From 88f9a3e2553d36ff7548a8e0007cb4d52dda1ef1 Mon Sep 17 00:00:00 2001
From: Tom Eastep <teastep@shorewall.net>
Date: Fri, 7 Aug 2015 14:09:08 -0700
Subject: [PATCH] Allow zero-valued options on multi-zoned interfaces

Signed-off-by: Tom Eastep <teastep@shorewall.net>
---
 Shorewall/Perl/Shorewall/Zones.pm | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)

diff --git a/Shorewall/Perl/Shorewall/Zones.pm b/Shorewall/Perl/Shorewall/Zones.pm
index 40cf78072..b636c0ed7 100644
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -1208,18 +1208,20 @@ sub process_interface( $$ ) {
 
 	    fatal_error "Invalid Interface option ($option)" unless my $type = $validinterfaceoptions{$option};
 
-	    if ( $zone ) {
-		fatal_error qq(The "$option" option may not be specified for a Vserver zone") if $zoneref->{type} & VSERVER && ! ( $type & IF_OPTION_VSERVER );
-	    } else {
-		fatal_error "The \"$option\" option may not be specified on a multi-zone interface" if $type & IF_OPTION_ZONEONLY;
-	    }
-
 	    my $hostopt = $type & IF_OPTION_HOST;
 
-	    fatal_error "The \"$option\" option is not allowed on a bridge port" if $port && ! $hostopt;
-
 	    $type &= MASK_IF_OPTION;
 
+	    unless ( $type == BINARY_IF_OPTION && defined $value && $value eq '0' ) {
+		if ( $zone ) {
+		    fatal_error qq(The "$option" option may not be specified for a Vserver zone") if $zoneref->{type} & VSERVER && ! ( $type & IF_OPTION_VSERVER );
+		} else {
+		    fatal_error "The \"$option\" option may not be specified on a multi-zone interface" if $type & IF_OPTION_ZONEONLY;
+		}
+	    }
+
+	    fatal_error "The \"$option\" option is not allowed on a bridge port" if $port && ! $hostopt;
+
 	    if ( $type == SIMPLE_IF_OPTION ) {
 		fatal_error "Option $option does not take a value" if defined $value;
 		if ( $option eq 'blacklist' ) {