Add 'physical' interface option for bridge ports

Shorewall/Perl/Shorewall/Chains.pm

@@ -1727,7 +1727,6 @@ sub match_source_dev( $ ) {
     my $interfaceref =  known_interface( $interface );
     my $physical     = $interfaceref->{physical};
     if ( $interfaceref && $interfaceref->{options}{port} ) {
-	$interface =~ s/\++/+/;
 	"-i $interfaceref->{bridge} -m physdev --physdev-in $physical ";
     } else {
 	"-i $physical ";
@@ -1744,7 +1743,6 @@ sub match_dest_dev( $ ) {
     my $physical     = $interfaceref->{physical};
     if ( $interfaceref && $interfaceref->{options}{port} ) {
 	if ( $capabilities{PHYSDEV_BRIDGE} ) {
-	    $interface =~ s/\++/+/;
 	    "-o $interfaceref->{bridge} -m physdev --physdev-is-bridged --physdev-out $physical ";
 	} else {
 	    "-o $interfaceref->{bridge} -m physdev --physdev-out $physical ";

Shorewall/Perl/Shorewall/Zones.pm

@@ -144,6 +144,7 @@ our %reservedName = ( all => 1,
 #                                     bridge      => <bridge>
 #                                     broadcasts  => 'none', 'detect' or [ <addr1>, <addr2>, ... ]
 #                                     number      => <ordinal position in the interfaces file>
+#                                     physical    => <physical interface name>
 #                                   }
 #                 }
 #

docs/bridge-Shorewall-perl.xml

@@ -619,6 +619,60 @@ br0             192.168.1.0/24  routeback
     firewall rules.</para>
   </section>
 
+  <section id="Multiple">
+    <title>Multiple Bridges with Wildcard Ports</title>
+
+    <para>It is sometimes required to configure multiple bridges on a single
+    firewall/gateway. The following seemingly valid configuration results in a
+    compile-time error</para>
+
+    <simplelist>
+      <member>ERROR: Duplicate Interface Name (p+)</member>
+    </simplelist>
+
+    <para><filename>/etc/shorewall/zones</filename>:</para>
+
+    <programlisting>       #ZONE            TYPE    
+       fw               firewall
+       world            ipv4
+       z1:world         bport4
+       z2:world         bport4</programlisting>
+
+    <para><filename>/etc/shorewall/interfaces</filename>:</para>
+
+    <programlisting>       #ZONE            INTERFACE       BROADCAST       OPTIONS
+       world            br0             -               bridge
+       world            br1             -               bridge
+       z1               br0:p+
+       z2               br1:p+</programlisting>
+
+    <para>The reason is that the Shorewall implementation requires each bridge
+    port to have a unique name. The <option>physical</option> interface option
+    was added in Shorewall 4.4.4 to work around this problem. The above
+    configuration may be defined using the following in
+    <filename>/etc/shorewall/interfaces</filename>: </para>
+
+    <programlisting>       #ZONE            INTERFACE       BROADCAST       OPTIONS
+       world            br0             -               bridge
+       world            br1             -               bridge
+       z1               br0:x+          -               physical=p+
+       z2               br1:y+          -               physical=p+</programlisting>
+
+    <para>In this configuration, 'x+' is the logical name for ports p+ on
+    bridge br0 while 'y+' is the logical name for ports p+ on bridge
+    br1.</para>
+
+    <para>If you need to refer to a particular port on br1 (for example
+    p1023), you write it as y1023; Shorewall will translate that name to p1023
+    when needed.</para>
+
+    <para>Example from /etc/shorewall/rules:</para>
+
+    <programlisting>       #ACTION    SOURCE    DEST       PROTO    DEST
+       #                                        PORT(S)
+       REJECT     z1:x1023  z1:x1024   tcp      1234</programlisting>
+  </section>
+
   <section id="bridge-router">
     <title>Combination Router/Bridge</title>
 

manpages/shorewall-interfaces.xml

@@ -123,7 +123,7 @@ loc     eth2            -</programlisting>
           <para>If you use the special value <emphasis
           role="bold">detect</emphasis>, Shorewall will detect the broadcast
           address(es) for you if your iptables and kernel include Address Type
-          Match support. </para>
+          Match support.</para>
 
           <para>If your iptables and/or kernel lack Address Type Match support
           then you may list the broadcast address(es) for the network(s) to
@@ -188,7 +188,8 @@ loc     eth2            -</programlisting>
 
                 <para>2 - reply only if the target IP address is local address
                 configured on the incoming interface and the sender's IP
-                address is part from same subnet on this interface's address</para>
+                address is part from same subnet on this interface's
+                address</para>
 
                 <para>3 - do not reply for local addresses configured with
                 scope host, only resolutions for global and link</para>
@@ -290,7 +291,8 @@ loc     eth2            -</programlisting>
                 role="bold">logmartians</emphasis>. Even if you do not specify
                 the <option>routefilter</option> option, it is a good idea to
                 specify <option>logmartians</option> because your distribution
-                may have enabled route filtering without you knowing it.</para>
+                may have enabled route filtering without you knowing
+                it.</para>
 
                 <para>Only those interfaces with the
                 <option>logmartians</option> option will have their setting
@@ -433,6 +435,21 @@ loc     eth2            -</programlisting>
               </listitem>
             </varlistentry>
 
+            <varlistentry>
+              <term>physical=<emphasis
+              role="bold"><emphasis>name</emphasis></emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.4.4. This option may only be used
+                when defining a bridge port (:port appeared in the INTERFACE
+                column). When specified, the port name in the INTERFACE column
+                is a logical name that refers to the name given in this
+                option. It is useful when you want to specify the same
+                wildcard port name on two or more bridges. See <ulink
+                url="http://www.shorewall.net/bridge-Shorewall-perl.html#Multiple">http://www.shorewall.net/bridge-Shorewall-perl.html#Multiple</ulink>.</para>
+              </listitem>
+            </varlistentry>
+
             <varlistentry>
               <term><emphasis role="bold">proxyarp[={0|1}]</emphasis></term>
 

manpages6/shorewall6-interfaces.xml

@@ -172,8 +172,21 @@ loc     eth2            -</programlisting>
                     cannot be obtained.</para>
                   </listitem>
                 </itemizedlist>
+              </listitem>
+            </varlistentry>
 
-                <para></para>
+            <varlistentry>
+              <term>physical=<emphasis
+              role="bold"><emphasis>name</emphasis></emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.4.4. This option may only be used
+                when defining a bridge port (:port appeared in the INTERFACE
+                column). When specified, the port name in the INTERFACE column
+                is a logical name that refers to the name given in this
+                option. It is useful when you want to specify the same
+                wildcard port name on two or more bridges. See <ulink
+                url="http://www.shorewall.net/bridge-Shorewall-perl.html#Multiple">http://www.shorewall.net/bridge-Shorewall-perl.html#Multiple</ulink>.</para>
               </listitem>
             </varlistentry>