Move some fixes from 4.4.5 to 4.4.4.2
parent
c02ab429e6
commit
8581c53b9f
@ -72,7 +72,7 @@ our @EXPORT = qw( ALLIPv4
|
|||||||
validate_icmp6
|
validate_icmp6
|
||||||
);
|
);
|
||||||
our @EXPORT_OK = qw( );
|
our @EXPORT_OK = qw( );
|
||||||
our $VERSION = '4.4_1';
|
our $VERSION = '4.4_4';
|
||||||
|
|
||||||
#
|
#
|
||||||
# Some IPv4/6 useful stuff
|
# Some IPv4/6 useful stuff
|
||||||
@ -302,7 +302,7 @@ sub validate_port( $$ ) {
|
|||||||
my $value;
|
my $value;
|
||||||
|
|
||||||
if ( $port =~ /^(\d+)$/ ) {
|
if ( $port =~ /^(\d+)$/ ) {
|
||||||
return $port if $port <= 65535;
|
return $port if $port && $port <= 65535;
|
||||||
} else {
|
} else {
|
||||||
$proto = proto_name $proto if $proto =~ /^(\d+)$/;
|
$proto = proto_name $proto if $proto =~ /^(\d+)$/;
|
||||||
$value = getservbyname( $port, $proto );
|
$value = getservbyname( $port, $proto );
|
||||||
@ -485,16 +485,16 @@ sub valid_6address( $ ) {
|
|||||||
return 0 unless ( @address == $max ) || $address =~ /::/;
|
return 0 unless ( @address == $max ) || $address =~ /::/;
|
||||||
return 0 if $address =~ /:::/ || $address =~ /::.*::/;
|
return 0 if $address =~ /:::/ || $address =~ /::.*::/;
|
||||||
|
|
||||||
if ( $address =~ /^:/ ) {
|
unless ( $address =~ /^::/ ) {
|
||||||
unless ( $address eq '::' ) {
|
return 0 if $address =~ /^:/;
|
||||||
return 0 if $address =~ /:$/ || $address =~ /^:.*::/;
|
|
||||||
}
|
}
|
||||||
} elsif ( $address =~ /:$/ ) {
|
|
||||||
return 0 if $address =~ /::.*:$/;
|
unless ( $address =~ /::$/ ) {
|
||||||
|
return 0 if $address =~ /:$/;
|
||||||
}
|
}
|
||||||
|
|
||||||
for my $a ( @address ) {
|
for my $a ( @address ) {
|
||||||
return 0 unless $a eq '' || ( $a =~ /^[a-fA-f\d]+$/ && oct "0x$a" < 65536 );
|
return 0 unless $a eq '' || ( $a =~ /^[a-fA-f\d]+$/ && length $a < 5 );
|
||||||
}
|
}
|
||||||
|
|
||||||
1;
|
1;
|
||||||
@ -543,14 +543,28 @@ sub validate_6net( $$ ) {
|
|||||||
sub normalize_6addr( $ ) {
|
sub normalize_6addr( $ ) {
|
||||||
my $addr = shift;
|
my $addr = shift;
|
||||||
|
|
||||||
while ( $addr =~ tr/:/:/ < 6 ) {
|
if ( $addr eq '::' ) {
|
||||||
$addr =~ s/::/:0::/;
|
'0:0:0:0:0:0:0:0';
|
||||||
}
|
} else {
|
||||||
|
#
|
||||||
|
# Suppress leading zeros
|
||||||
|
#
|
||||||
|
$addr =~ s/^0+//;
|
||||||
|
$addr =~ s/:0+/:/g;
|
||||||
|
$addr =~ s/^:/0:/;
|
||||||
|
$addr =~ s/:$/:0/;
|
||||||
|
|
||||||
$addr =~ s/::/:0:/;
|
$addr =~ s/::/:0::/ while $addr =~ tr/:/:/ < 7;
|
||||||
|
#
|
||||||
|
# Note: "s/::/:0:/g" doesn't work here
|
||||||
|
#
|
||||||
|
1 while $addr =~ s/::/:0:/;
|
||||||
|
|
||||||
|
$addr =~ s/^0+:/0:/;
|
||||||
|
|
||||||
$addr;
|
$addr;
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
sub validate_6range( $$ ) {
|
sub validate_6range( $$ ) {
|
||||||
my ( $low, $high ) = @_;
|
my ( $low, $high ) = @_;
|
||||||
|
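Review bot: The per-group check in valid_6address still uses the character class `[a-fA-f\d]`, where the range `A-f` spans every uppercase letter plus `[ \ ] ^ _` and the backtick, so a group such as `GHIJ` is accepted as hex. The earlier `oct "0x$a" < 65536` test would not have rejected such a group either, and the replacement `length $a < 5` only bounds the length, so nothing in the visible lines catches it; the line should read `return 0 unless $a eq '' || ( $a =~ /^[a-fA-F\d]+$/ && length $a < 5 );`. In the validate_port hunk, `$port && $port <= 65535` tests string truth, and in Perl the string `"00"` is true, so a zero port written with extra digits still passes; `$port > 0 && $port <= 65535` compares numerically. Both functions start outside their hunks, and the old/new sides are inferred from print order because the page has lost its `+`/`-` markers.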
@ -4,6 +4,10 @@ Changes in Shorewall 4.4.4.1
|
|||||||
|
|
||||||
2) Fix handling of interfaces with the 'bridge' option.
|
2) Fix handling of interfaces with the 'bridge' option.
|
||||||
|
|
||||||
|
3) Disallow port 0
|
||||||
|
|
||||||
|
4) Improve IPv6 address validation and range checking.
|
||||||
|
|
||||||
Changes in Shorewall 4.4.4
|
Changes in Shorewall 4.4.4
|
||||||
|
|
||||||
1) Change STARTUP_LOG and LOG_VERBOSITY in default shorewall6.conf.
|
1) Change STARTUP_LOG and LOG_VERBOSITY in default shorewall6.conf.
|
||||||
|
@ -21,3 +21,8 @@
|
|||||||
|
|
||||||
This problem is corrected in Shorewall 4.4.4.2.
|
This problem is corrected in Shorewall 4.4.4.2.
|
||||||
|
|
||||||
|
5) An iptables-restore error can occur if port 0 is specified in some
|
||||||
|
contexts.
|
||||||
|
|
||||||
|
In Shorewall 4.4.4.2, port 0 is flagged as an error in all
|
||||||
|
contexts.
|
||||||
|
@ -173,6 +173,20 @@ Shorewall 4.4.4 Patch Release 1
|
|||||||
default. If, for some reason, you don't want 'track' then specify
|
default. If, for some reason, you don't want 'track' then specify
|
||||||
'notrack' for the provider.
|
'notrack' for the provider.
|
||||||
|
|
||||||
|
----------------------------------------------------------------------------
|
||||||
|
P R O B L E M S C O R R E C T E D I N 4 . 4 . 4 . 2
|
||||||
|
----------------------------------------------------------------------------
|
||||||
|
|
||||||
|
1) Previously, DNS names were not accepted in some contexts by
|
||||||
|
Shorewall6.
|
||||||
|
|
||||||
|
2) Validation of IPv6 addresses has been improved and now catches more
|
||||||
|
invalid addresses.
|
||||||
|
|
||||||
|
3) Previously, port 0 was accepted in all contexts with the result
|
||||||
|
that iptables-restore errors could occur. Port 0 is now flagged as
|
||||||
|
an error.
|
||||||
|
|
||||||
----------------------------------------------------------------------------
|
----------------------------------------------------------------------------
|
||||||
P R O B L E M S C O R R E C T E D I N 4 . 4 . 4 . 1
|
P R O B L E M S C O R R E C T E D I N 4 . 4 . 4 . 1
|
||||||
----------------------------------------------------------------------------
|
----------------------------------------------------------------------------
|
||||||
|