diff --git a/Shorewall/Perl/Shorewall/Zones.pm b/Shorewall/Perl/Shorewall/Zones.pm
index d96e4d0dd..b4f986b2a 100644
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -349,7 +349,7 @@ sub initialize( $$ ) {
rpfilter => SIMPLE_IF_OPTION,
sfilter => IPLIST_IF_OPTION,
sourceroute => BINARY_IF_OPTION,
- tcpflags => SIMPLE_IF_OPTION + IF_OPTION_HOST,
+ tcpflags => BINARY_IF_OPTION + IF_OPTION_HOST,
upnp => SIMPLE_IF_OPTION,
upnpclient => SIMPLE_IF_OPTION,
mss => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
@@ -387,13 +387,14 @@ sub initialize( $$ ) {
nets => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_VSERVER,
nosmurfs => SIMPLE_IF_OPTION + IF_OPTION_HOST,
optional => SIMPLE_IF_OPTION,
+ optional => SIMPLE_IF_OPTION,
proxyndp => BINARY_IF_OPTION,
required => SIMPLE_IF_OPTION,
routeback => BINARY_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST + IF_OPTION_VSERVER,
rpfilter => SIMPLE_IF_OPTION,
sfilter => IPLIST_IF_OPTION,
sourceroute => BINARY_IF_OPTION,
- tcpflags => SIMPLE_IF_OPTION + IF_OPTION_HOST,
+ tcpflags => BINARY_IF_OPTION + IF_OPTION_HOST,
mss => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
forward => BINARY_IF_OPTION,
physical => STRING_IF_OPTION + IF_OPTION_HOST,
@@ -1353,6 +1354,8 @@ sub process_interface( $$ ) {
while ( my ( $option, $value ) = each( %options ) ) {
fatal_error "The $option option may not be specified with 'unmanaged'" if $prohibitunmanaged{$option};
}
+ } else {
+ $options{tcpflags} = $hostoptionsref->{tcpflags} = 1 unless exists $options{tcpflags};
}
$physical{$physical} = $interfaces{$interface} = { name => $interface ,
diff --git a/Shorewall/manpages/shorewall-interfaces.xml b/Shorewall/manpages/shorewall-interfaces.xml
index 67784e0f2..abe27c1f5 100644
--- a/Shorewall/manpages/shorewall-interfaces.xml
+++ b/Shorewall/manpages/shorewall-interfaces.xml
@@ -731,7 +731,7 @@ loc eth2 -
- tcpflags
+ tcpflags[={0|1}]
Packets arriving on this interface are checked for
@@ -739,6 +739,9 @@ loc eth2 -
have such a combination of flags are handled according to the
setting of TCP_FLAGS_DISPOSITION after having been logged
according to the setting of TCP_FLAGS_LOG_LEVEL.
+
+ Beginning with Shorewall 4.6.0, tcpflags=1 is the
+ default. To disable this option, specify tcpflags=0.
diff --git a/Shorewall6/manpages/shorewall6-interfaces.xml b/Shorewall6/manpages/shorewall6-interfaces.xml
index a9940a0c1..288614528 100644
--- a/Shorewall6/manpages/shorewall6-interfaces.xml
+++ b/Shorewall6/manpages/shorewall6-interfaces.xml
@@ -491,7 +491,7 @@ loc eth2 -
- tcpflags
+ tcpflags[={0|1}]
Packets arriving on this interface are checked for
@@ -499,6 +499,9 @@ loc eth2 -
have such a combination of flags are handled according to the
setting of TCP_FLAGS_DISPOSITION after having been logged
according to the setting of TCP_FLAGS_LOG_LEVEL.
+
+ Beginning with Shorewall 4.6.0, tcpflags=1 is the
+ default. To disable this option, specify tcpflags=0.