Apply Steven Springl's patch for ICMP

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5970 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall-common/changelog.txt

@@ -16,3 +16,6 @@ Changes in 3.9.2
 7)  Moved lib.dynamiczones to Shorewall.
 
 8)  Fix silly bug in lib.base.
+
+9)  Apply Steven Springl's patch for ICMP.
+

Shorewall-common/releasenotes.txt

@@ -70,6 +70,9 @@ Problems corrected in Shorewall 3.9.2
 12) When LOG_MARTIANS=Yes in shorewall.conf, Shorewall no longer clears
     the log_martians flag for all interfaces.
 
+13) Thanks to Steven Springl, various problems with ICMP rules have
+    been corrected.
+
 Other changes in Shorewall 3.9.2
 
 1)  A LOCKFILE option has been added to shorewall.conf. This file is

Shorewall-perl/Shorewall/Chains.pm

@@ -688,8 +688,12 @@ sub do_proto( $$$ )
 		}
 	    }
 	} elsif ( $proto =~ /^(icmp|1)$/i ) {
-	    $output .= "-p icmp --icmp-type $ports " if $ports;
-	    fatal_error 'SOURCE PORT(S) not permitted with ICMP' if $sports;
+	    my @ports = split /,/, $ports;
+	    my $count = @ports;
+	    fatal_error 'Multiple ICMP types are not permitted' if $count > 1;
+	    $output .= "-p icmp ";
+	    $output .= "--icmp-type $ports " if $count;
+	    fatal_error 'SOURCE PORT(S) not permitted with ICMP' if $sports ne "";
 	} elsif ( $proto =~ /^(ipp2p(:(tcp|udp|all)))?$/i ) {
 	    require_capability( 'IPP2P' , 'PROTO = ipp2p' );
 	    $proto = $2 ? $3 : 'tcp';