diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index ee27e491d..baf7605be 100755
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -11,3 +11,5 @@ Changes since 1.4.1
 4. Added support for INCLUDE directive in all files.
 5. Made traceroute -I work.
+
+6. Add 'routeback' interface and host attribute.
diff --git a/Shorewall/firewall b/Shorewall/firewall
index b4611d591..c67cc1290 100755
--- a/Shorewall/firewall
+++ b/Shorewall/firewall
@@ -608,6 +608,10 @@ validate_interfaces_file() {
 ;;
 routefilter|dropunclean|logunclean|blacklist|proxyarp|maclist|-)
 ;;
+ routeback)
+ [ -n "$z" ] || startup_error "The routeback option may not be specified on a multi-zone interface"
+ eval ${z}_routeback=\"$interface:0.0.0.0/0 \$${z}_routeback\"
+ ;;
 *)
 error_message "Warning: Invalid option ($option) in record \"$r\""
 ;;
@@ -638,6 +642,9 @@ validate_hosts_file() {
 case $option in
 maclist|-)
 ;;
+ routeback)
+ eval ${z}_routeback=\"$host \$${z}_routeback\"
+ ;;
 *)
 error_message "Warning: Invalid option ($option) in record \"$r\""
 ;;
@@ -3710,6 +3717,12 @@ activate_rules()
 echo "$zone $zone1 $chain" >> ${STATEDIR}/chains
+ if [ $zone = $zone1 ]; then
+ eval routeback=\"\$${zone}_routeback\"
+ else
+ routeback=
+ fi
+
 for host in $source_hosts; do
 interface=${host%:*}
@@ -3723,7 +3736,7 @@ activate_rules()
 interface1=${host1%:*}
 subnet1=${host1#*:}
- if [ "$host" != "$host1" ]; then
+ if [ "$host" != "$host1" ] || list_search $host $routeback; then
 run_iptables -A $chain1 -o $interface1 -d $subnet1 -j $chain
 fi
 done
diff --git a/Shorewall/hosts b/Shorewall/hosts
index 24bb53a9d..c38ae4a2e 100644
--- a/Shorewall/hosts
+++ b/Shorewall/hosts
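Review bot: The `eval` in the new `routeback)` arm of validate_interfaces_file splices the raw values of `$z` and `$interface` into shell source, so an unexpected character in either token (a quote, `$`, `;` or whitespace) is parsed as shell syntax rather than rejected as a bad option; the `routeback)` arm added in the validate_hosts_file hunk does the same with `$host`. The interfaces and hosts files are root-owned configuration, so this is a robustness rather than a trust-boundary problem, and `$z` has presumably already been checked against the zones file earlier in the function (outside the hunk), but the value side of the assignment never needs to be interpolated before eval parses it: `eval "${z}_routeback=\"\$interface:0.0.0.0/0 \$${z}_routeback\""` here and `eval "${z}_routeback=\"\$host \$${z}_routeback\""` in validate_hosts_file expand `$interface`/`$host` only inside the double-quoted assignment. Both `case` statements sit inside loops whose bodies begin and end outside the hunks.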
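Review bot: The `routeback` variable introduced by the `if [ $zone = $zone1 ]` block in activate_rules is a plain global that the nested host loops below consume through word-splitting, and nothing in the hunk says what it holds or why it is only populated for the intra-zone pair. A comment above the `if` would spare the next reader a trip to the two validators: `# routeback: space-separated "iface:addr" tuples of $zone that may send traffic back to themselves (interfaces/hosts 'routeback' option); only meaningful when zone == zone1`. activate_rules begins and ends outside the hunk.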
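Review bot: The new `|| list_search $host $routeback` clause decides by exact string match whether a tuple gets a rule back to itself, so it only fires if the tokens in `$source_hosts` are spelled exactly as the validators record them (`$interface:0.0.0.0/0` for an interfaces entry, the raw `$host` token for a hosts entry); if `$source_hosts` is built with any normalization of the address part, or a hosts entry carries a comma-separated list, a configured `routeback` would silently never match and the option would appear to do nothing. How `$source_hosts` is assembled is outside the hunk, so this is worth confirming once and recording in a comment on the `if` line, e.g. `# routeback tuples must match the "$interface:$subnet" form used in $source_hosts`. When the clause does fire, `host` equals `host1` and the rule jumps same-subnet traffic into `$chain`, which is the behaviour the release notes describe. activate_rules begins and ends outside the hunk.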
@@ -44,6 +44,15 @@
 # an ethernet NIC and must be up before
 # Shorewall is started.
 #
+# routeback - Shorewall show set up the infrastructure
+# to pass packets from this/these
+# address(es) back to themselves. This is
+# necessary of hosts in this group use the
+# services of a transparent proxy that is
+# a member of the group or if DNAT is used
+# to send requests originating from this
+# group to a server in the group.
+#
 #
 #ZONE HOST(S) OPTIONS
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index 03f09a940..533fddedf 100755
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@@ -64,5 +64,27 @@ New Features:
 INCLUDE's may be nested to a level of 3 -- further nested INCLUDE directives are ignored.
+3) Routing traffic from an interface back out that interface continues
+ to be a problem. While I firmly believe that this should never
+ happen, people continue to want to do it. To limit the damage that
+ such nonsense produces, I have added a new 'routeback' option in
+ /etc/shorewall/interfaces and /etc/shorewall/hosts. When used in
+ /etc/shorewall/interfaces, the 'ZONE' column may not contain '-'; in
+ other words, 'routeback' can't be used as an option for a multi-zone
+ interface. The 'routeback' option CAN be specified however on
+ individual group entries in /etc/shorewall/hosts.
+
+ The 'routeback' option is similar to the old 'multi' option with two
+ exceptions:
+
+ a) The option pertains to a particular zone,interface,address tuple.
+
+ b) The option only created infrastructure to pass traffic from
+ (zone,interface,address) tuples back to themselves (the 'multi'
+ option affected all (zone,interface,address) tuples associated with
+ the given 'interface').
+
+ See the 'Upgrade Issues' for information about how this new option
+ may affect your configuration.