Fix minor bug in bridge interface handling.

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall/Perl/Shorewall/Compiler.pm

@@ -823,7 +823,7 @@ sub compiler {
 	#
 	generate_matrix;
 
-	if ( $config{OPTIMIZE} > 0 && $config{OPTIMIZE} & 6 ) {
+	if ( $config{OPTIMIZE} & 6 ) {
 	    progress_message2 'Optimizing Ruleset...';
 	    #
 	    # Optimize Policy Chains

Shorewall/Perl/Shorewall/Rules.pm

@@ -223,9 +223,12 @@ sub setup_blacklist() {
     my $chainref;
     my ( $level, $disposition ) = @config{'BLACKLIST_LOGLEVEL', 'BLACKLIST_DISPOSITION' };
     my $target = $disposition eq 'REJECT' ? 'reject' : $disposition;
-
+    #
+    # We go ahead and generate the blacklist chain and jump to it, even if it turns out to be empty. That is necessary
+    # for 'refresh' to work properly.
+    #
     if ( @$hosts ) {
-	$chainref = new_standard_chain 'blacklst';
+	$chainref = dont_delete new_standard_chain 'blacklst';
 
 	if ( defined $level && $level ne '' ) {
 	    my $logchainref = new_standard_chain 'blacklog';

Shorewall/Perl/Shorewall/Zones.pm

@@ -76,7 +76,7 @@ our @EXPORT = qw( NOTHING
 		 );
 
 our @EXPORT_OK = qw( initialize );
-our $VERSION = '4.4_7';
+our $VERSION = '4.4_8';
 
 #
 # IPSEC Option types
@@ -926,7 +926,7 @@ sub process_interface( $ ) {
 	if ( $options{bridge} ) {
 	    require_capability( 'PHYSDEV_MATCH', 'The "bridge" option', 's');
 	    fatal_error "Bridges may not have wildcard names" if $wildcard;
-	    $options{routeback} = 1;
+	    $hostoptions{routeback} = $options{routeback} = 1;
 	}
 
 	$zoneref->{options}{in_out}{routeback} = 1 if $zoneref && $options{routeback};

Shorewall/Perl/prog.footer

@@ -71,11 +71,11 @@ while [ $finished -eq 0 -a $# -gt 0 ]; do
 	    while [ -n "$option" ]; do
 		case $option in
 		    v*)
-			VERBOSITY=$(($VERBOSITY + 1 ))
+			[ $VERBOSITY -lt 2 ] && VERBOSITY=$(($VERBOSITY + 1 ))
 			option=${option#v}
 			;;
 		    q*)
-			VERBOSITY=$(($VERBOSITY - 1 ))
+			[ $VERBOSITY -gt -1 ] && VERBOSITY=$(($VERBOSITY - 1 ))
 			option=${option#q}
 			;;
 		    n*)
@@ -260,7 +260,7 @@ case "$COMMAND" in
 	;;
     status)
 	[ $# -ne 1 ] && usage 2
-	echo "$g_product-$SHORWEALL_VERSION Status at $(hostname) - $(date)"
+	echo "$g_product-$SHOREWALL_VERSION Status at $(hostname) - $(date)"
 	echo
 	if shorewall_is_started; then
 	    echo "$g_product is running"

Shorewall/Perl/prog.footer6

@@ -71,11 +71,11 @@ while [ $finished -eq 0 -a $# -gt 0 ]; do
 	    while [ -n "$option" ]; do
 		case $option in
 		    v*)
-			VERBOSITY=$(($VERBOSITY + 1 ))
+			[ $VERBOSITY -lt 2 ] && VERBOSITY=$(($VERBOSITY + 1 ))
 			option=${option#v}
 			;;
 		    q*)
-			VERBOSITY=$(($VERBOSITY - 1 ))
+			[ $VERBOSITY -gt -1 ] && VERBOSITY=$(($VERBOSITY - 1 ))
 			option=${option#q}
 			;;
 		    n*)

Shorewall/changelog.txt

@@ -35,6 +35,8 @@ Changes in Shorewall 4.4.8
 
 17) Issue warnings when 'blacklist' but no blacklist file entries.
 
+18) Don't optimize 'blacklst'.
+
 Changes in Shorewall 4.4.7
 
 1)  Backport optimization changes from 4.5.

Shorewall/releasenotes.txt

@@ -281,6 +281,11 @@ I I I.  P R O B L E M S   C O R R E C T E D   I N   T H I S  R E L E A S E
     	ERROR: iptables-restore Failed. Input is in
                /var/lib/shorewall/.iptables-restore-input
 
+11) Previously, with optimization 4, the 'blacklst' chain could be
+    optimized away. If the blacklist file was then changed and a
+    'shorewall refresh' executed, those new changes would not be included
+    in the active ruleset.
+
 ----------------------------------------------------------------------------
            I V. K N O W N   P R O B L E M S   R E M A I N I N G
 ----------------------------------------------------------------------------

docs/SplitDNS.xml

@@ -86,6 +86,46 @@
 
 127.0.0.1       localhost
 
+<emphasis role="bold">172.20.0.1      openvpn.shorewall.net   openvpn
+172.20.0.2      vpn02.shorewall.net     vpn02
+172.20.0.3      vpn03.shorewall.net     vpn03
+172.20.0.4      vpn04.shorewall.net     vpn04
+172.20.0.5      vpn05.shorewall.net     vpn05
+172.20.0.6      vpn06.shorewall.net     vpn06
+172.20.0.7      vpn07.shorewall.net     vpn07
+172.20.0.8      vpn08.shorewall.net     vpn08
+172.20.0.9      vpn09.shorewall.net     vpn09
+172.20.0.10     vpn10.shorewall.net     vpn10
+172.20.0.11     vpn11.shorewall.net     vpn11
+172.20.0.12     vpn12.shorewall.net     vpn12
+172.20.0.13     vpn13.shorewall.net     vpn13
+172.20.0.14     vpn14.shorewall.net     vpn14
+172.20.0.15     vpn15.shorewall.net     vpn15
+172.20.0.16     vpn16.shorewall.net     vpn16
+
+172.20.1.1      linksys.shorewall.net   linksys
+172.20.1.100    hp8500.shorewall.net    hp8500
+172.20.1.102    ursa.shorewall.net      ursa
+172.20.1.105    tarry.shorewall.net     tarry
+172.20.1.107    teastep.shorewall.net   teastep
+172.20.1.109    hpmini.shorewall.net    hpmini
+
+172.20.1.130    lanursa.shorewall.net   lanursa
+172.20.1.131    wookie.shorewall.net    wookie
+172.20.1.132    tipper.shorewall.net    tipper
+172.20.1.133    nasty.shorewall.net     nasty
+172.20.1.134    ursadog.shorewall.net   ursadog
+172.20.1.135    opensuse.shorewall.net  opensuse
+172.20.1.136    centos.shorewall.net    centos
+172.20.1.137    fedora.shorewall.net    fedora
+172.20.1.138    debian.shorewall.net    debian
+172.20.1.139    archlinux.shorewall.net archlinux
+172.20.1.140    foobar.shorewall.net    foobar
+172.20.1.141    deblap.shorewall.net    deblap
+172.20.1.254    firewall.shorewall.net  firewall
+
+206.124.146.254 blarg.shorewall.net     blarg
+</emphasis>
 # special IPv6 addresses
 ::1             localhost ipv6-localhost ipv6-loopback
 
@@ -95,24 +135,18 @@ ff00::0         ipv6-mcastprefix
 ff02::1         ipv6-allnodes
 ff02::2         ipv6-allrouters
 ff02::3         ipv6-allhosts
-127.0.0.2       ursa.shorewall.net ursa
+
-<emphasis role="bold">172.20.1.1      linksys.shorewall.net     linksys
+<emphasis role="bold">2002:ce7c:92b4::1       gateway6.shorewall.net  gateway6
-192.168.0.1     opensuse.shorewall.net    opensuse
+2002:ce7c:92b4:1::2     mail6.shorewall.net     mail6
-192.168.0.2     debian.shorewall.net      debian
+2002:ce7c:92b4:1::2     lists6.shorewall.net    lists6
-192.168.0.3     ubuntu.shorewall.net      ubuntu
+2002:ce7c:92b4:2::2     server6.shorewall.net   server6</emphasis>
-192.168.0.4     fedora.shoreawll.net      fedora
+
-192.168.0.5     opensuse11.shorewall.net  opensuse11
-192.168.0.6     centos.shorewall.net      centos
-192.168.0.7     debian32.shorewall.net    debian32
-192.168.0.8     fedora9.shorewall.net     fedora9</emphasis>
-206.124.146.254 blarg.shorewall.net       blarg
 </programlisting></para>
       </listitem>
 
       <listitem>
-        <para>Configure your local network hosts to use the firewall/router as
+        <para> If your local hosts are configured using DHCP, that is a simple
-        their DNS server. If your local hosts are configured using DHCP, that
+        one-line change to the DHCP configuration.</para>
-        is a simple one-line change to the DHCP configuration.</para>
       </listitem>
     </orderedlist>
 
@@ -128,8 +162,45 @@ ff02::3         ipv6-allhosts
 linksys.shorewall.net has address 206.124.146.180
 gateway:~ # </programlisting></para>
 
-    <para>From ubuntu (192.168.0.3):<programlisting>teastep@ubuntu:~$ host linksys
+    <para>From Tipper (192.168.1.132):<programlisting>teastep@tipper:~$ host linksys
 linksys.shorewall.net has address 172.20.1.1
-teastep@ubuntu:~$ </programlisting></para>
+teastep@tipper:~$ </programlisting></para>
+
+    <para>As a bonus, dnsmasq can also act as a DHCP server. Here are some
+    exerpts from the corresponding /etc/dnsmasq.conf:</para>
+
+    <programlisting>interface=eth1
+
+dhcp-range=172.20.1.210,172.20.1.219,24h
+
+dhcp-host=00:11:85:89:da:9b,172.20.1.220
+
+dhcp-host=00:1A:73:DB:8C:35,172.20.1.102
+dhcp-host=00:25:B3:9F:5B:FD,172.20.1.100
+dhcp-host=00:1F:E1:07:53:CA,172.20.1.105
+dhcp-host=00:1F:29:7B:04:04,172.20.1.107
+dhcp-host=00:24:2b:59:96:e2,172.20.1.109
+
+dhcp-host=00:1B:24:CB:2B:CC,172.20.1.130
+dhcp-host=00:21:5a:22:ac:e0,172.20.1.131
+dhcp-host=08:00:27:B1:46:a9,172.20.1.132
+dhcp-host=08:00:27:31:45:83,172.20.1.133
+dhcp-host=08:00:27:28:64:50,172.20.1.134
+dhcp-host=08:00:27:4b:38:88,172.20.1.135
+dhcp-host=08:00:27:f6:4d:65,172.20.1.136
+dhcp-host=08:00:27:dc:cd:94,172.20.1.137
+dhcp-host=08:00:27:0f:d3:8f,172.20.1.138
+dhcp-host=08:00:27:42:9c:01,172.20.1.139
+dhcp-host=08:00:27:5a:6c:d8,172.20.1.140
+dhcp-host=08:00:27:da:96:78,172.20.1.141
+
+dhcp-option=19,0           # option ip-forwarding off
+dhcp-option=44,0.0.0.0     # set netbios-over-TCP/IP nameserver(s) aka WINS server(s)
+dhcp-option=45,0.0.0.0     # netbios datagram distribution server
+dhcp-option=46,8           # netbios node type
+dhcp-option=47             # empty netbios scope.
+
+dhcp-option=option:domain-search,shorewall.net
+</programlisting>
   </section>
-</article>
+</article>

manpages/shorewall.conf.xml

@@ -935,7 +935,8 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
           logged packets. Please see iptables(8) for a description of the
           behavior of these parameters (the iptables option --limit is set by
           LOGRATE and --limit-burst is set by LOGBURST). If both parameters
-          are set empty, no rate-limiting will occur.</para>
+          are set empty, no rate-limiting will occur. If you supply one of
+          these, then you should also supply the other.</para>
 
           <para>Example:</para>
 
@@ -1222,6 +1223,10 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
                   <para>action chains (user-defined)</para>
                 </listitem>
 
+                <listitem>
+                  <para>'blacklst' chain</para>
+                </listitem>
+
                 <listitem>
                   <para>dynamic</para>
                 </listitem>

manpages6/shorewall6.conf.xml

@@ -812,7 +812,8 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
           logged packets. Please see ip6tables(8) for a description of the
           behavior of these parameters (the ip6tables option --limit is set by
           LOGRATE and --limit-burst is set by LOGBURST). If both parameters
-          are set empty, no rate-limiting will occur.</para>
+          are set empty, no rate-limiting will occur. If you supply one of
+          these, then you should also supply the other.</para>
 
           <para>Example:</para>
 
@@ -1010,6 +1011,10 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
                   <para>action chains (user-defined)</para>
                 </listitem>
 
+                <listitem>
+                  <para>'blacklst' chain</para>
+                </listitem>
+
                 <listitem>
                   <para>dynamic</para>
                 </listitem>