From 8af394d5b58ce799d343443598f8e47289a5b92e Mon Sep 17 00:00:00 2001 From: teastep Date: Tue, 17 Apr 2007 15:07:11 +0000 Subject: [PATCH] Apply Steven Springl's patch for ICMP git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5970 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall-common/changelog.txt | 3 +++ Shorewall-common/releasenotes.txt | 3 +++ Shorewall-perl/Shorewall/Chains.pm | 8 ++++++-- 3 files changed, 12 insertions(+), 2 deletions(-) diff --git a/Shorewall-common/changelog.txt b/Shorewall-common/changelog.txt index 57898bd30..f7352aa90 100644 --- a/Shorewall-common/changelog.txt +++ b/Shorewall-common/changelog.txt @@ -16,3 +16,6 @@ Changes in 3.9.2 7) Moved lib.dynamiczones to Shorewall. 8) Fix silly bug in lib.base. + +9) Apply Steven Springl's patch for ICMP. + diff --git a/Shorewall-common/releasenotes.txt b/Shorewall-common/releasenotes.txt index 6b989dae5..32415bc42 100644 --- a/Shorewall-common/releasenotes.txt +++ b/Shorewall-common/releasenotes.txt @@ -70,6 +70,9 @@ Problems corrected in Shorewall 3.9.2 12) When LOG_MARTIANS=Yes in shorewall.conf, Shorewall no longer clears the log_martians flag for all interfaces. +13) Thanks to Steven Springl, various problems with ICMP rules have + been corrected. + Other changes in Shorewall 3.9.2 1) A LOCKFILE option has been added to shorewall.conf. This file is diff --git a/Shorewall-perl/Shorewall/Chains.pm b/Shorewall-perl/Shorewall/Chains.pm index 3bc21afda..65f686234 100644 --- a/Shorewall-perl/Shorewall/Chains.pm +++ b/Shorewall-perl/Shorewall/Chains.pm 
@@ -688,8 +688,12 @@ sub do_proto( $$$ )
 }
 }
 } elsif ( $proto =~ /^(icmp|1)$/i ) {
- $output .= "-p icmp --icmp-type $ports " if $ports;
- fatal_error 'SOURCE PORT(S) not permitted with ICMP' if $sports;
+ my @ports = split /,/, $ports;
+ my $count = @ports;
+ fatal_error 'Multiple ICMP types are not permitted' if $count > 1;
+ $output .= "-p icmp ";
+ $output .= "--icmp-type $ports " if $count;
+ fatal_error 'SOURCE PORT(S) not permitted with ICMP' if $sports ne "";
 } elsif ( $proto =~ /^(ipp2p(:(tcp|udp|all)))?$/i ) {
 require_capability( 'IPP2P' , 'PROTO = ipp2p' );
 $proto = $2 ? $3 : 'tcp';
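Review bot: In the ICMP branch of do_proto, the value written into the rule is the raw `$ports` string rather than the element that was counted, and `split` drops trailing empty fields, so `$count` does not describe what is emitted. A value of `,` gives a count of 0 and produces a bare `-p icmp` that matches every ICMP type, while `8,` passes the multiple-type check and writes `--icmp-type 8,` into the rule. For a firewall compiler a malformed entry should stop compilation rather than widen or corrupt the rule: `fatal_error "Invalid ICMP type ($ports)" if $ports ne '' && ! $count;` and `$output .= "--icmp-type $ports[0] " if $count;`. Whether `$ports` and `$sports` are already normalised to defined strings is decided earlier in do_proto, outside this hunk, so that is worth confirming for the new `ne ""` test.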