From 96bef5bd497f4999baaa8d97eddcfb308035f66d Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Mon, 3 May 2010 12:31:11 -0700
Subject: [PATCH] Assume 'routeback' in routestopped based on interface config.
Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Rules.pm | 33 +++++++++++++++------------
 Shorewall/changelog.txt | 3 +++
 Shorewall/releasenotes.txt | 4 ++++
 manpages/shorewall-routestopped.xml | 7 +++++-
 manpages6/shorewall6-routestopped.xml | 7 +++++-
 5 files changed, 37 insertions(+), 17 deletions(-)
diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index aff050a3b..8133a72c4 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -317,13 +317,15 @@ sub process_routestopped() {
 while ( read_a_line ) {
- my $routeback = 0;
-
 my ($interface, $hosts, $options , $proto, $ports, $sports ) = split_line 1, 6, 'routestopped file';
- fatal_error "Unknown interface ($interface)" unless known_interface $interface;
+ my $interfaceref;
+
+ fatal_error "Unknown interface ($interface)" unless $interfaceref = known_interface $interface;
 $hosts = ALLIP unless $hosts && $hosts ne '-';
+ my $routeback = 0;
+
 my @hosts;
 $seq++;
@@ -338,24 +340,12 @@ sub process_routestopped() {
 }
 unless ( $options eq '-' ) {
-
 for my $option (split /,/, $options ) {
 if ( $option eq 'routeback' ) {
 if ( $routeback ) {
 warning_message "Duplicate 'routeback' option ignored";
 } else {
- my $chainref = $filter_table->{FORWARD};
-
 $routeback = 1;
-
- for my $host ( split /,/, $hosts ) {
- add_rule( $chainref ,
- match_source_dev( $interface ) .
- match_dest_dev( $interface ) .
- match_source_net( $host ) .
- match_dest_net( $host ) );
- clearrule;
- }
 }
 } elsif ( $option eq 'source' ) {
 for my $host ( split /,/, $hosts ) {
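Review bot: The interface lookup is folded into the `unless` condition as an assignment (`unless $interfaceref = known_interface $interface`), which reads like a comparison at a glance and is the assignment-in-condition pattern perlcritic flags; declaring and assigning in one statement keeps the fatal check on its own line: `my $interfaceref = known_interface $interface;` followed by `fatal_error "Unknown interface ($interface)" unless $interfaceref;`. The two-line form also avoids the uninitialised `my $interfaceref;` declaration the hunk introduces. process_routestopped's body starts before this hunk and continues after it.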
@@ -376,6 +366,19 @@ sub process_routestopped() {
 }
 }
+ if ( $routeback || $interfaceref->{options}{routeback} ) {
+ my $chainref = $filter_table->{FORWARD};
+
+ for my $host ( split /,/, $hosts ) {
+ add_rule( $chainref ,
+ match_source_dev( $interface ) .
+ match_dest_dev( $interface ) .
+ match_source_net( $host ) .
+ match_dest_net( $host ) );
+ clearrule;
+ }
+ }
+
 push @allhosts, @hosts;
 }
diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index 4246337df..91d95a499 100644
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -40,6 +40,9 @@ Changes in Shorewall 4.4.9
 19) Allow definition of an addressless bridge without a zone.
+20) In the routestopped file, assume 'routeback' if the interface has
+ 'routeback'.
+
 Changes in Shorewall 4.4.8
 1) Correct handling of RATE LIMIT on NAT rules.
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index 2ac978bb2..0a0e50db3 100644
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@@ -393,6 +393,10 @@ None.
 7) The generated ruleset now uses conntrack match for state matching, if it is available.
+8) In /etc/shorewall/routestopped, the 'routeback' option is assumed
+ if the interface has 'routeback' specified (either explicitly or
+ detected).
+
 ----------------------------------------------------------------------------
 V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S I N P R I O R R E L E A S E S
diff --git a/manpages/shorewall-routestopped.xml b/manpages/shorewall-routestopped.xml
index 4749e837b..941d3a06e 100644
--- a/manpages/shorewall-routestopped.xml
+++ b/manpages/shorewall-routestopped.xml
@@ -75,7 +75,12 @@
 Set up a rule to ACCEPT traffic from these hosts back to
- themselves.
+ themselves. Beginning with Shorewall 4.4.9, this option is
+ automatically set if routeback is specified in shorewall-interfaces
+ (5) or if the rules compiler detects that the interface is a
+ bridge.
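Review bot: The new condition `if ( $routeback || $interfaceref->{options}{routeback} )` widens the stopped-state ruleset for existing configurations without saying so in the code: a routestopped entry that never asked for routeback now gets a FORWARD rule matching traffic from `$hosts` back out the same interface, and since `$hosts` defaults to ALLIP when the column is empty (per the first hunk), that rule covers the whole interface. That is the commit's intent, but a reader of this block later will not know it is deliberate, so a short comment above the `if` is warranted: `# Interface-level 'routeback' (explicit or detected) implies routeback for this entry even when the option is not given here; see shorewall-routestopped(5)`. A second, minor point: the rule is now emitted after the option loop finishes instead of at the point the option was seen, which changes its position relative to anything else the loop adds to FORWARD; if nothing in the loop targets that chain this is harmless, but that cannot be confirmed from the hunk. The enclosing `while` loop and sub continue outside the hunk.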
diff --git a/manpages6/shorewall6-routestopped.xml b/manpages6/shorewall6-routestopped.xml
index 0d068fb14..24c2fe093 100644
--- a/manpages6/shorewall6-routestopped.xml
+++ b/manpages6/shorewall6-routestopped.xml
@@ -71,7 +71,12 @@
 Set up a rule to ACCEPT traffic from these hosts back to
- themselves.
+ themselves. Beginning with Shorewall 4.4.9, this option is
+ automatically set if routeback is specified in shorewall6-interfaces
+ (5) or if the rules compiler detects that the interface is a
+ bridge.