Tom
Further testing of 3.9.1 has revealed various problems with rules for ICMP
traffic.
A rule of the type:
ACCEPT lan:192.168.0.3 fw icmp 8
correctly produces an iptables rule:
-A lan2fw -s 192.168.0.3 -p icmp -m icmp --icmp-type 8 -j ACCEPT
However a rule of type:
ACCEPT lan:192.168.0.3 fw icmp
incorrectly produces an iptables rule without an icmp protocol:
-A lan2fw -s 192.168.0.3 -j ACCEPT
Rule:
ACCEPT lan:192.168.0.3 fw icmp 0
also produces an iptables rule without a protocol:
-A lan2fw -s 192.168.0.3 -j ACCEPT
Specifying a rule of type:
ACCEPT lan:192.168.0.3 fw icmp 8 4
correctly generates shorewall error:
ERROR: SOURCE PORTS(S) not permitted with ICMP .......
However a rule with source port 0:
ACCEPT lan:192.168.0.3 fw icmp 8 0
does not produce an error message.
A rule with multiple ICMP types:
ACCEPT lan:192.168.0.3 fw icmp 8,3
results in an iptables error:
iptables-restore v1.3.6: Invalid ICMP type '8,3'
A patch is attached to correct these problems.
Steven.
--- /root/shorewall/Chains.pm 2007-04-16 18:55:05.000000000 +0100
+++ Chains.pm 2007-04-17 14:12:18.000000000 +0100
@@ -688,8 +688,12 @@
}
}
} elsif ( $proto =~ /^(icmp|1)$/i ) {
- $output .= "-p icmp --icmp-type $ports " if $ports;
- fatal_error 'SOURCE PORT(S) not permitted with ICMP' if $sports;
+ my @ports = split /,/, $ports;
+ my $count = @ports;
+ fatal_error 'Multiple ICMP types are not permitted' if $count > 1;
+ $output .= "-p icmp ";
+ $output .= "--icmp-type $ports " if $count;
+ fatal_error 'SOURCE PORT(S) not permitted with ICMP' if $sports ne "";
} elsif ( $proto =~ /^(ipp2p(:(tcp|udp|all)))?$/i ) {
require_capability( 'IPP2P' , 'PROTO = ipp2p' );
$proto = $2 ? $3 : 'tcp';
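Review bot: the `if $sports ne ""` test on the last `+` line, and `split /,/, $ports` on the first, will both emit "Use of uninitialized value" warnings under `use warnings` if the caller passes undef for an empty column; if that is possible here, guard with defined-ness or use length, e.g. `fatal_error 'SOURCE PORT(S) not permitted with ICMP' if defined $sports && length $sports;`. Replacing the bare `if $ports` / `if $sports` truthiness tests is the right fix for the report, since the string "0" is false in Perl, which is exactly why `icmp 0` lost its `-p icmp` and a source port of 0 slipped past the check; emitting `-p icmp ` unconditionally also covers the type-less rule. One remaining edge: `split` discards trailing empty fields, so a value such as `8,` gives `$count == 1`, passes the multiple-type check and is still interpolated verbatim into `--icmp-type 8,`; testing `$ports =~ /,/` directly would reject that form as well.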
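The five rule forms from the report, run through a stand-alone model of the ICMP branch before and after the fix. This is an added example, not Shorewall's code: `fatal_error` is a hypothetical stand-in that just dies, and `icmp_old` / `icmp_new` are assumed names for the two versions of the branch.

```perl
#!/usr/bin/perl
# Added example (not Shorewall's own code): contrasts the original
# truthiness tests with presence tests for the ICMP branch of Chains.pm.
use strict;
use warnings;

# Hypothetical stand-in for Shorewall's fatal_error: dies with the message.
sub fatal_error { die "ERROR: $_[0]\n" }

# Old behaviour: "-p icmp" is only emitted when $ports is Perl-true, so an
# empty value AND the string "0" both drop the protocol match entirely, and
# a source port of "0" is likewise false and never triggers the error.
sub icmp_old {
    my ( $ports, $sports ) = @_;
    my $output = '';
    $output .= "-p icmp --icmp-type $ports " if $ports;
    fatal_error 'SOURCE PORT(S) not permitted with ICMP' if $sports;
    return $output;
}

# Corrected behaviour: test for presence with length(), always emit
# "-p icmp", and reject comma lists (iptables --icmp-type takes one type).
sub icmp_new {
    my ( $ports, $sports ) = @_;
    $ports  = '' unless defined $ports;
    $sports = '' unless defined $sports;
    fatal_error 'Multiple ICMP types are not permitted' if $ports =~ /,/;
    fatal_error 'SOURCE PORT(S) not permitted with ICMP' if length $sports;
    my $output = '-p icmp ';
    $output .= "--icmp-type $ports " if length $ports;
    return $output;
}

# Constructed cases mirroring the report: ICMP type column, source port
# column, and what each version of the branch produces for them.
for my $case ( [ '8', '' ], [ '', '' ], [ '0', '' ], [ '8', '0' ], [ '8,3', '' ] ) {
    my ( $ports, $sports ) = @$case;
    for my $impl ( [ old => \&icmp_old ], [ new => \&icmp_new ] ) {
        my ( $name, $code ) = @$impl;
        my $result = eval { $code->( $ports, $sports ) };
        $result = $@ if $@;
        chomp $result;
        printf "%-3s ports=%-5s sports=%-3s -> %s\n",
            $name, "'$ports'", "'$sports'", $result;
    }
}
```

The `old` lines reproduce the missing `-p icmp` for `''` and `'0'`, the silently accepted source port `0`, and the `8,3` string that iptables-restore rejects; the `new` lines show each case either producing a well-formed match or failing early in Shorewall.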