diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index aff050a3b..8133a72c4 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -317,13 +317,15 @@ sub process_routestopped() {
while ( read_a_line ) {
- my $routeback = 0;
-
my ($interface, $hosts, $options , $proto, $ports, $sports ) = split_line 1, 6, 'routestopped file';
- fatal_error "Unknown interface ($interface)" unless known_interface $interface;
+ my $interfaceref;
+
+ fatal_error "Unknown interface ($interface)" unless $interfaceref = known_interface $interface;
$hosts = ALLIP unless $hosts && $hosts ne '-';
+ my $routeback = 0;
+
my @hosts;
$seq++;
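Review bot: The assignment buried inside the `unless` condition on the new `fatal_error` line is easy to misread as a comparison, and it leaves `$interfaceref` declared two lines earlier without a value. Splitting it into `my $interfaceref = known_interface $interface;` followed by `fatal_error "Unknown interface ($interface)" unless $interfaceref;` keeps the same check and the same message while making the data flow obvious. process_routestopped() begins before this hunk and continues past it.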
@@ -338,24 +340,12 @@ sub process_routestopped() {
}
unless ( $options eq '-' ) {
-
for my $option (split /,/, $options ) {
if ( $option eq 'routeback' ) {
if ( $routeback ) {
warning_message "Duplicate 'routeback' option ignored";
} else {
- my $chainref = $filter_table->{FORWARD};
-
$routeback = 1;
-
- for my $host ( split /,/, $hosts ) {
- add_rule( $chainref ,
- match_source_dev( $interface ) .
- match_dest_dev( $interface ) .
- match_source_net( $host ) .
- match_dest_net( $host ) );
- clearrule;
- }
}
} elsif ( $option eq 'source' ) {
for my $host ( split /,/, $hosts ) {
@@ -376,6 +366,19 @@ sub process_routestopped() {
}
}
+ if ( $routeback || $interfaceref->{options}{routeback} ) {
+ my $chainref = $filter_table->{FORWARD};
+
+ for my $host ( split /,/, $hosts ) {
+ add_rule( $chainref ,
+ match_source_dev( $interface ) .
+ match_dest_dev( $interface ) .
+ match_source_net( $host ) .
+ match_dest_net( $host ) );
+ clearrule;
+ }
+ }
+
push @allhosts, @hosts;
}
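Review bot: The new condition `$routeback || $interfaceref->{options}{routeback}` changes what a routestopped entry grants without the entry asking for it: every host listed for an interface that has routeback (explicitly, or detected as a bridge per the manpage text in this commit) now gets a FORWARD ACCEPT between those hosts through the same interface while the firewall is stopped, and nothing in the compiled output records that this came from the interface rather than the entry. I would add a comment above the `if`, e.g. `# Interface-level 'routeback' (explicit or bridge-detected) implies routeback for every routestopped entry on it; the FORWARD rule below accepts traffic between the listed hosts via this interface in the stopped state.`, so a later reader of an unexpectedly wide stopped-state ruleset can trace it. It is not visible here whether every value returned by known_interface carries an `options` hash, so the lookup presumably relies on that invariant or on autovivification; worth confirming. process_routestopped() continues beyond this hunk.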
diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index 4246337df..91d95a499 100644
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -40,6 +40,9 @@ Changes in Shorewall 4.4.9
19) Allow definition of an addressless bridge without a zone.
+20) In the routestopped file, assume 'routeback' if the interface has
+ 'routeback'.
+
Changes in Shorewall 4.4.8
1) Correct handling of RATE LIMIT on NAT rules.
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index 2ac978bb2..0a0e50db3 100644
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@@ -393,6 +393,10 @@ None.
7) The generated ruleset now uses conntrack match for state matching,
if it is available.
+8) In /etc/shorewall/routestopped, the 'routeback' option is assumed
+ if the interface has 'routeback' specified (either explicitly or
+ detected).
+
----------------------------------------------------------------------------
V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
I N P R I O R R E L E A S E S
diff --git a/manpages/shorewall-routestopped.xml b/manpages/shorewall-routestopped.xml
index 4749e837b..941d3a06e 100644
--- a/manpages/shorewall-routestopped.xml
+++ b/manpages/shorewall-routestopped.xml
@@ -75,7 +75,12 @@
Set up a rule to ACCEPT traffic from these hosts back to
- themselves.
+ themselves. Beginning with Shorewall 4.4.9, this option is
+ automatically set if routeback is specified in shorewall-interfaces
+ (5) or if the rules compiler detects that the interface is a
+ bridge.
diff --git a/manpages6/shorewall6-routestopped.xml b/manpages6/shorewall6-routestopped.xml
index 0d068fb14..24c2fe093 100644
--- a/manpages6/shorewall6-routestopped.xml
+++ b/manpages6/shorewall6-routestopped.xml
@@ -71,7 +71,12 @@
Set up a rule to ACCEPT traffic from these hosts back to
- themselves.
+ themselves. Beginning with Shorewall 4.4.9, this option is
+ automatically set if routeback is specified in shorewall6-interfaces
+ (5) or if the rules compiler detects that the interface is a
+ bridge.