Tweak to Run-time gateway variables

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall/Perl/Shorewall/Chains.pm

@@ -4431,12 +4431,7 @@ sub record_runtime_address( $$;$ ) {
     if ( $addrtype eq '&' ) {
 	$addr = get_interface_address( $interface );
     } else {
-	$addr = get_interface_gateway( $interface );
+	$addr = get_interface_gateway( $interface, $protect );
-
-	if ( $protect ) {
-	    $addr =~ s/\$/\${/;
-	    $addr .= ( NILIP . '}' );
-	}
     }
 
     $addr . ' ';
@@ -5161,8 +5156,8 @@ sub interface_gateway( $ ) {
 #
 # Record that the ruleset requires the gateway address on the passed interface
 #
-sub get_interface_gateway ( $ ) {
+sub get_interface_gateway ( $;$ ) {
-    my ( $logical ) = $_[0];
+    my ( $logical, $protect ) = @_;
 
     my $interface = get_physical $logical;
     my $variable = interface_gateway( $interface );
@@ -5179,7 +5174,7 @@ sub get_interface_gateway ( $ ) {
 );
     }
 
-    "\$$variable";
+    $protect ? "\${$variable:-" . NILIP . '}' : "\$$variable";
 }
 
 #

Shorewall/Perl/Shorewall/Misc.pm

@@ -1013,9 +1013,10 @@ sub add_common_rules ( $ ) {
 	    for $interface ( @$list ) {
 		my $chainref = $filter_table->{input_option_chain $interface};
 		my $base     = uc chain_base get_physical $interface;
-		my $variable = get_interface_gateway $interface;
+		my $optional = interface_is_optional( $interface );
+		my $variable = get_interface_gateway( $interface, ! $optional );
 
-		if ( interface_is_optional $interface ) {
+		if ( $optional ) {
 		    add_commands( $chainref,
 				  qq(if [ -n "SW_\$${base}_IS_USABLE" -a -n "$variable" ]; then) );
 		    incr_cmd_level( $chainref );

docs/configuration_file_basics.xml

@@ -1329,17 +1329,29 @@ SHELL cat /etc/shorewall/rules.d/*.rules 2&gt; /dev/null || true</programlisting
     </itemizedlist>
 
     <para>For optional interfaces, if the interface is not usable at the time
-    that the firewall starts, the all-zero address will be used (0.0.0.0 in
+    that the firewall starts, one of two approaches are taken, depending on
-    IPv4 and :: in IPv6), resulting in no packets matching the rule.</para>
+    the context:</para>
+
+    <itemizedlist>
+      <listitem>
+        <para>the all-zero address will be used (0.0.0.0 in IPv4 and :: in
+        IPv6), resulting in no packets matching the rule (or all packets if
+        used with exclusion).</para>
+      </listitem>
+
+      <listitem>
+        <para>the entire rule is omitted from the ruleset.</para>
+      </listitem>
+    </itemizedlist>
 
     <para>Beginning with Shorewall 4.5.1, <firstterm>Run-time Gateway
     Variables</firstterm> in the form of a percent sign ('%') followed by a
     logical interface name are also supported. These are expanded at run-time
     to the gateway through the named interface. For optional interfaces, if
-    the interface is not usable at the time that the firewall starts, the
+    the interface is not usable at the time that the firewall starts, the nil
-    all-zero address will be used (0.0.0.0 in IPv4 and :: in IPv6), resulting
+    address will be used (0.0.0.0 in IPv4 and :: in IPv6), resulting in no
-    in no packets matching the rule. Run-time gateway variables may be used in
+    packets matching the rule. Run-time gateway variables may be used in the
-    the SOURCE and DEST columns of the following configuration files:</para>
+    SOURCE and DEST columns of the following configuration files:</para>
 
     <itemizedlist>
       <listitem>
@@ -1396,6 +1408,10 @@ SHELL cat /etc/shorewall/rules.d/*.rules 2&gt; /dev/null || true</programlisting
       </varlistentry>
     </variablelist>
 
+    <para>If there is no gateway out of the named interface, the nil IP
+    address is used (0.0.0.0 in IPv4 and :: in IPv6). That way, the generated
+    rule will match no packets (or all packets if used with exclusion).</para>
+
     <para>Beginning with Shorewall 4.4.27, you may also use options in <ulink
     url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5) (e.g.,
     $BLACKLIST_LOGLEVEL).</para>