Implemented 'newnotsyn' interface option

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@596 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall/changelog.txt

@@ -1,3 +1,5 @@
 Changes since 1.4.5
 
 1) Worked around RH7.3 "service" anomaly.
+
+2) Implemented 'newnotsyn' interface option.

Shorewall/firewall

@@ -607,7 +607,7 @@ validate_interfaces_file() {
 
 	for option in $options; do
 	    case $option in
-		dhcp|norfc1918|tcpflags)
+		dhcp|norfc1918|tcpflags|newnotsyn)
 		    ;;
 		routefilter|dropunclean|logunclean|blacklist|proxyarp|maclist|-)
 		    ;;
@@ -3306,7 +3306,13 @@ initialize_netfilter () {
 
     if [ -z "$NEWNOTSYN" ]; then
 	createchain newnotsyn no
+
+	for interface in `find_interfaces_by_option newnotsyn`; do
+	    run_iptables -A newnotsyn -i $interface -j RETURN
+	done
+
 	run_user_exit newnotsyn
+
 	if [ -n "$LOGNEWNOTSYN" ]; then
 	    log_rule $LOGNEWNOTSYN newnotsyn DROP
 	fi

Shorewall/interfaces

@@ -89,6 +89,13 @@
 #				sub-networking as described at:
 #				http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet
 #
+#			newnotsyn    - TCP packets that don't have the SYN 
+#				       flag set and which are not part of an
+#				       established connection will be accepted
+#				       from this interface, even if 
+#				       NEWNOTSYN=No has been specified in
+#				       /etc/shorewall/shorewall.conf.
+#
 #			The order in which you list the options is not
 #			significant but the list should have no embedded white
 #			space.

Shorewall/releasenotes.txt

@@ -8,3 +8,6 @@ Problems Corrected:
 
 New Features:
 
+1) A 'newnotsyn' interface option has been added. This option may be
+   specified in /etc/shorewall/interfaces and overrides the setting
+   NEWNOTSYN=No for packets arriving on the associated interface.