From 5b54d21d078a1b574c5cddd575bead4b22b9dc19 Mon Sep 17 00:00:00 2001
From: teastep
Date: Wed, 8 Oct 2003 15:07:18 +0000
Subject: [PATCH] Don't use multiport match on ICMP
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@760 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 STABLE/changelog.txt | 2 ++
 STABLE/firewall | 6 ++++++
 STABLE/releasenotes.txt | 7 +++++++
 Shorewall/changelog.txt | 2 ++
 Shorewall/firewall | 6 ++++++
 Shorewall/releasenotes.txt | 7 +++++++
 6 files changed, 30 insertions(+)
diff --git a/STABLE/changelog.txt b/STABLE/changelog.txt
index bcdda6917..eb2467a31 100644
--- a/STABLE/changelog.txt
+++ b/STABLE/changelog.txt
@@ -3,3 +3,5 @@ Changes since 1.4.7
 1) Applied patch from Tuomo Soini that fixes syntax error occuring with some versions of 'ash'.
+2) Applied Andrew Zhoglo's patch that avoids using multiport match for
+ ICMP.
diff --git a/STABLE/firewall b/STABLE/firewall
index 8aa168c8d..b7c3a4d66 100755
--- a/STABLE/firewall
+++ b/STABLE/firewall
@@ -2764,6 +2764,9 @@ process_rule() # $1 = target
 case $logtarget in
 DNAT*)
 if [ -n "$MULTIPORT" -a \
+ "$protocol" != "icmp" -a \
+ "$protocol" != "ICMP" -a \
+ "$protocol" != "1" -a \
 "$ports" = "${ports%:*}" -a \
 "$cports" = "${cports%:*}" -a \
 `list_count $ports` -le 15 -a \
@@ -2801,6 +2804,9 @@ process_rule() # $1 = target
 *)
 if [ -n "$MULTIPORT" -a \
+ "$protocol" != "icmp" -a \
+ "$protocol" != "ICMP" -a \
+ "$protocol" != "1" -a \
 "$ports" = "${ports%:*}" -a \
 "$cports" = "${cports%:*}" -a \
 `list_count $ports` -le 15 -a \
diff --git a/STABLE/releasenotes.txt b/STABLE/releasenotes.txt
index e1ab0173d..281d13b55 100644
--- a/STABLE/releasenotes.txt
+++ b/STABLE/releasenotes.txt
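Review bot: The three new `!=` tests in the DNAT*) branch (hunk @@ -2764) exclude ICMP by name, but a denylist only covers the one protocol that happened to break; as far as I recall the iptables multiport extension is valid only for TCP- and UDP-like protocols, so any other protocol given a port list (numeric or named) would still take the multiport path and fail at `shorewall start` in the same way. A positive check is safer and shorter: replace the three added lines with `\( "$protocol" = "tcp" -o "$protocol" = "6" -o "$protocol" = "udp" -o "$protocol" = "17" \) -a \`, adding the upper-case spellings if the existing style requires them. Note that process_rule() starts before this hunk and both the `if [ … ]` test and the `case $logtarget in` statement continue past its last line, so I cannot see from here what the non-multiport fallback generates for a list of ICMP types such as `0,8,11,12`; that path is worth confirming separately.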
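Review bot: The same three-line protocol test is now duplicated verbatim in the *) branch (hunk @@ -2801) and in the DNAT*) branch above it, inside an already long `[ … -a … ]` chain; a future change to the set of excluded protocols has to be made twice per file. Computing the decision once before `case $logtarget in` keeps the two branches in step and makes the exclusion easy to read and extend. process_rule() begins outside the hunk, so the placement below is inferred from the `case $logtarget in` context line.
```shell
# … unchanged: earlier part of process_rule() …
# multiport match is not usable for ICMP; decide once for both branches below
case $protocol in
    icmp|ICMP|1) multiport_ok= ;;
    *) multiport_ok=$MULTIPORT ;;
esac
case $logtarget in
# … unchanged: DNAT*) and *) branches, each testing -n "$multiport_ok" in place of -n "$MULTIPORT" and the three != tests …
```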
@@ -11,6 +11,13 @@ Problems Corrected since version 1.4.6:
 cannot open shared object file: No such file or directory
 Try `iptables -h' or 'iptables --help' for more information.
+2) Andres Zhoglo has supplied a correction that avoids trying to use
+ the multiport match iptables facility on ICMP rules.
+
+ Example of rule that previously caused "shorewall start" to fail:
+
+ ACCEPT loc $FW icmp 0,8,11,12
+
 Migration Issues: None.
diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index bcdda6917..eb2467a31 100755
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -3,3 +3,5 @@ Changes since 1.4.7
 1) Applied patch from Tuomo Soini that fixes syntax error occuring with some versions of 'ash'.
+2) Applied Andrew Zhoglo's patch that avoids using multiport match for
+ ICMP.
diff --git a/Shorewall/firewall b/Shorewall/firewall
index 8aa168c8d..b7c3a4d66 100755
--- a/Shorewall/firewall
+++ b/Shorewall/firewall
@@ -2764,6 +2764,9 @@ process_rule() # $1 = target
 case $logtarget in
 DNAT*)
 if [ -n "$MULTIPORT" -a \
+ "$protocol" != "icmp" -a \
+ "$protocol" != "ICMP" -a \
+ "$protocol" != "1" -a \
 "$ports" = "${ports%:*}" -a \
 "$cports" = "${cports%:*}" -a \
 `list_count $ports` -le 15 -a \
@@ -2801,6 +2804,9 @@ process_rule() # $1 = target
 *)
 if [ -n "$MULTIPORT" -a \
+ "$protocol" != "icmp" -a \
+ "$protocol" != "ICMP" -a \
+ "$protocol" != "1" -a \
 "$ports" = "${ports%:*}" -a \
 "$cports" = "${cports%:*}" -a \
 `list_count $ports` -le 15 -a \
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index e1ab0173d..281d13b55 100755
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
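Review bot: The protocol comparison added in Shorewall/firewall (hunk @@ -2764, a byte-identical copy of the STABLE/firewall change judging by the matching `index 8aa168c8d..b7c3a4d66` lines) recognises exactly the spellings `icmp`, `ICMP` and `1`; a mixed-case value such as `Icmp`, which iptables itself would presumably accept, still takes the multiport path and reproduces the failure the commit is fixing. If the PROTO column is not normalised before process_rule() is called (that code is outside the hunk, so I cannot tell), a case-insensitive pattern is more robust than enumerating spellings, e.g. `case $protocol in [Ii][Cc][Mm][Pp]|1) use_multiport= ;; *) use_multiport=$MULTIPORT ;; esac` placed before `case $logtarget in`, with the `if [ … ]` tests then checking `-n "$use_multiport"`. Note that process_rule() starts before this hunk and the `if [ … ]` test runs past its last line.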
@@ -11,6 +11,13 @@ Problems Corrected since version 1.4.6:
 cannot open shared object file: No such file or directory
 Try `iptables -h' or 'iptables --help' for more information.
+2) Andres Zhoglo has supplied a correction that avoids trying to use
+ the multiport match iptables facility on ICMP rules.
+
+ Example of rule that previously caused "shorewall start" to fail:
+
+ ACCEPT loc $FW icmp 0,8,11,12
+
 Migration Issues: None.