From 3890b8a8846ffade684e7013b2466dc97a1736a9 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Fri, 2 Jan 2015 08:49:38 -0800
Subject: [PATCH] Infrastructure for detecting loopback interfaces
Signed-off-by: Tom Eastep
---
Shorewall-core/lib.cli | 3 +++
Shorewall-core/lib.common | 18 ++++++++++++++++++
Shorewall/Perl/lib.core | 15 +++++++++------
Shorewall/lib.cli-std | 2 ++
4 files changed, 32 insertions(+), 6 deletions(-)
diff --git a/Shorewall-core/lib.cli b/Shorewall-core/lib.cli
index 51aa595ed..7f491a571 100644
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
@@ -3421,6 +3421,8 @@ get_config() {
TC=tc
+ g_loopback=$(find_loopback_interfaces)
+
}
#
@@ -3724,6 +3726,7 @@ shorewall_cli() {
g_inline=
g_tcrules=
g_counters=
+ g_loopback=
VERBOSE=
VERBOSITY=1
diff --git a/Shorewall-core/lib.common b/Shorewall-core/lib.common
index 39c8a135d..ad39baec9 100644
--- a/Shorewall-core/lib.common
+++ b/Shorewall-core/lib.common
@@ -645,6 +645,24 @@ find_first_interface_address_if_any() # $1 = interface
fi
}
+#
+#Determines if the passed interface is a loopback interface
+#
+loopback_interface() { #$1 = Interface name
+ [ "$1" = lo ] || $IP link show $1 | fgrep -q LOOPBACK
+}
+
+#
+# Find Loopback Interfaces
+#
+find_loopback_interfaces() {
+ local interfaces
+
+ interfaces=$($IP link show | fgrep LOOPBACK | sed 's/://g' | cut -d ' ' -f 2)
+
+ [ -n "$interfaces" ] && echo $interfaces || echo lo
+}
+
#
# Internal version of 'which'
#
diff --git a/Shorewall/Perl/lib.core b/Shorewall/Perl/lib.core
index a381396f3..3b5dd1877 100644
--- a/Shorewall/Perl/lib.core
+++ b/Shorewall/Perl/lib.core
@@ -652,7 +652,7 @@ interface_is_usable() # $1 = interface
local status; status=0
- if [ "$1" != lo ]; then
+ if ! loopback_interface $1 then
if interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != 0.0.0.0 ]; then
[ "$COMMAND" = enable ] || run_isusable_exit $1
status=$?
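Review bot: In the lib.common hunk, `loopback_interface()` hands `$1` to `ip link show` unquoted, without `dev`, and with stderr left open, so probing an unknown interface prints `ip`'s error on every call, and an empty argument lists every link and is reported as loopback because the `lo` line matches (assuming the host has `lo`, which the fallback in the sibling function also presumes); `$IP link show dev "$1" 2> /dev/null | fgrep -q LOOPBACK` closes both gaps. `find_loopback_interfaces()` has the same unsilenced stderr when `$IP` is missing or fails, and then quietly falls back to `lo`; that default is sensible but deserves a comment on the last line, e.g. `# fall back to lo when ip produces no output`. Both helpers also match `LOOPBACK` anywhere on the line, which is fine for iproute2's `<LOOPBACK,...>` flag field but would also accept a device whose name contains that string; anchoring on `<LOOPBACK` would be tighter if iproute2 always prints it first, which I cannot confirm from here.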
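Review bot: In the lib.core hunk, the replacement line `if ! loopback_interface $1 then` has no `;` (or newline) before `then`, so as rendered here `then` becomes a second argument to `loopback_interface` and the `if` compound command is a syntax error in sh, which would break sourcing the whole library; it should read `if ! loopback_interface "$1"; then`. If the semicolon was lost in rendering, disregard that part. The old test `[ "$1" != lo ]` was a pure string comparison, whereas the new one runs `ip link show` for every non-`lo` interface, so `interface_is_usable` now forks on each call; a one-line comment such as `# any interface flagged LOOPBACK, not only lo, is treated as always usable` would make the behaviour change explicit. The rest of `interface_is_usable` lies outside the hunk.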
@@ -902,18 +902,21 @@ detect_gateway() # $1 = interface
# Disable IPV6
#
disable_ipv6() {
- local foo
- foo="$($IP -f inet6 addr list 2> /dev/null)"
+ local temp
+ temp="$($IP -f inet6 addr list 2> /dev/null)"
- if [ -n "$foo" ]; then
+ if [ -n "$temp" ]; then
if [ -x "$IP6TABLES" ]; then
$IP6TABLES -P FORWARD DROP
$IP6TABLES -P INPUT DROP
$IP6TABLES -P OUTPUT DROP
$IP6TABLES -F
$IP6TABLES -X
- $IP6TABLES -A OUTPUT -o lo -j ACCEPT
- $IP6TABLES -A INPUT -i lo -j ACCEPT
+
+ for temp in $(find_loopback_interfaces); do
+ $IP6TABLES -A OUTPUT -o $temp -j ACCEPT
+ $IP6TABLES -A INPUT -i $temp -j ACCEPT
+ done
else
error_message "WARNING: DISABLE_IPV6=Yes in shorewall.conf but this system does not appear to have ip6tables"
fi
diff --git a/Shorewall/lib.cli-std b/Shorewall/lib.cli-std
index 1affdbd25..b818e5d14 100644
--- a/Shorewall/lib.cli-std
+++ b/Shorewall/lib.cli-std
@@ -323,6 +323,8 @@ get_config() {
LEGACY_FASTSTART=Yes
;;
esac
+
+ g_loopback=$(find_loopback_interfaces)
}
#
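Review bot: In the `disable_ipv6` hunk the loop reuses `temp`, the variable that just held the `ip -f inet6 addr list` output, as its iteration variable; the value has already been tested by then so this is not a bug, but a dedicated `local iface` with `for iface in ...; do` reads more clearly and avoids surprises if the function grows. `get_config` in both lib.cli and lib.cli-std already stores the same list in `g_loopback`, yet this hunk re-runs `find_loopback_interfaces` and its `ip`/`fgrep`/`sed`/`cut` pipeline; if `disable_ipv6` is only ever reached after `get_config`, which I cannot confirm from here, `for iface in $g_loopback; do` keeps the two in sync. Because these ACCEPT rules are the only traffic left open under `DISABLE_IPV6=Yes`, the loop deserves a comment such as `# every device ip flags LOOPBACK is trusted here, not only lo`. `disable_ipv6` continues past the hunk's closing `fi`.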