Restore fw->fw redirection; Check for SPT=0 in SYN

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@367 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall/firewall

@@ -907,8 +907,14 @@ validate_rule() {
     chain=${source}2${dest}
 
     if [ "x$chain" = x${FW}2${FW} ]; then
+	case $logtarget in
+	    REDIRECT)
+		;;
+	    *)
 		error_message "WARNING: fw -> fw rules are not supported; rule \"$rule\" ignored"
 		return
+		;;
+	esac
     fi
 
     #
@@ -2132,6 +2138,7 @@ add_a_rule()
 	    add_nat_rule
 	fi
 
+	if [ $chain != ${FW}2${FW} ]; then
 	    serv="${serv:+-d $serv}"
 
 	    if [ -n "$loglevel" ]; then
@@ -2147,8 +2154,10 @@ add_a_rule()
 		fi
 	    fi
 
+
 	    run_iptables -A $chain $proto $multiport $state $cli $sports \
 		$serv $dports -j $target
+	fi
     else
 
 	# Destination is a simple zone
@@ -2286,12 +2295,20 @@ process_rule() # $1 = target
 
     chain=${source}2${dest}
 
+    ensurechain $chain
+
     if [ "x$chain" = x${FW}2${FW} ]; then
+	case $logtarget in
+	    REDIRECT)
+		;;
+	    *)
 		error_message "WARNING: fw -> fw rules are not supported; rule \"$rule\" ignored"
 		return
-    fi
-
+		;;
+	esac
+    else
 	ensurechain $chain
+    fi
 
     # Generate Netfilter rule(s)
 
@@ -3500,6 +3517,12 @@ add_common_rules() {
 	run_iptables -A tcpflags -p tcp --tcp-flags ALL NONE        $disposition
 	run_iptables -A tcpflags -p tcp --tcp-flags SYN,RST SYN,RST $disposition
 	run_iptables -A tcpflags -p tcp --tcp-flags SYN,FIN SYN,FIN $disposition
+	#
+	# A Shorewall user reported seeing outgoing SYN ACK packets with DPT=0
+	# That prompted me to add the following which will stop an incoming
+	# SYN with SPT=0
+	#
+	run_iptables -A tcpflags -p tcp --syn --sport 0             $disposition
 	
 	for interface in $interfaces; do
 	    for chain in `first_chains $interface`; do