diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index 5f01a4eae..f5ca17350 100755
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -15,3 +15,7 @@ Changes since 1.4.9
 limiting (with an assist from Steven Jan Springl).
 7) Silently drop smurfs and broadcasts in the 'reject' chain.
+
+8) Add multicast to 'detectnets' zones.
+
+9) Don't add broadcasts to /0 groups.
diff --git a/Shorewall/firewall b/Shorewall/firewall
index 577814482..746c1026c 100755
--- a/Shorewall/firewall
+++ b/Shorewall/firewall
@@ -4888,14 +4888,17 @@ activate_rules()
 [ -n "$complex" ] && \
 run_iptables -A `forward_chain $interface` -s $subnet -j $frwd_chain
- if ! list_search $interface $need_broadcast ; then
- eval options=\$`chain_base ${interface}`_options
- list_search detectnets $options && need_broadcast="$need_broadcast $interface"
+ if [ "$subnet" != 0.0.0.0/0 ]; then
+ if ! list_search $interface $need_broadcast ; then
+ eval options=\$`chain_base ${interface}`_options
+ list_search detectnets $options && need_broadcast="$need_broadcast $interface"
+ fi
 fi
 done
 for interface in $need_broadcast ; do
 run_iptables -A OUTPUT -o $interface -d 255.255.255.255 -j $chain1
+ run_iptables -A OUTPUT -o $interface -d 224.0.0.0/4 -j $chain1
 done
 for zone1 in $zones; do
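Review bot: The new guard `[ "$subnet" != 0.0.0.0/0 ]` in the Shorewall/firewall hunk is an exact string match, so a /0 group written any other way (for example `0.0.0.0/0.0.0.0`, if the hosts syntax accepts it) would still put the interface in `need_broadcast` and receive both the 255.255.255.255 and the 224.0.0.0/4 OUTPUT rules. Whether `$subnet` is normalised before this point is not visible here; if it is not, a `case "$subnet" in` test listing the accepted /0 spellings would be more robust than the single comparison. The added `-d 224.0.0.0/4 -j $chain1` rule hands every multicast destination leaving a detectnets interface to `$chain1`, which is wider than the detected networks, so a comment above the second loop such as `# detectnets zones: also route limited-broadcast and all multicast output to this zone's chain` would make the intent clear to anyone auditing the generated ruleset. The enclosing loop and activate_rules() begin and end outside the hunk, so where `$chain1` is set cannot be confirmed from these lines.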