diff --git a/Shorewall/compiler b/Shorewall/compiler
index e99437518..787643db7 100755
--- a/Shorewall/compiler
+++ b/Shorewall/compiler
@@ -5358,10 +5358,14 @@ if [ -f \${VARDIR}/save ]; then
 DROP|reject|logdrop|logreject)
 case \$rest in
 \$rangematch*)
- run_iptables -A dynamic -m iprange --src-range \${rest#source IP range}
+ run_iptables -A dynamic -m iprange --src-range \${rest#source IP range} -j \$target
 ;;
 *)
- run_iptables -A dynamic -s \$address -j \$target
+ if [ -z "\$rest" ]; then
+ run_iptables -A dynamic -s \$address -j \$target
+ else
+ error_message "WARNING: Unable to restore dynamic rule \"\$target \$ignore1 \$ignore2 \$address \$ignore3 \$rest\""
+ fi
 ;;
 esac
 ;;
diff --git a/Shorewall/lib.cli b/Shorewall/lib.cli
index cf8a9a305..f612b32f3 100644
--- a/Shorewall/lib.cli
+++ b/Shorewall/lib.cli
@@ -842,7 +842,7 @@ make_verbose() {
 #
 # Executor for drop,reject,... commands
 #
-block() # $1 = command, $2 = Finished, $3 = Original Command $4 - $n addresses
+block() # $1 = command, $2 = Finished, $3 - $n addresses
 {
 local chain=$1 finished=$2
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index 44a75e784..d21b87b46 100644
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@@ -32,6 +32,11 @@ Problems Corrected in 3.4.0 Final
 1) The route_rules file was being ignored. This has been corrected.
+2) If an IP range was specified in a 'drop' or 'reject' (including the
+ logging forms) and a 'shorewall save' was performed, then the next
+ time that Shorewall was restarted, new connections from outside the
+ firewall were totally blocked.
+
 Other Changes in 3.4.0 Final
 1) A warning is now issued when 'loose' and 'balance' are specified together
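Review bot: In the `Shorewall/compiler` hunk, both restored rules pass fields read back from `\${VARDIR}/save` to `run_iptables` unquoted: `\$address` in the `*)` branch and the remainder of `\$rest` after `--src-range`. A saved line carrying extra words or glob characters would be word-split into additional iptables arguments, so I would quote the address, `run_iptables -A dynamic -s "\$address" -j \$target`, and check that the stripped range is a single `first-last` token before using it, sending anything else to the same `error_message` warning. The new warning branch also means a previously blocked source is no longer blocked after the restart; a comment there such as `# rule not restored: this source stays unblocked until it is re-added` would make that fail-open outcome explicit. The enclosing `case` and whatever sets `\$address` and `\$rest` start outside the hunk, so how those fields are populated is inferred.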
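Review bot: In the `Shorewall/lib.cli` hunk, only the header comment of `block()` changes, dropping the `$3 = Original Command` slot, while the visible body line `local chain=$1 finished=$2` is untouched and the rest of the body lies outside the hunk. If the body still skips three positional parameters before iterating the addresses, the first address given to a drop or reject command would be silently ignored, so confirm that the shift count and every caller agree with `$3 - $n addresses`.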