Make detectnets and routeback play nice together

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1155 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2004-02-19 23:05:17 +00:00 · 2004-02-19 23:05:17 +00:00 · 321488cc24
commit 321488cc24
parent 080bdfa9e2
3 changed files with 16 additions and 9 deletions
--- a/Shorewall2/changelog.txt
+++ b/Shorewall2/changelog.txt
@ -48,3 +48,5 @@ Changes since 1.4.10
 23) Allow rate limiting on CONTINUE and REJECT.

 24) Move rfc1918 to /usr/share/shorewall
+
+25) Make detectnets and routeback play nice together.
--- a/Shorewall2/firewall
+++ b/Shorewall2/firewall
@ -475,7 +475,6 @@ determine_hosts() {

 	for interface in $interfaces; do
 	    eval options=\$$(chain_base $interface)_options
-
 	    if list_search detectnets $options; then
 		subnets=$(get_routed_subnets $interface)
 	    else
@ -488,6 +487,10 @@ determine_hosts() {
 		else
 		    hosts="$hosts $interface:$subnet"
 		fi
+
+		if list_search routeback $options; then
+		    eval ${zone}_routeback=\"$interface:$subnet \$${zone}_routeback\"
+		fi
 	    done
 	done

@ -495,16 +498,15 @@ determine_hosts() {

 	for host in $hosts; do
 	    interface=${host%:*}
-	    if ! list_search $interface $interfaces; then
+	    if list_search $interface $interfaces; then
+		eval ${zone}_is_complex=Yes
+	    else
 		if [ -z "$interfaces" ]; then
 		    interfaces=$interface
 		else
 		    interfaces="$interfaces $interface"
 		fi
 	    fi
-
-	    [ "${host#*:}" = "0.0.0.0/0" ] || \
-		eval ${zone}_is_complex=Yes
 	done

 	eval ${zone}_interfaces="\$interfaces"
@ -587,10 +589,9 @@ validate_interfaces_file() {
 		detectnets)
 		    [ -n "$wildcard" ] && \
 			startup_error "The \"detectnets\" option may not be used with a wild-card interface"
-		    ;;
+	    ;;
 		routeback)
 		    [ -n "$z" ] || startup_error "The routeback option may not be specified on a multi-zone interface"
-		    eval ${z}_routeback=\"$interface:0.0.0.0/0 \$${z}_routeback\"
 		    ;;
 		*)
 		    error_message "Warning: Invalid option ($option) in record \"$r\""
@ -4835,6 +4836,7 @@ activate_rules()
 	    else
 		for host in $source_hosts; do
 		    interface=${host%:*}
+		    subnet=${host#*:}

 		    chain1=$(forward_chain $interface)

@ -4843,7 +4845,7 @@ activate_rules()
 			subnet1=${host1#*:}

 			if [ "$host" != "$host1" ] || list_search $host $routeback; then
-			    run_iptables -A $chain1 -o $interface1 -d $subnet1 -j $chain
+			    run_iptables -A $chain1 -s $subnet -o $interface1 -d $subnet1 -j $chain
 			fi
 		    done
 		done
--- a/Shorewall2/releasenotes.txt
+++ b/Shorewall2/releasenotes.txt
@ -1,7 +1,7 @@
 Shorewall 2.0.0-Beta3

 ----------------------------------------------------------------------
-Problems Corrected since prior version.
+Problems Corrected since 1.4.10

 1) A blank USER/GROUP column in /etc/shorewall/tcrules no longer causes
   a [re]start error.
@ -11,6 +11,9 @@ Problems Corrected since prior version.

 3) The "shorewall add" command no longer inserts rules before checking
   of the blacklist.
+
+4) The 'detectnets' and 'routeback' options may now be used together
+   with the intended effect.
 -----------------------------------------------------------------------
 Issues when migrating from Shorewall 1.4.x to Shorewall 2.0.0: