diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index d2aa9a1b5..af588d8fb 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -1689,9 +1689,12 @@ sub add_interface_jumps {
 # Add the jumps to the interface chains from filter FORWARD, INPUT, OUTPUT
 #
 for my $interface ( @_ ) {
- my $forwardref = $filter_table->{forward_chain $interface};
- my $inputref = $filter_table->{input_chain $interface};
- my $outputref = $filter_table->{output_chain $interface};
+ my $forwardref = $filter_table->{forward_chain $interface};
+ my $inputref = $filter_table->{input_chain $interface};
+ my $outputref = $filter_table->{output_chain $interface};
+ my $interfaceref = find_interface($interface);
+
+ add_rule ( $filter_table->{FORWARD}, match_source_dev( $interface) . match_dest_dev( $interface) . '-j ACCEPT' ) unless $interfaceref->{nets} || ! $interfaceref->{options}{routeback};
 
 add_jump( $filter_table->{FORWARD} , $forwardref , 0, match_source_dev( $interface ) ) unless $forward_jump_added{$interface} || ! use_forward_chain $interface, $forwardref;
 add_jump( $filter_table->{INPUT} , $inputref , 0, match_source_dev( $interface ) ) unless $input_jump_added{$interface} || ! use_input_chain $interface, $inputref;
diff --git a/Shorewall/Perl/Shorewall/Zones.pm b/Shorewall/Perl/Shorewall/Zones.pm
index c5265bac3..7f7f198e9 100644
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -223,7 +223,7 @@ sub initialize( $ ) {
 nosmurfs => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 optional => SIMPLE_IF_OPTION,
 proxyarp => BINARY_IF_OPTION,
- routeback => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST,
+ routeback => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 routefilter => NUMERIC_IF_OPTION ,
 sourceroute => BINARY_IF_OPTION,
 tcpflags => SIMPLE_IF_OPTION + IF_OPTION_HOST,
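Review bot: The new add_rule line installs an unconditional `-j ACCEPT` in filter FORWARD for traffic that both enters and leaves `$interface`, placed ahead of the interface's forward-chain jump, so on an interface that has `routeback` and no attached networks (`$interfaceref->{nets}` appears to be that count) bridged traffic is never seen by any zone policy or rule; that is the feature described in the release notes, but nothing at the call site says so. I would add a comment above it: `# Zoneless interface with 'routeback' (e.g. an addressless bridge): accept intra-interface forwarded traffic here, before any zone chain, since no zone policy can apply to it`. The guard's double negation also reads awkwardly; `if $interfaceref->{options}{routeback} && ! $interfaceref->{nets}` states the same condition directly. The rule string relies on match_source_dev/match_dest_dev returning a trailing space before `'-j ACCEPT'`, which is not visible in this hunk and is worth confirming. add_interface_jumps continues outside the hunk.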
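Review bot: Dropping IF_OPTION_ZONEONLY from the routeback entry makes the option legal on an interfaces entry whose ZONE is `-`, which is the purpose of the change but is not recorded next to the table, and the second option table (the one containing `proxyndp`, in the @@ -251 hunk) gets the identical edit. A short comment on the entry, `# routeback is also valid on a zoneless interface (addressless bridge); see add_interface_jumps in Rules.pm`, would keep the flag from being re-added later. The two tables presumably have to stay in step, so whichever comment is chosen should go on both entries.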
@@ -251,7 +251,7 @@ sub initialize( $ ) {
 nosmurfs => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 optional => SIMPLE_IF_OPTION,
 proxyndp => BINARY_IF_OPTION,
- routeback => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST,
+ routeback => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 sourceroute => BINARY_IF_OPTION,
 tcpflags => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 mss => NUMERIC_IF_OPTION,
@@ -663,7 +663,7 @@ sub add_group_to_zone($$$$$)
 push @$new, $host;
 }
 
- $zoneref->{options}{in_out}{routeback} = 1 if $options->{routeback};
+ $zoneref->{options}{in_out}{routeback} = 1 if $options->{routeback} || $interfaces{$interface}{options}{routeback};
 
 my $gtype = $type == IPSEC ? 'ipsec' : 'ip';
 
diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index 841b6285a..4246337df 100644
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -38,6 +38,8 @@ Changes in Shorewall 4.4.9
 
 18) Fix rare optimization bug.
 
+19) Allow definition of an addressless bridge without a zone.
+
 Changes in Shorewall 4.4.8
 
 1) Correct handling of RATE LIMIT on NAT rules.
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index 2d5133ada..b85d8b72d 100644
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@@ -367,6 +367,25 @@ None.
 searches the current LOGFILE for Netfilter messages matching the
 supplied regex.
 
+6) There are some instances where a bridge with no IP address is
+ configured. Prior to Shorewall 4.4.9, this required the following:
+
+ /etc/shorewall/interfaces:
+ #ZONE INTERFACE BROADCAST OPTIONS
+ dummy br0 - routeback
+
+ /etc/shorewall/policy:
+ #SOURCE DEST POLICY
+ dummy all NONE
+ all dummy NONE
+
+ Beginning in this release, a single entry will suffice:
+
+ /etc/shorewall/interfaces:
+ #ZONE INTERFACE BROADCAST OPTIONS
+ - br0 - routeback
+
 ----------------------------------------------------------------------------
 V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S I N P R I O R R E L E A S E S
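Review bot: The new condition in add_group_to_zone makes every host group placed on an interface that carries `routeback` inherit `in_out routeback` on its zone, not only the zoneless-bridge case the changelog describes; if that widening is intended, the line deserves a comment such as `# An interface-level 'routeback' option applies to every zone group defined on that interface`. Also, the rvalue `$interfaces{$interface}{options}{routeback}` autovivifies `$interfaces{$interface}` and its `{options}` entry when the interface is not already in `%interfaces`, which would silently create a bogus interface record; if this path can be reached with an unvalidated interface name, looking it up via `find_interface($interface)` as the Rules.pm hunk does (assuming it rejects unknown names) would fail loudly instead. add_group_to_zone starts before this hunk.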