Simple question: I want to prevent Shorewall from spamming my chains with generated multicast (224.0.0.0/4) and broadcast (255.255.255.255) rules (I want such packets to be DROPped, which is the default policy for all my chains). Will the two patches I am attaching here do the job and, if so, are there any "side effects"?

I ran a quick diff between "old" and "new" and couldn't find anything alarming, but thought to post on here just to be on the safe side. Thanks.
--- a/usr/share/perl5/Shorewall/Misc.pm 2014-02-16 12:26:09.000000000 +0000
+++ b/usr/share/perl5/Shorewall/Misc.pm 2014-02-16 12:26:40.000000000 +0000
@@ -1818,8 +1818,8 @@
     #
     #  Add jump for broadcast
     #
-    add_ijump( $outputref , j => $nextchain, @interfacematch, d => 
'255.255.255.255' , @ipsec_out_match )
-       if $family == F_IPV4 && $hostref->{options}{broadcast};
+    #add_ijump( $outputref , j => $nextchain, @interfacematch, d => 
'255.255.255.255' , @ipsec_out_match )
+       #if $family == F_IPV4 && $hostref->{options}{broadcast};
     #
     # Move the rules from the interface output chain if we didn't use it
     #
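Review bot: The statement being commented out is already conditional on `$hostref->{options}{broadcast}`, so after this change a configured `broadcast` host option is accepted and then silently has no effect; the same applies to the `multicast` option in the Zones.pm hunk. Leaving the code as it is and not setting those options appears to give the same drop-by-policy result, and it avoids a locally modified module under /usr/share/perl5, which a package upgrade would presumably overwrite. If the jump must be disabled in code, delete the statement rather than leaving it commented out, and add a comment such as `# broadcast jump disabled locally; the 'broadcast' host option is ignored`. The enclosing function starts and ends outside the hunk.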

--- a/usr/share/perl5/Shorewall/Zones.pm        2014-02-16 12:29:24.000000000 
+0000
+++ b/usr/share/perl5/Shorewall/Zones.pm        2014-02-16 12:29:46.000000000 
+0000
@@ -1289,11 +1289,11 @@
     if ( $zone ) {
        $netsref ||= [ allip ];
        add_group_to_zone( $zone, $zoneref->{type}, $interface, $netsref, 
$hostoptionsref );
-       add_group_to_zone( $zone,
-                          $zoneref->{type},
-                          $interface,
-                          $family == F_IPV4 ? [ IPv4_MULTICAST ] : [ 
IPv6_MULTICAST ] ,
-                          { destonly => 1 } ) if $hostoptionsref->{multicast} 
&& $interfaces{$interface}{zone} ne $zone;
+       #add_group_to_zone( $zone,
+       #                  $zoneref->{type},
+       #                  $interface,
+       #                  $family == F_IPV4 ? [ IPv4_MULTICAST ] : [ 
IPv6_MULTICAST ] ,
+       #                  { destonly => 1 } ) if $hostoptionsref->{multicast} 
&& $interfaces{$interface}{zone} ne $zone;
     }
 
     progress_message "  Interface \"$currentline\" Validated";
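Review bot: The commented-out call covers both address families, so the `[ IPv6_MULTICAST ]` branch is disabled as well, although the stated goal names only 224.0.0.0/4 and 255.255.255.255. IPv6 relies on multicast for neighbour discovery, so whether hosts in such a zone still work without the destination-only multicast group should be checked on an IPv6 configuration before relying on the patch. If only IPv4 is meant, keep the call and narrow its condition instead, e.g. `if $family != F_IPV4 && $hostoptionsref->{multicast} && $interfaces{$interface}{zone} ne $zone;`. The enclosing function starts before the hunk and continues after it.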
