Steven,
On 11/02/2016 04:03 PM, Steven Jan Springl wrote:
>
> Confirmed, the patch fixes the issue.
>
Thanks.
> --------------------------------------------------------
>
> Snat rule:
>
> SNAT(0) 10.1.2.0/24 eth0 tcp
>
> produces error message:
>
> iptables-restore v1.4.21: Port '0' not valid
>
> Similarly snat rule:
>
> SNAT(0-10) 10.1.2.0/24 eth0 tcp
>
> produces error message:
>
> iptables-restore v1.4.21: Port '0-10' not valid
>
> --------------------------------------------------------
>
> Snat rule:
>
> SNAT(:persistent) 10.1.2.0/24 eth0 tcp
>
> Generates iptables-rule:
>
> -A SHOREWALL -o eth0 -p 6 -s 10.1.2.0/24 -j SNAT --persistent
>
> Which produces error message:
>
> iptables-restore v1.4.21: SNAT: option "--to-source" must be
> specified
>
> A similar problem occurs with the following snat rule:
>
> SNAT(:random) 10.1.2.0/24 eth0 tcp
>
The attached patch seems to catch these errors.
Thanks again,
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
diff --git a/Shorewall/Perl/Shorewall/IPAddrs.pm b/Shorewall/Perl/Shorewall/IPAddrs.pm
index b358848..0b24641 100644
--- a/Shorewall/Perl/Shorewall/IPAddrs.pm
+++ b/Shorewall/Perl/Shorewall/IPAddrs.pm
@@ -472,7 +472,7 @@ sub validate_portpair1( $$ ) {
fatal_error "Invalid port range ($portpair)" if $portpair =~ tr/-/-/ > 1;
- $portpair = "0$portpair" if substr( $portpair, 0, 1 ) eq ':';
+ $portpair = "1$portpair" if substr( $portpair, 0, 1 ) eq ':';
$portpair = "${portpair}65535" if substr( $portpair, -1, 1 ) eq ':';
my @ports = split /-/, $portpair, 2;
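Review bot: In the changed line of validate_portpair1, the implicit lower bound for an open-ended range moves from 0 to 1 with no comment saying why; a one-line comment that iptables-restore rejects port 0 ("Port '0' not valid") would keep it from being reverted later. Also in this hunk, both defaults test for a ':' at the ends of $portpair while the dash count above and the `split /-/` below work on '-', so please confirm the separator is normalised consistently around these lines; otherwise a defaulted value such as "1:10" reaches the single-port branch unsplit.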
@@ -483,9 +483,10 @@ sub validate_portpair1( $$ ) {
if ( @ports == 2 ) {
$what = 'port range';
- fatal_error "Invalid port range ($portpair)" unless $ports[0] < $ports[1];
+ fatal_error "Invalid port range ($portpair)" unless $ports[0] && $ports[0] < $ports[1];
} else {
$what = 'port';
+ fatal_error 'Invalid port number (0)' unless $portpair;
}
fatal_error "Using a $what ( $portpair ) requires PROTO TCP, UDP, SCTP or DCCP" unless
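Review bot: The two new zero checks in this hunk (`$ports[0] &&` in the range branch and `unless $portpair` in the single-port branch) rely on Perl truthiness, which treats only "0" and the empty string as false, so "00" or "00-10" still passes, and the single-port message prints "(0)" even when $portpair is empty. The range branch already compares the values numerically, so consider `$ports[0] > 0` there, and in the else branch test the numeric value and report ($portpair) in the message as the neighbouring errors do.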
diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index d92ab91..79294fb 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -5509,6 +5509,8 @@ sub process_snat1( $$$$$$$$$$$$ ) {
$detectaddress = 1;
}
} else {
+ fatal_error "SNAT rules must spacify a new source address and/or new source ports" unless supplied $addresses;
+
my $addrlist = '';
my @addrs = split_list $addresses, 'address';
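Review bot: The added fatal_error message misspells "specify" as "spacify"; this is user-facing text and should be corrected before the patch is applied. The check sits only in this else branch, so it is also worth a regression test that the SNAT(:persistent) and SNAT(:random) rules from the report reach it, since the reported failure was an emitted rule with no --to-source.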
_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel