Don't use multiport match on ICMP

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@760 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2003-10-08 15:07:18 +00:00 · 2003-10-08 15:07:18 +00:00 · 5b54d21d07
commit 5b54d21d07
parent cb3f099ad2
6 changed files with 30 additions and 0 deletions
--- a/STABLE/changelog.txt
+++ b/STABLE/changelog.txt
@ -3,3 +3,5 @@ Changes since 1.4.7
 1) Applied patch from Tuomo Soini that fixes syntax error occuring with
   some versions of 'ash'.

+2) Applied Andrew Zhoglo's patch that avoids using multiport match for
+   ICMP.
--- a/STABLE/firewall
+++ b/STABLE/firewall
@ -2764,6 +2764,9 @@ process_rule() # $1 = target
    case $logtarget in
 	DNAT*)
 	    if [ -n "$MULTIPORT" -a \
+                "$protocol" != "icmp" -a \
+                "$protocol" != "ICMP" -a \
+                "$protocol" != "1" -a \
 		"$ports" = "${ports%:*}" -a \
 		"$cports" = "${cports%:*}" -a \
 		`list_count $ports` -le 15 -a \
@ -2801,6 +2804,9 @@ process_rule() # $1 = target
 	*)

 	    if [ -n "$MULTIPORT" -a \
+                "$protocol" != "icmp" -a \
+                "$protocol" != "ICMP" -a \
+                "$protocol" != "1" -a \
 		"$ports" = "${ports%:*}" -a \
 		"$cports" = "${cports%:*}" -a \
 		`list_count $ports` -le 15 -a \
--- a/STABLE/releasenotes.txt
+++ b/STABLE/releasenotes.txt
@ -11,6 +11,13 @@ Problems Corrected since version 1.4.6:
   cannot open shared object file: No such file or directory
   Try `iptables -h' or 'iptables --help' for more information.

+2) Andres Zhoglo has supplied a correction that avoids trying to use
+   the multiport match iptables facility on ICMP rules.
+
+   Example of rule that previously caused "shorewall start" to fail:
+
+	   ACCEPT      loc  $FW  icmp    0,8,11,12
+
 Migration Issues:

 None.
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@ -3,3 +3,5 @@ Changes since 1.4.7
 1) Applied patch from Tuomo Soini that fixes syntax error occuring with
   some versions of 'ash'.

+2) Applied Andrew Zhoglo's patch that avoids using multiport match for
+   ICMP.
--- a/Shorewall/firewall
+++ b/Shorewall/firewall
@ -2764,6 +2764,9 @@ process_rule() # $1 = target
    case $logtarget in
 	DNAT*)
 	    if [ -n "$MULTIPORT" -a \
+                "$protocol" != "icmp" -a \
+                "$protocol" != "ICMP" -a \
+                "$protocol" != "1" -a \
 		"$ports" = "${ports%:*}" -a \
 		"$cports" = "${cports%:*}" -a \
 		`list_count $ports` -le 15 -a \
@ -2801,6 +2804,9 @@ process_rule() # $1 = target
 	*)

 	    if [ -n "$MULTIPORT" -a \
+                "$protocol" != "icmp" -a \
+                "$protocol" != "ICMP" -a \
+                "$protocol" != "1" -a \
 		"$ports" = "${ports%:*}" -a \
 		"$cports" = "${cports%:*}" -a \
 		`list_count $ports` -le 15 -a \
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@ -11,6 +11,13 @@ Problems Corrected since version 1.4.6:
   cannot open shared object file: No such file or directory
   Try `iptables -h' or 'iptables --help' for more information.

+2) Andres Zhoglo has supplied a correction that avoids trying to use
+   the multiport match iptables facility on ICMP rules.
+
+   Example of rule that previously caused "shorewall start" to fail:
+
+	   ACCEPT      loc  $FW  icmp    0,8,11,12
+
 Migration Issues:

 None.