diff --git a/Shorewall2/changelog.txt b/Shorewall2/changelog.txt index 59dd0e49b..a773f0c53 100644 --- a/Shorewall2/changelog.txt +++ b/Shorewall2/changelog.txt @@ -6,6 +6,8 @@ Changes in 2.2.3 3) MACLIST_TTL added. +4) Fix ! in hosts file + Changes in 2.2.2 1) The 'check' command disclaimer is toned down further and only diff --git a/Shorewall2/firewall b/Shorewall2/firewall index 515f181d3..1c3164e57 100755 --- a/Shorewall2/firewall +++ b/Shorewall2/firewall @@ -6372,7 +6372,7 @@ activate_rules() shift if havenatchain $destchain ; then - run_iptables -t nat -A $sourcechain $@ -j $destchain + run_iptables2 -t nat -A $sourcechain $@ -j $destchain else [ -n "$BRIDGING" -a -f $TMP_DIR/physdev ] && -rm -f $TMP_DIR/physdev [ -n "$IPRANGE_MATCH" -a -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange @@ -6390,7 +6390,7 @@ activate_rules() shift if havenatchain $destchain; then - eval run_iptables -t nat -I $sourcechain \ + eval run_iptables2 -t nat -I $sourcechain \ \$${sourcechain}_rule $@ -j $destchain eval ${sourcechain}_rule=\$\(\(\$${sourcechain}_rule + 1\)\) else @@ -6450,7 +6450,7 @@ activate_rules() interface=${host%%:*} networks=${host#*:} - run_iptables -A $(forward_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j $frwd_chain + run_iptables2 -A $(forward_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j $frwd_chain done fi fi @@ -6479,7 +6479,7 @@ activate_rules() interface=${host%%:*} networks=${host#*:} - run_iptables -A OUTPUT -o $interface $(match_dest_hosts $networks) $(match_ipsec_out $zone $host) -j $chain1 + run_iptables2 -A OUTPUT -o $interface $(match_dest_hosts $networks) $(match_ipsec_out $zone $host) -j $chain1 # # Add jumps from the builtin chains for DNAT and SNAT rules 
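Review bot: Nothing at the changed call in the -6372 hunk (`run_iptables2 -t nat -A $sourcechain $@ -j $destchain`), or at the same substitution in the -6390, -6450, -6479, -6487, -6555 and -6570 hunks, says why run_iptables2 is needed instead of run_iptables, and its definition is not part of this diff. Going by the release note, these are the sites where a `!` exclusion from the HOSTS column reaches iptables, so a later edit that switches one back would reintroduce the startup error on a firewall script. I would add a comment above each call, for example `# run_iptables2: the host match may carry a '!' exclusion from /etc/shorewall/hosts`. The enclosing function begins and ends outside the hunk.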
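Review bot: In the -6390 hunk the changed call sits under `eval`, and `$@` is expanded before eval re-parses the line, so the match text passed by the caller (including the `!` forms this commit is meant to support) goes through the shell parser a second time, in a script that presumably runs as root. Only `\$${sourcechain}_rule` needs the extra evaluation pass. Escaping the positional parameters so that eval expands them itself keeps the rule arguments as data: `eval run_iptables2 -t nat -I $sourcechain \$${sourcechain}_rule \$@ -j $destchain`. The hosts file is presumably admin-controlled, so this is hardening rather than a fix for a known fault. The enclosing function starts and ends outside the hunk.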
@@ -6487,10 +6487,10 @@ activate_rules() addrulejump PREROUTING $(dnat_chain $zone) -i $interface $(match_source_hosts $networks) $(match_ipsec_in $zone $host) addrulejump POSTROUTING $(snat_chain $zone) -o $interface $(match_dest_hosts $networks) $(match_ipsec_out $zone $host) - run_iptables -A $(input_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j $chain2 + run_iptables2 -A $(input_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j $chain2 if [ -n "$complex" ] && ! is_ipsec_host $zone $host ; then - run_iptables -A $(forward_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j $frwd_chain + run_iptables2 -A $(forward_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j $frwd_chain fi case $networks in @@ -6555,7 +6555,7 @@ activate_rules() # routeback was specified for this host group # if [ $zone != $zone1 -o $num_ifaces -gt 1 ] || list_search $host1 $routeback ; then - run_iptables -A $frwd_chain -o $interface1 $(match_dest_hosts $networks1) $(match_ipsec_out $zone1 $host1) -j $chain + run_iptables2 -A $frwd_chain -o $interface1 $(match_dest_hosts $networks1) $(match_ipsec_out $zone1 $host1) -j $chain fi done else @@ -6570,7 +6570,7 @@ activate_rules() networks1=${host1#*:} if [ "$host" != "$host1" ] || list_search $host $routeback; then - run_iptables -A $chain1 $(match_source_hosts $networks) -o $interface1 $(match_dest_hosts $networks1) $(match_ipsec_out $zone1 $host1) -j $chain + run_iptables2 -A $chain1 $(match_source_hosts $networks) -o $interface1 $(match_dest_hosts $networks1) $(match_ipsec_out $zone1 $host1) -j $chain fi done done diff --git a/Shorewall2/releasenotes.txt b/Shorewall2/releasenotes.txt index e28620b40..3ba66ecb8 100755 --- a/Shorewall2/releasenotes.txt +++ b/Shorewall2/releasenotes.txt 
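Review bot: The two `addrulejump PREROUTING …` and `addrulejump POSTROUTING …` context lines in the -6487 hunk pass the same `$(match_source_hosts $networks)` and `$(match_dest_hosts $networks)` output that the commit now routes through run_iptables2, yet they are unchanged. That is correct only if addrulejump is one of the helpers patched in the -6372 or -6390 hunks, whose function headers are not visible in this diff. If it is not, the `!` startup error would remain for the DNAT and SNAT jumps. It is also worth checking the rest of the file for any `run_iptables` call that still receives match_source_hosts or match_dest_hosts output.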
@@ -3,7 +3,10 @@ Shorewall 2.2.3 ----------------------------------------------------------------------- Problems corrected in version 2.2.3 -None. +1) If a zone is defined in /etc/shorewall/hosts using + :! in the HOSTS column then startup errors occur + on "shorewall [re]start". + ----------------------------------------------------------------------- New Features in version 2.2.3