Re-enable 'blacklist' on bridge ports

Shorewall/Perl/Shorewall/Tc.pm

@@ -1397,7 +1397,7 @@ sub process_secmark_rule() {
     my $chain1= $chns{$chain};
     
     fatal_error "Invalid or missing CHAIN ( $chain )" unless $chain1;
-    fatal_error "USER/GROUP may only be used in the OUTPUT chain" if $user ne '-' && chain1 ne 'tcout';
+    fatal_error "USER/GROUP may only be used in the OUTPUT chain" if $user ne '-' && $chain1 ne 'tcout';
 
     if ( ( $state ||= '' ) ne '' ) {
 	my $state1;

Shorewall/Perl/Shorewall/Zones.pm

@@ -239,7 +239,7 @@ sub initialize( $ ) {
     if ( $family == F_IPV4 ) {
 	%validinterfaceoptions = (arp_filter  => BINARY_IF_OPTION,
 				  arp_ignore  => ENUM_IF_OPTION,
-				  blacklist   => ENUM_IF_OPTION,
+				  blacklist   => ENUM_IF_OPTION + IF_OPTION_HOST,
 				  bridge      => SIMPLE_IF_OPTION,
 				  detectnets  => OBSOLETE_IF_OPTION,
 				  dhcp        => SIMPLE_IF_OPTION,
@@ -272,7 +272,7 @@ sub initialize( $ ) {
 			     sourceonly => 1,
 			    );
     } else {
-	%validinterfaceoptions = (  blacklist   => ENUM_IF_OPTION,
+	%validinterfaceoptions = (  blacklist   => ENUM_IF_OPTION + IF_OPTION_HOST,
 				    bridge      => SIMPLE_IF_OPTION,
 				    dhcp        => SIMPLE_IF_OPTION,
 				    maclist     => SIMPLE_IF_OPTION + IF_OPTION_HOST,