diff --git a/Shorewall/firewall b/Shorewall/firewall index ffbd9832f..16e35d883 100755 --- a/Shorewall/firewall +++ b/Shorewall/firewall @@ -494,10 +494,17 @@ first_chains() #$1 = interface # find_hosts() # $1 = host zone { - local hosts + local hosts interface address addresses while read z hosts options; do - [ "x`expand $z`" = "x$1" ] && expandv hosts && echo `separate_list $hosts` + if [ "x`expand $z`" = "x$1" ]; then + expandv hosts + interface=${hosts%:*} + addresses=${hosts#*:} + for address in `separate_list $addresses`; do + echo $interface:$address + done + fi done < $TMP_DIR/hosts } @@ -635,18 +642,20 @@ validate_hosts_file() { r="$z $hosts $options" validate_zone $z || startup_error "Invalid zone ($z) in record \"$r\"" + interface=${hosts%:*} + + list_search $interface $all_interfaces || \ + startup_error "Unknown interface ($interface) in record \"$r\"" + + hosts=${hosts#*:} + for host in `separate_list $hosts`; do - interface=${host%:*} - - list_search $interface $all_interfaces || \ - startup_error "Unknown interface ($interface) in record \"$r\"" - for option in `separate_list $options`; do case $option in maclist|-) ;; routeback) - eval ${z}_routeback=\"$host \$${z}_routeback\" + eval ${z}_routeback=\"$interface:$host \$${z}_routeback\" ;; *) error_message "Warning: Invalid option ($option) in record \"$r\"" diff --git a/Shorewall/hosts b/Shorewall/hosts index c38ae4a2e..a60b16bee 100644 --- a/Shorewall/hosts +++ b/Shorewall/hosts @@ -20,7 +20,7 @@ # ZONE - The name of a zone defined in /etc/shorewall/zones # # HOST(S) - The name of an interface followed by a colon (":") and -# either: +# a comma-separated list whose elements are either: # # a) The IP address of a host # b) A subnetwork in the form @@ -33,6 +33,7 @@ # # eth1:192.168.1.3 # eth2:192.168.2.0/24 +# eth3:192.168.2.0/24,192.168.3.1 # # OPTIONS - A comma-separated list of options. Currently-defined # options are: 
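Review bot: In the new `find_hosts` body, `interface=${hosts%:*}` cuts at the last colon while `addresses=${hosts#*:}` cuts at the first, so the two expansions only agree when the entry holds exactly one colon. For a leftover old-style record such as `eth1:192.168.1.0/24,eth2:192.168.2.0/24` this yields `interface=eth1:192.168.1.0/24,eth2` and `addresses=192.168.2.0/24`, and the loop echoes the whole original entry back as a single item; for an entry with no colon both variables hold the bare string and `eth1:eth1` is emitted. The function does no checking of its own and so presumably relies on `validate_hosts_file` having rejected such records earlier; that assumption should be stated above the `if`, e.g. `# $hosts is <interface>:<addr>[,<addr>]... (single interface, checked in validate_hosts_file)`, and `interface=${hosts%%:*}` would make the split consistent with `${hosts#*:}` should a malformed entry ever get this far.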
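Review bot: The interface check moved to the top of this hunk never verifies that the record contains a colon: for `z eth1`, both `${hosts%:*}` and `${hosts#*:}` expand to `eth1`, the `list_search` lookup appears to accept it as a known interface, and the same string then flows through the `for host` loop as an address and into `${z}_routeback` as `eth1:eth1`. The old multi-interface form is only rejected indirectly, because `${hosts%:*}` leaves `eth1:192.168.1.0/24,eth2` in `interface` and the lookup fails with a misleading "Unknown interface" message rather than a migration hint. I would validate the shape of `$hosts` explicitly before the lookup so both cases get a precise error, as below. `validate_hosts_file` begins and ends outside this hunk.
```shell
validate_zone $z || startup_error "Invalid zone ($z) in record \"$r\""

# Exactly one "<interface>:" prefix is allowed (1.4.6 dropped the
# undocumented iface:addr,iface:addr form).
case $hosts in
    *:*:*) startup_error "Only one interface allowed per record \"$r\"" ;;
    *:*)   ;;
    *)     startup_error "Missing interface in record \"$r\"" ;;
esac

interface=${hosts%%:*}
# … unchanged: list_search / hosts=${hosts#*:} / option loop …
```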
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index 8288f28cc..3def75ac5 100755 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt @@ -14,6 +14,22 @@ Problems Corrected: 3) Corrected a problem in Beta 1 where DNS names containing a "-" were mis-handled when they appeared in the DEST column of a rule. +Migration Issues: + +1) In earlier versions, an undocumented feature allowed entries in + the host file as follows: + + z eth1:192.168.1.0/24,eth2:192.168.2.0/24 + + This capability was never documented and has been removed in 1.4.6 + to allow entries of the following format: + + z eth1:192.168.1.0/24,192.168.2.0/24 + +2) The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT options have been + removed from /etc/shorewall/shorewall.conf. These capabilities are + now automatically detected by Shorewall (see below). + New Features: 1) A 'newnotsyn' interface option has been added. This option may be @@ -118,6 +134,9 @@ New Features: construct an efficient set of rules that accept connections from a range of network addresses. + Note: If your shell only supports 32-bit signed arithmetic (ash or + dash) then the range may not span 128.0.0.0. + Example: [root@gateway root]# shorewall iprange 192.168.1.4-192.168.12.9 @@ -133,3 +152,10 @@ New Features: 192.168.12.0/29 192.168.12.8/31 [root@gateway root]# + +10) A list of host/net addresses is now allowed in an entry in + /etc/shorewall/hosts. + + Example: + + foo eth1:192.168.1.0/24,192.168.2.0/24