On Tuesday 17 April 2007 21:02, Tom Eastep wrote:
> I've uploaded 3.9.2 (again).
Tom

Testing of 3.9.2 has shown the following problems:

If a rule specifies a source or destination port of 0 for TCP or UDP it is 
ignored.

The test for the presence of a source or destination port if the protocol is 
not specified also ignores port 0.

A patch to fix these problems is attached. The patch also adds a check for the 
presence of source or destination ports if the protocol is not TCP, UDP or 
ICMP.

Steven

--- /root/shorewall/Chains.pm	2007-04-17 19:07:22.000000000 +0100
+++ Chains.pm	2007-04-17 19:35:38.000000000 +0100
@@ -644,9 +644,9 @@
     if ( $proto ) {
 	if ( $proto =~ /^(tcp|udp|6|17)$/i ) {
 	    $output = "-p $proto ";
-	    if ( $ports ) {
-		my @ports = split /,/, $ports;
-		my $count = @ports;
+	    my @ports = split /,/, $ports;
+	    my $count = @ports;
+	    if ( $count ) {
 
 		if ( $count > 1 ) {
 		    fatal_error "Port list requires Multiport support in your kernel/iptables: $ports" unless $capabilities{MULTIPORT};
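Review bot: the new `my @ports = split /,/, $ports;` runs unconditionally, so if `$ports` can ever be undef (rather than the empty string) this will emit an "uninitialized value" warning under `use warnings` where the old `if ( $ports )` guard was silent; either normalize with `$ports = '' unless defined $ports;` before the split or guard the split with `defined $ports`. The change itself is right for the bug described: `if ( $ports )` treated the string "0" as false, whereas `split` on "0" yields one element and `$count` is 1, so a port of 0 is no longer dropped.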
@@ -666,9 +666,9 @@
 		}
 	    }
 
-	    if ( $sports ) {
-		my @ports = split /,/, $sports;
-		my $count = @ports;
+	    @ports = split /,/, $sports;
+	    $count = @ports;
+	    if ( $count ) {
 
 		if ( $count > 1 ) {
 		    fatal_error "Port list requires Multiport support in your kernel/iptables: $sports" unless $capabilities{MULTIPORT};
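Review bot: the assignments `@ports = split /,/, $sports;` and `$count = @ports;` drop the `my`, so this hunk only compiles under `use strict` if the first hunk, which hoists `my @ports` and `my $count` into the enclosing block, is applied with it; if the two hunks are ever split, this one needs its own declarations. The same undef caveat as for `$ports` applies to `$sports` here.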
@@ -700,9 +700,10 @@
 	    $ports = 'ipp2p' unless $ports;
 	    $output .= "-p $proto -m ipp2p --$ports ";
 	} else {
+	    fatal_error "SOURCE/DEST PORT(S) not allowed with PROTO $proto, rule \"$line\"" if $ports ne "" || $sports ne "";
 	    $output .= "-p $proto ";
 	}
-    } elsif ( $ports || $sports ) {
+    } elsif ( $ports ne "" || $sports ne "" ) {
 	fatal_error "SOURCE/DEST PORT(S) not allowed without PROTO, rule \"$line\""
     }
 
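Review bot: the added `fatal_error` for a non-TCP/UDP/ICMP `$proto` with ports, and the `ne ""` rewrite of the `elsif`, change behaviour from silently accepting (or ignoring) a port column to rejecting the rule at compile time, so a working configuration that happens to carry a port on such a rule will stop compiling after this patch; this deserves a line in the release notes or changelog. Both new tests use `ne ""` without a `defined` check, so the same undef-warning concern as in the earlier hunks applies if `$ports` or `$sports` can be undef.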
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users