Assume 'routeback' in routestopped based on interface config.

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall/Perl/Shorewall/Rules.pm

@@ -317,13 +317,15 @@ sub process_routestopped() {
 
     while ( read_a_line ) {
 
-	my $routeback = 0;
-
 	my ($interface, $hosts, $options , $proto, $ports, $sports ) = split_line 1, 6, 'routestopped file';
 
-	fatal_error "Unknown interface ($interface)" unless known_interface $interface;
+	my $interfaceref;
+
+	fatal_error "Unknown interface ($interface)" unless $interfaceref = known_interface $interface;
 	$hosts = ALLIP unless $hosts && $hosts ne '-';
 
+	my $routeback = 0;
+
 	my @hosts;
 
 	$seq++;
@@ -338,24 +340,12 @@ sub process_routestopped() {
 	}
 
 	unless ( $options eq '-' ) {
-
 	    for my $option (split /,/, $options ) {
 		if ( $option eq 'routeback' ) {
 		    if ( $routeback ) {
 			warning_message "Duplicate 'routeback' option ignored";
 		    } else {
-			my $chainref = $filter_table->{FORWARD};
-
 			$routeback = 1;
-
-			for my $host ( split /,/, $hosts ) {
-			    add_rule( $chainref , 
-				      match_source_dev( $interface ) . 
-				      match_dest_dev( $interface ) .
-				      match_source_net( $host ) .
-				      match_dest_net( $host ) );
-			    clearrule;
-			}
 		    }
 		} elsif ( $option eq 'source' ) {
 		    for my $host ( split /,/, $hosts ) {
@@ -376,6 +366,19 @@ sub process_routestopped() {
 	    }
 	}
 
+	if ( $routeback || $interfaceref->{options}{routeback} ) {
+	    my $chainref = $filter_table->{FORWARD};
+
+	    for my $host ( split /,/, $hosts ) {
+		add_rule( $chainref , 
+			  match_source_dev( $interface ) . 
+			  match_dest_dev( $interface ) .
+			  match_source_net( $host ) .
+			  match_dest_net( $host ) );
+		clearrule;
+	    }
+	}
+
 	push @allhosts, @hosts;
     }
 

Shorewall/changelog.txt

@@ -40,6 +40,9 @@ Changes in Shorewall 4.4.9
 
 19) Allow definition of an addressless bridge without a zone.
 
+20) In the routestopped file, assume 'routeback' if the interface has
+    'routeback'.
+
 Changes in Shorewall 4.4.8
 
 1)  Correct handling of RATE LIMIT on NAT rules.

Shorewall/releasenotes.txt

@@ -393,6 +393,10 @@ None.
 7)  The generated ruleset now uses conntrack match for state matching,
     if it is available.
 
+8)  In /etc/shorewall/routestopped, the 'routeback' option is assumed
+    if the interface has 'routeback' specified (either explicitly or
+    detected).
+
 ----------------------------------------------------------------------------
 V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
       I N   P R I O R  R E L E A S E S

manpages/shorewall-routestopped.xml

@@ -75,7 +75,12 @@
 
               <listitem>
                 <para>Set up a rule to ACCEPT traffic from these hosts back to
-                themselves.</para>
+                themselves. Beginning with Shorewall 4.4.9, this option is
+                automatically set if <emphasis
+                role="bold">routeback</emphasis> is specified in <ulink
+                url="shorewall-interfaces.html">shorewall-interfaces</ulink>
+                (5) or if the rules compiler detects that the interface is a
+                bridge.</para>
               </listitem>
             </varlistentry>
 

manpages6/shorewall6-routestopped.xml

@@ -71,7 +71,12 @@
 
               <listitem>
                 <para>Set up a rule to ACCEPT traffic from these hosts back to
-                themselves.</para>
+                themselves. Beginning with Shorewall 4.4.9, this option is
+                automatically set if <emphasis
+                role="bold">routeback</emphasis> is specified in <ulink
+                url="shorewall6-interfaces.html">shorewall6-interfaces</ulink>
+                (5) or if the rules compiler detects that the interface is a
+                bridge.</para>
               </listitem>
             </varlistentry>