Fix bogus code in process_tc_rule

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1413 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall2/changelog.txt

@@ -34,3 +34,7 @@ Changes since 2.0.2
     comments in the rules file WRT "all" in SOURCE or DEST.
 
 16) Pass INVALID icmp packets through the blacklisting chains.
+
+17) Fix bogus code in procerss_tc_rule()
+
+18) Fix security vulnerability involving temporary files/directories.

Shorewall2/firewall

@@ -2050,11 +2050,7 @@ process_tc_rule()
 	    esac
 	fi
 
-	if [ "x$dest" != "x-"  ]; then
+	[ "x$dest"   = "x-"  ] || r="${r}-d $dest "
-	    verify_interface $dest || fatal_error "Unknown interface $dest in rule \"$rule\""
-	    r="${r}$(match_dest_dev $dest) "
-	fi
-
 	[ "$proto"   = "all" ] || r="${r}-p $proto "
 	[ "x$port"   = "x-"  ] || r="${r}--dport $port "
 	[ "x$sport"  = "x-"  ] || r="${r}--sport $sport "

Shorewall2/releasenotes.txt

@@ -44,6 +44,14 @@ Problems Corrected since 2.0.2
     not possible to blacklist hosts that are mounting certain types of
     ICMP-based DOS attacks.
 
+Problems Corrected since 2.0.3
+
+1)  A non-empty DEST entry in /etc/shorewall/tcrules will generate an
+    error and Shorewall fails to start.
+
+2)  A potential security vulnerablilty in the way that Shorewall
+    handles temporary files and directories has been corrected.
+
 -----------------------------------------------------------------------
 Issues when migrating from Shorewall 2.0.2 to Shorewall 2.0.3: