diff --git a/Shorewall-common/changelog.txt b/Shorewall-common/changelog.txt index f7352aa90..e9a058b3f 100644 --- a/Shorewall-common/changelog.txt +++ b/Shorewall-common/changelog.txt @@ -1,3 +1,7 @@ +Changes in 3.9.3 + +1) Apply Steven Springl's patch for port checking. + Changes in 3.9.2 1) Implement '-C {shell|perl}'. diff --git a/Shorewall-common/releasenotes.txt b/Shorewall-common/releasenotes.txt index 7427eb8a7..1fae06d9c 100644 --- a/Shorewall-common/releasenotes.txt +++ b/Shorewall-common/releasenotes.txt @@ -1,4 +1,4 @@ -Shorewall 3.9.2 +Shorewall 3.9.3 ---------------------------------------------------------------------------- R E L E A S E H I G H L I G H T S ---------------------------------------------------------------------------- 
@@ -15,75 +15,19 @@ Shorewall 3.9.2 You must install Shorewall and at least one of the compiler packages (you may install them both). -Problems corrected in Shorewall 3.9.2 +Problems corrected in Shorewall 3.9.3 -1) When the -e flag was passed to the compiler, the generated script - looked for the file /usr/share/shorewall/lib.base. This totally - broke Shorewall Lite. +1) If a rule specified a source or destination port of 0 for TCP or UDP it was + ignored. -2) The params file was being copied into the generated script - independent of the setting of EXPORTPARAMS. + The test for the presence of a source or destination port if the protocol is + not specified also ignored port 0. -3) The 'refresh' command no longer fails with an error - 'define_firewalll: not found'. + Patch courtesy of Steven Springl. -5) An wildcard interface in /etc/shorewall/hosts resulted in a - compilation error. +Other changes in Shorewall 3.9.3 - Example: - - vpn tun+:0.0.0.0/0 ipsec - -6) Non-calculated rates that specified a unit resulted in a - compilation error. Non-calculated rates are those that are not - calculated from 'full'. - - Example: - - eth1.100 1 24kbit full 2 default - ------ - -7) When shorewall-shell was not installed, 'shorewall stop' and - 'shorewall clear' failed with the diagnostic: - - ERROR: USE_ACTIONS=Yes requires the Shorewall Library actions - (/usr/share/shorewall-shell/lib.actions) which is not installed. - -8) When shorewall-shell was not installed, 'shorewall add' and - 'shorewall clear' failed with the diagnostic: - - ERROR: The add command requires the Shorewall library dynamiczones - (/usr/share/shorewall-shell/lib.dynamiczones) which is not - installed - - With shorewall-shell installed, 'shorewall add' failed with: - - ERROR: Only one firewall zone may be defined - -9) 'shorewall add' and 'shorewall delete' now work again. - -10) A syntax error in the lib.base Shell library has been corrected. 
- -11) When ROUTE_FILTER=Yes in shorewall.conf, Shorewall no longer clears - the rp_filter flag for all interfaces. - -12) When LOG_MARTIANS=Yes in shorewall.conf, Shorewall no longer clears - the log_martians flag for all interfaces. - -13) Thanks to Steven Springl, various problems with ICMP rules have - been corrected. - -Other changes in Shorewall 3.9.2 - -1) A LOCKFILE option has been added to shorewall.conf. This file is - used to serialize updates to the active firewall configuration. - - If not specified, the defaults are: - - Shorewall - /var/lib/shorewall/lock - Shorewall Lite - /var/lib/shorewall-lite/lock - -2) A new IPPserver macro has been added for CUPS print servers. +None. Migration Considerations: diff --git a/Shorewall-perl/Shorewall/Chains.pm b/Shorewall-perl/Shorewall/Chains.pm index 496af2fdd..36224332a 100644 --- a/Shorewall-perl/Shorewall/Chains.pm +++ b/Shorewall-perl/Shorewall/Chains.pm @@ -644,9 +644,9 @@ sub do_proto( $$$ ) if ( $proto ) { if ( $proto =~ /^(tcp|udp|6|17)$/i ) { $output = "-p $proto "; - if ( $ports ) { - my @ports = split /,/, $ports; - my $count = @ports; + my @ports = split /,/, $ports; + my $count = @ports; + if ( $count ) { if ( $count > 1 ) { fatal_error "Port list requires Multiport support in your kernel/iptables: $ports" unless $capabilities{MULTIPORT}; @@ -666,9 +666,9 @@ sub do_proto( $$$ ) } } - if ( $sports ) { - my @ports = split /,/, $sports; - my $count = @ports; + @ports = split /,/, $sports; + $count = @ports; + if ( $count ) { if ( $count > 1 ) { fatal_error "Port list requires Multiport support in your kernel/iptables: $sports" unless $capabilities{MULTIPORT}; 
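Review bot: The switch from `if ( $ports )` to `if ( $count )` in the tcp/udp branch (and the matching `$sports` change in the second hunk at @@ -666) is the whole fix, but nothing in the code says why, and a truthiness test is the obvious "simplification" a later maintainer will reintroduce; a comment above `my @ports = split /,/, $ports;` such as `# Test the element count, not $ports itself: port 0 is a valid port and a truthiness test would silently drop it, widening the rule` would pin the intent. The `split` now runs unconditionally, so if `$ports` or `$sports` can ever arrive as undef rather than '' it will emit an uninitialized-value warning on every rule without a port; the `ne ''` comparisons in the third hunk suggest they are always defined strings, but that is worth confirming at the call sites. As a point of style, the second hunk now reuses `@ports` and `$count` for the source-port list, so `$count > 1` there reads as if it still refers to destination ports; declaring `my @sports`/`my $scount` (or keeping a nested `my` inside the `if`) would make the two lists distinguishable. do_proto's declaration and the rest of its body lie outside these hunks.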
@@ -693,16 +693,17 @@ sub do_proto( $$$ )
 fatal_error 'Multiple ICMP types are not permitted' if $count > 1;
 $output .= "-p icmp ";
 $output .= "--icmp-type $ports " if $count;
- fatal_error 'SOURCE PORT(S) not permitted with ICMP' if $sports ne "";
+ fatal_error 'SOURCE PORT(S) not permitted with ICMP' if $sports ne '';
 } elsif ( $proto =~ /^(ipp2p(:(tcp|udp|all)))?$/i ) {
 require_capability( 'IPP2P' , 'PROTO = ipp2p' );
 $proto = $2 ? $3 : 'tcp';
 $ports = 'ipp2p' unless $ports;
 $output .= "-p $proto -m ipp2p --$ports ";
 } else {
+ fatal_error "SOURCE/DEST PORT(S) not allowed with PROTO $proto, rule \"$line\"" if $ports ne '' || $sports ne '';
 $output .= "-p $proto ";
 }
- } elsif ( $ports || $sports ) {
+ } elsif ( $ports ne '' || $sports ne '' ) {
 fatal_error "SOURCE/DEST PORT(S) not allowed without PROTO, rule \"$line\""
 }
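Review bot: The ICMP branch still emits `--icmp-type $ports` only `if $count`, and the `@ports`/`$count` setup it relies on is above this hunk; if that setup is still guarded by `if ( $ports )` as the tcp/udp code was before this patch, an ICMP type of 0 (echo-reply) is dropped the same way port 0 was, and the generated rule silently matches all ICMP rather than the type written. That is worth confirming while the port-0 handling is being fixed, since the effect is a broader-than-intended match rather than an error. The new `fatal_error` in the `else` branch correctly closes the remaining case where a port on a non-port protocol was discarded without diagnosis; a short comment on that line, `# A port given with a protocol that has none was previously ignored, producing a wider rule than written`, would record why it is fatal rather than a warning. Like the sibling `$sports ne ''` test, the new check assumes `$ports` and `$sports` are defined strings. do_proto begins before this hunk.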