diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index 6e0f8abe4..f46d1a9c1 100755
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -14,6 +14,9 @@ Changes in 2.5.1
 7) Add FASTACCEPT option in shorewall.conf.
+8) Generate error for 'norfc1918' on an interface with an RFC 1918 IP
+ address.
+
 Changes in 2.5.1ex/2.5.0
 1) Clean up handling of zones
diff --git a/Shorewall/firewall b/Shorewall/firewall
index e7852e8a9..084d8146e 100755
--- a/Shorewall/firewall
+++ b/Shorewall/firewall
@@ -1041,7 +1041,18 @@ validate_interfaces_file() {
 case $option in
 -)
 ;;
- dhcp|norfc1918|tcpflags|newnotsyn|arp_filter|routefilter|logmartians|sourceroute|blacklist|proxyarp|maclist|nosmurfs|upnp|-)
+ dhcp|tcpflags|newnotsyn|arp_filter|routefilter|logmartians|sourceroute|blacklist|proxyarp|maclist|nosmurfs|upnp|-)
+ ;;
+ norfc1918)
+ addr=$(ip -f inet addr show $interface 2> /dev/null | grep inet | head -n1)
+ if [ -n "$addr" ]; then
+ addr=$(echo $addr | sed 's/inet //;s/\/.*//;s/ peer.*//')
+ for network in 10.0.0.0/8 176.16.0.0/12 192.168.0.0/16; do
+ if in_network $addr $network; then
+ startup_error "The 'norfc1918' option may not be specified on an interface with an RFC 1918 address. Interface:$interface"
+ fi
+ done
+ fi
 ;;
 arp_ignore=*)
 eval ${iface}_arp_ignore=${option#*=}
@@ -2881,7 +2892,7 @@ setup_ecn() # $1 = file name
 #
 # Set up an exclusion chain
 #
-build_exclusion_chain() # $1 = variableto store chain name in $2 = table, $3 = SOURCE exclusion list, $4 = DESTINATION exclusion list
+build_exclusion_chain() # $1 = variable to store chain name into $2 = table, $3 = SOURCE exclusion list, $4 = DESTINATION exclusion list
 {
 local c=excl_${EXCLUSION_SEQ} net
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index 2f4b89c6f..c43caf6eb 100755
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
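Review bot: The RFC 1918 list in the new `norfc1918)` branch has `176.16.0.0/12` where the private block is `172.16.0.0/12`, so an interface addressed in 172.16/12 slips past the check while a public 176.16/12 address would wrongly trigger the startup error; the loop line should read `for network in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do`. Only the first `inet` line of the `ip` output is inspected (`head -n1`), so an interface whose RFC 1918 address is a secondary address would presumably still be accepted — if that case matters, drop `head -n1` and test every address. `$interface` and `$addr` are expanded unquoted into the `ip` and `in_network` invocations; quoting them costs nothing here. `validate_interfaces_file` begins before the hunk and continues after it.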
@@ -164,7 +164,7 @@ Migration Considerations:
 8) The "shorewall forget" command now removes the dynamic blacklist save file (/var/lib/shorewall/save).
-New Features in Shorewall 2.5.0
+New Features in Shorewall 2.5.*
 1) Error and warning messages are made easier to spot by using capitalization (e.g., ERROR: and WARNING:).
@@ -328,3 +328,6 @@ New Features in Shorewall 2.5.0
 accepted early in the INPUT, FORWARD and OUTPUT chains. If you set FASTACCEPT=Yes then you may not specify ESTABLISHED policies in /etc/shorewall/policy (see above).
+
+9) Shorewall not generates an error if the 'norfc1918' option is
+ specified for an interface with an RFC 1918 address.