diff --git a/Shorewall2/changelog.txt b/Shorewall2/changelog.txt
index 59405c08b..09edd54dd 100644
--- a/Shorewall2/changelog.txt
+++ b/Shorewall2/changelog.txt
@@ -48,3 +48,5 @@ Changes since 1.4.10
 23) Allow rate limiting on CONTINUE and REJECT.
 24) Move rfc1918 to /usr/share/shorewall
+
+25) Make detectnets and routeback play nice together.
diff --git a/Shorewall2/firewall b/Shorewall2/firewall
index f2fd9da5f..6274cc1b6 100755
--- a/Shorewall2/firewall
+++ b/Shorewall2/firewall
@@ -475,7 +475,6 @@ determine_hosts() {
     for interface in $interfaces; do
         eval options=\$$(chain_base $interface)_options
-
         if list_search detectnets $options; then
             subnets=$(get_routed_subnets $interface)
         else
@@ -488,6 +487,10 @@ determine_hosts() {
             else
                 hosts="$hosts $interface:$subnet"
             fi
+
+            if list_search routeback $options; then
+                eval ${zone}_routeback=\"$interface:$subnet \$${zone}_routeback\"
+            fi
         done
     done
@@ -495,16 +498,15 @@ determine_hosts() {
     for host in $hosts; do
         interface=${host%:*}
-        if ! list_search $interface $interfaces; then
+        if list_search $interface $interfaces; then
+            eval ${zone}_is_complex=Yes
+        else
             if [ -z "$interfaces" ]; then
                 interfaces=$interface
             else
                 interfaces="$interfaces $interface"
             fi
         fi
-
-        [ "${host#*:}" = "0.0.0.0/0" ] || \
-            eval ${zone}_is_complex=Yes
     done
     eval ${zone}_interfaces="\$interfaces"
@@ -587,10 +589,9 @@ validate_interfaces_file() {
             detectnets)
                 [ -n "$wildcard" ] && \
                     startup_error "The \"detectnets\" option may not be used with a wild-card interface"
-                ;;
+                ;;
             routeback)
                 [ -n "$z" ] || startup_error "The routeback option may not be specified on a multi-zone interface"
-                eval ${z}_routeback=\"$interface:0.0.0.0/0 \$${z}_routeback\"
                 ;;
             *)
                 error_message "Warning: Invalid option ($option) in record \"$r\""
@@ -4835,6 +4836,7 @@ activate_rules()
     else
         for host in $source_hosts; do
             interface=${host%:*}
+            subnet=${host#*:}
             chain1=$(forward_chain $interface)
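Review bot: Registration of routeback entries moves from validate_interfaces_file (the `eval ${z}_routeback=...` line dropped in the hunk at -587) into this per-subnet loop, so `${zone}_routeback` now holds one `interface:subnet` entry per subnet returned by get_routed_subnets instead of a single `interface:0.0.0.0/0`, and it is only populated once determine_hosts has run. Any code that read `${zone}_routeback` between validation and determine_hosts — none is visible in this diff, so this is only a caution — would now see it empty. The consumer in activate_rules (`list_search $host $routeback`) compares against the host strings, so both lists must be built from identical `$interface:$subnet` spellings; a comment here noting that coupling, `# entries must use the same $interface:$subnet form as $hosts above`, would protect it. The enclosing loop over subnets begins before this hunk.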
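Review bot: The condition for `${zone}_is_complex` changes meaning in the hunk at -495 and neither the changelog nor the release-notes entry mentions it: the flag is now set when an interface is seen a second time in `$hosts`, whereas before any host whose subnet was not `0.0.0.0/0` set it. A zone with one non-default subnet per interface (a single `eth1:192.168.1.0/24` host, or a detectnets interface with one route) is therefore no longer complex; whether the code that consumes the flag in activate_rules still confines such a zone to its subnet is not visible here and should be confirmed. The rewrite also relies on `interfaces` having been cleared between the preceding loop and this one (old line 494 falls between the two hunks and is not shown); if it is not, every zone with hosts would be flagged complex. A comment stating the new rule would help: `# complex: some interface of this zone carries more than one subnet`. determine_hosts continues outside this hunk.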
@@ -4843,7 +4845,7 @@ activate_rules()
                 subnet1=${host1#*:}
                 if [ "$host" != "$host1" ] || list_search $host $routeback; then
-                    run_iptables -A $chain1 -o $interface1 -d $subnet1 -j $chain
+                    run_iptables -A $chain1 -s $subnet -o $interface1 -d $subnet1 -j $chain
                 fi
             done
         done
diff --git a/Shorewall2/releasenotes.txt b/Shorewall2/releasenotes.txt
index 0a4a15d13..7e29bc9c5 100755
--- a/Shorewall2/releasenotes.txt
+++ b/Shorewall2/releasenotes.txt
@@ -1,7 +1,7 @@
 Shorewall 2.0.0-Beta3
 ----------------------------------------------------------------------
-Problems Corrected since prior version.
+Problems Corrected since 1.4.10
 1) A blank USER/GROUP column in /etc/shorewall/tcrules no longer causes a [re]start error.
@@ -11,6 +11,9 @@ Problems Corrected since prior version.
 3) The "shorewall add" command no longer inserts rules before checking of the blacklist.
+
+4) The 'detectnets' and 'routeback' options may now be used together
+   with the intended effect.
 -----------------------------------------------------------------------
 Issues when migrating from Shorewall 1.4.x to Shorewall 2.0.0:
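Review bot: `subnet` is assigned from `$host` in the outer loop (the hunk at -4835) and read only in the rule rewritten here, which is correct, but in a script of this size a bare `subnet` is easy to collide with or clobber elsewhere in activate_rules, whose body lies outside both hunks; since the inner loop already uses `subnet1`, naming the outer one to match (`subnet0=${host#*:}` and `-s $subnet0`) makes the pairing visible and avoids the collision. When the host list was built without detectnets the value is presumably `0.0.0.0/0`, so the added `-s` match is redundant in that case; harmless, but a comment such as `# -s only narrows the rule for detectnets subnets; 0.0.0.0/0 matches everything` would save the next reader the lookup.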