diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index b9097bb5a..5ee3bdfbc 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -1726,6 +1726,7 @@ sub match_source_dev( $ ) {
     return '' if $interface eq '+';
     my $interfaceref = known_interface( $interface );
     if ( $interfaceref && $interfaceref->{options}{port} ) {
+        $interface =~ s/\++/+/;
         "-i $interfaceref->{bridge} -m physdev --physdev-in $interface ";
     } else {
         "-i $interface ";
@@ -1741,6 +1742,7 @@ sub match_dest_dev( $ ) {
     my $interfaceref = known_interface( $interface );
     if ( $interfaceref && $interfaceref->{options}{port} ) {
         if ( $capabilities{PHYSDEV_BRIDGE} ) {
+            $interface =~ s/\++/+/;
             "-o $interfaceref->{bridge} -m physdev --physdev-is-bridged --physdev-out $interface ";
         } else {
             "-o $interfaceref->{bridge} -m physdev --physdev-out $interface ";
diff --git a/Shorewall/Perl/Shorewall/Zones.pm b/Shorewall/Perl/Shorewall/Zones.pm
index 1ada59bfd..bc1ce22a0 100644
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -503,6 +503,9 @@ sub zone_report()
             if ( $hosts ) {
                 my $grouplist = join ',', ( @$hosts );
                 $grouplist = join '!', ( $grouplist, $exclusions) if $exclusions;
+
+                $interface =~ s/\++/+/;
+
                 if ( $family == F_IPV4 ) {
                     progress_message_nocompress " $interface:$grouplist";
                 } else {
@@ -560,6 +563,8 @@ sub dump_zone_contents()
 
                 $grouplist = join '!', ( $grouplist, $exclusions ) if $exclusions;
 
+                $interface =~ s/\++/+/;
+
                 if ( $family == F_IPV4 ) {
                     $entry .= " $interface:$grouplist";
                 } else {
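Review bot: The added `$interface =~ s/\++/+/;` in match_source_dev is unanchored, so it rewrites the first run of `+` wherever it appears; it only does the right thing because the port-name check in process_interface admits a `+` solely at the end of the name, and that coupling is silent here. I would anchor it and say why it exists: `$interface =~ s/\++$/+/;   # 'p++', 'p+++' are compiler-synthesized keys for wildcard port 'p+'; emit the real wildcard`. It is also worth a comment that the collapse deliberately runs after known_interface(), so the lookup still uses the synthesized key and only the name handed to iptables is shortened. The body of match_source_dev begins before this hunk.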
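Review bot: In match_dest_dev the collapse is applied only inside the `PHYSDEV_BRIDGE` branch; the `else` branch two lines below still emits `--physdev-out $interface` with the synthesized name, so on an iptables without that capability a second wildcard port produces `--physdev-out p++`, a physdev wildcard for names beginning with `p+`, which matches no real interface and the rule silently never fires (fail-open for a DROP/REJECT rule, fail-closed for an ACCEPT). Hoist the substitution above the capability test so both branches see it, i.e. put `$interface =~ s/\++$/+/;` directly after `if ( $interfaceref && $interfaceref->{options}{port} ) {` and drop it from the inner branch. The enclosing function starts before the hunk.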
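Review bot: In zone_report the new `$interface =~ s/\++/+/;` mutates `$interface` in place, and the loop that binds it starts before the hunk; if that is a `for my $interface ( … )` over the stored host-group names, Perl's foreach aliasing rewrites the stored key from `p++` back to `p+`, and any later lookup through it would land on the other bridge's port entry. Reporting should work on a copy: `( my $shown = $interface ) =~ s/\++$/+/;` and then print `$shown`. The dump_zone_contents hunk in the same file has the same shape and the same concern.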
@@ -733,7 +738,18 @@ sub process_interface( $ ) {
             fatal_error qq("Virtual" interfaces are not supported -- see http://www.shorewall.net/Shorewall_and_Aliased_Interfaces.html) if $port =~ /^\d+$/;
             require_capability( 'PHYSDEV_MATCH', 'Bridge Ports', '');
             fatal_error "Your iptables is not recent enough to support bridge ports" unless $capabilities{KLUDGEFREE};
-            fatal_error "Duplicate Interface ($port)" if $interfaces{$port};
+
+            fatal_error "Invalid Interface Name ($interface:$port)" unless $port eq '' || $port =~ /^[\w.@%-]+\+?$/;
+
+            if ( $port =~ /\+$/ ) {
+                while ( $interfaces{$port} ) {
+                    fatal_error "Duplicate Interface ($interface:$port)" if $interfaces{$port}{bridge} eq $interface;
+                    $port .= '+';
+                }
+            } else {
+                fatal_error "Duplicate Interface ($port)" if $interfaces{$port};
+            }
+
             fatal_error "$interface is not a defined bridge" unless $interfaces{$interface} && $interfaces{$interface}{options}{bridge};
             fatal_error "Bridge Ports may only be associated with 'bport' zones" if $zone && $zoneref->{type} != BPORT;
@@ -747,8 +763,6 @@ sub process_interface( $ ) {
 
             next if $port eq '';
 
-            fatal_error "Invalid Interface Name ($interface:$port)" unless $port =~ /^[\w.@%-]+\+?$/;
-
             $bridge = $interface;
             $interface = $port;
         } else {
diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index 6a70a1a91..28feae1aa 100644
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -8,6 +8,8 @@ Changes in Shorewall 4.4.4
 
 4) Allow long port lists in /etc/shorewall/routestopped.
 
+5) Handle duplicate wildcard ports on different bridges.
+
 Changes in Shorewall 4.4.3
 
 1) Move Debian INITLOG initialization to /etc/default/shorewall
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index b165d0e35..033bfe2b9 100644
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
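Review bot: The disambiguation loop `while ( $interfaces{$port} ) { … }` treats a clashing entry as a duplicate only when its `{bridge}` equals this bridge, so a clash with an entry that is not a bridge port at all — a plain interface named `p+`, whose `{bridge}` presumably is itself given the `$bridge = $interface` assignment in the next hunk — no longer raises "Duplicate Interface" as the removed line did; it is silently aliased to `p++`, a validation regression, and if `{bridge}` is ever absent the `eq` also warns on undef. The loop should fail on any clashing entry that is not another bridge's wildcard port, as below. Separately, the fix assumes that everything else resolving a `bridge:port` reference (hosts, rules) performs the same bridge-qualified search; if any of it still looks up `$interfaces{'p+'}` directly, `br1:p+` resolves to br0's entry and rules attach to the wrong bridge — not visible here, worth confirming. The function body continues outside both hunks.
```perl
            if ( $port =~ /\+$/ ) {
                while ( my $existing = $interfaces{$port} ) {
                    # Only another bridge's wildcard port may share this base name;
                    # a plain interface or a port on the same bridge is a real clash.
                    fatal_error "Duplicate Interface ($interface:$port)"
                        unless $existing->{options}{port} && $existing->{bridge} ne $interface;
                    $port .= '+';   # synthesize a distinct key; collapsed back to 'p+' when emitted
                }
            } else {
            # … unchanged: non-wildcard duplicate check …
```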
@@ -190,6 +190,25 @@ Shorewall 4.4.4
 2) The Shorewall operations log (specified by STARTUP_LOG) is now secured
    0600.
 
+3) Previously, the following valid configuration would produce a fatal
+   error reporting "Duplicate interface name (p+)"
+
+   /etc/shorewall/zones:
+
+   #ZONE TYPE
+   fw firewall
+   world ipv4
+   z1:world bport4
+   z2:world bport4
+
+   /etc/shorewall/interfaces:
+
+   #ZONE INTERFACE BROADCAST OPTIONS
+   world br0 - bridge
+   world br1 - bridge
+   z1 br0:p+
+   z2 br1:p+
+
 ----------------------------------------------------------------------------
 K N O W N P R O B L E M S R E M A I N I N G
 ----------------------------------------------------------------------------