From 00c61997f4f0c7503c82d96b3f40dc24115737a7 Mon Sep 17 00:00:00 2001 From: teastep Date: Sat, 27 Nov 2004 16:50:38 +0000 Subject: [PATCH] Fix 'add' and 'delete' with bridging git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1778 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- STABLE2/changelog.txt | 2 ++ STABLE2/firewall | 35 +++++++++++++++++++++++------------ STABLE2/help | 12 ++++++------ STABLE2/releasenotes.txt | 14 +++++++++++++- 4 files changed, 44 insertions(+), 19 deletions(-) diff --git a/STABLE2/changelog.txt b/STABLE2/changelog.txt index 04699221c..e16074461 100644 --- a/STABLE2/changelog.txt +++ b/STABLE2/changelog.txt @@ -87,3 +87,5 @@ Changes in 2.0.11 Changes in 2.0.12 1) Correct typo in shorewall.conf. + +2) Fix "shorewall add" and "shorewall delete" with bridging. diff --git a/STABLE2/firewall b/STABLE2/firewall index 6991997b3..3108589fe 100755 --- a/STABLE2/firewall +++ b/STABLE2/firewall @@ -178,6 +178,16 @@ run_iptables2() { run_iptables $(fix_bang $@) } +# +# Quietly run iptables +# +qt_iptables() { + + [ -n "$BRIDGING" ] && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev + + qt $IPTABLES $@ +} + # # Run ip and if an error occurs, stop the firewall and quit # @@ -5673,6 +5683,7 @@ add_to_zone() # $1 = [:] $2 = zone do_iptables() # $@ = command { + [ -n "$BRIDGING" ] && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev if ! iptables $@ ; then startup_error "Can't add $1 to zone $2" fi @@ -5681,7 +5692,7 @@ add_to_zone() # $1 = [:] $2 = zone # # Isolate interface and host parts # - interface=${1%:*} + interface=${1%%:*} host=${1#*:} [ -z "$host" ] && host="0.0.0.0/0" @@ -5756,7 +5767,7 @@ add_to_zone() # $1 = [:] $2 = zone chain=${zone}_dnat if nat_chain_exists $chain; then - do_iptables -t nat -A $(dynamic_in $interface) -s $host -j $chain + do_iptables -t nat -A $(dynamic_in $interface) $(match_source_hosts $host) -j $chain fi # # Insert new rules into the filter table for the passed interface 
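Review bot: qt_iptables removes `$TMP_DIR/physdev` before every quiet iptables call without a comment saying what that file represents, and do_iptables in the next hunk (inside add_to_zone) repeats the same three-test line verbatim. From this patch it looks like a per-rule marker that match_source_hosts/match_dest_hosts consult so that `-m physdev` is emitted only once per rule, but that is inferred and should be confirmed against those helpers. I would say so above the function, e.g. `# $TMP_DIR/physdev is a one-shot marker left by the match_*_hosts helpers; clear it so the next rule starts fresh`, and keep the cleanup in one place both callers use: `clear_physdev() { [ -n "$BRIDGING" ] && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev; }`. Passing `"$@"` rather than `$@` to qt would also keep arguments with spaces intact, though the surrounding helpers such as run_iptables2 pass `$@` unquoted as well.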
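Review bot: The startup_error call directly below the physdev cleanup added to do_iptables reports `$1` and `$2` of do_iptables itself, i.e. the first two iptables arguments (for the nat call later in this file that is `-t` and `nat`), not the host spec and zone that add_to_zone received. By the time the visible calls run, add_to_zone has already stored those in `$interface`, `$host` and `$zone`, so the message should read `startup_error "Can't add $interface:$host to zone $zone"`. The same function still invokes bare `iptables` while the new qt_iptables uses `$IPTABLES`; `if ! $IPTABLES $@ ; then` would keep the two consistent, assuming the variable is set before add_to_zone runs. do_iptables's closing brace lies outside the hunk.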
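Review bot: With `interface=${1%%:*}` in add_to_zone (and the identical change in delete_from_zone, hunk at 5838) everything after the first colon becomes `$host`, while `host=${1#*:}` on the next line still yields the whole argument when there is no colon at all, so the `[ -z "$host" ]` default only applies to an argument that ends in a colon. An `interface:port` argument with no host — a form the help text in this commit documents — therefore arrives at match_source_hosts as `host=port`, and nothing checks how many fields were given. Unless the front end always normalises the argument to contain a colon, I would split it explicitly, e.g. `case $1 in *:*) interface=${1%%:*}; host=${1#*:} ;; *) interface=$1; host= ;; esac`, and reject more than three colon-separated fields before the value reaches an iptables command line. The enclosing functions start and end outside these hunks.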
@@ -5764,7 +5775,7 @@ add_to_zone() # $1 = [:] $2 = zone while read z1 z2 chain; do if [ "$z1" = "$zone" ]; then if [ "$z2" = "$FW" ]; then - do_iptables -A $(dynamic_in $interface) -s $host -j $chain + do_iptables -A $(dynamic_in $interface) $(match_source_hosts $host) -j $chain else source_chain=$(dynamic_fwd $interface) eval dest_hosts=\"\$${z2}_hosts\" @@ -5774,7 +5785,7 @@ add_to_zone() # $1 = [:] $2 = zone hosts=${h#*:} if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then - do_iptables -A $source_chain -s $host -o $iface $(match_dest_hosts $hosts) -j $chain + do_iptables -A $source_chain $(match_source_hosts $host) -o $iface $(match_dest_hosts $hosts) -j $chain fi done fi @@ -5783,7 +5794,7 @@ add_to_zone() # $1 = [:] $2 = zone # # Add a rule to the dynamic out chain for the interface # - do_iptables -A $(dynamic_out $interface) -d $host -j $chain + do_iptables -A $(dynamic_out $interface) $(match_destination_hosts $host) -j $chain else eval source_hosts=\"\$${z1}_hosts\" @@ -5792,7 +5803,7 @@ add_to_zone() # $1 = [:] $2 = zone hosts=${h#*:} if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then - do_iptables -A $(dynamic_fwd $iface) $rulenum $(match_source_hosts $hosts) -o $interface -d $host -j $chain + do_iptables -A $(dynamic_fwd $iface) $rulenum $(match_source_hosts $hosts) -o $interface $(match_dest_hosts $host) -j $chain fi done fi @@ -5838,7 +5849,7 @@ delete_from_zone() # $1 = [:] $2 = zone # # Isolate interface and host parts # - interface=${1%:*} + interface=${1%%:*} host=${1#*:} [ -z "$host" ] && host="0.0.0.0/0" 
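Review bot: The rule added to the dynamic out chain in the hunk at 5783 calls `match_destination_hosts`, whereas every other new rule in this patch — including the matching delete in delete_from_zone (hunk at 5904) — calls `match_dest_hosts`. Unless a `match_destination_hosts` helper exists elsewhere in the file, that substitution expands to nothing under sh (the "command not found" goes to stderr inside the subshell), so the rule is installed as `-A <dynamic out chain> -j $chain` with no destination restriction, iptables reports success, and the later `-D` built with `$(match_dest_hosts $host)` does not match it, leaving the broad rule active after a delete. The line should read `do_iptables -A $(dynamic_out $interface) $(match_dest_hosts $host) -j $chain`.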
@@ -5887,14 +5898,14 @@ delete_from_zone() # $1 = [:] $2 = zone # # Delete any nat table entries for the host(s) # - qt iptables -t nat -D $(dynamic_in $interface) -s $host -j ${zone}_dnat + qt_iptables -t nat -D $(dynamic_in $interface) $(match_source_hosts $host) -j ${zone}_dnat # # Delete rules rules the input chains for the passed interface # while read z1 z2 chain; do if [ "$z1" = "$zone" ]; then if [ "$z2" = "$FW" ]; then - qt iptables -D $(dynamic_in $interface) -s $host -j $chain + qt_iptables -D $(dynamic_in $interface) $(match_source_hosts $host) -j $chain else source_chain=$(dynamic_fwd $interface) eval dest_hosts=\"\$${z2}_hosts\" @@ -5904,13 +5915,13 @@ delete_from_zone() # $1 = [:] $2 = zone hosts=${h#*:} if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then - qt iptables -D $source_chain -s $host -o $iface $(match_dest_hosts $hosts) -j $chain + qt_iptables -D $source_chain $(match_source_hosts $host) -o $iface $(match_dest_hosts $hosts) -j $chain fi done fi elif [ "$z2" = "$zone" ]; then if [ "$z1" = "$FW" ]; then - qt iptables -D $(dynamic_out $interface) -d $host -j $chain + qt_iptables -D $(dynamic_out $interface) $(match_dest_hosts $host) -j $chain else eval source_hosts=\"\$${z1}_hosts\" @@ -5919,7 +5930,7 @@ delete_from_zone() # $1 = [:] $2 = zone hosts=${h#*:} if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then - qt iptables -D $(dynamic_fwd $iface) $(match_source_hosts $hosts) -o $interface -d $host -j $chain + qt_iptables -D $(dynamic_fwd $iface) $(match_source_hosts $hosts) -o $interface $(match_dest_hosts $host) -j $chain fi done fi diff --git a/STABLE2/help b/STABLE2/help index 09e61e179..7343d2f43 100644 --- a/STABLE2/help +++ b/STABLE2/help 
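Review bot: Every delete in this hunk and the two that follow goes through qt_iptables, so a `-D` that finds no rule — which is exactly what happens when the generated match spec differs from the one add_to_zone produced — fails silently and the stale rule keeps passing traffic with no indication to the operator. That was already true of the old `qt iptables` calls, but the commit now builds the specs through helpers on both sides, which makes such a divergence easier to introduce. Assuming qt passes the exit status through, I would report at least the filter-table misses, e.g. `qt_iptables -D $(dynamic_in $interface) $(match_source_hosts $host) -j $chain || echo "Warning: no rule for $host on $interface in $chain" >&2`, using whatever warning helper the script normally uses. delete_from_zone's body continues outside the hunk on both sides.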
@@ -29,11 +29,11 @@ case $1 in add) - echo "add: add [:] + echo "add: add [:][:] Adds a host or subnet to a dynamic zone usually used with VPN's. - shorewall add interface[:host] zone - Adds the specified interface - (and host if included) to the specified zone. + shorewall add interface[:port][:host] zone - Adds the specified interface + (and bridge port/host if included) to the specified zone. Example: @@ -93,11 +93,11 @@ debug) ;; delete) - echo "delete: delete [:] + echo "delete: delete [:][:] Deletes a host or subnet from a dynamic zone usually used with VPN's. - shorewall delete interface[:host] zone - Deletes the specified - interface (and host if included) from the specified zone. + shorewall delete interface[:port][:host] zone - Deletes the specified + interface (and bridge port/host if included) from the specified zone. Example: diff --git a/STABLE2/releasenotes.txt b/STABLE2/releasenotes.txt index f9a0d452f..513430141 100644 --- a/STABLE2/releasenotes.txt +++ b/STABLE2/releasenotes.txt @@ -1,4 +1,4 @@ -Shorewall 2.0.11 +Shorewall 2.0.12 ---------------------------------------------------------------------- Problems Corrected in version 2.0.4 @@ -188,7 +188,19 @@ install has been corrected. New Features in 2.0.11 1) The AllowNNTP action now allows NNTP over SSL/TLS (NTTPS). + ----------------------------------------------------------------------- Problems corrected in 2.0.12 1) A typo in shorewall.conf (NETNOTSYN) has been corrected. + +2) The "shorewall add" and "shorewall delete" commands now work in a + bridged environment. The syntax is: + + shorewall add [:]:
+ shorewall delete [:]:
+ + Examples: + + shorewall add br0:eth2:192.168.1.3 OK + shorewall delete br0:eth2:192.168.1.3 OK