From 8fb003476d9203684d961faaa753f623963d079b Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Sat, 1 May 2010 09:29:12 -0700
Subject: [PATCH] More comprehensive fix for duplicate / -[piosd] /

Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Chains.pm | 28 ++++++++++++++++++++++++----
 Shorewall/releasenotes.txt | 10 ++++++----
 2 files changed, 30 insertions(+), 8 deletions(-)

diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index f9bfe6612..b6d953db1 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -645,6 +645,8 @@ sub add_jump( $$$;$$$ ) {
 
 my $param = $goto_ok && $toref && have_capability( 'GOTO_TARGET' ) ? 'g' : 'j';
 
+ $fromref->{dont_optimize} = 1 if $predicate =~ /! -[piosd] /;
+
 if ( defined $index ) {
 assert( ! $expandports );
 insert_rule1( $fromref, $index, join( '', $predicate, "-$param $to" ));
@@ -1429,6 +1431,14 @@ sub replace_references1( $$$ ) {
 my $table = $chainref->{table};
 my $count = 0;
 my $name = $chainref->{name};
+ #
+ # The caller has ensured that $matches does not contain /! -[piosd] /
+ #
+ my $hasp = $matches =~ / -p /;
+ my $hasi = $matches =~ / -i /;
+ my $haso = $matches =~ / -o /;
+ my $hass = $matches =~ / -s /;
+ my $hasd = $matches =~ / -d /;
 
 $name =~ s/\+/\\+/;
 #
@@ -1447,9 +1457,14 @@ sub replace_references1( $$$ ) {
 for ( @{$fromref->{rules}} ) {
 if ( defined && /^-A $fromname .*-[jg] $name\b/ ) {
 #
- # Prevent multiple '-p' matches
+ # Prevent multiple '-p', '-i', '-o', '-s' and '-d' matches
 #
- s/ -p [^ ]+ / / if / -p / && $matches =~ / -p /;
+ s/( !)? -p [^ ]+ / / if $hasp;
+ s/( !)? -i [^ ]+ / / if $hasi;
+ s/( !)? -o [^ ]+ / / if $haso;
+ s/( !)? -s [^ ]+ / / if $hass;
+ s/( !)? -d [^ ]+ / / if $hasd;
+
 s/\s+-([jg]) $name(\b)/$matches -$1 ${target}$2/;
 add_reference( $fromref, $chain_table{$table}{$target} );
 $count++;
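Review bot: The negated-match test `$predicate =~ /! -[piosd] /` is a bare literal that replace_references1 now depends on as well (its new comment restates the same pattern), so the two can drift apart without any error; hoist it to a file-scope `my $NEGATED_MATCH = qr/! -[piosd] /;` and write `$fromref->{dont_optimize} = 1 if $predicate =~ $NEGATED_MATCH;`. The line also deserves a why-comment, because flagging the whole chain is a coarse consequence of a single rule — presumably `# A negated -p/-i/-o/-s/-d cannot be merged into a referencing rule, so keep this chain out of the optimizer`, to be confirmed against the optimizer's use of dont_optimize. add_jump's body continues on both sides of the hunk.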
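Review bot: The comment `The caller has ensured that $matches does not contain /! -[piosd] /` states a precondition that nothing in the function checks, and the substitutions further down rely on it — a negated match that did slip into $matches would be spliced into every referencing rule. Chains.pm already uses `assert` (see the add_jump hunk), so turn the comment into `assert( $matches !~ /! -[piosd] / );` directly under it, and a caller that forgets the check fails during compilation instead of emitting a wider ruleset. The five `$has*` flags also require $matches to begin with a space (`/ -p /`), which the ` $matches -$1 ${target}` splice below depends on anyway; a one-line note saying so would save the next reader a trip. replace_references1 continues past the hunk.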
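Review bot: The new substitutions drop the referencing rule's own `-p`/`-i`/`-o`/`-s`/`-d` value without comparing it with the one in $matches, so `-A from -s 10.1.0.0/16 -j chain` folded with a $matches of ` -s 10.0.0.0/8 ` becomes `-s 10.0.0.0/8`, which accepts more than the original pair did (a caller `-p tcp` meeting a `-p udp`, which originally matched nothing, becomes `-p udp` the same way). Only an identical value can be discarded safely; for any other pair the fold has to be declined, and since this loop rewrites rules as it goes, that decision belongs with the caller that selects chains for folding, outside the hunk. At minimum make the assumption fail loudly here: capture the value up front, `my ($p) = $matches =~ / -p ([^ ]+) /;`, and guard the substitution with `assert( / -p ([^ ]+) / ? $1 eq $p : 1 ) if $hasp;` (likewise for i/o/s/d), so a mismatch is an internal error rather than a silently wider rule. replace_references1 continues past the hunk.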
@@ -1470,9 +1485,14 @@ sub replace_references1( $$$ ) {
 for ( @{$fromref->{rules}} ) {
 if ( defined && /^-A $fromname .*-[jg] $name\b/ ) {
 #
- # Prevent multiple '-p' matches
+ # Prevent multiple '-p', '-i', '-o', '-s' and '-d' matches
 #
- s/ -p [^ ]+ / / if / -p / && $matches =~ / -p /;
+ s/( !)? -p [^ ]+ / / if $hasp;
+ s/( !)? -i [^ ]+ / / if $hasi;
+ s/( !)? -o [^ ]+ / / if $haso;
+ s/( !)? -s [^ ]+ / / if $hass;
+ s/( !)? -d [^ ]+ / / if $hasd;
+
 s/\s+-[jg] $name(\b)/$matches -j ${target}$1/;
 $count++;
 }
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index 257be1cd3..dc663f574 100644
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@@ -229,11 +229,13 @@ I I I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E
 #ZONE INTERFACE BROADCAST OPTIONS
 vpn TUN+ - tun+
 
- /etc/shorewall/netmap:
+ /etc/shorewall/masq:
 
- #TYPE NET1 INTEFACE NET2
- SNAT 1.2.3.0/24 TUN0 3.4.5.0/24
- DNAT 3.4.5.0/24 TUN0 1.2.3.0/24
+ #INTERFACE SOURCE ADDRESS PROTO PORT
+ tun0 192.168.1.0/24
+
+ Use of tunN in the nat and netmap files also produced invalid
+ iptables-restore input.
 
 4.4.8.4
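Review bot: The `( !)?` group in the five substitutions silently deletes a negation from the referencing rule: `-A from ! -s 10.1.0.0/16 -j chain` folded with ` -s 10.0.0.0/8 ` becomes plain `-s 10.0.0.0/8`, which now admits the 10.1.0.0/16 the original pair excluded; the reduction is only equivalent when the two ranges are disjoint, and nothing checks that. The dont_optimize flag added in add_jump protects $matches (the earlier hunk's comment says as much) but not the rules being rewritten here, which are the ones this group touches. Drop the `( !)?` and refuse the fold instead, e.g. `assert( ! / ! -s / ) if $hass;` ahead of the substitution (and likewise for p/i/o/d), so the duplicate surfaces as an internal error rather than a wider rule. replace_references1 continues past the hunk.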