Consult PKTTYPE when generating REJECT rules

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1487 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

STABLE2/changelog.txt

@@ -36,3 +36,5 @@ Changes in 2.0.7
 
 1) Include output of "ip rule ls" and "ip route ls" in "shorewall
    status".
+
+2) Consult PKTTYPE when generating 'REJECT' rules.

STABLE2/firewall

@@ -4922,6 +4922,13 @@ initialize_netfilter () {
 add_common_rules() {
     local savelogparms="$LOGPARMS"
     local broadcasts="$(find_broadcasts) 255.255.255.255 224.0.0.0/4"
+
+    drop_broadcasts() {
+	for address in $broadcasts ; do
+	    run_iptables -A reject -d $address -j DROP
+	done
+    }
+
     #
     # Populate the smurf chain
     #
@@ -4932,14 +4939,16 @@ add_common_rules() {
     #
     # Reject Rules -- Don't respond to broadcasts with an ICMP
     #
+    if [ -n "$PKTTYPE" ]; then
 	qt iptables -A reject -m pkttype --pkt-type broadcast -j DROP
 	if ! qt iptables -A reject -m pkttype --pkt-type multicast -j DROP; then
             #
 	    # No pkttype support -- do it the hard way
 	    #
-	for address in $broadcasts ; do
-	    run_iptables -A reject -d $address -j DROP
-	done
+	    drop_broadcasts
+	fi
+    else
+	drop_broadcasts
     fi
     #
     # Don't feed the smurfs

STABLE2/releasenotes.txt

@@ -44,5 +44,12 @@ Problems Corrected in version 2.0.7
 1) To improve supportability, the "shorewall status" command now
    includes the output from "ip rule ls" and "ip addr ls".
 
+2) The PKTTYPE option introduced in version 2.0.6 is now used when
+   generating rules to REJECT packets. Broadcast packets are silently
+   dropped rather than being rejected with an ICMP (which is a protocol
+   violation) and users whose kernels have broken packet type match
+   support are likely to see messages reporting this violation.
+   Setting PKTTYPE=No should cause these messages to cease. 
+