diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index 3cfce668f..a16114b8c 100755
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -29,6 +29,5 @@ Changes since 1.4.5
 12) Correct the implementation of destination IP list in DNAT[-] rules.
-13) Check for broken shells that don't support "^" in arithmetic
- expressions or whose arithmetic support is otherwise broken.
+13) Check for shells whose arithmetic support is broken.
diff --git a/Shorewall/firewall b/Shorewall/firewall
index 41a216f3f..2036a82df 100755
--- a/Shorewall/firewall
+++ b/Shorewall/firewall
@@ -2060,7 +2060,7 @@ add_a_rule()
 ;;
 all|ALL)
 [ -n "$port" ] && \
- fatal_error "Port number not allowed with \"all\"; rule: \"$rule\""
+ fatal_error "Port number not allowed with protocol \"all\"; rule: \"$rule\""
 proto=
 ;;
 *)
@@ -2982,7 +2982,7 @@ ip_range() {
 # Netmask from CIDR
 #
 ip_netmask() {
- echo $(( -1 $LEFTSHIFT $((32 - ${1#*/})) ))
+ echo $(( -1 $LEFTSHIFT $(( 32 - ${1#*/} )) ))
 }
 #
@@ -2994,15 +2994,30 @@ networkaddress() {
 echo `encodeaddr $(($decodedaddr & $netmask))`
 }
+
+#
+# The following hack is supplied to compensate for the fact that many of
+# the popular light-weight Bourne shell derivatives don't support XOR ("^").
+#
+# Note: 2147483647 = 0x7fffffff
+
+ip_broadcast() {
+ local x=$(( ${1#*/} - 1 ))
+
+ [ $x -eq -1 ] && echo -1 || echo $(( 2147483647 >> $x ))
+}
+
 #
 # Calculate broadcast address from CIDR
 #
 broadcastaddress() {
 local decodedaddr=`decodeaddr ${1%/*}`
 local netmask=`ip_netmask $1`
+ local broadcast=`ip_broadcast $1`
- echo `encodeaddr $(( $(($decodedaddr & $netmask)) | $(( $netmask ^ -1 )) ))`
+ echo `encodeaddr $(( $(($decodedaddr & $netmask)) | $broadcast ))`
 }
+
 #
 # Test for subnet membership
 #
@@ -3012,6 +3027,7 @@ in_subnet() # $1 = IP address, $2 = CIDR network
 test $(( `decodeaddr $1` & $netmask)) -eq $(( `decodeaddr ${2%/*}` & $netmask ))
 }
+
 #
 # Set up Source NAT (including masquerading)
 #
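Review bot: The new `ip_broadcast` in the `@@ -2994` hunk takes the prefix length straight from `${1#*/}` into `$(( ${1#*/} - 1 ))` with no range check, so a CIDR with a length above 32, or an argument that has no `/` at all (the expansion then yields the whole address), reaches the arithmetic with a non-numeric or out-of-range operand and the shell either aborts the expansion or produces an unspecified shift result that is then silently used as the broadcast. `ip_netmask` in the hunk above it has the same unchecked `${1#*/}`, so this is a pre-existing gap rather than a regression, but the new helper is the natural place to fail loudly with the `fatal_error` already used elsewhere in this file: `case ${1#*/} in [0-9]|[12][0-9]|3[0-2]) ;; *) fatal_error "Invalid CIDR: $1" ;; esac` before the `local x=...` line. The header comment explains only why XOR is avoided and not what the function returns; I would add `# Echo the host-part mask of a CIDR (2^(32-N) - 1, the 32-bit complement of ip_netmask), built with a right shift because "^" is not portable; /0 yields -1 (all bits set)`. The `[ $x -eq -1 ] && echo -1 || echo ...` form also relies on the first `echo` never failing to pick the branch; an `if`/`else` would state the intent more plainly.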
@@ -4608,18 +4624,7 @@ added_param_value_no() # $1 = Parameter Name, $2 = Parameter value
 # Initialize this program
 #
 do_initialize() {
- #
- # Code to determine if shell can support xor
- #
- check_xor() {
- echo $(( 256 ^ -1 ))
- }
- check_xor1() {
- local x=`check_xor 2> /dev/null`
- [ -n "$x" ] && echo $x || echo 0
- }
-
 # Run all utility programs using the C locale
 #
 # Thanks to Vincent Planchenault for this tip
 #
@@ -4829,7 +4834,7 @@ do_initialize() {
 [ -n "$SHOREWALL_SHELL" ] || SHOREWALL_SHELL=/bin/sh
 temp=`decodeaddr 192.168.1.1`
- if [ `encodeaddr $temp` != 192.168.1.1 -o `check_xor1` -ne -257 ]; then
+ if [ `encodeaddr $temp` != 192.168.1.1 ]; then
 startup_error "Shell $SHOREWALL_SHELL is broken and may not be used with Shorewall"
 fi
 }
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index 7ca1dfaa4..e4d30a331 100755
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@@ -1,4 +1,4 @@
-This is a snapshot release of Shorewall.
+This is a minor release of Shorewall.
 Problems Corrected:
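Review bot: Dropping the `check_xor1` term in the `@@ -4829` hunk leaves the broken-shell gate `if [ \`encodeaddr $temp\` != 192.168.1.1 ]; then` covering only the decodeaddr/encodeaddr round trip, while the new `ip_broadcast` and the existing `ip_netmask` depend on `>>` and `$LEFTSHIFT` behaving correctly; unless those two helpers already exercise both shift operators (their bodies are not visible in this diff), a shell that mishandles shifts would pass this check and then compute wrong network and broadcast addresses for every rule. A portable strengthening that does not depend on 32- versus 64-bit shell arithmetic is to compare a derived address rather than a raw mask, e.g. extend the condition to `if [ \`encodeaddr $temp\` != 192.168.1.1 -o \`broadcastaddress 192.168.1.0/24\` != 192.168.1.255 ]; then`. The changelog entry in this commit still promises a check for "shells whose arithmetic support is broken", so the replacement test should be at least as strong as the one removed. The body of do_initialize begins outside this hunk.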
@@ -6,31 +6,11 @@ Problems Corrected:
 errors when started using the "service" mechanism has been worked around.
-2) A problem introduced in earlier snapshots has been corrected. This
- problem caused incorrect netfilter rules to be created when the
- destination zone in a rule was qualified by an address in CIDR
- format.
-
- Example:
-
- ACCEPT fw net:206.124.146.0/24 tcp pop3
-
-3) A problem introduced in Snapshot 20030629 has been corrected whereby
- the output of the capabilities report was corrupted in the case
- where the capability was not available.
-
-4) Where a list of IP addresses appears in the DEST column of a DNAT[-]
+2) Where a list of IP addresses appears in the DEST column of a DNAT[-]
 rule, Shorewall incorrectly created multiple DNAT rules in the nat table (one for each element in the list). Shorewall now correctly creates a single DNAT rule with multiple "--to-destination" clauses.
-Migration Considerations:
-
- This version of Shorewall uses shell features that aren't available
- in all shells. Before you upgrade to this version of Shorewall, you
- should download and run the 'shellcheck.sh' script from
- http://shorewall.net/pub/shorewall/misc.
-
 New Features:
 1) A 'newnotsyn' interface option has been added. This option may be