From 8581c53b9fdb56036963b220b30a6aa7bb7045e3 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Tue, 24 Nov 2009 08:51:46 -0800 Subject: [PATCH] Move some fixes from 4.4.5 to 4.4.4.2 --- Shorewall/Perl/Shorewall/IPAddrs.pm | 44 +++++++++++++++++++---------- Shorewall/changelog.txt | 4 +++ Shorewall/known_problems.txt | 5 ++++ Shorewall/releasenotes.txt | 14 +++++++++ 4 files changed, 52 insertions(+), 15 deletions(-) diff --git a/Shorewall/Perl/Shorewall/IPAddrs.pm b/Shorewall/Perl/Shorewall/IPAddrs.pm index ea1da5f79..40b9d5755 100644 --- a/Shorewall/Perl/Shorewall/IPAddrs.pm +++ b/Shorewall/Perl/Shorewall/IPAddrs.pm @@ -72,7 +72,7 @@ our @EXPORT = qw( ALLIPv4 validate_icmp6 ); our @EXPORT_OK = qw( ); -our $VERSION = '4.4_1'; +our $VERSION = '4.4_4'; # # Some IPv4/6 useful stuff @@ -302,7 +302,7 @@ sub validate_port( $$ ) { my $value; if ( $port =~ /^(\d+)$/ ) { - return $port if $port <= 65535; + return $port if $port && $port <= 65535; } else { $proto = proto_name $proto if $proto =~ /^(\d+)$/; $value = getservbyname( $port, $proto ); @@ -485,16 +485,16 @@ sub valid_6address( $ ) { return 0 unless ( @address == $max ) || $address =~ /::/; return 0 if $address =~ /:::/ || $address =~ /::.*::/; - if ( $address =~ /^:/ ) { - unless ( $address eq '::' ) { - return 0 if $address =~ /:$/ || $address =~ /^:.*::/; - } - } elsif ( $address =~ /:$/ ) { - return 0 if $address =~ /::.*:$/; + unless ( $address =~ /^::/ ) { + return 0 if $address =~ /^:/; } + unless ( $address =~ /::$/ ) { + return 0 if $address =~ /:$/; + } + for my $a ( @address ) { - return 0 unless $a eq '' || ( $a =~ /^[a-fA-f\d]+$/ && oct "0x$a" < 65536 ); + return 0 unless $a eq '' || ( $a =~ /^[a-fA-f\d]+$/ && length $a < 5 ); } 1; 
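Review bot: The new guard `return $port if $port && $port <= 65535;` in validate_port rejects port 0 only through string truthiness, so a zero spelled with leading zeros (`00`, `000`) is still true in Perl, is accepted, and is returned unchanged, contrary to the commit's stated aim of flagging port 0 in all contexts. A numeric comparison closes that gap: `return $port if $port > 0 && $port <= 65535;`. The enclosing `/^(\d+)$/` test is also slightly loose, since `$` matches before a trailing newline where `\z` would not. validate_port starts and ends outside the hunk.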
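Review bot: The rewritten group check in valid_6address, `return 0 unless $a eq '' || ( $a =~ /^[a-fA-f\d]+$/ && length $a < 5 );`, does not actually require hex digits: the class `[a-fA-f\d]` contains the range `A-f`, which in ASCII runs from `A` through `f` and therefore admits `G` to `Z` and the punctuation between `Z` and `a`, so a group such as `ZZZZ` passes. The typo predates this commit (`oct` stops at the first non-hex digit, so the old value test let it through as well), but now that the value test has been replaced by a pure `length` test the character class is the only check, so it is worth fixing here: `return 0 unless $a eq '' || $a =~ /^[a-fA-F\d]{1,4}\z/;`. Using `\z` rather than `$` also stops a trailing newline from slipping through. valid_6address starts and ends outside the hunk.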
@@ -543,13 +543,27 @@ sub validate_6net( $$ ) { sub normalize_6addr( $ ) { my $addr = shift; - while ( $addr =~ tr/:/:/ < 6 ) { - $addr =~ s/::/:0::/; + if ( $addr eq '::' ) { + '0:0:0:0:0:0:0:0'; + } else { + # + # Suppress leading zeros + # + $addr =~ s/^0+//; + $addr =~ s/:0+/:/g; + $addr =~ s/^:/0:/; + $addr =~ s/:$/:0/; + + $addr =~ s/::/:0::/ while $addr =~ tr/:/:/ < 7; + # + # Note: "s/::/:0:/g" doesn't work here + # + 1 while $addr =~ s/::/:0:/; + + $addr =~ s/^0+:/0:/; + + $addr; } - - $addr =~ s/::/:0:/; - - $addr; } sub validate_6range( $$ ) { diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt index 132b7382b..7b58dd64c 100644 --- a/Shorewall/changelog.txt +++ b/Shorewall/changelog.txt @@ -4,6 +4,10 @@ Changes in Shorewall 4.4.4.1 2) Fix handling of interfaces with the 'bridge' option. +3) Disallow port 0 + +4) Improve IPv6 address validation and range checking. + Changes in Shorewall 4.4.4 1) Change STARTUP_LOG and LOG_VERBOSITY in default shorewall6.conf. diff --git a/Shorewall/known_problems.txt b/Shorewall/known_problems.txt index 83182a3d4..6092b7dc2 100644 --- a/Shorewall/known_problems.txt +++ b/Shorewall/known_problems.txt @@ -21,3 +21,8 @@ This problem is corrected in Shorewall 4.4.4.2. +5) An iptables-restore error can occur if port 0 is specified in some + contexts. + + In Shorewall 4.4.4.2, port 0 is flagged as an error in all + contexts. diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index eaa8b3cf3..212cccb51 100644 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt 
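Review bot: normalize_6addr now silently depends on its input having already passed valid_6address, and the hunk does not say so: the added `$addr =~ s/:0+/:/g;` turns every all-zero group into an empty one, so an unvalidated `1:00:2` would be rebuilt by the colon-count loop into `1:0:0:0:0:0:0:2` instead of being rejected, while a valid `1:0:0:0:0:0:0:1` only comes out right because the `1 while $addr =~ s/::/:0:/;` loop restores the group count. A header comment such as `# Precondition: $addr is a syntactically valid IPv6 address (see valid_6address); zero groups are collapsed to '' here and rebuilt below.` would make that contract explicit. The branch values `'0:0:0:0:0:0:0:0';` and `$addr;` also rely on the if/else being the last statement of the sub; `return '0:0:0:0:0:0:0:0';` and `return $addr;` say the same thing without depending on fall-through.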
@@ -173,6 +173,20 @@ Shorewall 4.4.4 Patch Release 1 default. If, for some reason, you don't want 'track' then specify 'notrack' for the provider. +---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 4 . 4 . 4 . 2 +---------------------------------------------------------------------------- + +1) Previously, DNS names were not accepted in some contexts by + Shorewall6. + +2) Validation of IPv6 addresses has been improved and now catches more + invalid addresses. + +3) Previously, port 0 was accepted in all contexts with the result + that iptables-restore errors could occur. Port 0 is now flagged as + an error. + ---------------------------------------------------------------------------- P R O B L E M S C O R R E C T E D I N 4 . 4 . 4 . 1 ----------------------------------------------------------------------------