From d116d04fb8588bddb8ba09cd724e7a78aa74dc9b Mon Sep 17 00:00:00 2001
From: teastep
Date: Wed, 28 Jan 2004 00:52:03 +0000
Subject: [PATCH] Don't add broadcasts to /0 groups

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1095 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Shorewall/changelog.txt | 4 ++++
 Shorewall/firewall | 9 ++++++---
 2 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index 5f01a4eae..f5ca17350 100755
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -15,3 +15,7 @@ Changes since 1.4.9
    limiting (with an assist from Steven Jan Springl).
 
 7) Silently drop smurfs and broadcasts in the 'reject' chain.
+
+8) Add multicast to 'detectnets' zones.
+
+9) Don't add broadcasts to /0 groups.
diff --git a/Shorewall/firewall b/Shorewall/firewall
index 577814482..746c1026c 100755
--- a/Shorewall/firewall
+++ b/Shorewall/firewall
@@ -4888,14 +4888,17 @@ activate_rules()
             [ -n "$complex" ] && \
                 run_iptables -A `forward_chain $interface` -s $subnet -j $frwd_chain
 
-            if ! list_search $interface $need_broadcast ; then
-                eval options=\$`chain_base ${interface}`_options
-                list_search detectnets $options && need_broadcast="$need_broadcast $interface"
+            if [ "$subnet" != 0.0.0.0/0 ]; then
+                if ! list_search $interface $need_broadcast ; then
+                    eval options=\$`chain_base ${interface}`_options
+                    list_search detectnets $options && need_broadcast="$need_broadcast $interface"
+                fi
             fi
         done
 
         for interface in $need_broadcast ; do
             run_iptables -A OUTPUT -o $interface -d 255.255.255.255 -j $chain1
+            run_iptables -A OUTPUT -o $interface -d 224.0.0.0/4 -j $chain1
         done
 
     for zone1 in $zones; do
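Review bot: The new guard `if [ "$subnet" != 0.0.0.0/0 ]; then` is a byte-for-byte string comparison, so an equivalent spelling of the catch-all group (for example `0/0`) would still be treated as a real subnet and would add the broadcast and multicast OUTPUT rules for that interface unless `$subnet` is normalized before this loop, which is not visible in the hunk; either normalize it where it is parsed or state the accepted form in a comment such as `# $subnet must be in dotted-quad/prefix form; 0.0.0.0/0 groups get no broadcast/multicast rules`. The added `run_iptables -A OUTPUT -o $interface -d 224.0.0.0/4 -j $chain1` line gives no hint why multicast is now paired with broadcast; a one-line comment tied to changelog item 8, `# detectnets interfaces also need multicast (224.0.0.0/4) sent to $chain1`, would make the intent clear. Note also that the guard only stops the /0 entry itself from adding `$interface` to `$need_broadcast`; an interface listed with both a /0 and a specific subnet still receives both rules, which appears intended but deserves a comment. activate_rules starts before and ends after this hunk.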