diff --git a/Shorewall-perl/Shorewall/Chains.pm b/Shorewall-perl/Shorewall/Chains.pm
index ffe3109c2..9520c5987 100644
--- a/Shorewall-perl/Shorewall/Chains.pm
+++ b/Shorewall-perl/Shorewall/Chains.pm
@@ -966,9 +966,13 @@ sub mac_match( $ ) {
 sub verify_mark( $ ) {
 my $mark = $_[0];
 my $limit = $config{HIGH_ROUTE_MARKS} ? 0xFFFF : 0xFF;
+ my $value = numeric_value( $mark );
 fatal_error "Invalid Mark or Mask value ($mark)"
- unless numeric_value( $mark ) <= $limit;
+ unless $value <= $limit;
+
+ fatal_error "Invalid High Mark or Mask value ($mark)"
+ if ( $value > 0xFF && $value & 0xFF );
 }
 sub verify_small_mark( $ ) {
diff --git a/Shorewall-perl/Shorewall/Config.pm b/Shorewall-perl/Shorewall/Config.pm
index 65639ab51..3fdb0db02 100644
--- a/Shorewall-perl/Shorewall/Config.pm
+++ b/Shorewall-perl/Shorewall/Config.pm
@@ -863,7 +863,7 @@ sub read_a_line() {
 #
 # Ignore ( concatenated ) Blank Lines
 #
- $currentline = '', next if $currentline =~ /^\s*$/;
+ $currentline = '', $currentlinenumber = 0, next if $currentline =~ /^\s*$/;
 #
 # Expand Shell Variables using %ENV
diff --git a/Shorewall-perl/Shorewall/Proc.pm b/Shorewall-perl/Shorewall/Proc.pm
index f5c0d3857..56031adac 100644
--- a/Shorewall-perl/Shorewall/Proc.pm
+++ b/Shorewall-perl/Shorewall/Proc.pm
@@ -96,7 +96,6 @@ sub setup_route_filtering() {
 save_progress_message "Setting up Route Filtering...";
-
 if ( $config{ROUTE_FILTER} ) {
 my $val = $config{ROUTE_FILTER} eq 'on' ? 1 : 0;
@@ -115,7 +114,9 @@ sub setup_route_filtering() {
 " error_message \"WARNING: Cannot set route filtering on $interface\"" ) unless interface_is_optional( $interface);
 emit "fi\n";
 }
-
+ #
+ # According to Documentation/networking/ip-sysctl.txt, this must be turned on to do any filtering
+ #
 emit 'echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter';
 emit "[ -n \"\$NOROUTES\" ] || ip route flush cache";
diff --git a/Shorewall-perl/Shorewall/Providers.pm b/Shorewall-perl/Shorewall/Providers.pm
index 41c9e29bb..9ffca1e51 100644
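Review bot: In Shorewall/Chains.pm, verify_mark() compares `$value` with `$limit` without checking that it is defined. numeric_value() is not shown in this hunk; if it returns undef for input it cannot parse, `undef <= $limit` is evaluated as 0 <= limit, so a non-numeric mark would pass both tests with only a warning. A guard such as `unless defined $value && $value <= $limit;` keeps the validation fail-closed. The second test would also benefit from a comment stating why a value above 0xFF must have a clear low byte, and from writing `( $value & 0xFF )` in its own parentheses so the precedence is obvious.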
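Review bot: In Shorewall/Config.pm, read_a_line() now chains two assignments and `next` with commas under a single postfix `if`, which is easy to misread and easy to break when another statement is added. A block reads more plainly: `if ( $currentline =~ /^\s*$/ ) { $currentline = ''; $currentlinenumber = 0; next; }`. A short comment on why `$currentlinenumber` is reset would help; presumably it lets the next non-blank line record its own number for error messages, but that logic is outside the hunk.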
--- a/Shorewall-perl/Shorewall/Providers.pm
+++ b/Shorewall-perl/Shorewall/Providers.pm
@@ -347,9 +347,9 @@ sub add_an_rtrule( $$$$ ) {
 validate_net ( $source, 0 );
 $source = "iif $interface from $source";
 } elsif ( $source =~ /\..*\..*/ ) {
+ validate_net ( $source, 0 );
 $source = "from $source";
 } else {
- validate_net ( $source, 0 );
 $source = "iif $source";
 }
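Review bot: In add_an_rtrule(), the final `else` branch now builds `"iif $source"` from a value that no visible code validates, because validate_net() moved to the dotted-address branch. Moving the call is right for addresses, but the interface name comes from the configuration file, and if this string later reaches a generated routing-rule command, as the function name suggests, it should be checked before interpolation. Something like `fatal_error "Invalid SOURCE ($source)" unless $source =~ /^[\w.:@+-]+$/;` (pattern constructed for illustration), or a lookup against the known interfaces, would close that gap. The function begins and ends outside the hunk, so an earlier check may already exist.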