Don't add broadcasts to /0 groups

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1095 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall/changelog.txt

@@ -15,3 +15,7 @@ Changes since 1.4.9
    limiting (with an assist from Steven Jan Springl).
 
 7) Silently drop smurfs and broadcasts in the 'reject' chain.
+
+8) Add multicast to 'detectnets' zones.
+
+9) Don't add broadcasts to /0 groups.

Shorewall/firewall

@@ -4888,14 +4888,17 @@ activate_rules()
 	    [ -n "$complex" ] && \
 		run_iptables -A `forward_chain $interface` -s $subnet -j $frwd_chain
 
-	    if ! list_search $interface $need_broadcast ; then
-		eval options=\$`chain_base ${interface}`_options
-		list_search detectnets $options && need_broadcast="$need_broadcast $interface"
+	    if [ "$subnet" != 0.0.0.0/0 ]; then
+		if ! list_search $interface $need_broadcast ; then
+		    eval options=\$`chain_base ${interface}`_options
+		    list_search detectnets $options && need_broadcast="$need_broadcast $interface"
+		fi
 	    fi
 	done
 
 	for interface in $need_broadcast ; do
 	    run_iptables -A OUTPUT -o $interface -d 255.255.255.255 -j $chain1
+	    run_iptables -A OUTPUT -o $interface -d 224.0.0.0/4     -j $chain1
 	done
    
 	for zone1 in $zones; do