Bridging Changes

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1194 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2004-03-15 18:55:13 +00:00 · 2004-03-15 18:55:13 +00:00 · 74219e2e3a
commit 74219e2e3a
parent 8925f25168
6 changed files with 276 additions and 74 deletions
--- a/Shorewall2/firewall
+++ b/Shorewall2/firewall
@ -99,6 +99,8 @@ report () { # $* = message
 #
 run_iptables() {
    [ -n "$BRIDGING" ] && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev
    if ! iptables $@ ; then
 	[ -z "$stopping" ] && { stop_firewall; exit 2; }
    fi
@ -423,6 +425,84 @@ first_chains() #$1 = interface
   echo ${c}_fwd ${c}_in
 }
 #
 # Horrible hack to work around an iptables bug
 #
 physdev_echo() 
 {
    if [ -f $TMP_DIR/physdev ]; then
 	echo $@
    else
 	echo -m physdev $@
 	> $TMP_DIR/physdev
    fi
 }
 #
 # We allow hosts to be specified by IP address or by physdev. These two functions
 # are used to produce the proper match in a netfilter rule.
 #
 match_source_hosts()
 {
    if [ -n "$BRIDGING" ]; then
 	case $1 in
 	    *:*)
 		physdev_echo "--physdev-in ${1%:*} -s ${1#*:}"
 		;;
 	    *.*.*.*)
 		echo -s $1
 		;;
 	    *)
 		physdev_echo "--physdev-in $1"
 		;;
 	esac
    else
 	echo -s $1
    fi
 }
 match_dest_hosts()
 {
    if [ -n "$BRIDGING" ]; then
 	case $1 in
 	    *:*)
 		physdev_echo "--physdev-out ${1%:*} -d ${1#*:}"
 		;;
 	    *.*.*.*)
 		echo -d $1
 		;;
 	    *)
 		physdev_echo "--physdev-out $1"
 		;;
 	esac
    else
 	echo -d $1
    fi
 }
 #
 # Similarly, the source or destination in a rule can be qualified by a device name. If 
 # the device is defined in /etc/shorewall/interfaces then a normal interface match is
 # generated (-i or -o); otherwise, a physdev match is generated.
 #
 match_source_dev()
 {
    if [ -n "$BRIDGING" ]; then
 	list_search $1 $all_interfaces && echo -i $1 || physdev_echo "--physdev-in $1"
    else
 	echo -i $1
    fi
 }
 match_dest_dev()
 {
    if [ -n "$BRIDGING" ]; then
 	list_search $1 $all_interfaces && echo -o $1 || physdev_echo "--physdev-out $1"
    else
 	echo -o $1
    fi
 }
 #
 #
 # Find hosts in a given zone
 #
@ -436,7 +516,7 @@ find_hosts() # $1 = host zone
    while read z hosts options; do
 	if [ "x$(expand $z)" = "x$1" ]; then
 	    expandv hosts
-	    interface=${hosts%:*}
+	    interface=${hosts%%:*}
 	    addresses=${hosts#*:}
 	    for address in $(separate_list $addresses); do 
 		echo $interface:$address
@ -459,6 +539,18 @@ determine_interfaces() {
    done
 }
 #
 # Determine if an interface has a given option
 #
 interface_has_option() # $1 = interface, #2 = option
 {
    local options
    eval options=\$$(chain_base $1)_options
    list_search $2 $options
 }
 #
 # Determine the defined hosts in each zone and generate report
 #
@ -471,8 +563,7 @@ determine_hosts() {
 	eval interfaces=\$${zone}_interfaces
 	for interface in $interfaces; do
-	    eval options=\$$(chain_base $interface)_options
+	    if interface_has_option $interface detectnets; then
 	    if list_search detectnets $options; then
 		subnets=$(get_routed_subnets $interface)
 	    else
 		subnets=0.0.0.0/0
@ -612,7 +703,8 @@ validate_hosts_file() {
 	r="$z $hosts $options"
 	validate_zone $z || startup_error "Invalid zone ($z) in record \"$r\""
-	interface=${hosts%:*}
+	interface=${hosts%%:*}
 	iface=$(chain_base $interface)
 	list_search  $interface $all_interfaces || \
 	    startup_error "Unknown interface ($interface) in record \"$r\""
@ -620,6 +712,21 @@ validate_hosts_file() {
 	hosts=${hosts#*:}
 	for host in $(separate_list $hosts); do
 	    [ -n "$BRIDGING" ] && case $host in
 		*:*)
 		    eval ${iface}_is_bridge=Yes
 		    list_search ${host%:*} $all_interfaces && \
 			startup_error "Bridged interfaces may not be defined in /etc/shorewall/interfaces: $host"
 		    ;;
 		*.*.*.*)
 		    ;;
 		*)
 		    eval ${iface}_is_bridge=Yes
 		    list_search $host $all_interfaces && \
 			startup_error "Bridged interfaces may not be defined in /etc/shorewall/interfaces: $host"
 		    ;;
 	    esac
 	    for option in $(separate_list $options); do
 		case $option in
 		    maclist|-)
@ -838,7 +945,7 @@ find_hosts_by_option() # $1 = option
 	expandv options
 	if list_search $1 $(separate_list $options); then
 	    expandv hosts
-	    interface=${hosts%:*}
+	    interface=${hosts%%:*}
 	    addresses=${hosts#*:}
 	    for address in $(separate_list $addresses); do 
 		echo $interface:$address
@ -847,8 +954,7 @@ find_hosts_by_option() # $1 = option
    done < $TMP_DIR/hosts
    for interface in $all_interfaces; do
-	eval options=\$$(chain_base $interface)_options
+	interface_has_option $interface $option && \
 	list_search $1 $options && \
 	    echo ${interface}:0.0.0.0/0
    done
 }
@ -984,7 +1090,7 @@ disable_ipv6() {
 	ip6tables -P INPUT DROP
 	ip6tables -P OUTPUT DROP
    else
-	error_message "WARNING: DISABLE_IPV6=Yes in shorewall.conf but this system has no ip6tables"
+	error_message "WARNING: DISABLE_IPV6=Yes in shorewall.conf but this system does not appear to have ip6tables"
    fi
 }
@ -1049,12 +1155,35 @@ stop_firewall() {
    strip_file routestopped
-    while read interface host; do
+    while read interface host options; do
-	expandv interface host
+	expandv interface host options
 	[ "x$host" = "x-" -o -z "$host" ] && host=0.0.0.0/0
 	for h in $(separate_list $host); do
 	    hosts="$hosts $interface:$h"
 	done
 	routeback=
 	if [ -n $options ]; then
 	    for option in $(separate_list $options); do
 		case $option in
 		    routeback)
 			if [ -n "$routeback" ]; then
 			    error_message "Warning: Duplicate option ignored: routeback"
 			else
 			    routeback=Yes
 			    for h in $(separate_list $host); do
 				iptables -A FORWARD -i $interface -s $h -o $interface -d $h -j ACCEPT
 			    done
 			fi
 			;;
 		    *)
 			error_message "Warning: Unknown option ignored: $option"
 			;;
 		esac
 	    done
 	fi
    done < $TMP_DIR/routestopped
    for host in $hosts; do
@ -1065,7 +1194,7 @@ stop_firewall() {
 	    iptables -A OUTPUT -o $interface -d $subnet -j ACCEPT
 	for host1 in $hosts; do
-	    iptables -A FORWARD -i $interface -s $subnet -o ${host1%:*} -d ${host1#*:} -j ACCEPT
+	    [ "$host" != "$host1" ] && iptables -A FORWARD -i $interface -s $subnet -o ${host1%:*} -d ${host1#*:} -j ACCEPT
 	done
    done
@ -1077,6 +1206,10 @@ stop_firewall() {
 	iptables -A INPUT  -p udp -i $interface --dport 67:68 -j ACCEPT
 	[ -z "$ADMINISABSENTMINDED" ] && \
 	    iptables -A OUTPUT -p udp -o $interface --dport 67:68 -j ACCEPT
 	#
 	# This might be a bridge
 	#
 	iptables -A FORWARD -p udp -i $interface -o $interface --dport 67:68 -j ACCEPT
    done
    setup_forwarding
@ -1415,7 +1548,7 @@ setup_mac_lists() {
    maclist_interfaces=
    for hosts in $maclist_hosts; do
-	interface=${hosts%:*}
+	interface=${hosts%%:*}
 	if ! list_search $interface $maclist_interfaces; then\
 	    if [ -z "$maclist_interfaces" ]; then
 		maclist_interfaces=$interface
@ -1447,6 +1580,17 @@ setup_mac_lists() {
    while read interface mac addresses; do
 	expandv interface mac addresses
 	physdev_part=
 	if [ -n "$BRIDGING" ]; then
 	    case $interface in
 		*:*)
 		    physdev_part="-m physdev --physdev-in ${interface#*:}"
 		    interface=${interface%:*}
 		    ;;
 	    esac
 	fi
 	chain=$(mac_chain $interface)
 	if ! havechain $chain ; then
@ -1456,10 +1600,10 @@ setup_mac_lists() {
 	macpart=$(mac_match $mac)
 	if [ -z "$addresses" ]; then
-	    run_iptables -A $chain $macpart -j RETURN
+	    run_iptables -A $chain $macpart $physdev_part -j RETURN
 	else
 	    for address in $(separate_list $addresses) ; do
-		run_iptables2 -A $chain $macpart -s $address -j RETURN
+		run_iptables2 -A $chain $macpart -s $address $physdev_part -j RETURN
 	    done
 	fi
    done < $TMP_DIR/maclist
@ -1494,10 +1638,10 @@ setup_mac_lists() {
    # Generate jumps from the input and forward chains
    #
    for hosts in $maclist_hosts; do
-	interface=${hosts%:*}
+	interface=${hosts%%:*}
 	hosts=${hosts#*:}
 	for chain in $(first_chains $interface) ; do
-	    run_iptables -A $chain -s $hosts -m state --state NEW \
+	    run_iptables -A $chain $(match_source_hosts $hosts) -m state --state NEW \
 		-j $(mac_chain $interface)
 	done
    done
@ -1692,11 +1836,11 @@ process_tc_rule()
 		    chain=tcout
 		    ;;
 		*)
-		    if ! list_search $source $all_interfaces; then
+		    if [ -z "$BRIDGING" ] && ! list_search $source $all_interfaces; then
 			fatal_error "Unknown interface $source in rule \"$rule\""
 		    fi
-		    r="-i $source "
+		    r="$(select_source_dev) $source "
 		    ;;
 	    esac
 	fi
@ -1852,7 +1996,7 @@ process_accounting_rule() {
    case $source in
 	*:*)
-	    rule="-s ${source#*:} -i ${source%:*}"
+	    rule="-s ${source#*:} $(match_source_dev ${source%:*})"
 	    ;;
 	*.*.*.*)
 	    rule="-s $source"
@ -1860,13 +2004,13 @@ process_accounting_rule() {
 	-|all|any)
 	    ;;
 	*)
-	    [ -n "$source" ] && rule="-i $source"
+	    [ -n "$source" ] && rule="$(match_source_dev $source)"
 	    ;;
    esac
    [ -n "$dest" ] && case $dest in
 	*:*)
-	    rule="$rule -d ${dest#*:} -o ${dest%:*}"
+	    rule="$rule -d ${dest#*:} $(match_dest_dev ${dest%:*})"
 	    ;;
 	*.*.*.*)
 	    rule="$rule -d $dest"
@ -1874,7 +2018,7 @@ process_accounting_rule() {
 	-|all|any)
 	    ;;
 	*)
-	    rule="$rule -o $dest"
+	    rule="$rule $(match_dest_dev $dest)"
 	    ;;
    esac
@ -1959,7 +2103,6 @@ setup_accounting() # $1 = Name of accounting file
 }
 #      
 # Check the configuration
 #
@ -2113,7 +2256,7 @@ add_an_action()
    -)
 	;;
    *:*)
-	cli="-i ${client%:*} -s ${client#*:}"
+	cli="$(match_source_dev ${client%:*}) -s ${client#*:}"
 	;;
    *.*.*)
 	cli="-s $client"
@ -2122,7 +2265,7 @@ add_an_action()
 	cli=$(mac_match $client)
 	;;
    *)
-	[ -n "$client" ] && cli="-i $client"
+	[ -n "$client" ] && cli="$(match_source_dev $client)"
 	;;
    esac
@ -2141,7 +2284,7 @@ add_an_action()
 	fatal_error "Rule \"$rule\" - Destination may not be specified by MAC Address"
 	;;
    *)
-	[ -n "$server" ] && dest_interface="-o $server"
+	[ -n "$server" ] && dest_interface="$(match_dest_dev $server)"
 	;;
    esac
@ -2321,7 +2464,7 @@ process_action() # $1 = action
 	for client in $(separate_list ${clients:=-}); do
 	    for server in $(separate_list ${servers:=-}); do
 		#
-		# add_a_rule() modifies these so we must set their values each time
+		# add_an_action() modifies these so we must set their values each time
 		#
 		port=${ports:=-}
 		cport=${cports:=-}
@ -2673,7 +2816,7 @@ add_nat_rule() {
 		for z in $(separate_list $excludezones); do
 		    eval hosts=\$${z}_hosts
 		    for host in $hosts; do
-			addnatrule $chain -s ${host#*:} -j RETURN
+			addnatrule $chain $(match_source_hosts ${host#*:}) -j RETURN
 		    done
 		done
@ -2723,7 +2866,7 @@ add_nat_rule() {
 		    error_message "Warning: SNAT will occur on all connections to this server and port - rule \"$rule\""
 		[ $COMMAND = check ] || addnatrule $(snat_chain $dest) \
-		    -s ${source_host#*:} $proto $sports $multiport \
+		    $(match_source_hosts ${source_host#*:}) $proto $sports $multiport \
 		    -d $serv $dports -j SNAT --to-source $snat
 	    done
 	fi
@ -2784,7 +2927,7 @@ add_a_rule()
    -)
 	;;
    *:*)
-	cli="-i ${client%:*} -s ${client#*:}"
+	cli="$(match_source_dev ${client%:*}) -s ${client#*:}"
 	;;
    *.*.*)
 	cli="-s $client"
@ -2793,7 +2936,7 @@ add_a_rule()
 	cli=$(mac_match $client)
 	;;
    *)
-	[ -n "$client" ] && cli="-i $client"
+	[ -n "$client" ] && cli="$(match_source_dev $client)"
 	;;
    esac
@ -2812,7 +2955,7 @@ add_a_rule()
 	fatal_error "Rule \"$rule\" - Destination may not be specified by MAC Address"
 	;;
    *)
-	[ -n "$server" ] && dest_interface="-o $server"
+	[ -n "$server" ] && dest_interface="$(match_dest_dev $server)"
 	;;
    esac
@ -2879,7 +3022,7 @@ add_a_rule()
    # Complain if the rule is really a policy
    case $logtarget in
-	ACCEPT|DROP|REJECT)	
+	ACCEPT|DROP|REJECT|CONTINUE)	
 	    if [ -z "$proto" -a -z "$cli" -a -z "$serv" -a -z "$servport" -a -z "$userspec" ] ; then
 		error_message "Warning -- Rule \"$rule\" is a POLICY"
 		error_message "	       -- and should be moved to the policy file"
@ -3371,7 +3514,7 @@ process_tos_rule() {
 	    #
 	    # Assume that this is a device name
 	    #
-	    src="-i $src"
+	    src="$(match_source_dev $src)"
 	    ;;
    esac
@ -4441,6 +4584,11 @@ add_common_rules() {
 	echo "Adding rules for DHCP"
 	for interface in $interfaces; do
 	    if [ -n "$BRIDGING" ]; then
 		eval is_bridge=\$$(chain_base $interface)_is_bridge
 		[ -n "$is_bridge" ] && \
 		    iptables -A $(forward_chain $interface) -p udp -o $interface --dport 67:68 -j ACCEPT
            fi
 	    run_iptables -A $(input_chain $interface) -p udp --dport 67:68 -j ACCEPT
 	    run_iptables -A OUTPUT    -o $interface  -p udp --dport 67:68 -j ACCEPT
 	done
@ -4698,8 +4846,11 @@ activate_rules()
 	shift
 	shift
-	havenatchain $destchain && \
+	if havenatchain $destchain ; then
 	    run_iptables -t nat -A $sourcechain $@ -j $destchain
 	elif [ -n "$BRIDGING" -a -f $TMP_DIR/physdev ]; then
 	    rm -f #TMP_DIR/physdev
 	fi
    }
    #
@ -4716,6 +4867,8 @@ activate_rules()
 	    eval run_iptables -t nat -I $sourcechain \
 		\$${sourcechain}_rule $@ -j $destchain
 	    eval ${sourcechain}_rule=\$\(\(\$${sourcechain}_rule + 1\)\)
 	elif [ -n "$BRIDGING" -a -f $TMP_DIR/physdev ]; then
 	    rm -f $TMP_DIR/physdev        
 	fi
    }
@ -4726,7 +4879,7 @@ activate_rules()
    addnatjump POSTROUTING nat_out
    for interface in $all_interfaces; do
-	addnatjump PREROUTING  $(input_chain $interface)	 -i $interface
+	addnatjump PREROUTING  $(input_chain $interface)  -i $interface
 	addnatjump POSTROUTING $(output_chain $interface) -o $interface
    done
@ -4754,28 +4907,31 @@ activate_rules()
 	need_broadcast=
 	for host in $source_hosts; do
-	    interface=${host%:*}
+	    interface=${host%%:*}
 	    subnet=${host#*:}
-	    run_iptables -A OUTPUT -o $interface -d $subnet -j $chain1
+	    run_iptables -A OUTPUT -o $interface $(match_dest_hosts $subnet) -j $chain1
 	    #
 	    # Add jumps from the builtin chains for DNAT and SNAT rules
 	    #
-	    addrulejump PREROUTING  $(dnat_chain $zone) -i $interface -s $subnet
+	    addrulejump PREROUTING  $(dnat_chain $zone) -i $interface $(match_source_hosts $subnet)
-	    addrulejump POSTROUTING $(snat_chain $zone) -o $interface -d $subnet
+	    addrulejump POSTROUTING $(snat_chain $zone) -o $interface $(match_dest_hosts $subnet)
-	    run_iptables -A $(input_chain $interface) -s $subnet -j $chain2
+	    run_iptables -A $(input_chain $interface) $(match_source_hosts $subnet) -j $chain2
 	    [ -n "$complex" ] && \
-		run_iptables -A $(forward_chain $interface) -s $subnet -j $frwd_chain
+		run_iptables -A $(forward_chain $interface) $(match_source_hosts $subnet) -j $frwd_chain
-	    if [ "$subnet" != 0.0.0.0/0 ]; then
+	    case $subnet in
-		if ! list_search $interface $need_broadcast ; then
+		*.*.*.*)
-		    eval options=\$$(chain_base $interface)_options
+		    if [ "$subnet" != 0.0.0.0/0 ]; then
-		    list_search detectnets $options && need_broadcast="$need_broadcast $interface"
+			if ! list_search $interface $need_broadcast ; then
-		fi
+			    interface_has_option $interface detectnets && need_broadcast="$need_broadcast $interface"
-	    fi
+			fi
 		    fi
 		    ;;
 	    esac
 	done
@ -4804,29 +4960,29 @@ activate_rules()
 	    if [ -n "$complex" ]; then
 		for host1 in $dest_hosts; do
-		    interface1=${host1%:*}
+		    interface1=${host1%%:*}
 		    subnet1=${host1#*:}
 		    if [ $(list_count1 $source_hosts) -eq 1 -a "$source_hosts" = "$host1" ]; then
 			if list_search $host1 $routeback; then
-			    run_iptables -A $frwd_chain -o $interface1 -d $subnet1 -j $chain
+			    run_iptables -A $frwd_chain -o $interface1 $(match_dest_hosts $subnet1) -j $chain
 			fi
 		    else
-			run_iptables -A $frwd_chain -o $interface1 -d $subnet1 -j $chain
+			run_iptables -A $frwd_chain -o $interface1 $(match_dest_hosts $subnet1) -j $chain
 		    fi
 		done
 	    else
 		for host in $source_hosts; do
-		    interface=${host%:*}
+		    interface=${host%%:*}
 		    subnet=${host#*:}
 		    chain1=$(forward_chain $interface)
 		    for host1 in $dest_hosts; do
-			interface1=${host1%:*}
+			interface1=${host1%%:*}
 			subnet1=${host1#*:}
 			if [ "$host" != "$host1" ] || list_search $host $routeback; then
-			    run_iptables -A $chain1 -s $subnet -o $interface1 -d $subnet1 -j $chain
+			    run_iptables -A $chain1 $(match_source_hosts $subnet) -o $interface1 $(match_dest_hosts $subnet1) -j $chain
 			fi
 		    done
 		done
@ -5178,11 +5334,11 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
 		fi
 		for h in $dest_hosts; do
-		    iface=${h%:*}
+		    iface=${h%%:*}
 		    hosts=${h#*:}
 		    if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
-			do_iptables -I $source_chain $rulenum -s $host -o $iface -d $hosts -j $chain
+			do_iptables -I $source_chain $rulenum -s $host -o $iface $(match_dest_hosts $hosts) -j $chain
 			rulenum=$(($rulenum + 1))
 		    fi
 		done
@ -5205,7 +5361,7 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
 		eval source_hosts=\"\$${z1}_hosts\"
 		for h in $source_hosts; do
-		    iface=${h%:*}
+		    iface=${h%%:*}
 		    hosts=${h#*:}
 		    base=$(chain_base $iface)
@ -5221,7 +5377,7 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
 		    fi
 		    if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
-			do_iptables -I $(forward_chain $iface) $rulenum -s $hosts -o $interface -d $host -j $chain
+			do_iptables -I $(forward_chain $iface) $rulenum $(match_source_hosts $hosts) -o $interface -d $host -j $chain
 			rulenum=$(($rulenum + 1))
 		    fi
@ -5328,11 +5484,11 @@ delete_from_zone() # $1 = <interface>[:<hosts>] $2 = zone
 		eval dest_hosts=\"\$${z2}_hosts\"
 		for h in $dest_hosts $delhost; do
-		    iface=${h%:*}
+		    iface=${h%%:*}
 		    hosts=${h#*:}
 		    if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
-			qt iptables -D $source_chain -s $host -o $iface -d $hosts -j $chain
+			qt iptables -D $source_chain -s $host -o $iface $(match_source_hosts $hosts) -j $chain
 		    fi
 		done
 	    fi
@ -5343,11 +5499,11 @@ delete_from_zone() # $1 = <interface>[:<hosts>] $2 = zone
 		eval source_hosts=\"\$${z1}_hosts\"
 		for h in $source_hosts; do
-		    iface=${h%:*}
+		    iface=${h%%:*}
 		    hosts=${h#*:}
 		    if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
-			qt iptables -D $(forward_chain $iface) -s $hosts -o $interface -d $host -j $chain
+			qt iptables -D $(forward_chain $iface) $(match_source_hosts $hosts) -o $interface -d $host -j $chain
 		    fi
 		done
 	    fi
@ -5463,6 +5619,7 @@ do_initialize() {
    USEDACTIONS=
    SMURF_LOG_LEVEL=
    DISABLE_IPV6=
    BRIDGING=
    stopping=
    have_mutex=
@ -5613,6 +5770,7 @@ do_initialize() {
    ADMINISABSENTMINDED=$(added_param_value_no ADMINISABSENTMINDED $ADMINISABSENTMINDED)
    BLACKLISTNEWONLY=$(added_param_value_no BLACKLISTNEWONLY $BLACKLISTNEWONLY)
    DISABLE_IPV6=$(added_param_value_no DISABLE_IPV6 $DISABLE_IPV6)
    BRIDGING=$(added_param_value_no BRIDGING $BRIDGING)
    [ -n "$MODULE_SUFFIX" ] || MODULE_SUFFIX="o gz ko o.gz"
    #
@ -5629,6 +5787,8 @@ do_initialize() {
    if [ $(encodeaddr $temp) != 192.168.1.1 ]; then
 	startup_error "Shell $SHOREWALL_SHELL is broken and may not be used with Shorewall"
    fi
    rm -f $TMP_DIR/physdev
 }
 #
--- a/Shorewall2/hosts
+++ b/Shorewall2/hosts
@ -12,21 +12,28 @@
 #
 #	ZONE	- The name of a zone defined in /etc/shorewall/zones
 #
-#	HOST(S)	- The name of an interface followed by a colon (":") and
+#	HOST(S)	- The name of an interface  defined in the
 #		  /etc/shorewall/interfaces file followed by a colon (":") and
 #		  a comma-separated list whose elements are either:
 #
 #			a) The IP address of a host
 #			b) A subnetwork in the form
 #			   <subnet-address>/<mask width>
-#
+#			c) A physical port name; only allowed when the
-#		  The interface must be defined in the
+#			   interface names a bridge created by the
-#		  /etc/shorewall/interfaces file.
+#			   brctl addbr command. This port must not
 #			   be defined in /etc/shorewall/interfaces and may
 #			   optionally followed by a colon (":") and a
 #			   host or network IP.
 #			   See http://www.shorewall.net/Bridge.html for details.
 #
 #		  Examples:
 #
 #			eth1:192.168.1.3
 #			eth2:192.168.2.0/24
 #			eth3:192.168.2.0/24,192.168.3.1
 #			br0:eth4
 #			br0:eth0:192.168.1.16/28
 #
 #	OPTIONS - A comma-separated list of options. Currently-defined
 #		  options are:
--- a/Shorewall2/interfaces
+++ b/Shorewall2/interfaces
@ -46,10 +46,19 @@
 #	OPTIONS		A comma-separated list of options including the
 #			following:
 #
-#			dhcp	     - interface is managed by DHCP or used by
+#			dhcp	     - Specify this option when any of
-#                                      a DHCP server running on the firewall or
+#				       the following are true:
-#				       you have a static IP but are on a LAN
+#				       1. the interface gets its IP address
-#				       segment with lots of Laptop DHCP clients.
+#				          via DHCP 
 #				       2. the interface is used by
 #                                         a DHCP server running on the firewall
 #				       3. you have a static IP but are on a LAN
 #				          segment with lots of Laptop DHCP
 #					  clients.
 #				       4. the interface is a bridge with
 #				          a DHCP server on one port and DHCP
 #					  clients on another port.
 #
 #			norfc1918    - This interface should not receive
 #				       any packets whose source is in one
 #				       of the ranges reserved by RFC 1918
@ -58,6 +67,7 @@
 #				       enabled in shorewall.conf, packets
 #				       whose destination addresses are
 #				       reserved by RFC 1918 are also rejected.
 #
 #			routefilter  - turn on kernel route filtering for this
 #				       interface (anti-spoofing measure). This
 #                                      option can also be enabled globally in
@ -65,12 +75,14 @@
 #	.	.	blacklist    - Check packets arriving on this interface
 #				       against the /etc/shorewall/blacklist
 #				       file.
 #
 #			maclist	     - Connection requests from this interface
 #				       are compared against the contents of
 #				       /etc/shorewall/maclist. If this option
 #				       is specified, the interface must be
 #				       an ethernet NIC and must be up before
 #				       Shorewall is started.
 #
 #			tcpflags     - Packets arriving on this interface are
 #				       checked for certain illegal combinations
 #				       of TCP flags. Packets found to have
@ -79,6 +91,7 @@
 #				       TCP_FLAGS_DISPOSITION after having been
 #				       logged according to the setting of
 #				       TCP_FLAGS_LOG_LEVEL.
 #
 #			proxyarp     -
 #				Sets
 #				/proc/sys/net/ipv4/conf/<interface>/proxy_arp.
@ -127,7 +140,7 @@
 #				       hosts routed through the interface.
 #
 #		        WARNING: DO NOT SET THE detectnets OPTION ON YOUR
-#			         INTERNET INTERFACE!
+#			         INTERNET INTERFACE.
 #
 #			The order in which you list the options is not
 #			significant but the list should have no embedded white
--- a/Shorewall2/maclist
+++ b/Shorewall2/maclist
@ -5,7 +5,10 @@
 #
 # Columns are:
 #
-#	INTERFACE	Network interface to a host
+#	INTERFACE	Network interface to a host. If the interface
 #			names a bridge, it may be optionally followed by
 #			a colon (":") and a physical port name (e.g.,
 #			br0:eth4).
 #
 #	MAC		MAC address of the host -- you do not need to use
 #			the Shorewall format for MAC addresses here
--- a/Shorewall2/routestopped
+++ b/Shorewall2/routestopped
@ -14,12 +14,18 @@
 #	HOST(S)		- (Optional) Comma-separated list of IP/subnet
 #			  If left empty or supplied as "-",
 #			  0.0.0.0/0 is assumed.
 #	OPTIONS         - (Optional) A comma-separated list of
 #			  options. The currently-supported options are:
 #
 #			  routeback - Set up a rule to ACCEPT traffic from
 #			  these hosts back to themselves. 
 #
 # Example:
 #
-#	INTERFACE	HOST(S)
+#	INTERFACE	HOST(S)			OPTIONS
 #	eth2		192.168.1.0/24
 #	eth0		192.0.2.44
 #	br0		-			routeback
 ##############################################################################
-#INTERFACE	HOST(S)
+#INTERFACE	HOST(S)		OPTIONS
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
--- a/Shorewall2/shorewall.conf
+++ b/Shorewall2/shorewall.conf
@ -524,6 +524,18 @@ MODULE_SUFFIX=
 # firewall system. This requires that you have ip6tables installed.
 DISABLE_IPV6=Yes
 #
 # BRIDGING
 #
 # If you wish to control traffic through a bridge (see http://bridge.sf.net),
 # then set BRIDGING=Yes. Your kernel must have the physdev match option 
 # enabled; that option is available through Patch-O-Matic for 2.4 kernels and
 # is included as a standard part of the 2.6 series kernels. If not
 # specified or specified as empty (BRIDGING="") then "No" is assumed.
 #
 BRIDGING=No
 ################################################################################
 #                       P A C K E T   D I S P O S I T I O N
 ################################################################################
@ -534,6 +546,7 @@ DISABLE_IPV6=Yes
 # Blacklisted systems. Must be DROP or REJECT. If not set or set to empty,
 # DROP is assumed.
 #
 BLACKLIST_DISPOSITION=DROP
 #