More port OPTIONS changes

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9622 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall/Perl/Shorewall/Zones.pm

@@ -605,8 +605,10 @@ sub validate_interfaces_file( $ )
 		   OBSOLETE_IF_OPTION => 5,
 		   IPLIST_IF_OPTION   => 6,
 	           MASK_IF_OPTION     => 7,
+		       
 	           IF_OPTION_ZONEONLY => 8,
-	           IF_OPTION_HOST     => 16};
+	           IF_OPTION_HOST     => 16,
+	       };
 
     my %validoptions;
 
@@ -625,7 +627,7 @@ sub validate_interfaces_file( $ )
 			 optional    => SIMPLE_IF_OPTION,
 			 proxyarp    => BINARY_IF_OPTION,
 			 routeback   => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST,
-			 routefilter => BINARY_IF_OPTION + IF_OPTION_HOST,
+			 routefilter => BINARY_IF_OPTION ,
 			 sourceroute => BINARY_IF_OPTION,
 			 tcpflags    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 			 upnp        => SIMPLE_IF_OPTION,
@@ -636,6 +638,7 @@ sub validate_interfaces_file( $ )
 			   bridge      => SIMPLE_IF_OPTION,
 			   dhcp        => SIMPLE_IF_OPTION,
 			   maclist     => SIMPLE_IF_OPTION + IF_OPTION_HOST,
+			   nets        => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY,
 			   nosmurfs    => SIMPLE_IF_OPTION,
 			   optional    => SIMPLE_IF_OPTION,
 			   proxyndp    => BINARY_IF_OPTION,
@@ -698,8 +701,6 @@ sub validate_interfaces_file( $ )
 		}
 	    }
 
-	    fatal_error "Bridge Ports may not have options" if $options && $options ne '-';
-
 	    next if $port eq '';
 
 	    fatal_error "Invalid Interface Name ($interface:$port)" unless $port =~ /^[\w.@%-]+\+?$/;
@@ -740,6 +741,8 @@ sub validate_interfaces_file( $ )
 
 	my %options;
 
+	$options{port} = 1 if $port;
+
 	my $hostoptionsref = {};
 
 	if ( $options ) {
@@ -757,6 +760,8 @@ sub validate_interfaces_file( $ )
 
 		my $hostopt = $type & IF_OPTION_HOST;
 
+		fatal_error "The \"$option\" option is not allowed on a bridge port" if $port && ! $hostopt;
+
 		$type &= MASK_IF_OPTION;
 
 		if ( $type == SIMPLE_IF_OPTION ) {
@@ -830,8 +835,6 @@ sub validate_interfaces_file( $ )
 
 	    $hostoptionsref = \%hostoptions;
 
-	} elsif ( $port ) {
-	    $options{port} = 1;
 	}
 
 	$interfaces{$interface} = { name       => $interface ,

Shorewall/changelog.txt

@@ -8,6 +8,8 @@ Changes in Shorewall 4.3.7
 
 4)  Implement dynamic zones
 
+5)  Allow 'HOST' options on bridge ports.
+
 Changes in Shorewall 4.3.6
 
 1)  Add SAME tcrules target.

Shorewall/releasenotes.txt

@@ -34,13 +34,13 @@ released late in 2009.
           P R O B L E M S   C O R R E C T E D   I N   4 . 3 . 7
 ----------------------------------------------------------------------------
 
-1) Klemens Rutz reported a problem that affects all Shorewall-perl 4.2
-   and 4.3 versions.
+1)  Klemens Rutz reported a problem that affects all Shorewall-perl 4.2
+    and 4.3 versions.
 
-   The problem:
+    The problem:
 
-   a) Only occurs when there are more than one non-firewall zone.
-   b) Results in the following interface options not being applied to
+    a) Only occurs when there are more than one non-firewall zone.
+    b) Results in the following interface options not being applied to
       forwarded traffic.
 
 	blacklist
@@ -50,20 +50,31 @@ released late in 2009.
 	nosmurfs
 	tcpflags
 
-2) Matt LaPlante reported a problem whereby a valid DNAT- rule was
-   badly mis-handled.
+2)  Matt LaPlante reported a problem whereby a valid DNAT- rule was
+    badly mis-handled.
 
-   The rule:
+    The rule:
 
        DNAT-	loc	net:1.2.3.4:2525	tcp	25
 
-   The result:
+    The result:
 
      WARNING: Destination zone (1.2.3.4) ignored : /etc/shorewall/rules (line 459)
      Can't call method "inet_htoa" without a package or object reference at
        /usr/share/shorewall-perl/Shorewall/IPAddrs.pm line 150,
       <$currentfile> line 459.
 
+3)  Previously, OPTIONS were not allowed with a bridge port in
+    /etc/shorewall/interfaces. That oversight has been corrected and
+    now the following OPTIONS are allowed:
+
+    	blacklist
+	maclist
+	norfc1918
+	nosmurfs
+	routeback
+	tcpflags
+
 ----------------------------------------------------------------------------
              K N O W N   P R O B L E M S   R E M A I N I N G
 ----------------------------------------------------------------------------

manpages/shorewall-interfaces.xml

@@ -88,8 +88,30 @@ loc     eth2            -</programlisting>
           <para>(Shorewall-perl only) If a <replaceable>port</replaceable> is
           given, then the <replaceable>interface</replaceable> must have been
           defined previously with the <option>bridge</option> option. The
-          OPTIONS column must be empty when a <replaceable>port</replaceable>
-          is given.</para>
+          OPTIONS column may not contain the following options when a
+          <replaceable>port</replaceable> is given.</para>
+
+          <simplelist>
+            <member>arp_filter</member>
+
+            <member>arp_ignore</member>
+
+            <member>bridge</member>
+
+            <member>log_martians</member>
+
+            <member>mss</member>
+
+            <member>optional</member>
+
+            <member>proxyarp</member>
+
+            <member>routefilter</member>
+
+            <member>sourceroute</member>
+
+            <member>upnp</member>
+          </simplelist>
         </listitem>
       </varlistentry>
 

tools/build/buildshorewall

@@ -332,7 +332,7 @@ case $VERSION in
 	LITE6SVNBRANCH="/tags/${BASEVERSION}/Shorewall6-lite-${PATCHNUM}"
 	PERLBRANCH="tags/${BASEVERSION}/Shorewall-perl-${PATCHNUM}"
 	SHELLBRANCH="tags/${BASEVERSION}/Shorewall-shell-${PATCHNUM}"
-	DOCTAG="trunk/docs"
+	DOCTAG="branches/4.2/docs"
 	XMLPROJ="docs-4.2"
 	SAMPLESTAG="tags/${BASEVERSION}/Samples"
 	SAMPLES6TAG="trunk/Samples6"