extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-06-25 04:01:45 +02:00
Code Issues Packages Projects Releases Wiki Activity

Don't use multiport match on ICMP

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@760 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2003-10-08 15:07:18 +00:00
parent cb3f099ad2
commit 5b54d21d07
6 changed files with 30 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
STABLE/changelog.txt
View File

@ -3,3 +3,5 @@ Changes since 1.4.7
1) Applied patch from Tuomo Soini that fixes syntax error occuring with 1) Applied patch from Tuomo Soini that fixes syntax error occuring with
some versions of 'ash'. some versions of 'ash'.
2) Applied Andrew Zhoglo's patch that avoids using multiport match for
ICMP.

6
STABLE/firewall
View File

@ -2764,6 +2764,9 @@ process_rule() # $1 = target
case $logtarget in case $logtarget in
DNAT*) DNAT*)
if [ -n "$MULTIPORT" -a \ if [ -n "$MULTIPORT" -a \
"$protocol" != "icmp" -a \
"$protocol" != "ICMP" -a \
"$protocol" != "1" -a \
"$ports" = "${ports%:*}" -a \ "$ports" = "${ports%:*}" -a \
"$cports" = "${cports%:*}" -a \ "$cports" = "${cports%:*}" -a \
`list_count $ports` -le 15 -a \ `list_count $ports` -le 15 -a \
@ -2801,6 +2804,9 @@ process_rule() # $1 = target
*) *)
if [ -n "$MULTIPORT" -a \ if [ -n "$MULTIPORT" -a \
"$protocol" != "icmp" -a \
"$protocol" != "ICMP" -a \
"$protocol" != "1" -a \
"$ports" = "${ports%:*}" -a \ "$ports" = "${ports%:*}" -a \
"$cports" = "${cports%:*}" -a \ "$cports" = "${cports%:*}" -a \
`list_count $ports` -le 15 -a \ `list_count $ports` -le 15 -a \

7
STABLE/releasenotes.txt
View File

@ -11,6 +11,13 @@ Problems Corrected since version 1.4.6:
cannot open shared object file: No such file or directory cannot open shared object file: No such file or directory
Try `iptables -h' or 'iptables --help' for more information. Try `iptables -h' or 'iptables --help' for more information.
2) Andres Zhoglo has supplied a correction that avoids trying to use
the multiport match iptables facility on ICMP rules.
Example of rule that previously caused "shorewall start" to fail:
ACCEPT loc $FW icmp 0,8,11,12
Migration Issues: Migration Issues:
None. None.

2
Shorewall/changelog.txt
View File

@ -3,3 +3,5 @@ Changes since 1.4.7
1) Applied patch from Tuomo Soini that fixes syntax error occuring with 1) Applied patch from Tuomo Soini that fixes syntax error occuring with
some versions of 'ash'. some versions of 'ash'.
2) Applied Andrew Zhoglo's patch that avoids using multiport match for
ICMP.

6
Shorewall/firewall
View File

@ -2764,6 +2764,9 @@ process_rule() # $1 = target
case $logtarget in case $logtarget in
DNAT*) DNAT*)
if [ -n "$MULTIPORT" -a \ if [ -n "$MULTIPORT" -a \
"$protocol" != "icmp" -a \
"$protocol" != "ICMP" -a \
"$protocol" != "1" -a \
"$ports" = "${ports%:*}" -a \ "$ports" = "${ports%:*}" -a \
"$cports" = "${cports%:*}" -a \ "$cports" = "${cports%:*}" -a \
`list_count $ports` -le 15 -a \ `list_count $ports` -le 15 -a \
@ -2801,6 +2804,9 @@ process_rule() # $1 = target
*) *)
if [ -n "$MULTIPORT" -a \ if [ -n "$MULTIPORT" -a \
"$protocol" != "icmp" -a \
"$protocol" != "ICMP" -a \
"$protocol" != "1" -a \
"$ports" = "${ports%:*}" -a \ "$ports" = "${ports%:*}" -a \
"$cports" = "${cports%:*}" -a \ "$cports" = "${cports%:*}" -a \
`list_count $ports` -le 15 -a \ `list_count $ports` -le 15 -a \

7
Shorewall/releasenotes.txt
View File

@ -11,6 +11,13 @@ Problems Corrected since version 1.4.6:
cannot open shared object file: No such file or directory cannot open shared object file: No such file or directory
Try `iptables -h' or 'iptables --help' for more information. Try `iptables -h' or 'iptables --help' for more information.
2) Andres Zhoglo has supplied a correction that avoids trying to use
the multiport match iptables facility on ICMP rules.
Example of rule that previously caused "shorewall start" to fail:
ACCEPT loc $FW icmp 0,8,11,12
Migration Issues: Migration Issues:
None. None.