On 3/16/2015 1:58 PM, Steven Jan Springl wrote:
> On Monday 16 Mar 2015 17:48:23 Tom Eastep wrote:
>> Beta 2 is now available for testing.
>
> Tom
>
> Command:
>
> shorewall open 192.168.100.1 192.168.200.1 icmp 8
>
> produces error message:
>
> iptables v1.4.14: multiport only works with TCP, UDP, UDPLITE, SCTP and DCCP
>
> Should it be possible to specify an icmp type?
Steven,

Please give the attached patch a try. Lightly tested here.

Thanks,
-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

diff --git a/Shorewall-core/lib.cli b/Shorewall-core/lib.cli
index a3ffea2..d06a938 100644
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
@@ -2089,6 +2089,8 @@ delete_command() {
open_close_command() {
local command
local desc
+ local proto
+ local icmptype
open_close_setup() {
[ -n "$g_nolock" ] || mutex_on
@@ -2152,7 +2154,11 @@ open_close_command() {
desc="from $1 to $2"
if [ $# -ge 3 ]; then
- command="$command -p $3"
+ proto=$3
+
+ [ $proto = icmp -a $g_family -eq 6 ] && proto=58
+
+ command="$command -p $proto"
case $3 in
[0-9]*)
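Review bot: In the added test `[ $proto = icmp -a $g_family -eq 6 ] && proto=58`, `$proto` is the third command-line argument expanded unquoted, so an empty or multi-word value makes `[` fail with a syntax error rather than a clean error message. Quote the operands and split the obsolescent `-a` into two tests, for example `[ "$proto" = icmp ] && [ "$g_family" -eq 6 ] && proto=58`. The same quoting applies to the later `[ $proto = ... ]` tests in this patch.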
@@ -2162,22 +2168,57 @@ open_close_command() {
desc="$desc $3"
;;
esac
+
+ if [ $g_family -eq 4 ]; then
+ if [ $proto = 6 -o $proto = icmp ]; then
+ proto=icmp
+ icmptype='--icmp-type'
+ fi
+ else
+ if [ $proto = 58 -o $proto = ipv6-icmp ]; then
+ proto=icmp
+ icmptype='--icmpv6-type'
+ fi
+ fi
fi
if [ $# -eq 4 ]; then
- command="$command -m multiport --dports $4"
+ if [ $proto = icmp ]; then
+ case $4 in
+ *,*)
+ fatal_error "Only a single ICMP type may be specified"
+ ;;
+ [0-9]*)
+ desc="$desc type $4"
+ ;;
+ *)
+ desc="$desc $4"
+ ;;
+ esac
- case $4 in
- [0-9]*,)
- desc="$desc ports $4"
- ;;
- [0-9]*)
- desc="$desc port $4"
+ command="$command $icmptype $4"
+ else
+ case $4 in
+ *,*)
+ command="$command -m multiport --dports $4"
;;
*)
- desc="$desc $4"
+ command="$command --dport $4"
;;
- esac
+ esac
+
+ case $4 in
+ [0-9]*,)
+ desc="$desc ports $4"
+ ;;
+ [0-9]*)
+ desc="$desc port $4"
+ ;;
+ *)
+ desc="$desc $4"
+ ;;
+ esac
+ fi
fi
command="$command -j ACCEPT"
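Review bot: The IPv4 branch tests `[ $proto = 6 -o $proto = icmp ]`, but IP protocol 6 is TCP; ICMP is protocol 1. As written, an open request that gives TCP by number with a port takes the ICMP path and appends `--icmp-type <port>` to a rule that already carries `-p 6`, while `-p 1` with a type falls through to `--dport`. Change the literal to 1. Separately, the re-indented description case keeps the pattern `[0-9]*,)`, which only matches a value ending in a comma, so a comma-separated list is described as "port" rather than "ports"; `[0-9]*,*)` looks like the intent.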
_______________________________________________ Shorewall-devel mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-devel
