Add 'routeback' option

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@530 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall/changelog.txt

@@ -11,3 +11,5 @@ Changes since 1.4.1
 4. Added support for INCLUDE directive in all files.
 
 5. Made traceroute -I work.
+
+6. Add 'routeback' interface and host attribute.

Shorewall/firewall

@@ -608,6 +608,10 @@ validate_interfaces_file() {
 		    ;;
 		routefilter|dropunclean|logunclean|blacklist|proxyarp|maclist|-)
 		    ;;
+		routeback)
+		    [ -n "$z" ] || startup_error "The routeback option may not be specified on a multi-zone interface"
+		    eval ${z}_routeback=\"$interface:0.0.0.0/0 \$${z}_routeback\"
+		    ;;
 		*)
 		    error_message "Warning: Invalid option ($option) in record \"$r\""
 		    ;;
@@ -638,6 +642,9 @@ validate_hosts_file() {
 		case $option in
 		    maclist|-)
 			;;
+		    routeback)
+			eval ${z}_routeback=\"$host \$${z}_routeback\"
+			;;
 		    *)
 			error_message "Warning: Invalid option ($option) in record \"$r\""
 			;;
@@ -3710,6 +3717,12 @@ activate_rules()
 
 	    echo "$zone $zone1 $chain" >> ${STATEDIR}/chains
 
+	    if [ $zone = $zone1 ]; then
+		eval routeback=\"\$${zone}_routeback\"
+	    else
+		routeback=
+	    fi
+	    
 	    for host in $source_hosts; do
 		interface=${host%:*}
 
@@ -3723,7 +3736,7 @@ activate_rules()
 		    interface1=${host1%:*}
 		    subnet1=${host1#*:}
 
-		    if [ "$host" != "$host1" ]; then
+		    if [ "$host" != "$host1" ] || list_search $host $routeback; then
 			run_iptables -A $chain1 -o $interface1 -d $subnet1 -j $chain
 		    fi
 		done

Shorewall/hosts

@@ -44,6 +44,15 @@
 #				       an ethernet NIC and must be up before
 #				       Shorewall is started.
 #
+#			routeback    - Shorewall show set up the infrastructure
+#				       to pass packets from this/these
+#				       address(es) back to themselves. This is
+#				       necessary of hosts in this group use the
+#				       services of a transparent proxy that is
+#				       a member of the group or if DNAT is used
+#				       to send requests originating from this 
+#				       group to a server in the group.
+#
 #
 #ZONE		HOST(S)				OPTIONS
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE

Shorewall/releasenotes.txt

@@ -64,5 +64,27 @@ New Features:
    INCLUDE's may be nested to a level of 3 -- further nested INCLUDE
    directives are ignored.
 
+3) Routing traffic from an interface back out that interface continues
+   to be a problem. While I firmly believe that this should never
+   happen, people continue to want to do it. To limit the damage that
+   such nonsense produces, I have added a new 'routeback' option in
+   /etc/shorewall/interfaces and /etc/shorewall/hosts. When used in
+   /etc/shorewall/interfaces, the 'ZONE' column may not contain '-'; in
+   other words, 'routeback' can't be used as an option for a multi-zone
+   interface. The 'routeback' option CAN be specified however on
+   individual group entries in /etc/shorewall/hosts.
+
+   The 'routeback' option is similar to the old 'multi' option with two
+   exceptions:
+
+   a) The option pertains to a particular zone,interface,address tuple.
+
+   b) The option only created infrastructure to pass traffic from
+   (zone,interface,address) tuples back to themselves (the 'multi'
+   option affected all (zone,interface,address) tuples associated with
+   the given 'interface').
+
+   See the 'Upgrade Issues' for information about how this new option
+   may affect your configuration.