From 17f91376932b18d5ac2f4f2a58ef17d24185c907 Mon Sep 17 00:00:00 2001
From: teastep
Date: Tue, 19 Jun 2007 15:45:39 +0000
Subject: [PATCH] Fix DYNAMIC_ZONES=Yes and the new bridge code
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@6598 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Shorewall-common/changelog.txt | 2 ++
 Shorewall-common/firewall | 18 ++++++------------
 Shorewall-common/lib.config | 22 ++++++++++++++++++++--
 Shorewall-common/releasenotes.txt | 6 ++++++
 Shorewall-perl/Shorewall/Interfaces.pm | 1 -
 5 files changed, 34 insertions(+), 15 deletions(-)
diff --git a/Shorewall-common/changelog.txt b/Shorewall-common/changelog.txt
index d546af939..6e6f413c6 100644
--- a/Shorewall-common/changelog.txt
+++ b/Shorewall-common/changelog.txt
@@ -6,6 +6,8 @@ Changes in 4.0.0 Beta 6
 3) Improve compiler selection.
+4) DYNAMIC_ZONES=Yes and bridges.
+
 Changes in 4.0.0 Beta 5
 1) Fix undefined function call when both an input interface and an
diff --git a/Shorewall-common/firewall b/Shorewall-common/firewall
index b767a5cc7..2fdba01a5 100755
--- a/Shorewall-common/firewall
+++ b/Shorewall-common/firewall
@@ -1,16 +1,11 @@
 #!/bin/sh
 #
-# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V3.4
+# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.0
 #
 # This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
 #
 # (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007 - Tom Eastep (teastep@shorewall.net)
 #
-# tcstart from tc4shorewall Version 0.5
-# (c) 2005 Arne Bernin
-# Modified by Tom Eastep for integration into the Shorewall distribution
-# published under GPL Version 2#
-#
 # Complete documentation is available at http://shorewall.net
 #
 # This program is free software; you can redistribute it and/or modify
@@ -31,14 +26,13 @@
 #
 # Commands are:
 #
-# shorewall restart Restarts the firewall
-# shorewall stop Stops the firewall
-# shorewall reset Resets iptables packet and
+# firewall stop Stops the firewall
+# firewall reset Resets iptables packet and
 # byte counts
-# shorewall clear Remove all Shorewall chains
+# firewall clear Remove all Shorewall chains
 # and rules/policies.
-# shorewall add [:] zone Adds a host or subnet to a zone
-# shorewall delete [:] zone Deletes a host or subnet from a zone
+# firewall add [:] zone Adds a host or subnet to a zone
+# firewall delete [:] zone Deletes a host or subnet from a zone
 #
 # Mutual exclusion -- These functions are jackets for the mutual exclusion
 # routines in $FUNCTIONS. They invoke
diff --git a/Shorewall-common/lib.config b/Shorewall-common/lib.config
index 7d50020bc..7a15f2b44 100644
--- a/Shorewall-common/lib.config
+++ b/Shorewall-common/lib.config
@@ -291,6 +291,12 @@ determine_zones()
 done
 FW=$zone
 ;;
+ bport|bport4)
+ [ "$PROGRAM" = compiler ] && startup_error "Invalid Zone Type: $type"
+ list_search $zone $ZONES $FW && startup_error "Zone $zone is defined more than once"
+ merge_zone
+ IPV4_ZONES="$IPV4_ZONES $zone"
+ ;;
 *)
 startup_error "Invalid Zone Type: $type"
 ;;
@@ -333,8 +339,20 @@ validate_interfaces_file() {
 wildcard=
 case $interface in
- *:*|+)
- startup_error "Invalid Interface Name: $interface"
+ *:*)
+ if [ "$PROGRAM" != compiler ]; then
+ #
+ # Assume that this is 4.0 syntax for a bridge
+ #
+ local bridge=${interface%:*}
+ list_search $bridge $ALL_INTERFACES || startup_error "Unknown Interface: $bridge"
+ interface=${interface#*:}
+ else
+ startup_error "Invalid Interface Name: $interface"
+ fi
+ ;;
+ +)
+ startup_error "Invalid Interface Name: +"
 ;;
 *+)
 wildcard=Yes
diff --git a/Shorewall-common/releasenotes.txt b/Shorewall-common/releasenotes.txt
index dd485a6da..3c35bcb3f 100644
--- a/Shorewall-common/releasenotes.txt
+++ b/Shorewall-common/releasenotes.txt
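Review bot: The compiler branch `[ "$PROGRAM" = compiler ] && startup_error "Invalid Zone Type: $type"` emits the same message as the catch-all `*)` right below it, so a user of the shell compiler cannot tell a bport zone (which the Interfaces.pm hunk in this commit shows the Perl compiler accepting as `bport4`) from a misspelled type; `startup_error "Zone type $type is not supported by this compiler"` would say what is actually wrong. The branch also needs a comment explaining why the runtime side recognises a type the shell compiler rejects — presumably so that `add`/`delete` work on a Shorewall-perl-compiled firewall now that the Perl `DYNAMIC_ZONES` guard is dropped in the same commit, but that is inferred from the diff and worth stating explicitly, e.g. `# bport zones are produced by Shorewall-perl; the runtime script must still recognise them for add/delete`. Once merged, the zone is appended to IPV4_ZONES exactly like an ipv4 zone, so any later consumer of IPV4_ZONES that assumes routed (non-bridge) zones now also sees bridge-port zones; those consumers should be checked. determine_zones() starts and ends outside the hunk.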
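Review bot: After `interface=${interface#*:}` the stripped port name is never re-validated: control leaves the `*:*` branch, so a port written as `br0:eth+` never reaches the `*+)` branch that sets `wildcard=Yes`, and `br0:+` (which `${interface%:*}` reduces to bridge `br0` and port `+`) is not rejected the way the new `+)` branch rejects a bare `+` for plain interfaces. The Perl compiler in this same commit checks the port against `/^[\w.@%-]+\+?$/`, so the runtime script is now more permissive than the compiler that produced the firewall. One way to keep them in step is to re-run the name check on the stripped port, e.g. `case $interface in *:*|+) startup_error "Invalid Interface Name: $interface";; *+) wildcard=Yes;; esac` immediately after the assignment. The `list_search $bridge $ALL_INTERFACES` lookup also requires the bridge to have been listed before its ports in the interfaces file, which the comment should say: `# The bridge must precede its ports in the interfaces file`. validate_interfaces_file() continues outside the hunk.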
@@ -21,6 +21,12 @@ Problems corrected in 4.0.0 Beta 6.
 /etc/shorewall/maclist entry would cause Perl error messages to be issued.
+2) Shorewall-perl now catches invalid interface names in the
+ /etc/shorewall/routestopped file.
+
+3) The new bridge implementation introduced with Beta 5 now works with
+ DYNAMIC_ZONES=Yes.
+
 Other changes in Shorewall 4.0.0 Beta 6
 1) When a Shorewall release includes detection of an additional
diff --git a/Shorewall-perl/Shorewall/Interfaces.pm b/Shorewall-perl/Shorewall/Interfaces.pm
index 77c6e1aea..2d6cadd9b 100644
--- a/Shorewall-perl/Shorewall/Interfaces.pm
+++ b/Shorewall-perl/Shorewall/Interfaces.pm
@@ -245,7 +245,6 @@ sub validate_interfaces_file( $ )
 fatal_error "$interface is not a defined bridge" unless $interfaces{$interface} && $interfaces{$interface}{options}{bridge};
 fatal_error "Invalid Interface Name ($interface:$port)" unless $port =~ /^[\w.@%-]+\+?$/;
 fatal_error "Bridge Ports may only be associated with 'bport' zones" if $zone && $zoneref->{type} ne 'bport4';
- fatal_error "Bridge Ports are not compatible with DYNAMIC_ZONES=Yes" if $config{DYNAMIC_ZONES};
 if ( $zone ) {
 if ( $zoneref->{bridge} ) {