Update for 2.1.8

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1612 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2004-09-08 20:47:23 +00:00 · 2004-09-08 20:47:23 +00:00 · 2ff3d930a6
commit 2ff3d930a6
parent 23364290ae
15 changed files with 260 additions and 143 deletions
--- a/LrpN/etc/shorewall/blacklist
+++ b/LrpN/etc/shorewall/blacklist
@ -1,5 +1,5 @@
 #
-# Shorewall 2.0 -- Blacklist File
+# Shorewall 2.1 -- Blacklist File
 #
 # /etc/shorewall/blacklist
 #
@ -7,7 +7,9 @@
 #
 # Columns are:
 #
-#	ADDRESS/SUBNET 	- Host address, subnetwork or MAC address
+#	ADDRESS/SUBNET 	- Host address, subnetwork, MAC address or IP address
 #			  range (if your kernel and iptables contain iprange
 #			  match support).
 #
 # 			  MAC addresses must be prefixed with "~" and use "-"
 #			  as a separator.
--- a/LrpN/etc/shorewall/ecn
+++ b/LrpN/etc/shorewall/ecn
@ -12,7 +12,9 @@
 #			  the firewall
 #	HOST(S)		- (Optional) Comma-separated list of IP/subnet
 #			  If left empty or supplied as "-",
-#			  0.0.0.0/0 is assumed.
+#			  0.0.0.0/0 is assumed. If your kernel and iptables
 #			  include iprange match support then IP address ranges
 #			  are also permitted.
 ##############################################################################
 #INTERFACE	HOST(S)
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
--- a/LrpN/etc/shorewall/hosts
+++ b/LrpN/etc/shorewall/hosts
@ -28,12 +28,15 @@
 #			a) The IP address of a host
 #			b) A subnetwork in the form
 #			   <subnet-address>/<mask width>
-#			c) A physical port name; only allowed when the
+#			c) An IP address range of the form <low address>-<high
 #			   address>. Your kernel and iptables must have iprange
 #			   match support.
 #			d) A physical port name; only allowed when the
 #			   interface names a bridge created by the
 #			   brctl addbr command. This port must not
 #			   be defined in /etc/shorewall/interfaces and may
 #			   optionally followed by a colon (":") and a
-#			   host or network IP.
+#			   host or network IP or a range.
 #			   See http://www.shorewall.net/Bridge.html for details.
 #
 #		  Examples:
@ -43,6 +46,7 @@
 #			eth3:192.168.2.0/24,192.168.3.1
 #			br0:eth4
 #			br0:eth0:192.168.1.16/28
 #			eth4:192.168.1.44-192.168.1.49
 #
 #	OPTIONS - A comma-separated list of options. Currently-defined
 #		  options are:
--- a/LrpN/etc/shorewall/maclist
+++ b/LrpN/etc/shorewall/maclist
@ -15,7 +15,9 @@
 #
 #	IP ADDRESSES	Optional -- if specified, both the MAC and IP address
 #			must match. This column can contain a comma-separated
-#			list of host and/or subnet addresses.
+#			list of host and/or subnet addresses. If your kernel
 #			and iptables have iprange match support then IP 
 #			address ranges are also allowed.
 ##############################################################################
 #INTERFACE	        MAC			IP ADDRESSES (Optional)
 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
--- a/LrpN/etc/shorewall/routestopped
+++ b/LrpN/etc/shorewall/routestopped
@ -12,6 +12,10 @@
 #	INTERFACE	- Interface through which host(s) communicate with
 #			  the firewall
 #	HOST(S)		- (Optional) Comma-separated list of IP/subnet
 #			  addresses. If your kernel and iptables include
 #			  iprange match support, IP address ranges are also
 #			  allowed.
 #
 #			  If left empty or supplied as "-",
 #			  0.0.0.0/0 is assumed.
 #	OPTIONS         - (Optional) A comma-separated list of
--- a/LrpN/etc/shorewall/rules
+++ b/LrpN/etc/shorewall/rules
@ -118,6 +118,10 @@
 #			address; mac addresses must begin with "~" and must use
 #			"-" as a separator.
 #
 #			Hosts may be specified as an IP address range using the
 #			syntax <low address>-<high address>. This requires that
 #			your kernel and iptables contain iprange match support.
 #
 #			dmz:192.168.2.2		Host 192.168.2.2 in the DMZ
 #
 #			net:155.186.235.0/24	Subnet 155.186.235.0/24 on the
@ -129,6 +133,10 @@
 #			loc:~00-A0-C9-15-39-78  Host in the local zone with
 #                                               MAC address 00:A0:C9:15:39:78.
 #
 #			net:192.0.2.11-192.0.2.17
 #						Hosts 192.0.2.11-192.0.2.17 in
 #						the net zone.
 #
 #			Alternatively, clients may be specified by interface
 #			by appending ":" to the zone name followed by the
 #			interface name. For example, loc:eth1 specifies a
@ -159,7 +167,7 @@
 #				3. You may not specify both an interface and
 #				   an address.
 #
-#			Unlike in the SOURCE column, you may specify a range of
+#			Like in the SOURCE column, you may specify a range of
 #			up to 256 IP addresses using the syntax
 #			<first ip>-<last ip>. When the ACTION is DNAT or DNAT-,
 #			the connections will be assigned to addresses in the
@ -237,14 +245,6 @@
 #			destination address in the connection request does not
 #			match any of the addresses listed.
 #
 #			The address (list) may optionally be followed by
 #			a colon (":") and a second IP address. This causes
 #			Shorewall to use the second IP address as the source
 #			address in forwarded packets. See the Shorewall
 #			documentation for restrictions concerning this feature.
 #			If no source IP address is given, the original source
 #			address is not altered.
 #
 #	RATE LIMIT	You may rate-limit the rule by placing a value in 
 #			this colume:
 # 
--- a/LrpN/etc/shorewall/tcrules
+++ b/LrpN/etc/shorewall/tcrules
@ -14,9 +14,8 @@
 # Columns are:
 #
 #
-#	MARK		The mark value which is an
+#	MARK/		a) A mark value which is a integer in the range 1-255
-#			integer in the range 1-255
+#       CLASSIFY
 #
 #			   May optionally be followed by ":P" or ":F"
 #			   where ":P" indicates that marking should occur in
 #			   the PREROUTING chain and ":F" indicates that marking
@ -25,9 +24,25 @@
 #			   determined by the setting of MARK_IN_FORWARD_CHAIN in
 #			   /etc/shorewall/shorewall.conf.
 #
 #			b) A classification of the form <major>:<minor> where
 #		    	   <major> and <minor> are integers. Corresponds to 
 #			   the 'class' specification in these traffic shaping
 #			   modules:
 #
 #				- atm
 #				- cbq
 #				- dsmark
 #				- pfifo_fast
 #				- htb
 #				- prio
 #
 #			   Marking always occurs in the POSTROUTING chain.
 #
 #	SOURCE 		Source of the packet. A comma-separated list of
 #			interface names, IP addresses, MAC addresses
-#			and/or subnets. Use $FW if the packet originates on
+#			and/or subnets. If your kernel and iptables include
 #			iprange match support, IP address ranges are also
 #			allowed. Use $FW if the packet originates on
 #			the firewall in which case the MARK column may NOT
 #			specify either ":P" or ":F" (marking always occurs
 #			in the OUTPUT chain).
@ -38,7 +53,9 @@
 #			Example: ~00-A0-C9-15-39-78
 #
 #	DEST		Destination of the packet. Comma separated list of
-#			IP addresses and/or subnets.
+#			IP addresses and/or subnets. If your kernel and 
 #			iptables include iprange match support, IP address
 #			ranges are also allowed.
 #
 #	PROTO		Protocol - Must be "tcp", "udp", "icmp", a number,
 #			or "all".
--- a/LrpN/etc/shorewall/tunnels
+++ b/LrpN/etc/shorewall/tunnels
@ -34,7 +34,10 @@
 #
 #	GATEWAY	    --	The IP address of the remote tunnel gateway. If the
 #			remote getway has no fixed address (Road Warrior)
-#			then specify the gateway as 0.0.0.0/0.
+#			then specify the gateway as 0.0.0.0/0. May be 
 #			specified as a network address and if your kernel and
 #			iptables include iprange match support then IP address
 #			ranges are also allowed.
 #
 #	GATEWAY
 #	ZONES --	Optional. If the gateway system specified in the third
--- a/LrpN/usr/share/shorewall/action.template
+++ b/LrpN/usr/share/shorewall/action.template
@ -65,6 +65,10 @@
 #
 #			155.186.235.0/24	Subnet 155.186.235.0/24
 #
 #			10.0.0.4-10.0.0.9	Range of IP addresses; your
 #						kernel and iptables must have
 #						iprange match support. 
 #
 #			192.168.1.1,192.168.1.2
 #						Hosts 192.168.1.1 and
 #						192.168.1.2.
@ -81,10 +85,6 @@
 #	DEST		Location of Server. Same as above with the exception that
 #			MAC addresses are not allowed.
 #
 #			Unlike in the SOURCE column, you may specify a range of
 #			up to 256 IP addresses using the syntax
 #			<first ip>-<last ip>.
 #
 #	PROTO		Protocol - Must be "tcp", "udp", "icmp", a number, or
 #			"all".
 #
@ -159,6 +159,6 @@
 #					#of the 'kids' group
 #
 ######################################################################################
-#TARGET  SOURCE		DEST      	PROTO	DEST		SOURCE	   RATE
+#TARGET  SOURCE		DEST      	PROTO	DEST		SOURCE	   RATE		USER/
-#                       	        	PORT		PORT(S)    LIMIT
+#                       	        	PORT		PORT(S)    LIMIT	GROUP
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
--- a/LrpN/usr/share/shorewall/bogons
+++ b/LrpN/usr/share/shorewall/bogons
@ -14,7 +14,9 @@
 #
 # Columns are:
 #
-# 	SUBNET		The subnet (host addresses also allowed)
+# 	SUBNET		The subnet (host addresses also allowed as are IP
 #			address ranges provided that your kernel and iptables
 #			include iprange match support).
 #	TARGET		Where to send packets to/from this subnet
 #			RETURN	- let the packet be processed normally
 #			DROP	- silently drop the packet
--- a/LrpN/usr/share/shorewall/firewall
+++ b/LrpN/usr/share/shorewall/firewall
@ -507,6 +507,36 @@ first_chains() #$1 = interface
   echo ${c}_fwd ${c}_in
 }
 #
 # Source IP range
 #
 source_ip_range() # $1 = Address or Address Range
 {
    case $1 in
 	*.*.*.*-*.*.*.*)
 	    echo "-m iprange --src-range $1"
 	    ;;
 	*)
 	    echo "-s $1"
 	    ;;
    esac
 }
 #
 # Destination IP range
 #
 dest_ip_range() # $1 = Address or Address Range
 {
    case $1 in
 	*.*.*.*-*.*.*.*)
 	    echo "-m iprange --dst-range $1"
 	    ;;
 	*)
 	    echo "-d $1"
 	    ;;
    esac
 }
 #
 # Horrible hack to work around an iptables bug
 #
@ -529,17 +559,17 @@ match_source_hosts()
    if [ -n "$BRIDGING" ]; then
 	case $1 in
 	    *:*)
-		physdev_echo "--physdev-in ${1%:*} -s ${1#*:}"
+		physdev_echo "--physdev-in ${1%:*} $(source_ip_range ${1#*:})"
 		;;
 	    *.*.*.*)
-		echo -s $1
+		echo $(source_ip_range $1)
 		;;
 	    *)
 		physdev_echo "--physdev-in $1"
 		;;
 	esac
    else
-	echo -s $1
+	echo $(source_ip_range $1)
    fi
 }
@ -548,17 +578,17 @@ match_dest_hosts()
    if [ -n "$BRIDGING" ]; then
 	case $1 in
 	    *:*)
-		physdev_echo "--physdev-out ${1%:*} -d ${1#*:}"
+		physdev_echo "--physdev-out ${1%:*} $(dest_ip_range ${1#*:})"
 		;;
 	    *.*.*.*)
-		echo -d $1
+		echo $(dest_ip_range $1)
 		;;
 	    *)
 		physdev_echo "--physdev-out $1"
 		;;
 	esac
    else
-	echo -d $1
+	echo $(dest_ip_range $1)
    fi
 }
@ -638,6 +668,15 @@ match_ipsec_out() # $1 = zone, $2 = host
    fi
 }
 #
 # Jacket for ip_range() that takes care of iprange match
 #
 firewall_ip_range() # $1 = IP address or range
 {
    [ -n "$IPRANGE_MATCH" ] && echo $1 || ip_range $1
 }
 #
 #
 # Find hosts in a given zone
@ -1352,7 +1391,7 @@ stop_firewall() {
 			else
 			    routeback=Yes
 			    for h in $(separate_list $host); do
-				iptables -A FORWARD -i $interface -s $h -o $interface -d $h -j ACCEPT
+				iptables -A FORWARD -i $interface -s $h -o $interface $(dest_ip_range $h) -j ACCEPT
 			    done
 			fi
 			;;
@ -1370,10 +1409,10 @@ stop_firewall() {
 	networks=${host#*:}
 	iptables -A INPUT  -i $interface -s $networks -j ACCEPT
 	[ -z "$ADMINISABSENTMINDED" ] && \
-	    iptables -A OUTPUT -o $interface -d $networks -j ACCEPT
+	    iptables -A OUTPUT -o $interface $(dest_ip_range $networks) -j ACCEPT
 	for host1 in $hosts; do
-	    [ "$host" != "$host1" ] && iptables -A FORWARD -i $interface -s $networks -o ${host1%:*} -d ${host1#*:} -j ACCEPT
+	    [ "$host" != "$host1" ] && iptables -A FORWARD -i $interface -s $networks -o ${host1%:*} $(dest_ip_range ${host1#*:}) -j ACCEPT
 	done
    done
@ -1472,11 +1511,11 @@ setup_tunnels() # $1 = name of tunnels file
 	[ $kind = IPSEC ] && kind=ipsec
 	options="-m state --state NEW -j ACCEPT"
-	addrule $inchain	  -p 50	 -s $1 -j ACCEPT
+	addrule $inchain	  -p 50	 $(source_ip_range $1) -j ACCEPT
-	addrule $outchain	  -p 50	 -d $1 -j ACCEPT
+	addrule $outchain	  -p 50	 $(dest_ip_range $1)   -j ACCEPT
 	if [ -z "$noah" ]; then
-	    run_iptables -A $inchain  -p 51	 -s $1 -j ACCEPT
+	    run_iptables -A $inchain  -p 51 $(source_ip_range $1) -j ACCEPT
-	    run_iptables -A $outchain -p 51	 -d $1 -j ACCEPT
+	    run_iptables -A $outchain -p 51 $(dest_ip_range $1)   -j ACCEPT
 	fi
 	run_iptables -A $outchain -p udp -d $1 --dport 500 $options
@ -1507,17 +1546,17 @@ setup_tunnels() # $1 = name of tunnels file
    setup_one_other() # $1 = TYPE, $2 = gateway, $3 = protocol
    {
-	addrule $inchain  -p $3 -s $2 -j ACCEPT
+	addrule $inchain  -p $3 $(source_ip_range $2) -j ACCEPT
-	addrule $outchain -p $3 -d $2 -j ACCEPT
+	addrule $outchain -p $3 $(dest_ip_range $2) -j ACCEPT
 	progress_message "   $1 tunnel to $2 defined."
    }
    setup_pptp_client() # $1 = gateway
    {
-	addrule $outchain -p 47               -d $1 -j ACCEPT
+	addrule $outchain -p 47               $(dest_ip_range $1) -j ACCEPT
 	addrule $inchain  -p 47                                   -j ACCEPT
-	addrule $outchain -p tcp --dport 1723 -d $1 -j ACCEPT
+	addrule $outchain -p tcp --dport 1723 $(dest_ip_range $1) -j ACCEPT
 	progress_message "   PPTP tunnel to $1 defined."
    }
@ -1542,8 +1581,8 @@ setup_tunnels() # $1 = name of tunnels file
 		;;
 	esac
-	addrule $inchain  -p udp -s $1 --sport $p --dport $p -j ACCEPT
+	addrule $inchain  -p udp $(source_ip_range $1) --sport $p --dport $p -j ACCEPT
-	addrule $outchain -p udp -d $1 --sport $p --dport $p -j ACCEPT
+	addrule $outchain -p udp $(dest_ip_range $1)   --sport $p --dport $p -j ACCEPT
 	progress_message "   OPENVPN tunnel to $1:$p defined."
    }
@ -1570,8 +1609,8 @@ setup_tunnels() # $1 = name of tunnels file
 	p=${p:+--dport $p}
-	addrule $inchain  -p $protocol -s $1 $p -j ACCEPT
+	addrule $inchain  -p $protocol $(source_ip_range $1) $p -j ACCEPT
-	addrule $outchain -p $protocol -d $1 $p -j ACCEPT
+	addrule $outchain -p $protocol $(dest_ip_range $1)   $p -j ACCEPT
 	for z in $(separate_list $3); do
 	    if validate_zone $z; then
@ -1967,7 +2006,7 @@ delete_proxy_arp() {
 # Setup Static Network Address Translation (NAT)
 #
 setup_nat() {
-    local external= interface= internal= allints= localnat=
+    local external= interface= internal= allints= localnat= policyin= policyout=
    validate_one() #1 = Variable Name, $2 = Column name, $3 = value 
    {
@ -2005,15 +2044,15 @@ setup_nat() {
 	validate_one localnat "LOCAL"          $localnat
 	if [ -n "$allints" ]; then
-	    addnatrule nat_in  -d $external -j DNAT --to-destination $internal
+	    addnatrule nat_in  -d $external $policyin  -j DNAT --to-destination $internal
-	    addnatrule nat_out -s $internal -j SNAT --to-source $external
+	    addnatrule nat_out -s $internal $policyout -j SNAT --to-source $external
 	else
-	    addnatrule $(input_chain $iface) -d $external -j DNAT --to-destination $internal
+	    addnatrule $(input_chain $iface)  -d $external $policyin  -j DNAT --to-destination $internal
-	    addnatrule $(output_chain $iface) -s $internal -j SNAT --to-source $external
+	    addnatrule $(output_chain $iface) -s $internal $policyout -j SNAT --to-source $external
 	fi
 	[ -n "$localnat" ] && \
-	    run_iptables2 -t nat -A OUTPUT -d $external -j DNAT --to-destination $internal
+	    run_iptables2 -t nat -A OUTPUT -d $external $policyout -j DNAT --to-destination $internal
 	if [ -n "$add_ip_aliases" ]; then
 	    list_search $external $aliases_to_add || \
@ -2025,6 +2064,11 @@ setup_nat() {
    #
    > ${STATEDIR}/nat
    if [ -n "$POLICY_MATCH" ]; then
 	policyin="-m policy --pol none --dir in"
 	policyout="-m policy --pol none --dir out"
    fi
    save_progress_message "Restoring one-to-one NAT..."
    while read external interface internal allints localnat; do
@ -2124,19 +2168,26 @@ setup_ecn() # $1 = file name
 	for host in $hosts; do
 	    interface=${host%:*}
 	    h=${host#*:}
-	    run_iptables -t mangle -A $(ecn_chain $interface) -p tcp -d $h -j ECN --ecn-tcp-remove
+	    run_iptables -t mangle -A $(ecn_chain $interface) -p tcp $(dest_ip_range $h) -j ECN --ecn-tcp-remove
 	    progress_message "   ECN Disabled to $h through $interface"
 	done
    fi
 }
 #
-# Process a TC Rule - $marking_chain is assumed to contain the name of the
+# Process a TC Rule - $MARKING_CHAIN is assumed to contain the name of the
 #                     default marking chain
 #
 process_tc_rule()
 {
-    chain=$marking_chain
+    chain=$MARKING_CHAIN
    verify_designator() {
 	[ "$chain" = tcout ] && \
 	    fatal_error "Chain designator not allowed when source is \$FW; rule \"$rule\""
 	chain=$1
 	mark="${mark%:*}"
    }
    add_a_tc_rule() {
 	r=
@ -2179,33 +2230,37 @@ process_tc_rule()
 	    esac
 	fi
-	[ "x$dest"   = "x-"  ] || r="${r}-d $dest "
+	[ "x$dest"   = "x-"  ] || r="${r}$(dest_ip_range $dest) "
 	[ "x$proto"  = "x-"  ] && proto=all
 	[ "x$proto"  = "x"   ] && proto=all
 	[ "$proto"   = "all" ] || r="${r}-p $proto "
 	[ "x$port"   = "x-"  ] || r="${r}--dport $port "
 	[ "x$sport"  = "x-"  ] || r="${r}--sport $sport "
 	case $chain in
 	    tcpost)
 		run_iptables2 -t mangle -A tcpost $r -j CLASSIFY --set-class $mark
 		;;
 	    *)
 		run_iptables2 -t mangle -A $chain $r -j MARK --set-mark $mark
 		;;
 	esac
    }
    if [ "$mark" != "${mark%:*}" ]; then
 	[ "$chain" = tcout ] && \
 	    fatal_error "Chain designator not allowed when source is \$FW; rule \"$rule\""
 	case "${mark#*:}" in
 	    p|P)
-		chain=tcpre
+		verify_designator tcpre
 		;;
 	    f|F)
-		chain=tcfor
+		verify_designator tcfor
 		;;
 	    *)
-		fatal_error "Invalid chain designator: (${mark#*:}) in rule \"$rule\""
+		chain=tcpost
 		;;
 	esac
 	mark="${mark%:*}"
    fi
    for source in $(separate_list ${sources:=-}); do
@ -2232,6 +2287,7 @@ setup_tc1() {
    run_iptables -t mangle -N tcpre
    run_iptables -t mangle -N tcfor
    run_iptables -t mangle -N tcout
    run_iptables -t mangle -N tcpost
    #
    # Process the TC Rules File
    #
@ -2249,6 +2305,7 @@ setup_tc1() {
    run_iptables -t mangle -A FORWARD     -j tcfor
    run_iptables -t mangle -A PREROUTING  -j tcpre
    run_iptables -t mangle -A OUTPUT      -j tcout
    run_iptables -t mangle -A POSTROUTING -j tcpost
    run_user_exit tcstart
@ -2367,10 +2424,10 @@ process_accounting_rule() {
    [ -n "$dest" ] && case $dest in
 	*:*)
 	    accounting_interface_verify ${dest%:*}
-	    rule="$rule -d ${dest#*:} $(match_dest_dev ${dest%:*})"
+	    rule="$rule $(dest_ip_range ${dest#*:}) $(match_dest_dev ${dest%:*})"
 	    ;;
 	*.*.*.*)
-	    rule="$rule -d $dest"
+	    rule="$rule $(dest_ip_range $dest)"
 	    ;;
 	-|all|any)
 	    ;;
@ -2501,6 +2558,10 @@ check_config() {
    verify_os_version
    if [ -n "$BRIDGING" ]; then
 	[ -n "$PHYSDEV_MATCH" ] || startup_error "BRIDGING=Yes requires Physdev Match support in your Kernel and iptables"
    fi
    echo "Determining Zones..."
    determine_zones
@ -2730,14 +2791,14 @@ add_an_action()
    if [ $COMMAND != check ]; then
       if [ -n "${serv}" ]; then
 	    for serv1 in $(separate_list $serv); do
-		for srv in $(ip_range $serv1); do
+		for srv in $(firewall_ip_range $serv1); do
 		    if [ -n "$loglevel" ]; then
 			log_rule_limit $loglevel $chain $action $logtarget "$ratelimit" "$logtag" $userandgroup \
-			    $(fix_bang $proto $sports $multiport $cli -d $srv $dports)
+			    $(fix_bang $proto $sports $multiport $cli $(source_ip_range $srv) $dports)
 		    fi
 		    run_iptables2 -A $chain $proto $multiport $cli $sports \
-			-d $srv $dports $ratelimit $userandgroup -j $target
+			$(dest_ip_range $srv) $dports $ratelimit $userandgroup -j $target
 		done
 	    done
 	else
@ -3465,11 +3526,11 @@ add_nat_rule() {
 		createnatchain $chain
 		for adr in $(separate_list $addr); do
-		    run_iptables2 -t nat -A OUTPUT $cli $proto $userandgroup $multiport $sports $dports -d $adr -j $chain
+		    run_iptables2 -t nat -A OUTPUT $cli $proto $userandgroup $multiport $sports $dports $(dest_ip_range $adr) -j $chain
 		done
 		for adr in $excludedests; do
-		    addnatrule $chain -d $adr -j RETURN
+		    addnatrule $chain $(dest_ip_range $adr) -j RETURN
 		done
 		if [ -n "$loglevel" ]; then
@ -3481,10 +3542,10 @@ add_nat_rule() {
 		for adr in $(separate_list $addr); do
 		    if [ -n "$loglevel" ]; then
 			log_rule_limit $loglevel OUTPUT OUTPUT $logtarget "$ratelimit" "$logtag" -t nat \
-			    $(fix_bang $proto $cli $sports $userandgroup -d $adr $multiport $dports)
+			    $(fix_bang $proto $cli $sports $userandgroup $(dest_ip_range $adr) $multiport $dports)
 		    fi
-		    run_iptables2 -t nat -A OUTPUT $ratelimit $proto $sports $userandgroup -d $adr $multiport $dports -j $target1
+		    run_iptables2 -t nat -A OUTPUT $ratelimit $proto $sports $userandgroup $(dest_ip_range $adr) $multiport $dports -j $target1
 		done
 	    fi
 	else
@ -3496,7 +3557,7 @@ add_nat_rule() {
 		createnatchain $chain
 		for adr in $(separate_list $addr); do
-		    addnatrule $(dnat_chain $source) $cli $proto $multiport $sports $dports -d $adr -j $chain
+		    addnatrule $(dnat_chain $source) $cli $proto $multiport $sports $dports $(dest_ip_range $adr) -j $chain
 		done
 		for z in $(separate_list $excludezones); do
@ -3507,7 +3568,7 @@ add_nat_rule() {
 		done
 		for adr in $excludedests; do
-		    addnatrule $chain -d $adr -j RETURN
+		    addnatrule $chain $(dest_ip_range $adr) -j RETURN
 		done
 		if [ -n "$loglevel" ]; then
@ -3520,7 +3581,7 @@ add_nat_rule() {
 		    if [ -n "$loglevel" ]; then
 			ensurenatchain $chain
 			log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" -t nat \
-			    $(fix_bang $proto $cli $sports -d $adr $multiport $dports)
+			    $(fix_bang $proto $cli $sports $(dest_ip_range $adr) $multiport $dports)
 		    fi
 		    addnatrule $chain $proto $ratelimit $cli $sports \
@ -3607,10 +3668,10 @@ add_a_rule()
 	;;
    *:*)
 	rule_interface_verify ${client%:*}
-	cli="$(match_source_dev ${client%:*}) -s ${client#*:}"
+	cli="$(match_source_dev ${client%:*}) $(source_ip_range ${client#*:})"
 	;;
    *.*.*)
-	cli="-s $client"
+	cli="$(source_ip_range $client)"
 	;;
    ~*)
 	cli=$(mac_match $client)
@ -3723,30 +3784,30 @@ add_a_rule()
 	    if [ -z "$dnat_only" ]; then
 		if [ -n "$serv" ]; then
 		    for serv1 in $(separate_list $serv); do
-			for srv in $(ip_range $serv1); do
+			for srv in $(firewall_ip_range $serv1); do
 			    if [ -n "$addr" -a -n "$CONNTRACK_MATCH" ]; then
 				for adr in $(separate_list $addr); do
 				    if [ -n "$loglevel" -a -z "$natrule" ]; then
 					log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" -m conntrack --ctorigdst $adr \
-					    $userandgroup $(fix_bang $proto $sports $multiport $cli -d $srv $dports)
+					    $userandgroup $(fix_bang $proto $sports $multiport $cli $(dest_ip_range $srv) $dports)
 				    fi
 				    run_iptables2 -A $chain $proto $ratelimit $multiport $cli $sports \
-					-d $srv $dports -m conntrack --ctorigdst $adr $userandgroup -j $target
+					$(dest_ip_range $srv) $dports -m conntrack --ctorigdst $adr $userandgroup -j $target
 				done
 			    else
 				if [ -n "$loglevel" -a -z "$natrule" ]; then
 				    log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" $userandgroup \
-					$(fix_bang $proto $sports $multiport $cli -d $srv $dports)
+					$(fix_bang $proto $sports $multiport $cli $(dest_ip_range $srv) $dports)
 				fi
 				[ -n "$nonat" ] && \
 				    addnatrule $(dnat_chain $source) $proto $multiport \
-				        $cli $sports -d $srv $dports $ratelimit $userandgroup -j RETURN
+				        $cli $sports $(dest_ip_range $srv) $dports $ratelimit $userandgroup -j RETURN
 				[ "$logtarget" != NONAT ] && \
 				    run_iptables2 -A $chain $proto $multiport $cli $sports \
-					-d $srv $dports $ratelimit $userandgroup -j $target
+					$(dest_ip_range $srv) $dports $ratelimit $userandgroup -j $target
 			    fi
 			done
 		    done
@ -3848,10 +3909,10 @@ process_rule() # $1 = target
 	    expandv logtag
 	fi
-	if [ $loglevel = none ]; then
+	if [ "$loglevel" = none ]; then
 	    [ "$target" = LOG ] && return
 	    loglevel=
 	    logtag=
 	    [ $target = LOG ] && return
 	fi
 	loglevel=${loglevel%\!}	
@ -4219,7 +4280,7 @@ process_tos_rule() {
 	    #
 	    # IP Address or networks
 	    #
-	    src="-s $src"
+	    src="$(source_ip_range $src)"
 	    ;;
 	~*)
 	    src=$(mac_match $src)
@ -4316,7 +4377,7 @@ process_tos_rule() {
    esac
    for dest in $dst; do
-	dest="-d $dest"
+	dest="$(dest_ip_range $dest)"
 	case $srczone in
 	$FW)
@ -4778,12 +4839,12 @@ setup_masq()
 		destnets=${destnets#!}
 		for destnet in $(separate_list $destnets); do
-		    addnatrule $newchain -d $destnet -j RETURN
+		    addnatrule $newchain $(dest_ip_range $destnet) -j RETURN
 		done
 		if [ -n "$networks" ]; then
 		    for s in $networks; do
-			addnatrule $chain -s $s $proto $ports $policy -j $newchain
+			addnatrule $chain $(source_ip_range $s) $proto $ports $policy -j $newchain
 		    done
 		    networks=
 		else
@ -4799,7 +4860,7 @@ setup_masq()
 		if [ -n "$nomasq" ]; then
 		    for addr in $(separate_list $nomasq); do
-			addnatrule $chain -s $addr -j RETURN
+			addnatrule $chain $(source_ip_range $addr) -j RETURN
 		    done
 		    source="$source except $nomasq"
 		fi
@ -4812,12 +4873,12 @@ setup_masq()
 		    if [ -n "$networks" ]; then
 			for s in $networks; do
 			    for destnet in $(separate_list $destnets); do
-				addnatrule $chain -d $destnet -s $s $proto $ports -j $newchain
+				addnatrule $chain $(dest_ip_range $destnet) $(source_ip_range $s) $proto $ports -j $newchain
 			    done
 			done
 		    else
 			for destnet in $(separate_list $destnets); do
-			    addnatrule $chain -d $destnet $proto $ports $policy -j $newchain
+			    addnatrule $chain $(dest_ip_range $destnet) $proto $ports $policy -j $newchain
 			done
 		    fi
@ -4830,7 +4891,7 @@ setup_masq()
 		    policy=
 		    for addr in $(separate_list $nomasq); do
-			addnatrule $chain -s $addr -j RETURN
+			addnatrule $chain $(source_ip_range $addr) -j RETURN
 		    done
 		    source="$source except $nomasq"
@ -4858,7 +4919,7 @@ setup_masq()
 	if [ -n "$networks" ]; then
 	    for network in $networks; do
 		for destnet in $(separate_list $destnets); do
-		    addnatrule $chain -s $network -d $destnet $proto $ports $policy -j $target $addrlist
+		    addnatrule $chain $(source_ip_range $network) $(dest_ip_range $destnet) $proto $ports $policy -j $target $addrlist
 		done
 		if [ -n "$addresses" ]; then
@ -4869,7 +4930,7 @@ setup_masq()
 	    done
 	else
 	    for destnet in $(separate_list $destnets); do
-		addnatrule $chain -d $destnet $proto $ports $policy -j $target $addrlist
+		addnatrule $chain $(dest_ip_range $destnet) $proto $ports $policy -j $target $addrlist
 	    done
 	    if [ -n "$addresses" ]; then
@ -4927,7 +4988,7 @@ process_blacklist_rec() {
 	    source="--match mac --mac-source $addr"
 	    ;;
 	*)
-	    source="-s $addr"
+	    source="$(source_ip_range $addr)"
 	    ;;
 	esac
@ -5185,12 +5246,15 @@ determine_capabilities() {
    CONNTRACK_MATCH=
    MULTIPORT=
    POLICY_MATCH=
    PHYSDEV_MATCH=
    IPRANGE_MATCH=
    if qt iptables -N fooX1234 ; then
 	qt iptables -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT             && CONNTRACK_MATCH=Yes
        qt iptables -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT               && MULTIPORT=Yes
 	qt iptables -A fooX1234 -m policy --pol ipsec --dir in -j ACCEPT                   && POLICY_MATCH=Yes
-	
+	qt iptables -A fooX1234 -m physdev --physdev-in eth0 -j ACCEPT                     && PHYSDEV_MATCH=Yes
 	qt iptables -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT && IPRANGE_MATCH=Yes
 	qt iptables -F fooX1234
 	qt iptables -X fooX1234
@ -5223,6 +5287,8 @@ report_capabilities() {
    report_capability $CONNTRACK_MATCH "Connection Tracking Match"
    report_capability $PKTTYPE "Packet Type Match"
    report_capability $POLICY_MATCH "Policy Match"
    report_capability $PHYSDEV_MATCH "Physdev Match"
    report_capability $IPRANGE_MATCH "IP range Match"
 }
 #
@ -5237,6 +5303,10 @@ initialize_netfilter () {
    report_capabilities
    if [ -n "$BRIDGING" ]; then
 	[ -n "$PHYSDEV_MATCH" ] || startup_error "BRIDGING=Yes requires Physdev Match support in your Kernel and iptables"
    fi
    echo "Determining Zones..."
    determine_zones
@ -5369,7 +5439,7 @@ initialize_netfilter () {
 	    while read target ignore1 ignore2 address rest; do
 		case $target in
 		    DROP|reject)
-			run_iptables2 -A dynamic -s $address -j $target
+			run_iptables2 -A dynamic $(source_ip_range $address) -j $target
 			;;
 		    *)
 			;;
@ -5408,7 +5478,7 @@ add_common_rules() {
    #
    for address in $broadcasts ; do
 	[ -n "$SMURF_LOG_LEVEL" ] && log_rule $SMURF_LOG_LEVEL smurfs DROP -s $address
-	run_iptables -A smurfs -s $address -j DROP
+	run_iptables -A smurfs $(source_ip_range $address) -j DROP
    done
    #
    # Reject Rules -- Don't respond to broadcasts with an ICMP
@ -5551,7 +5621,7 @@ add_common_rules() {
 		    ;;
 	    esac
-	    run_iptables2 -A norfc1918 -s $networks -j $target
+	    run_iptables2 -A norfc1918 $(source_ip_range $networks) -j $target
 	    if [ -n "$CONNTRACK_MATCH" ]; then
 		#
@ -5563,7 +5633,7 @@ add_common_rules() {
 		# No connection tracking match but we have mangling -- add a rule to
 		# the mangle table
 		#
-		run_iptables2 -t mangle -A man1918 -d $networks -j $target
+		run_iptables2 -t mangle -A man1918 $(dest_ip_range $networks) -j $target
 	    fi
 	done < $TMP_DIR/rfc1918
@ -5612,7 +5682,7 @@ add_common_rules() {
 		    ;;
 	    esac
-	    run_iptables2 -A nobogons -s $networks -j $target
+	    run_iptables2 -A nobogons $(source_ip_range $networks) -j $target
 	done < $TMP_DIR/bogons
@ -6328,7 +6398,7 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
    chain=${zone}_dnat
    if nat_chain_exists $chain; then
-	do_iptables -t nat -A $(dynamic_in $interface) -s $host $policyin -j $chain
+	do_iptables -t nat -A $(dynamic_in $interface) $(source_ip_range $host) $policyin -j $chain
    fi
    #
    # Insert new rules into the filter table for the passed interface
@ -6336,7 +6406,7 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
    while read z1 z2 chain; do
 	if [ "$z1" = "$zone" ]; then
 	    if [ "$z2" = "$FW" ]; then
-		do_iptables -A $(dynamic_in $interface) -s $host $policyin -j $chain
+		do_iptables -A $(dynamic_in $interface) $(source_ip_range $host) $policyin -j $chain
 	    else
 		source_chain=$(dynamic_fwd $interface)
 		eval dest_hosts=\"\$${z2}_hosts\"
@ -6346,7 +6416,7 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
 		    hosts=${h#*:}
 		    if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
-			do_iptables -A $source_chain -s $host -o $iface $(match_dest_hosts $hosts) $policyout -j $chain
+			do_iptables -A $source_chain $(source_ip_range $host) -o $iface $(match_dest_hosts $hosts) $policyout -j $chain
 		    fi
 		done
 	    fi
@ -6355,7 +6425,7 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
 		#
 		# Add a rule to the dynamic out chain for the interface
 		#
-		do_iptables -A $(dynamic_out $interface) -d $host $policyout -j $chain
+		do_iptables -A $(dynamic_out $interface) $(dest_ip_range $host) $policyout -j $chain
 	    else
 		eval source_hosts=\"\$${z1}_hosts\"
@ -6364,7 +6434,7 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
 		    hosts=${h#*:}
 		    if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
-			do_iptables -A $(dynamic_fwd $iface) $rulenum $(match_source_hosts $hosts) -o $interface -d $host $policyout -j $chain
+			do_iptables -A $(dynamic_fwd $iface) $rulenum $(match_source_hosts $hosts) -o $interface $(dest_ip_range $host) $policyout -j $chain
 		    fi
 		done
 	    fi
@ -6479,14 +6549,14 @@ delete_from_zone() # $1 = <interface>[:<hosts>] $2 = zone
    #
    # Delete any nat table entries for the host(s)
    #
-    qt iptables -t nat -D $(dynamic_in $interface) -s $host $policyin -j ${zone}_dnat
+    qt iptables -t nat -D $(dynamic_in $interface) $(source_ip_range $host) $policyin -j ${zone}_dnat
    #
    # Delete rules rules the input chains for the passed interface
    #
    while read z1 z2 chain; do
 	if [ "$z1" = "$zone" ]; then
 	    if [ "$z2" = "$FW" ]; then
-		qt iptables -D $(dynamic_in $interface) -s $host $policyin -j $chain
+		qt iptables -D $(dynamic_in $interface) $(source_ip_range $host) $policyin -j $chain
 	    else
 		source_chain=$(dynamic_fwd $interface)
 		eval dest_hosts=\"\$${z2}_hosts\"
@ -6496,13 +6566,13 @@ delete_from_zone() # $1 = <interface>[:<hosts>] $2 = zone
 		    hosts=${h#*:}
 		    if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
-			qt iptables -D $source_chain -s $host -o $iface $(match_dest_hosts $hosts) $policyout -j $chain
+			qt iptables -D $source_chain $(source_ip_range $host) -o $iface $(match_dest_hosts $hosts) $policyout -j $chain
 		    fi
 		done
 	    fi
 	elif [ "$z2" = "$zone" ]; then
 	    if [ "$z1" = "$FW" ]; then
-		qt iptables -D $(dynamic_out $interface) -d $host $policyout -j $chain
+		qt iptables -D $(dynamic_out $interface) $(dest_ip_range $host) $policyout -j $chain
 	    else
 		eval source_hosts=\"\$${z1}_hosts\"
@ -6511,7 +6581,7 @@ delete_from_zone() # $1 = <interface>[:<hosts>] $2 = zone
 		    hosts=${h#*:}
 		    if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
-			qt iptables -D $(dynamic_fwd $iface) $(match_source_hosts $hosts) -o $interface -d $host $policyout -j $chain
+			qt iptables -D $(dynamic_fwd $iface) $(match_source_hosts $hosts) -o $interface $(dest_ip_range $host) $policyout -j $chain
 		    fi
 		done
 	    fi
@ -6773,7 +6843,7 @@ do_initialize() {
    [ -z "$BOGON_LOG_LEVEL" ]   && BOGON_LOG_LEVEL=info
    MARK_IN_FORWARD_CHAIN=$(added_param_value_no MARK_IN_FORWARD_CHAIN $MARK_IN_FORWARD_CHAIN)
-    [ -n "$MARK_IN_FORWARD_CHAIN" ] && marking_chain=tcfor || marking_chain=tcpre
+    [ -n "$MARK_IN_FORWARD_CHAIN" ] && MARKING_CHAIN=tcfor || MARKING_CHAIN=tcpre
    if [ -n "$TC_ENABLED" ]; then
 	CLEAR_TC=$(added_param_value_yes CLEAR_TC $CLEAR_TC)
    else
--- a/LrpN/usr/share/shorewall/functions
+++ b/LrpN/usr/share/shorewall/functions
@ -547,6 +547,13 @@ ip_range() {
    local first last l x y z vlsm
    case $1 in
 	!*)
 	    #
 	    # Let iptables complain if it's a range
 	    #
 	    echo $1
 	    return
 	    ;;
 	[0-9]*.*.*.*-*.*.*.*)
            ;;
 	*)
--- a/LrpN/usr/share/shorewall/help
+++ b/LrpN/usr/share/shorewall/help
@ -46,7 +46,9 @@ add)
 address|host)
        echo "<$1>: 
    May be either a host IP address such as 192.168.1.4 or a network address in
-    CIDR format like 192.168.1.0/24"
+    CIDR format like 192.168.1.0/24. If your kernel and iptables contain iprange
    match support then IP address ranges of the form <low address>-<high address>
    are also permitted."
 	;;
 allow)
--- a/LrpN/usr/share/shorewall/rfc1918
+++ b/LrpN/usr/share/shorewall/rfc1918
@ -1,5 +1,5 @@
 #
-# Shorewall 2.0-- RFC1918 File
+# Shorewall 2.1 -- RFC1918 File
 #
 # /etc/shorewall/rfc1918
 #
@ -12,7 +12,9 @@
 #
 # Columns are:
 #
-# 	SUBNET		The subnet (host addresses also allowed)
+# 	SUBNET		The subnet (host addresses also allowed as are IP
 #			address ranges provided that your kernel and iptables
 #			have iprange match support).
 #	TARGET		Where to send packets to/from this subnet
 #			RETURN	- let the packet be processed normally
 #			DROP	- silently drop the packet
--- a/LrpN/usr/share/shorewall/version
+++ b/LrpN/usr/share/shorewall/version
@ -1 +1 @@
-2.1.7
+2.1.8