From 4ea801abb5364b28c8d76cc2d38f33dc17b9f0b3 Mon Sep 17 00:00:00 2001
From: teastep
Date: Fri, 10 Sep 2004 21:41:10 +0000
Subject: [PATCH] Fix complex proxy arp handling
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1618 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Shorewall2/changelog.txt | 2 ++
 Shorewall2/firewall | 35 +++++++++++++++++++++--------------
 Shorewall2/releasenotes.txt | 8 ++++++++
 3 files changed, 31 insertions(+), 14 deletions(-)
diff --git a/Shorewall2/changelog.txt b/Shorewall2/changelog.txt
index da9398bae..eab70a2c3 100644
--- a/Shorewall2/changelog.txt
+++ b/Shorewall2/changelog.txt
@@ -76,3 +76,5 @@ Changes since 2.0.3
 36) Remove logunclean and dropunclean
+37) Fixed proxy arp flag setting for complex configurations.
+
diff --git a/Shorewall2/firewall b/Shorewall2/firewall
index c5f8d88c9..218f1e0fc 100755
--- a/Shorewall2/firewall
+++ b/Shorewall2/firewall
@@ -170,17 +170,15 @@ run_iptables() {
 #
 run_iptables2() {
- if [ "x${*%!*}" = "x$*" ]; then
- #
- # No "!" in the command -- just execute it
- #
- run_iptables $@
- return
- fi
- #
- # Need to insert white space before each "!"
- #
- run_iptables $(fix_bang $@)
+ case "$@" in
+ *!*)
+ run_iptables $(fix_bang $@)
+ ;;
+ *)
+ run_iptables $@
+ ;;
+ esac
+
 }
 #
@@ -1771,6 +1769,8 @@ setup_ipsec() {
 #
 setup_proxy_arp() {
+ local setlist= resetlist=
+
 print_error() {
 error_message "Invalid value for HAVEROUTE - ($haveroute)"
 error_message "Entry \"$address $interface $external $haveroute\" ignored"
@@ -1824,9 +1824,6 @@ setup_proxy_arp() {
 ensure_and_save_command arp -i $external -Ds $address $external pub
- run_and_save_command "echo 1 > /proc/sys/net/ipv4/conf/$interface/proxy_arp"
- run_and_save_command "echo 0 > /proc/sys/net/ipv4/conf/$external/proxy_arp"
-
 echo $address $interface $external $haveroute >> ${STATEDIR}/proxyarp
 progress_message "   Host $address connected to $interface added to ARP on $external"
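Review bot: The rewritten run_iptables2 drops the two comments that explained the `!` handling, and the `*!*` case pattern needs one because it fires on a `!` anywhere in the joined arguments (the same test the old `${*%!*}` made, so behaviour is unchanged), not only on a standalone `!` token; I would add `# A "!" anywhere in the arguments needs fix_bang to put white space around it` above the `case`. The stray blank line left between `esac` and `}` can go. Both `run_iptables $@` and `$(fix_bang $@)` leave the arguments unquoted, so they are word-split and glob-expanded by the shell before iptables sees them; that is carried over from the old body rather than introduced here, but since every rule passes through this function a note that callers must not hand it unescaped glob characters would be worth having.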
@@ -1838,9 +1835,19 @@ setup_proxy_arp() {
 while read address interface external haveroute persistent; do
 expandv address interface external haveroute persistent
+ list_search $interface $setlist || setlist="$setlist $interface"
+ list_search $external $resetlist || list_search $external $setlist || resetlist="$resetlist $external"
 setup_one_proxy_arp
 done < $TMP_DIR/proxyarp
+ for interface in $resetlist; do
+ run_and_save_command "echo 0 > /proc/sys/net/ipv4/conf/$interface/proxy_arp"
+ done
+
+ for interface in $setlist; do
+ run_and_save_command "echo 1 > /proc/sys/net/ipv4/conf/$interface/proxy_arp"
+ done
+
 interfaces=$(find_interfaces_by_option proxyarp)
 for interface in $interfaces; do
diff --git a/Shorewall2/releasenotes.txt b/Shorewall2/releasenotes.txt
index d857ab0b5..73552bde2 100755
--- a/Shorewall2/releasenotes.txt
+++ b/Shorewall2/releasenotes.txt
@@ -58,6 +58,14 @@ Problems corrected since 2.1.8
 2) Rules where an IP range appears in both the source and destination now work correctly.
+3) With complex proxy arp configurations involving two or more
+ ordered pairs of interfaces, the /proc/sys/net/ipv4/conf/*/proxy_arp
+ flags were sometimes set incorrectly. This has been fixed.
+
+ Users looking at their restore file (generated by "shorewall save")
+ may see that one of these flags might be first reset then set in rapid
+ succession. This is expected and is harmless since the correct value
+ (1) results.
 -----------------------------------------------------------------------
 Issues when migrating from Shorewall 2.0 to Shorewall 2.1:
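Review bot: The two new `list_search` lines record $interface and $external before setup_one_proxy_arp runs, so an entry that setup_one_proxy_arp rejects (print_error in the earlier hunk reports entries with a bad HAVEROUTE as ignored) still has its interfaces' proxy_arp flags toggled by the two loops, whereas the removed per-entry echo commands sat next to the arp call and so only ran for entries that got that far. If that reading holds, the two list_search lines belong inside setup_one_proxy_arp where the echo commands were removed, after `ensure_and_save_command arp -i $external -Ds $address $external pub`, so that only accepted entries contribute to setlist and resetlist. The reset-then-set sequence the release notes document can also be avoided rather than explained: the second list_search only sees the setlist entries read so far, so guard the reset loop with `list_search $interface $setlist || run_and_save_command "echo 0 > /proc/sys/net/ipv4/conf/$interface/proxy_arp"` and the flag is never written twice. setup_proxy_arp continues past the end of this hunk.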