From 19b7601c72c850b39734f47a40d77f294f2931d8 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Fri, 22 Dec 2017 10:30:10 -0800 Subject: [PATCH] Improve handling of wildcard interfaces and options Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Zones.pm | 36 +++-- Shorewall/manpages/shorewall-interfaces.xml | 143 ++++++++++++++++---- 2 files changed, 142 insertions(+), 37 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Zones.pm b/Shorewall/Perl/Shorewall/Zones.pm index 2e26d87c7..22a1bc8a6 100644 --- a/Shorewall/Perl/Shorewall/Zones.pm +++ b/Shorewall/Perl/Shorewall/Zones.pm @@ -253,6 +253,17 @@ use constant { NO_UPDOWN => 1, our %validinterfaceoptions; +our %procinterfaceoptions=( accept_ra => 1, + arp_filter => 1, + arp_ignore => 1, + forward => 1, + logmartians => 1, + proxyarp => 1, + proxyndp => 1, + routefilter => 1, + sourceroute => 1, + ); + our %prohibitunmanaged = ( blacklist => 1, bridge => 1, @@ -363,9 +374,9 @@ sub initialize( $$ ) { upnp => SIMPLE_IF_OPTION, upnpclient => SIMPLE_IF_OPTION, mss => NUMERIC_IF_OPTION + IF_OPTION_WILDOK, - physical => STRING_IF_OPTION + IF_OPTION_HOST, + physical => STRING_IF_OPTION + IF_OPTION_HOST + IF_OPTION_WILDOK, unmanaged => SIMPLE_IF_OPTION, - wait => NUMERIC_IF_OPTION + IF_OPTION_WILDOK, + wait => NUMERIC_IF_OPTION, ); %validhostoptions = ( blacklist => 1, 
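Review bot: The new `%procinterfaceoptions` hash carries no comment saying what membership means, yet process_interface() later warns and drops any option found in it when the physical name is a wildcard, so a maintainer adding an option has no cue that this list must track the manpage entries that carry the "does not work with a wild-card physical name" text in the same commit. A header comment such as `# Options applied through per-interface /proc settings; a wildcard physical name (e.g. eth0.+) has no such entry, so process_interface() ignores them` would make that contract explicit. The declaration is also written `our %procinterfaceoptions=(` while the neighbouring `our %prohibitunmanaged = (` spaces the assignment; `our %procinterfaceoptions = (` keeps the file consistent. Whether the hash needs to be `our` rather than a file-lexical `my` depends on exports outside this hunk.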
@@ -402,18 +413,18 @@ sub initialize( $$ ) { optional => SIMPLE_IF_OPTION, proxyndp => BINARY_IF_OPTION, required => SIMPLE_IF_OPTION, - routeback => BINARY_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST + IF_OPTION_VSERVER, + routeback => BINARY_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST + IF_OPTION_VSERVER + IF_OPTION_WILDOK, rpfilter => SIMPLE_IF_OPTION, sfilter => IPLIST_IF_OPTION, sourceroute => BINARY_IF_OPTION, tcpflags => BINARY_IF_OPTION + IF_OPTION_HOST, mss => NUMERIC_IF_OPTION + IF_OPTION_WILDOK, forward => BINARY_IF_OPTION, - physical => STRING_IF_OPTION + IF_OPTION_HOST, + physical => STRING_IF_OPTION + IF_OPTION_HOST + IF_OPTION_WILDOK, unmanaged => SIMPLE_IF_OPTION, upnp => SIMPLE_IF_OPTION, upnpclient => SIMPLE_IF_OPTION, - wait => NUMERIC_IF_OPTION + IF_OPTION_WILDOK, + wait => NUMERIC_IF_OPTION, ); %validhostoptions = ( blacklist => 1, @@ -1267,6 +1278,8 @@ sub process_interface( $$ ) { my $hostopt = $type & IF_OPTION_HOST; + my $fulltype = $type; + $type &= MASK_IF_OPTION; unless ( $type == BINARY_IF_OPTION && defined $value && $value eq '0' ) { @@ -1297,7 +1310,6 @@ sub process_interface( $$ ) { } elsif ( $type == BINARY_IF_OPTION ) { $value = 1 unless defined $value; fatal_error "Option value for '$option' must be 0 or 1" unless ( $value eq '0' || $value eq '1' ); - fatal_error "The '$option' option may not be used with a wild-card interface name" if $wildcard && ! $type && IF_OPTION_WILDOK; $options{$option} = $value; $hostoptions{$option} = $value if $hostopt; } elsif ( $type == ENUM_IF_OPTION ) { @@ -1321,7 +1333,6 @@ sub process_interface( $$ ) { assert( 0 ); } } elsif ( $type == NUMERIC_IF_OPTION ) { - fatal_error "The '$option' option may not be specified on a wildcard interface" if $wildcard && ! $type && IF_OPTION_WILDOK; $value = $defaultinterfaceoptions{$option} unless defined $value; fatal_error "The '$option' option requires a value" unless defined $value; my $numval = numeric_value $value; 
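Review bot: In the hunk at -1267, `my $fulltype = $type;` is immediately followed by `$type &= MASK_IF_OPTION;` with nothing explaining why the unmasked value is kept, and the only consumer (`$fulltype & IF_OPTION_WILDOK` in the later hunk at -1381) is far away in the function. A one-line comment keeps the next reader from "simplifying" it away: `# keep the unmasked flags: IF_OPTION_WILDOK is tested after the value has been validated`. process_interface() begins before this hunk and its option loop is not visible here.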
@@ -1373,7 +1384,9 @@ sub process_interface( $$ ) { fatal_error "Duplicate physical interface name ($value)" if ( $interfaces{$value} && ! $port ); - fatal_error "The type of 'physical' name ($value) doesn't match the type of interface name ($interface)" if $wildcard && ! $value =~ /\+$/; + $physwild = ( $value =~ /\+$/ ); + fatal_error "The type of 'physical' name ($value) doesn't match the type of interface name ($interface)" if $wildcard && ! $physwild; + $physical = $value; } else { assert(0); @@ -1381,6 +1394,12 @@ sub process_interface( $$ ) { } else { warning_message "Support for the $option interface option has been removed from Shorewall"; } + + if ( $root ) { + warning_message( "The '$option' option is ignored when used with a wildcard physical name" ), delete $options{$option} if $physwild && $procinterfaceoptions{$option}; + } else { + warning_message( "The '$option' option is ignored when used with interface name '+'" ), delete $options{$option} unless $fulltype & IF_OPTION_WILDOK; + } } fatal_error q(The 'required', 'optional' and 'ignore' options are mutually exclusive) @@ -1459,6 +1478,7 @@ sub process_interface( $$ ) { zones => {}, origin => shortlineinfo( '' ), wildcard => $wildcard, + physwild => $physwild, }; $interfaces{$physical} = $interfaceref if $physical ne $interface; diff --git a/Shorewall/manpages/shorewall-interfaces.xml b/Shorewall/manpages/shorewall-interfaces.xml index 839d03876..52acc7a7f 100644 --- a/Shorewall/manpages/shorewall-interfaces.xml +++ b/Shorewall/manpages/shorewall-interfaces.xml @@ -112,7 +112,10 @@ loc eth2 - url="/manpages/shorewall-nesting.html">shorewall-nesting(5) for a discussion of this problem. - Shorewall allows '+' as an interface name. + Shorewall allows '+' as an interface name, but that usage is + deprecated. A better approach is to specify + '=+' in the OPTIONS column (see + below). There is no need to define the loopback interface (lo) in this file. 
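Review bot: The new `%procinterfaceoptions` check in the hunk at -1381 runs inside the per-option loop but depends on `$physwild`, which is only assigned when the `physical` option itself is parsed (hunk at -1373), so an option such as `accept_ra` listed before `physical=eth0.+` in OPTIONS appears to be evaluated while `$physwild` is still false and is silently kept instead of warned about and dropped. Doing that pass once after the loop, over `sort keys %options` when `$physwild` is final, removes the ordering dependency, while the `IF_OPTION_WILDOK` test can stay inline because `$fulltype` is per option. Both branches also delete only `$options{$option}` while `$hostoptions{$option}`, set in the -1297 hunk for options carrying IF_OPTION_HOST (e.g. `tcpflags` on a '+' interface), keeps its value; if `%hostoptions` is meant to mirror `%options`, delete both. The `warning_message( ... ), delete $options{$option} if ...` comma-operator form hides two statements behind one postfix condition and reads better as plain `if` blocks. process_interface() starts and ends outside the hunk, and I cannot see where `$physwild` is declared; under `use strict` it needs a `my $physwild = 0;` before the loop unless that is in a hunk outside this view.
```perl
        # … unchanged: per-option parsing, including the removed-option warning …
        unless ( $root || $fulltype & IF_OPTION_WILDOK ) {
            warning_message "The '$option' option is ignored when used with interface name '+'";
            delete $options{$option};
            delete $hostoptions{$option};
        }
    }

    # Options applied through per-interface /proc entries cannot follow a
    # wildcard physical name; check once, after every option has been parsed.
    if ( $root && $physwild ) {
        for my $option ( sort grep { $procinterfaceoptions{$_} } keys %options ) {
            warning_message "The '$option' option is ignored when used with a wildcard physical name";
            delete $options{$option};
            delete $hostoptions{$option};
        }
    }
```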
@@ -193,6 +196,54 @@ loc eth2 - should have no embedded white-space. + + accept_ra[={0|1|2}] + + + IPv6 only; added in Shorewall 4.5.16. Values are: + + + + 0 + + + Do not accept Router Advertisements. + + + + + 1 + + + Accept Route Advertisements if forwarding is + disabled. + + + + + 2 + + + Overrule forwarding behavior. Accept Route + Advertisements even if forwarding is enabled. + + + + + If the option is specified without a value, then the + value 1 is assumed. + + + This option does not work with a wild-card physical name (e.g., eth0.+). + Beginning with Shorewall 5.1.10, If this option is + specified, a warning is issued and the option is + ignored. + + + + arp_filter[={0|1}] @@ -209,12 +260,12 @@ loc eth2 - changed; the value assigned to the setting will be the value specified (if any) or 1 if no value is given. - - - This option does not work with a wild-card - interface name (e.g., eth0.+) in - the INTERFACE column. + This option does not work with a wild-card physical name (e.g., eth0.+). + Beginning with Shorewall 5.1.10, If this option is + specified, a warning is issued and the option is + ignored. @@ -243,16 +294,14 @@ loc eth2 - 8 - do not reply for all local addresses - - - This option does not work with a wild-card - interface name (e.g., eth0.+) in - the INTERFACE column. + This option does not work with a wild-card physical name (e.g., eth0.+). + Beginning with Shorewall 5.1.10, If this option is + specified, a warning is issued and the option is + ignored. - - Do not specify arp_ignore for any interface involved @@ -430,6 +479,25 @@ loc eth2 - + + forward[={0|1}] + + + IPv6 only Sets the + /proc/sys/net/ipv6/conf/interface/forwarding option to the + specified value. If no value is supplied, then 1 is + assumed. + + + This option does not work with a wild-card physical name (e.g., eth0.+). + Beginning with Shorewall 5.1.10, If this option is + specified, a warning is issued and the option is + ignored. + + + + ignore[=1] 
@@ -496,9 +564,11 @@ loc eth2 - - This option does not work with a wild-card - interface name (e.g., eth0.+) in - the INTERFACE column. + This option does not work with a wild-card physical name (e.g., eth0.+). + Beginning with Shorewall 5.1.10, If this option is + specified, a warning is issued and the option is + ignored.
@@ -625,7 +695,10 @@ loc eth2 - If the interface name is a wildcard name (ends with '+'), then the physical - name must also end in '+'. + name must also end in '+'. The physical + name may end in '+' (or be exactly + '+') when the interface name is not + a wildcard name. If is not specified, then it's value defaults to the interface @@ -647,9 +720,13 @@ loc eth2 - url="http://tldp.org/HOWTO/Proxy-ARP-Subnet/index.html">http://tldp.org/HOWTO/Proxy-ARP-Subnet/index.html. - Note: This option does - not work with a wild-card interface - name (e.g., eth0.+) in the INTERFACE column. + + This option does not work with a wild-card physical name (e.g., eth0.+). + Beginning with Shorewall 5.1.10, If this option is + specified, a warning is issued and the option is + ignored. + Only those interfaces with the option will have their setting changed; the value assigned to @@ -665,9 +742,13 @@ loc eth2 - IPv6 only. Sets /proc/sys/net/ipv6/conf/interface/proxy_ndp. - Note: This option does - not work with a wild-card interface - name (e.g., eth0.+) in the INTERFACE column. + + This option does not work with a wild-card physical name (e.g., eth0.+). + Beginning with Shorewall 5.1.10, If this option is + specified, a warning is issued and the option is + ignored. + Only those interfaces with the option will have their setting changed; the value assigned to @@ -731,9 +812,11 @@ loc eth2 - filtering. - This option does not work with a wild-card - interface name (e.g., eth0.+) in - the INTERFACE column. + This option does not work with a wild-card physical name (e.g., eth0.+). + Beginning with Shorewall 5.1.10, If this option is + specified, a warning is issued and the option is + ignored. This option can also be enabled globally via the 
@@ -842,9 +925,11 @@ loc eth2 - specified (if any) or 1 if no value is given. - This option does not work with a wild-card - interface name (e.g., eth0.+) in - the INTERFACE column. + This option does not work with a wild-card physical name (e.g., eth0.+). + Beginning with Shorewall 5.1.10, If this option is + specified, a warning is issued and the option is + ignored.