Fix obscure bug with multiple addresses in masq

Shorewall-lite/fallback.sh

@@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.
 
-VERSION=4.4.1
+VERSION=4.4.1.2
 
 usage() # $1 = exit status
 {

Shorewall-lite/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.1
+VERSION=4.4.1.2
 
 usage() # $1 = exit status
 {

Shorewall-lite/shorewall-lite.spec

@@ -1,6 +1,6 @@
 %define name shorewall-lite
 %define version 4.4.1
-%define release 0base
+%define release 2
 
 Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems.
 Name: %{name}
@@ -98,6 +98,10 @@ fi
 %doc COPYING changelog.txt releasenotes.txt
 
 %changelog
+* Thu Sep 03 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.1-2
+* Thu Sep 03 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.1-1
 * Fri Aug 14 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.1-0base
 * Mon Aug 03 2009 Tom Eastep tom@shorewall.net

Shorewall-lite/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.1
+VERSION=4.4.1.2
 
 usage() # $1 = exit status
 {

Shorewall/Perl/Shorewall/Chains.pm

@@ -71,6 +71,7 @@ our %EXPORT_TAGS = (
 				       ALL_COMMANDS
 				       NOT_RESTORE
 
+				       initialize_chain_table
 				       add_commands
 				       move_rules
 				       move_rules1
@@ -296,7 +297,6 @@ our %builtin_target = ( ACCEPT   => 1,
 			NFQUEUE  => 1,
 			REDIRECT => 1 );
 
-sub initialize_chain_table();
 #
 # Rather than initializing globals in an INIT block or during declaration,
 # we initialize them in a function. This is done for two reasons:
@@ -357,8 +357,6 @@ sub initialize( $ ) {
     $global_variables   = 0;
     $idiotcount         = 0;
 
-    initialize_chain_table;
-
 }
 
 #
@@ -1041,7 +1039,7 @@ sub ensure_manual_chain($) {
 }
 
 #
-# Add all builtin chains to the chain table -- it is separate from initialize() for purely historical reasons.
+# Add all builtin chains to the chain table -- it is separate from initialize() because it depends on capabilities and configuration.
 # The function also initializes the target table with the pre-defined targets available for the specfied address family.
 #
 #

Shorewall/Perl/Shorewall/Compiler.pm

@@ -589,6 +589,8 @@ sub compiler {
     #
     get_configuration( $export );
 
+    initialize_chain_table;
+
     report_capabilities;
 
     require_capability( 'MULTIPORT'       , "Shorewall $globals{VERSION}" , 's' );
@@ -790,14 +792,20 @@ sub compiler {
 	#    (Produces setup_netfilter(), chainlist_reload() and define_firewall() )
 	#
 	generate_script_3( $chains );
-	#                               S T O P _ F I R E W A L L
-	#             (Writes the stop_firewall() function to the compiled script)
-	#
-	# We must reinitialize Shorewall::Chains before generating the iptables-restore input
-	# for stopping the firewall
-	#
-	Shorewall::Chains::initialize( $family );
-	compile_stop_firewall( $test );
+    } else {
+	enable_object;
+    }
+    #                               S T O P _ F I R E W A L L
+    #             (Writes the stop_firewall() function to the compiled script)
+    #
+    # We must reinitialize Shorewall::Chains before generating the iptables-restore input
+    # for stopping the firewall
+    #
+    Shorewall::Chains::initialize( $family );
+    initialize_chain_table;
+    compile_stop_firewall( $test );
+    
+    if ( $objectfile ) {
 	#
 	# Copy the footer to the object
 	#

Shorewall/Perl/Shorewall/Config.pm

@@ -327,7 +327,7 @@ sub initialize( $ ) {
 		    TC_SCRIPT => '',
 		    EXPORT => 0,
 		    UNTRACKED => 0,
-		    VERSION => "4.4.1",
+		    VERSION => "4.4.1.2",
 		    CAPVERSION => 40401 ,
 		  );
 
@@ -1951,7 +1951,7 @@ sub determine_capabilities( $ ) {
 
     if ( $capabilities{NAT_ENABLED} ) {
 	if ( qt1( "$iptables -t nat -N $sillyname" ) ) {
-	    $capabilities{PERSISTENT_SNAT} = qt1( "$iptables -t nat -A $sillyname -j SNAT --to source 1.2.3.4 --persistent" );
+	    $capabilities{PERSISTENT_SNAT} = qt1( "$iptables -t nat -A $sillyname -j SNAT --to-source 1.2.3.4 --persistent" );
 	    qt1( "$iptables -t NAT -F $sillyname" );
 	    qt1( "$iptables -t NAT -X $sillyname" );
 	}

Shorewall/Perl/Shorewall/Nat.pm

@@ -104,7 +104,7 @@ sub do_ipsec_options($)
 #
 sub process_one_masq( )
 {
-    my ($interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user ) = split_line1 2, 8, 'masq file';
+    my ($interfacelist, $networks, $origaddresses, $proto, $ports, $ipsec, $mark, $user ) = split_line1 2, 8, 'masq file';
 
     if ( $interfacelist eq 'COMMENT' ) {
 	process_comment;
@@ -208,7 +208,9 @@ sub process_one_masq( )
 	#
 	# Parse the ADDRESSES column
 	#
-	if ( $addresses ne '-' ) {
+	if ( $origaddresses ne '-' ) {
+	    my $addresses = $origaddresses;
+
 	    if ( $addresses eq 'random' ) {
 		$randomize = '--random ';
 	    } else {
@@ -226,7 +228,7 @@ sub process_one_masq( )
 		    if ( interface_is_optional $interface ) {
 			add_commands( $chainref,
 				      '',
-				      "if [ \"$variable\" != 0.0.0.0 ]; then" );
+				      qq(if [ "$variable" != 0.0.0.0 ]; then) );
 			incr_cmd_level( $chainref );
 			$detectaddress = 1;
 		    }
@@ -239,7 +241,11 @@ sub process_one_masq( )
 			if ( $addr =~ /^.*\..*\..*\./ ) {
 			    $target = '-j SNAT ';
 			    my ($ipaddr, $rest) = split ':', $addr;
-			    validate_address $ipaddr, 0;
+			    if ( $addr =~ /^(.+)-(.+)$/ ) {
+				validate_range( $1, $2 );
+			    } else {
+				validate_address $ipaddr, 0;
+			    }
 			    $addrlist .= "--to-source $addr ";
 			    $exceptionrule = do_proto( $proto, '', '' ) if $addr =~ /:/;
 			} else {
@@ -280,7 +286,7 @@ sub process_one_masq( )
 	if ( $add_snat_aliases ) {
 	    my ( $interface, $alias , $remainder ) = split( /:/, $fullinterface, 3 );
 	    fatal_error "Invalid alias ($alias:$remainder)" if defined $remainder;
-	    for my $address ( split_list $addresses, 'address' ) {
+	    for my $address ( split_list $origaddresses, 'address' ) {
 		my ( $addrs, $port ) = split /:/, $address;
 		next unless $addrs;
 		next if $addrs eq 'detect';

Shorewall/changelog.txt

@@ -1,3 +1,19 @@
+Changes in Shorewall 4.4.1.3
+
+1)  Process routestopped during 'check'
+
+2)  Apply Jesse Shrieve's patch for SNAT range.
+
+Changes in Shorewall 4.4.1.2
+
+1)  Re-initialize chain table before generating 'stop_firewall()'
+
+Changes in Shorewall 4.4.1.1
+
+1)  Fixed detection of Persistent SNAT
+
+2)  Fix compiler initialization fiasco.
+
 Changes in Shorewall 4.4.1
 
 1)  Deleted extra 'use ...IPAddrs.pm' from Nat.pm.

Shorewall/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.1
+VERSION=4.4.1.2
 
 usage() # $1 = exit status
 {

Shorewall/known_problems.txt

@@ -1 +1,22 @@
-There are no known problems in Shorewall version 4.4.1
+1)  The compiler's detection of Persistent SNAT support is broken.
+
+    Fixed in Shorewall 4.4.1.1
+
+2)  Initialization of the compiler's chain table was broken in ways
+    that prevented some features from working.
+
+    Fixed in Shorewall 4.4.1.1
+
+3)  Initialization of the compiler's chain table was still broken.
+
+    Fixed in Shorewall 4.4.1.2.
+
+4)  It is currently not possible to specify an address range in the
+    ADDRESS column of /etc/shorewall/masq.
+
+    Fixed in Shorewall 4.4.1.3.
+
+5)  The routestopped file is not being verified by 'shorewall check'.
+
+    Fixed in Shorewall 4.4.1.3.
+

Shorewall/releasenotes.txt

@@ -1,4 +1,4 @@
-Shorewall 4.4.1
+Shorewall 4.4.1 patch release 3
 
 ----------------------------------------------------------------------------
                R E L E A S E  4 . 4  H I G H L I G H T S
@@ -170,6 +170,30 @@ Shorewall 4.4.1
     now, if the zone has <interface>:0.0.0.0/0 (even with exclusions),
     then it may have no additional members in /etc/shorewall/hosts.
 
+----------------------------------------------------------------------------
+        P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 1 . 3
+----------------------------------------------------------------------------
+1)  The routestopped file wasn't verified during 'shorewall check' and
+    'shorewall6 check'.
+
+2)  Previously, it was not possible to specify an IP address range in
+    ADDRESS column of /etc/shorewall/masq. Thanks go to Jessee Shrieve
+    for the patch.
+
+----------------------------------------------------------------------------
+        P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 1 . 2
+----------------------------------------------------------------------------
+1)  The compiler's chain table was not being re-initialized prior to
+    creating the stop_firewall() function, resulting in Perl run-time
+    errors.
+----------------------------------------------------------------------------
+        P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 1 . 1
+----------------------------------------------------------------------------
+1)  Detection of Persistent SNAT support was broken in the compiler.
+
+2)  Initialization of the compiler's chain table was broken in ways
+    that made some features not work and that caused Perl runtime errors.
+
 ----------------------------------------------------------------------------
           P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 1
 ----------------------------------------------------------------------------

Shorewall/shorewall.spec

@@ -1,6 +1,6 @@
 %define name shorewall
 %define version 4.4.1
-%define release 0base
+%define release 2
 
 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
 Name: %{name}
@@ -104,6 +104,10 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples 
 
 %changelog
+* Thu Sep 03 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.1-2
+* Thu Sep 03 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.1-1
 * Fri Aug 14 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.1-0base
 * Sun Aug 09 2009 Tom Eastep tom@shorewall.net

Shorewall/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.1
+VERSION=4.4.1.2
 
 usage() # $1 = exit status
 {

Shorewall6-lite/fallback.sh

@@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.
 
-VERSION=4.4.1
+VERSION=4.4.1.2
 
 usage() # $1 = exit status
 {

Shorewall6-lite/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.1
+VERSION=4.4.1.2
 
 usage() # $1 = exit status
 {

Shorewall6-lite/shorewall6-lite.spec

@@ -1,6 +1,6 @@
 %define name shorewall6-lite
 %define version 4.4.1
-%define release 0base
+%define release 2
 
 Summary: Shoreline Firewall 6 Lite is an ip6tables-based firewall for Linux systems.
 Name: %{name}
@@ -89,6 +89,10 @@ fi
 %doc COPYING changelog.txt releasenotes.txt
 
 %changelog
+* Thu Sep 03 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.1-2
+* Thu Sep 03 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.1-1
 * Fri Aug 14 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.1-0base
 * Mon Aug 03 2009 Tom Eastep tom@shorewall.net

Shorewall6-lite/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.1
+VERSION=4.4.1.2
 
 usage() # $1 = exit status
 {

Shorewall6/fallback.sh

@@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.
 
-VERSION=4.4.1
+VERSION=4.4.1.2
 
 usage() # $1 = exit status
 {

Shorewall6/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.1
+VERSION=4.4.1.2
 
 usage() # $1 = exit status
 {

Shorewall6/shorewall6.spec

@@ -1,6 +1,6 @@
 %define name shorewall6
 %define version 4.4.1
-%define release 0base
+%define release 2
 
 Summary: Shoreline Firewall 6 is an ip6tables-based firewall for Linux systems.
 Name: %{name}
@@ -93,6 +93,10 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn ipv6 Samples6
 
 %changelog
+* Thu Sep 03 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.1-2
+* Thu Sep 03 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.1-1
 * Fri Aug 14 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.1-0base
 * Mon Aug 03 2009 Tom Eastep tom@shorewall.net

Shorewall6/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.1
+VERSION=4.4.1.2
 
 usage() # $1 = exit status
 {

manpages/shorewall-zones.xml

@@ -112,7 +112,7 @@ c:a,b     ipv4</programlisting>
           <para>Where an <emphasis role="bold">ipsec</emphasis> zone is
           explicitly included as a child of an <emphasis
           role="bold">ipv4</emphasis> zone, the ruleset allows CONTINUE
-          policies (explicit or implicit) to work as expected. </para>
+          policies (explicit or implicit) to work as expected.</para>
 
           <para>In the future, Shorewall may make additional use of nesting
           information.</para>
@@ -138,7 +138,8 @@ c:a,b     ipv4</programlisting>
             </varlistentry>
 
             <varlistentry>
-              <term><emphasis role="bold">ipsec</emphasis></term>
+              <term><emphasis role="bold">ipsec</emphasis> (or <emphasis
+              role="bold">ipsec4</emphasis>)</term>
 
               <listitem>
                 <para>Communication with all zone hosts is encrypted. Your
@@ -160,7 +161,8 @@ c:a,b     ipv4</programlisting>
             </varlistentry>
 
             <varlistentry>
-              <term>bport (or bport4)</term>
+              <term><emphasis role="bold">bport</emphasis> (or <emphasis
+              role="bold">bport4</emphasis>)</term>
 
               <listitem>
                 <para>The zone is associated with one or more ports on a

manpages6/shorewall6-zones.xml

@@ -138,7 +138,8 @@ c:a,b     ipv6</programlisting>
             </varlistentry>
 
             <varlistentry>
-              <term><emphasis role="bold">ipsec</emphasis></term>
+              <term><emphasis role="bold">ipsec</emphasis> (or <emphasis
+              role="bold">ipsec6</emphasis>)</term>
 
               <listitem>
                 <para>Communication with all zone hosts is encrypted. Your
@@ -160,7 +161,8 @@ c:a,b     ipv6</programlisting>
             </varlistentry>
 
             <varlistentry>
-              <term>bport (or bport6)</term>
+              <term><emphasis role="bold">bport</emphasis> (or <emphasis
+              role="bold">bport6</emphasis>)</term>
 
               <listitem>
                 <para>The zone is associated with one or more ports on a