diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index 84f0b664f..14fd01a6f 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -4431,12 +4431,7 @@ sub record_runtime_address( $$;$ ) {
if ( $addrtype eq '&' ) {
$addr = get_interface_address( $interface );
} else {
- $addr = get_interface_gateway( $interface );
-
- if ( $protect ) {
- $addr =~ s/\$/\${/;
- $addr .= ( NILIP . '}' );
- }
+ $addr = get_interface_gateway( $interface, $protect );
}
$addr . ' ';
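Review bot: After this change `$protect` reaches only the gateway branch, while the `&` branch still emits `get_interface_address( $interface )` bare, so an interface-address operand never receives the NILIP default that the gateway operand now gets. That asymmetry predates the commit, but now that the flag is threaded through it deserves a comment so the next reader does not expect protection on both paths, e.g. `# Only gateway variables get a NILIP default; '&' addresses are emitted as-is.` on the `else` branch. record_runtime_address's body starts and ends outside this hunk.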
@@ -5161,8 +5156,8 @@ sub interface_gateway( $ ) {
#
# Record that the ruleset requires the gateway address on the passed interface
#
-sub get_interface_gateway ( $ ) {
- my ( $logical ) = $_[0];
+sub get_interface_gateway ( $;$ ) {
+ my ( $logical, $protect ) = @_;
my $interface = get_physical $logical;
my $variable = interface_gateway( $interface );
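Review bot: The header comment above `get_interface_gateway` still describes the one-argument contract and says nothing about the new optional `$protect` argument, which changes the returned shell expression in the following hunk from `$VAR` to `${VAR:-NILIP}`. Suggest extending the comment with `# If $protect is true, the returned expression defaults to NILIP when the gateway variable is unset or empty, so the generated rule matches no packets.` The sub's body continues past the end of this hunk.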
@@ -5179,7 +5174,7 @@ sub get_interface_gateway ( $ ) {
);
}
- "\$$variable";
+ $protect ? "\${$variable:-" . NILIP . '}' : "\$$variable";
}
#
diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm
index d797e3f2c..b78ce4e5e 100644
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -1013,9 +1013,10 @@ sub add_common_rules ( $ ) {
for $interface ( @$list ) {
my $chainref = $filter_table->{input_option_chain $interface};
my $base = uc chain_base get_physical $interface;
- my $variable = get_interface_gateway $interface;
+ my $optional = interface_is_optional( $interface );
+ my $variable = get_interface_gateway( $interface, ! $optional );
- if ( interface_is_optional $interface ) {
+ if ( $optional ) {
add_commands( $chainref,
qq(if [ -n "SW_\$${base}_IS_USABLE" -a -n "$variable" ]; then) );
incr_cmd_level( $chainref );
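Review bot: The inverted flag in `my $variable = get_interface_gateway( $interface, ! $optional );` is not self-explanatory: the reason appears only two lines later, where the shell condition tests `-n "$variable"` and therefore needs an optional interface's variable to expand to the empty string when no gateway is known, which a NILIP default would defeat. A comment on that line would make the coupling explicit, e.g. `# Optional interfaces stay unprotected so the -n test below can skip the rule; required ones default to NILIP.` add_common_rules starts and ends outside this hunk.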
diff --git a/docs/configuration_file_basics.xml b/docs/configuration_file_basics.xml
index c62cd1dc0..8b922eee5 100644
--- a/docs/configuration_file_basics.xml
+++ b/docs/configuration_file_basics.xml
@@ -1329,17 +1329,29 @@ SHELL cat /etc/shorewall/rules.d/*.rules 2> /dev/null || true
For optional interfaces, if the interface is not usable at the time
- that the firewall starts, the all-zero address will be used (0.0.0.0 in
- IPv4 and :: in IPv6), resulting in no packets matching the rule.
+ that the firewall starts, one of two approaches are taken, depending on
+ the context:
+
+
+
+ the all-zero address will be used (0.0.0.0 in IPv4 and :: in
+ IPv6), resulting in no packets matching the rule (or all packets if
+ used with exclusion).
+
+
+
+ the entire rule is omitted from the ruleset.
+
+
Beginning with Shorewall 4.5.1, Run-time Gateway
Variables in the form of a percent sign ('%') followed by a
logical interface name are also supported. These are expanded at run-time
to the gateway through the named interface. For optional interfaces, if
- the interface is not usable at the time that the firewall starts, the
- all-zero address will be used (0.0.0.0 in IPv4 and :: in IPv6), resulting
- in no packets matching the rule. Run-time gateway variables may be used in
- the SOURCE and DEST columns of the following configuration files:
+ the interface is not usable at the time that the firewall starts, the nil
+ address will be used (0.0.0.0 in IPv4 and :: in IPv6), resulting in no
+ packets matching the rule. Run-time gateway variables may be used in the
+ SOURCE and DEST columns of the following configuration files:
@@ -1396,6 +1408,10 @@ SHELL cat /etc/shorewall/rules.d/*.rules 2> /dev/null || true
+ If there is no gateway out of the named interface, the nil IP
+ address is used (0.0.0.0 in IPv4 and :: in IPv6). That way, the generated
+ rule will match no packets (or all packets if used with exclusion).
+
Beginning with Shorewall 4.4.27, you may also use options in shorewall.conf (5) (e.g.,
$BLACKLIST_LOGLEVEL).