Make tcpflags the default.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2014-01-01 15:10:38 -08:00 · 2014-01-01 15:10:38 -08:00 · 48ceed9ecb
commit 48ceed9ecb
parent 1083dd8c26
3 changed files with 13 additions and 4 deletions
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@ -349,7 +349,7 @@ sub initialize( $$ ) {
 				  rpfilter    => SIMPLE_IF_OPTION,
 				  sfilter     => IPLIST_IF_OPTION,
 				  sourceroute => BINARY_IF_OPTION,
-				  tcpflags    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
+				  tcpflags    => BINARY_IF_OPTION + IF_OPTION_HOST,
 				  upnp        => SIMPLE_IF_OPTION,
 				  upnpclient  => SIMPLE_IF_OPTION,
 				  mss         => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
@ -387,13 +387,14 @@ sub initialize( $$ ) {
 				    nets        => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_VSERVER,
 				    nosmurfs    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    optional    => SIMPLE_IF_OPTION,
+				    optional    => SIMPLE_IF_OPTION,
 				    proxyndp    => BINARY_IF_OPTION,
 				    required    => SIMPLE_IF_OPTION,
 				    routeback   => BINARY_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST + IF_OPTION_VSERVER,
 				    rpfilter    => SIMPLE_IF_OPTION,
 				    sfilter     => IPLIST_IF_OPTION,
 				    sourceroute => BINARY_IF_OPTION,
-				    tcpflags    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
+				    tcpflags    => BINARY_IF_OPTION + IF_OPTION_HOST,
 				    mss         => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
 				    forward     => BINARY_IF_OPTION,
 				    physical    => STRING_IF_OPTION + IF_OPTION_HOST,
@ -1353,6 +1354,8 @@ sub process_interface( $$ ) {
 	while ( my ( $option, $value ) = each( %options ) ) {
 	    fatal_error "The $option option may not be specified with 'unmanaged'" if $prohibitunmanaged{$option};
 	}
+    } else {
+	$options{tcpflags} = $hostoptionsref->{tcpflags} = 1 unless exists $options{tcpflags};
    }

    $physical{$physical} = $interfaces{$interface} = { name       => $interface ,
--- a/Shorewall/manpages/shorewall-interfaces.xml
+++ b/Shorewall/manpages/shorewall-interfaces.xml
@ -731,7 +731,7 @@ loc     eth2            -</programlisting>
            </varlistentry>

            <varlistentry>
-              <term><emphasis role="bold">tcpflags</emphasis></term>
+              <term><emphasis role="bold">tcpflags[={0|1}]</emphasis></term>

              <listitem>
                <para>Packets arriving on this interface are checked for
@ -739,6 +739,9 @@ loc     eth2            -</programlisting>
                have such a combination of flags are handled according to the
                setting of TCP_FLAGS_DISPOSITION after having been logged
                according to the setting of TCP_FLAGS_LOG_LEVEL.</para>
+
+                <para>Beginning with Shorewall 4.6.0, tcpflags=1 is the
+                default. To disable this option, specify tcpflags=0.</para>
              </listitem>
            </varlistentry>

--- a/Shorewall6/manpages/shorewall6-interfaces.xml
+++ b/Shorewall6/manpages/shorewall6-interfaces.xml
@ -491,7 +491,7 @@ loc     eth2            -</programlisting>
            </varlistentry>

            <varlistentry>
-              <term><emphasis role="bold">tcpflags</emphasis></term>
+              <term><emphasis role="bold">tcpflags[={0|1}]</emphasis></term>

              <listitem>
                <para>Packets arriving on this interface are checked for
@ -499,6 +499,9 @@ loc     eth2            -</programlisting>
                have such a combination of flags are handled according to the
                setting of TCP_FLAGS_DISPOSITION after having been logged
                according to the setting of TCP_FLAGS_LOG_LEVEL.</para>
+
+                <para>Beginning with Shorewall 4.6.0, tcpflags=1 is the
+                default. To disable this option, specify tcpflags=0. </para>
              </listitem>
            </varlistentry>