Allow bang range; relax OpenVPN source port restriction

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1621 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall2/changelog.txt

@@ -79,3 +79,5 @@ Changes since 2.0.3
 37) Fixed proxy arp flag setting for complex configurations.
 
 38) Added RETAIN_ALIASES option.
+
+39) Relax OpenVPN source port restrictions.

Shorewall2/firewall

@@ -527,7 +527,14 @@ source_ip_range() # $1 = Address or Address Range
 {
     case $1 in
 	*.*.*.*-*.*.*.*)
-	    iprange_echo "--src-range $1"
+	    case $1 in
+		!*)
+		    iprange_echo "! --src-range ${1#!}"
+		    ;;
+		*)
+		    iprange_echo "--src-range $1"
+		    ;;
+	    esac
 	    ;;
 	*)
 	    echo "-s $1"
@@ -542,7 +549,14 @@ dest_ip_range() # $1 = Address or Address Range
 {
     case $1 in
 	*.*.*.*-*.*.*.*)
-	    iprange_echo "--dst-range $1"
+	    case $1 in
+		!*)
+		    iprange_echo "! --dst-range ${1#!}"
+		    ;;
+		*)
+		    iprange_echo "--dst-range $1"
+		    ;;
+	    esac
 	    ;;
 	*)
 	    echo "-d $1"
@@ -1608,8 +1622,8 @@ setup_tunnels() # $1 = name of tunnels file
 		;;
 	esac
 
-	addrule $inchain  -p udp $(source_ip_range $1) --sport $p --dport $p -j ACCEPT
-	addrule $outchain -p udp $(dest_ip_range $1)   --sport $p --dport $p -j ACCEPT
+	addrule $inchain  -p udp $(source_ip_range $1) --dport $p -j ACCEPT
+	addrule $outchain -p udp $(dest_ip_range $1)   --dport $p -j ACCEPT
 
 	progress_message "   OPENVPN tunnel to $1:$p defined."
     }

Shorewall2/releasenotes.txt

@@ -406,7 +406,9 @@ New Features:
     changed.
 
 8)  To improve interoperability, tunnels of type 'ipsec' no longer
-    enforce the use of source port 500 for ISAKMP.
+    enforce the use of source port 500 for ISAKMP and OpenVPN 
+    tunnels no longer enforce use of the specified port as both the
+    source and destination ports.
 
 9)  A new 'allowBcast' builtin action has been added -- it silently
     allows broadcasts and multicasts.