From bbe514b4176925913b2ac372cc86e19de419833d Mon Sep 17 00:00:00 2001
From: teastep
Date: Sat, 14 Aug 2004 20:44:15 +0000
Subject: [PATCH] Add 'allowBcast' standard action

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1539 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Shorewall2/actions.std | 1 +
 Shorewall2/firewall | 36 ++++++++++++++++++++++++++++++++++--
 Shorewall2/releasenotes.txt | 3 +++
 3 files changed, 38 insertions(+), 2 deletions(-)

diff --git a/Shorewall2/actions.std b/Shorewall2/actions.std
index b65a2dd32..052ddf316 100644
--- a/Shorewall2/actions.std
+++ b/Shorewall2/actions.std
@@ -4,6 +4,7 @@
 #
 # Builtin Actions are:
 #
+# allowBcast #Silently Allow Broadcast/multicast
 # dropBcast #Silently Drop Broadcast/multicast
 # dropNonSyn #Silently Drop Non-syn TCP packets
 # rejNonSyn #Silently Reject Non-syn TCP packets
diff --git a/Shorewall2/firewall b/Shorewall2/firewall
index 3b7c8f63c..853408528 100755
--- a/Shorewall2/firewall
+++ b/Shorewall2/firewall
@@ -3017,7 +3017,7 @@ merge_levels() # $1=level at which superior action is called, $2=level at which
 #
 process_actions1()
 {
- ACTIONS="dropBcast dropNonSyn dropNotSyn rejNotSyn dropInvalid"
+ ACTIONS="dropBcast allowBcast dropNonSyn dropNotSyn rejNotSyn dropInvalid"
 USEDACTIONS=
 strip_file actions
@@ -3170,12 +3170,44 @@ process_actions3() {
 fi
 fi
 ;;
+ allowBcast)
+ if [ "$COMMAND" != check ]; then
+ if [ -n "$PKTTYPE" ]; then
+ case $xlevel in
+ none'!')
+ ;;
+ *)
+ if [ -n "$xlevel" ]; then
+ log_rule_limit ${xlevel%\!} $xchain allowBcast $2 "" "$xtag" -m pkttype --pkt-type broadcast
+ log_rule_limit ${xlevel%\!} $xchain allowBcast $2 "" "$xtag" -m pkttype --pkt-type multicast
+ fi
+ ;;
+ esac
+
+ run_iptables -A allowBcast -m pkttype --pkt-type broadcast -j ACCEPT
+ run_iptables -A allowBcast -m pkttype --pkt-type multicast -j ACCEPT
+ else
+ for address in $(find_broadcasts) 255.255.255.255 224.0.0.0/4 ; do
+ case $xlevel in
+ none*)
+ ;;
+ *)
+ [ -n "$xlevel" ] && \
+ log_rule_limit ${xlevel%\!} $xchain allowBcast $2 "" "$xtag" -d $address
+ ;;
+ esac
+
+ run_iptables -A $xchain -d $address -j ACCEPT
+ done
+ fi
+ fi
+ ;;
 dropNonSyn)
 error_message "WARNING: \"dropNonSyn\" has been replaced by \"dropNotSyn\""
 if [ "$COMMAND" != check ]; then
 [ -n "$xlevel" ] && \
- log_rule_limit ${xlevel%\!} $xchain dropBcast $2 "" "$xtag" -p tcp ! --syn
+ log_rule_limit ${xlevel%\!} $xchain dropNonSyn $2 "" "$xtag" -p tcp ! --syn
 run_iptables -A $xchain -p tcp ! --syn -j DROP
 fi
 ;;
diff --git a/Shorewall2/releasenotes.txt b/Shorewall2/releasenotes.txt
index 6fb32e27d..81e283284 100755
--- a/Shorewall2/releasenotes.txt
+++ b/Shorewall2/releasenotes.txt
@@ -264,3 +264,6 @@ New Features:
 8) To improve interoperability, tunnels of type 'ipsec' no longer enforce the use of source port 500 for ISAKMP.
+
+9) A new 'allowBcast' builtin action has been added -- it silently
+ allows broadcasts and multicasts.
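Review bot: In the `-n "$PKTTYPE"` branch the two ACCEPT rules are appended to a hard-coded chain, `run_iptables -A allowBcast ...`, while the `log_rule_limit` calls just above them and the whole `else` branch target `$xchain`; if the action can ever run with `$xchain` different from the literal name `allowBcast` (which the consistent use of `$xchain` elsewhere in this hunk suggests, e.g. when a log level or tag is supplied), the accept rules would be written to a different chain than the log rules. Both lines should read `run_iptables -A $xchain -m pkttype --pkt-type broadcast -j ACCEPT` and `run_iptables -A $xchain -m pkttype --pkt-type multicast -j ACCEPT`. The two branches also treat a `none` level differently: the pkttype branch suppresses logging only for `none'!'`, so a plain `none` still falls through to `log_rule_limit`, whereas the address branch matches `none*`; changing the first pattern to `none*)` makes the behaviour uniform. The enclosing `process_actions3()` case statement starts and ends outside this hunk.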