From 4614fd053652083d6475c4f0e25c3316242414d2 Mon Sep 17 00:00:00 2001
From: teastep
Date: Tue, 20 Jul 2004 18:01:45 +0000
Subject: [PATCH] Consult PKTTYPE when generating REJECT rules

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1487 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 STABLE2/changelog.txt | 2 ++
 STABLE2/firewall | 25 +++++++++++++++++--------
 STABLE2/releasenotes.txt | 7 +++++++
 3 files changed, 26 insertions(+), 8 deletions(-)

diff --git a/STABLE2/changelog.txt b/STABLE2/changelog.txt
index a4284c713..421a0e3f0 100644
--- a/STABLE2/changelog.txt
+++ b/STABLE2/changelog.txt
@@ -36,3 +36,5 @@ Changes in 2.0.7
 1) Include output of "ip rule ls" and "ip route ls" in "shorewall status".
+
+2) Consult PKTTYPE when generating 'REJECT' rules.
diff --git a/STABLE2/firewall b/STABLE2/firewall
index b3e1116a8..8847a00c0 100755
--- a/STABLE2/firewall
+++ b/STABLE2/firewall
@@ -4922,6 +4922,13 @@ initialize_netfilter () {
 add_common_rules() {
 local savelogparms="$LOGPARMS"
 local broadcasts="$(find_broadcasts) 255.255.255.255 224.0.0.0/4"
+
+ drop_broadcasts() {
+ for address in $broadcasts ; do
+ run_iptables -A reject -d $address -j DROP
+ done
+ }
+
 #
 # Populate the smurf chain
 #
@@ -4932,14 +4939,16 @@ add_common_rules() {
 #
 # Reject Rules -- Don't respond to broadcasts with an ICMP
 #
- qt iptables -A reject -m pkttype --pkt-type broadcast -j DROP
- if ! qt iptables -A reject -m pkttype --pkt-type multicast -j DROP; then
- #
- # No pkttype support -- do it the hard way
- #
- for address in $broadcasts ; do
- run_iptables -A reject -d $address -j DROP
- done
+ if [ -n "$PKTTYPE" ]; then
+ qt iptables -A reject -m pkttype --pkt-type broadcast -j DROP
+ if ! qt iptables -A reject -m pkttype --pkt-type multicast -j DROP; then
+ #
+ # No pkttype support -- do it the hard way
+ #
+ drop_broadcasts
+ fi
+ else
+ drop_broadcasts
 fi
 #
 # Don't feed the smurfs
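Review bot: `drop_broadcasts` is written inside `add_common_rules`, but the shell has no nested function scope, so it is (re)defined as a global function every time `add_common_rules` runs and only sees the caller's `local broadcasts` through dynamic scoping; its loop variable `address` is likewise not declared local and leaks into the caller. Both are worth stating at the definition, e.g. a comment `# Helper for add_common_rules only: reads the caller's $broadcasts via dynamic scope` and `local address` as the function's first line. `add_common_rules` itself continues outside this hunk.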
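Review bot: The new `if [ -n "$PKTTYPE" ]; then` guard treats any non-empty value as enabled, so `PKTTYPE=No` only disables the pkttype match if option processing elsewhere in the script (outside this hunk) normalizes a No value to the empty string; the release notes in this same commit tell users to set `PKTTYPE=No`, so the fix depends on that normalization. It would be safer to make the expectation explicit where the option is read, e.g. `case "$PKTTYPE" in [Nn]*) PKTTYPE= ;; esac`, and to note it on the guard with `# PKTTYPE is empty when the option is No (see option processing)`. Without that, a user following the release notes would still get the pkttype rules.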
diff --git a/STABLE2/releasenotes.txt b/STABLE2/releasenotes.txt
index 15cdc806c..1efd89f6f 100644
--- a/STABLE2/releasenotes.txt
+++ b/STABLE2/releasenotes.txt
@@ -44,5 +44,12 @@ Problems Corrected in version 2.0.7
 1) To improve supportability, the "shorewall status" command now includes the output from "ip rule ls" and "ip addr ls".
+2) The PKTTYPE option introduced in version 2.0.6 is now used when
+ generating rules to REJECT packets. Broadcast packets are silently
+ dropped rather than being rejected with an ICMP (which is a protocol
+ violation) and users whose kernels have broken packet type match
+ support are likely to see messages reporting this violation.
+ Setting PKTTYPE=No should cause these messages to cease.
+