Shorewall users - May 2004 - Fix for ''firewall'' script on shorewall delete

Hello,

I am using "shorewall add" and "shorewall delete" for
dynamically
adding and removing users to VPN chains when connecting to a VPN
gateway.

But ''shorewall delete'' has a little problem to delete the
correct
rules.

When issuing "shorewall delete iface:host zone", shorewall
tries to execute rules like:

   iptables -D source_chain -s host1 -o iface -s host2 -j chain

The result is that only some rules are deleted, but some still
remain in the source_chain, leading to a source_chain with
a growing number of rules which never get deleted.

The problem is located in delete_from_zone() where a call to
match_source_hosts is used instead of match_dest_hosts.

The following patch fixes this problem and should be applied against
the ''firewall'' script of shorewall 2.0.1 (errata version).

--- firewall.orig       2004-05-03 14:05:43.000000000 +0200
+++ firewall.patched    2004-05-03 14:25:39.000000000 +0200
@@ -5655,7 +5655,7 @@
                     hosts=${h#*:}

                     if [ "$iface" != "$interface" -o
"$hosts" != "$host" ]; then
-                       qt iptables -D $source_chain -s $host -o $iface
$(match_source_hosts $hosts) -j $chain
+                       qt iptables -D $source_chain -s $host -o $iface
$(match_dest_hosts $hosts) -j $chain
                     fi
                 done
             fi

Best regards,

Stefan

Stefan Engel wrote:

> The problem is located in delete_from_zone() where a call to
> match_source_hosts is used instead of match_dest_hosts.
> 
> The following patch fixes this problem and should be applied against
> the ''firewall'' script of shorewall 2.0.1 (errata
version).
Thanks!

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net