From 6f48c5e0304411cb93fbca5b62773a6cb72d8fab Mon Sep 17 00:00:00 2001 From: teastep Date: Thu, 9 Sep 2004 20:18:49 +0000 Subject: [PATCH] Fixes for iprange implementation git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1614 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall2/changelog.txt | 2 + Shorewall2/firewall | 82 +++++++++++++++++++++++++++++-------- Shorewall2/releasenotes.txt | 9 +++- 3 files changed, 74 insertions(+), 19 deletions(-) diff --git a/Shorewall2/changelog.txt b/Shorewall2/changelog.txt index d8760d50a..b8e4e36a0 100644 --- a/Shorewall2/changelog.txt +++ b/Shorewall2/changelog.txt @@ -71,3 +71,5 @@ Changes since 2.0.3 34) Add CLASSIFY support. +35) Fix iprange support so that ranges in both source and destination work. + diff --git a/Shorewall2/firewall b/Shorewall2/firewall index a322653a8..e8ec7204f 100755 --- a/Shorewall2/firewall +++ b/Shorewall2/firewall @@ -153,7 +153,8 @@ append_file() # $1 = File Name # run_iptables() { - [ -n "$BRIDGING" ] && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev + [ -n "$BRIDGING" ] && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev + [ -n "$IPRANGE_MATCH" ] && [ -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange if ! iptables $@ ; then if [ -z "$stopping" ]; then @@ -507,6 +508,20 @@ first_chains() #$1 = interface echo ${c}_fwd ${c}_in } +# +# Horrible hack to work around an iptables limitation +# +iprange_echo() +{ + if [ -f $TMP_DIR/iprange ]; then + echo $@ + else + echo "-m iprange $@" + > $TMP_DIR/iprange + fi +} + + # # Source IP range # @@ -514,7 +529,7 @@ source_ip_range() # $1 = Address or Address Range { case $1 in *.*.*.*-*.*.*.*) - echo "-m iprange --src-range $1" + iprange_echo "--src-range $1" ;; *) echo "-s $1" @@ -529,7 +544,7 @@ dest_ip_range() # $1 = Address or Address Range { case $1 in *.*.*.*-*.*.*.*) - echo "-m iprange --dst-range $1" + iprange_echo "--dst-range $1" ;; *) echo "-d $1" 
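Review bot: iprange_echo creates $TMP_DIR/iprange on its first call whether or not $IPRANGE_MATCH is set, yet the cleanup this same patch adds to run_iptables only removes the marker when $IPRANGE_MATCH is non-empty, so on a system without the iprange match a stale marker can outlive the failing rule (do_initialize, by contrast, clears it unconditionally). Either have iprange_echo refuse a range when the capability is absent, or drop the gate in run_iptables: `[ -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange`. Note also that run_iptables is the only place the marker is reset, so any code that builds a rule with a direct `iptables` call has to clear it itself after each command. Minor: `echo $@` should be `echo "$@"`, and the header comment could state the contract instead of just "horrible hack": `# Emit -m iprange only once per iptables command; the marker $TMP_DIR/iprange is reset by run_iptables`.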
@@ -537,8 +552,35 @@ dest_ip_range() # $1 = Address or Address Range esac } +both_ip_ranges() # $1 = Source address or range, $2 = dest address or range +{ + local prefix= match= + + case $1 in + *.*.*.*-*.*.*.*) + prefix="-m iprange" + match="--src-range $1" + ;; + *) + match="-s $1" + ;; + esac + + case $2 in + *.*.*.*-*.*.*.*) + prefix="-m iprange" + match="$match --dst-range $2" + ;; + *) + match="$match -d $2" + ;; + esac + + echo "$prefix $match" +} + # -# Horrible hack to work around an iptables bug +# Horrible hack to work around an iptables limitation # physdev_echo() { @@ -1391,7 +1433,7 @@ stop_firewall() { else routeback=Yes for h in $(separate_list $host); do - iptables -A FORWARD -i $interface -s $h -o $interface $(dest_ip_range $h) -j ACCEPT + iptables -A FORWARD -i $interface -o $interface $(both_ip_ranges $h $h) -j ACCEPT done fi ;; @@ -1407,12 +1449,12 @@ stop_firewall() { for host in $hosts; do interface=${host%:*} networks=${host#*:} - iptables -A INPUT -i $interface -s $networks -j ACCEPT + iptables -A INPUT -i $interface $(source_ip_range $networks) -j ACCEPT [ -z "$ADMINISABSENTMINDED" ] && \ iptables -A OUTPUT -o $interface $(dest_ip_range $networks) -j ACCEPT for host1 in $hosts; do - [ "$host" != "$host1" ] && iptables -A FORWARD -i $interface -s $networks -o ${host1%:*} $(dest_ip_range ${host1#*:}) -j ACCEPT + [ "$host" != "$host1" ] && iptables -A FORWARD -i $interface -o ${host1%:*} $(both_ip_ranges $networks ${host1#*:}) -j ACCEPT done done 
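Review bot: both_ip_ranges carries no comment explaining how it relates to source_ip_range/dest_ip_range and the iprange marker file, which is exactly what a maintainer needs to know before choosing between them. Unlike those two helpers it emits `-m iprange` directly and never reads or writes $TMP_DIR/iprange, so it is the right choice when source and destination go into one command or when the caller bypasses run_iptables. Suggested header: `# Like source_ip_range + dest_ip_range, but emits -m iprange once for both; does not use the $TMP_DIR/iprange marker, so it is safe outside run_iptables`.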
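Review bot: In the hosts loop the new `iptables -A INPUT -i $interface $(source_ip_range $networks)` is immediately followed by the unchanged `iptables -A OUTPUT -o $interface $(dest_ip_range $networks)`; both go through iprange_echo, and both call iptables directly rather than run_iptables, which is the only place this patch clears the $TMP_DIR/iprange marker. With a range in $networks the INPUT call creates the marker, so the OUTPUT rule is emitted as a bare `--dst-range` with no `-m iprange`, which iptables will reject. Unless something not visible here clears the marker between the two calls, add `rm -f $TMP_DIR/iprange` after each direct iptables invocation in this loop (the FORWARD rule below is fine because both_ip_ranges does not depend on the marker). stop_firewall starts and ends outside the hunk.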
@@ -1518,13 +1560,13 @@ setup_tunnels() # $1 = name of tunnels file run_iptables -A $outchain -p 51 $(dest_ip_range $1) -j ACCEPT fi - run_iptables -A $outchain -p udp -d $1 --dport 500 $options + run_iptables -A $outchain -p udp $(dest_ip_range $1) --dport 500 $options if [ $kind = ipsec ]; then - run_iptables -A $inchain -p udp -s $1 --dport 500 $options + run_iptables -A $inchain -p udp $(source_ip_range $1) --dport 500 $options else - run_iptables -A $inchain -p udp -s $1 --dport 500 $options - run_iptables -A $inchain -p udp -s $1 --dport 4500 $options + run_iptables -A $inchain -p udp $(source_ip_range $1) --dport 500 $options + run_iptables -A $inchain -p udp $(source_ip_range $1) --dport 4500 $options fi for z in $(separate_list $3); do @@ -2712,7 +2754,7 @@ add_an_action() ;; *:*) action_interface_verify ${client%:*} - cli="$(match_source_dev ${client%:*}) -s ${client#*:}" + cli="$(match_source_dev ${client%:*}) $(source_ip_range ${client#*:})" ;; *.*.*) cli="-s $client" @@ -4873,7 +4915,7 @@ setup_masq() if [ -n "$networks" ]; then for s in $networks; do for destnet in $(separate_list $destnets); do - addnatrule $chain $(dest_ip_range $destnet) $(source_ip_range $s) $proto $ports -j $newchain + addnatrule $chain $(both_ip_ranges $s $destnet) $proto $ports -j $newchain done done else @@ -4919,7 +4961,7 @@ setup_masq() if [ -n "$networks" ]; then for network in $networks; do for destnet in $(separate_list $destnets); do - addnatrule $chain $(source_ip_range $network) $(dest_ip_range $destnet) $proto $ports $policy -j $target $addrlist + addnatrule $chain $(both_ip_ranges $network $destnet) $proto $ports $policy -j $target $addrlist done if [ -n "$addresses" ]; then 
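Review bot: Only the `*:*` arm of this case now goes through source_ip_range; the following `*.*.*)` arm, kept as context, still emits `-s $client`, and an interface-less range such as `1.2.3.4-1.2.3.9` matches that pattern first, so a range in an action's SOURCE column without an interface prefix is still passed to iptables as `-s`. Change that arm to `cli="$(source_ip_range $client)"` so both forms are handled the same way. add_an_action continues outside the hunk.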
@@ -5914,8 +5956,9 @@ activate_rules() if havenatchain $destchain ; then run_iptables -t nat -A $sourcechain $@ -j $destchain - elif [ -n "$BRIDGING" -a -f $TMP_DIR/physdev ]; then - rm -f $TMP_DIR/physdev + else + [ -n "$BRIDGING" -a -f $TMP_DIR/physdev ] && -rm -f $TMP_DIR/physdev + [ -n "$IPRANGE_MATCH" -a -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange fi } @@ -5933,8 +5976,10 @@ activate_rules() eval run_iptables -t nat -I $sourcechain \ \$${sourcechain}_rule $@ -j $destchain eval ${sourcechain}_rule=\$\(\(\$${sourcechain}_rule + 1\)\) - elif [ -n "$BRIDGING" -a -f $TMP_DIR/physdev ]; then - rm -f $TMP_DIR/physdev + else + [ -n "$BRIDGING" -a -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev + [ -n "$IPRANGE_MATCH" -a -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange + fi } # @@ -6892,6 +6937,7 @@ do_initialize() { fi rm -f $TMP_DIR/physdev + rm -f $TMP_DIR/iprange } # diff --git a/Shorewall2/releasenotes.txt b/Shorewall2/releasenotes.txt index 5dbd93406..978b969cc 100755 --- a/Shorewall2/releasenotes.txt +++ b/Shorewall2/releasenotes.txt @@ -1,4 +1,4 @@ -Shorewall 2.1.8 +Shorewall 2.1.9 ---------------------------------------------------------------------- Problems Corrected since 2.0.3 @@ -51,6 +51,13 @@ Problems corrected since 2.1.7 automatically at boot. This feature was inadvertently removed in Shorewall 2.1.3. +Problems corrected since 2.1.8 + +1) IP ranges in the routestopped and tunnels files now work. + +2) Rules where an IP range appears in both the source and destination + now work correctly. + ----------------------------------------------------------------------- Issues when migrating from Shorewall 2.0 to Shorewall 2.1:
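Review bot: The new else branch has a typo: `&& -rm -f $TMP_DIR/physdev` runs a command named `-rm`, which fails with "command not found", so on this path the physdev marker is never removed and the next physdev rule would presumably be emitted without its `-m physdev` prefix (physdev_echo's body is not visible here, so that consequence is inferred from the iprange_echo pattern above). The line should read `[ -n "$BRIDGING" -a -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev`, as in the matching hunk below. Since this pair of cleanup lines now appears in three places (run_iptables and both branches here), a small helper would keep them from drifting apart again.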