
 
 	[ -z "$pre_nat" ] && chain=$(masq_chain $interface) || chain=$(snat_chain $interface)
 
-	ensurenatchain $chain
+	[ $COMMAND = compile ] && ensurenatchain $chain
 
 	case $destnets in
 	    !*)

Shorewall/maclist

@@ -10,13 +10,18 @@
 #
 # Columns are:
 #
+#	DISPOSITION	ACCEPT or DROP (if MACLIST_TABLE=filter, then REJECT
+#			is also allowed)
+#
 #	INTERFACE	Network interface to a host. If the interface
 #			names a bridge, it may be optionally followed by
 #			a colon (":") and a physical port name (e.g.,
 #			br0:eth4).
 #
 #	MAC		MAC address of the host -- you do not need to use
-#			the Shorewall format for MAC addresses here
+#			the Shorewall format for MAC addresses here. If IP
+#			ADDRESSES is supplied then MAC can be supplied as
+#			a dash ("-")
 #
 #	IP ADDRESSES	Optional -- if specified, both the MAC and IP address
 #			must match. This column can contain a comma-separated
@@ -27,5 +32,5 @@
 # For additional information, see http://shorewall.net/MAC_Validation.html
 #
 ###############################################################################
-#INTERFACE		MAC			IP ADDRESSES (Optional)
+#DISPOSITION	INTERFACE		MAC			IP ADDRESSES (Optional)
 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

Shorewall/releasenotes.txt

@@ -1,4 +1,4 @@
-Shorewall 3.1.3
+Shorewall 3.1.4
 
 Note to users upgrading from Shorewall 2.x or 3.0
 
@@ -26,23 +26,10 @@ Note to users upgrading from Shorewall 2.x or 3.0
    Please see the "Migration Considerations" below for additional upgrade
    information.
 
-New Features in 3.1.3
+Problems Corrected in 3.1.4
 
-1)  A LENGTH column has been added to the /etc/shorewall/tcrules file to allow
+1) "shorewall check" generates an error if there are entries in
-    packet marking by packet length. Patch courtesy of Fabio Longerai.
+   /etc/shorewall/massq.
-
-2)  When a compiled script encounters an error, the firewall is now put in the
-    "stopped" state without the need for running "/sbin/shorewall stop".
-
-3)  The -p option to the 'compile command now generates a complete firewall
-    program that can be placed in /etc/init.d (on SuSE) and installed using
-    "insserv". If the system where you install the program does not have
-    Shorewall installed, you will need to generate the program with the "-e"
-    option.
-
-    In 3.1.4, I hope to have support for other distributions included.
-
-4)  A Whois macro has been added (courtesy of Paul Gear).
 
 Migration Considerations:
 

Shorewall/shorewall

@@ -488,7 +488,9 @@ save_config() {
 
     [ "$nolock" ] || mutex_off
 }
-
+#
+# Start Command Executor
+#
 start_command() {
     local finished=0
 
@@ -588,7 +590,9 @@ start_command() {
 	exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock start
     fi
 }
-
+#
+# Compile Command Executor
+#
 compile_command() {
     local finished=0
 
@@ -662,7 +666,9 @@ compile_command() {
 
     exec $SHOREWALL_SHELL $FIREWALL $debugging generate $file
 }
-
+#
+# Restart Command Executor
+#
 restart_command() {
     local finished=0
 
@@ -725,7 +731,9 @@ restart_command() {
 
     exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock restart
 }
-
+#
+# Check Command Executor
+#
 check_command() {
     local finished=0
 
@@ -784,7 +792,9 @@ check_command() {
 
     exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock check
 }
-
+#
+# Reload Command Executor
+#
 reload_command() {
     local finished=0
 
@@ -853,7 +863,9 @@ reload_command() {
 
     [ -n "$nolock" ] || mutex_off
 }
-
+#
+# Show Command Executor
+#
 show_command() {
     local finished=0
 
@@ -988,7 +1000,9 @@ show_command() {
 	;;
     esac
 }
-
+#
+# Dump Command Executor
+#
 dump_command() {
     local finished=0
 
@@ -1098,7 +1112,9 @@ dump_command() {
 	show_classifiers
 	fi
 }
-
+#
+# Restore Comand Executor
+#
 restore_command() {
     local finished=0