Allow simple configuration of a bridge with no IP address

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2024-11-14 19:54:06 +01:00 · 2010-04-27 12:26:58 -07:00 · 2010-04-27 12:26:58 -07:00 · d8b0f496df
commit d8b0f496df
parent 4b6bff7693
4 changed files with 30 additions and 6 deletions
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@ -1689,9 +1689,12 @@ sub add_interface_jumps {
    # Add the jumps to the interface chains from filter FORWARD, INPUT, OUTPUT
    #
    for my $interface ( @_ ) {
-	my $forwardref = $filter_table->{forward_chain $interface};
-	my $inputref   = $filter_table->{input_chain $interface};
-	my $outputref  = $filter_table->{output_chain $interface};
+	my $forwardref   = $filter_table->{forward_chain $interface};
+	my $inputref     = $filter_table->{input_chain $interface};
+	my $outputref    = $filter_table->{output_chain $interface};
+	my $interfaceref = find_interface($interface);
+
+	add_rule ( $filter_table->{FORWARD}, match_source_dev( $interface) . match_dest_dev( $interface) . '-j ACCEPT' ) unless $interfaceref->{nets} || ! $interfaceref->{options}{routeback};

 	add_jump( $filter_table->{FORWARD} , $forwardref , 0, match_source_dev( $interface ) ) unless $forward_jump_added{$interface} || ! use_forward_chain $interface, $forwardref;
 	add_jump( $filter_table->{INPUT}   , $inputref ,   0, match_source_dev( $interface ) ) unless $input_jump_added{$interface}   || ! use_input_chain $interface, $inputref;
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@ -223,7 +223,7 @@ sub initialize( $ ) {
 				  nosmurfs    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				  optional    => SIMPLE_IF_OPTION,
 				  proxyarp    => BINARY_IF_OPTION,
-				  routeback   => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST,
+				  routeback   => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				  routefilter => NUMERIC_IF_OPTION ,
 				  sourceroute => BINARY_IF_OPTION,
 				  tcpflags    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
@ -251,7 +251,7 @@ sub initialize( $ ) {
 				    nosmurfs    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    optional    => SIMPLE_IF_OPTION,
 				    proxyndp    => BINARY_IF_OPTION,
-				    routeback   => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST,
+				    routeback   => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    sourceroute => BINARY_IF_OPTION,
 				    tcpflags    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    mss         => NUMERIC_IF_OPTION,
@ -663,7 +663,7 @@ sub add_group_to_zone($$$$$)
 	push @$new, $host;
    }

-    $zoneref->{options}{in_out}{routeback} = 1 if $options->{routeback};
+    $zoneref->{options}{in_out}{routeback} = 1 if $options->{routeback} || $interfaces{$interface}{options}{routeback};

    my $gtype = $type == IPSEC ? 'ipsec' : 'ip';

--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@ -38,6 +38,8 @@ Changes in Shorewall 4.4.9

 18) Fix rare optimization bug.

+19) Allow definition of an addressless bridge without a zone.
+
 Changes in Shorewall 4.4.8

 1)  Correct handling of RATE LIMIT on NAT rules.
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@ -367,6 +367,25 @@ None.
    searches the current LOGFILE for Netfilter messages matching the
    supplied regex.

+6)  There are some instances where a bridge with no IP address is
+    configured. Prior to Shorewall 4.4.9, this required the following:
+
+    /etc/shorewall/interfaces:
+    #ZONE	INTERFACE	BROADCAST	OPTIONS
+    dummy	br0		-		routeback
+    
+    /etc/shorewall/policy:
+    #SOURCE	DEST		POLICY
+    dummy	all		NONE
+    all		dummy		NONE
+
+    Beginning in this release, a single entry will suffice:
+
+    /etc/shorewall/interfaces:
+    #ZONE	INTERFACE	BROADCAST	OPTIONS
+    -		br0		-		routeback
+
+
 ----------------------------------------------------------------------------
 V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
      I N   P R I O R  R E L E A S E S