Fix complex proxy arp handling

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1618 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall2/changelog.txt

@@ -76,3 +76,5 @@ Changes since 2.0.3
 
 36) Remove logunclean and dropunclean
 
+37) Fixed proxy arp flag setting for complex configurations.
+

Shorewall2/firewall

@@ -170,17 +170,15 @@ run_iptables() {
 #
 run_iptables2() {
 
-    if [ "x${*%!*}" = "x$*" ]; then
+    case "$@" in
-	#
+	*!*)
-	# No "!" in the command -- just execute it
+	    run_iptables $(fix_bang $@)
-	#
+	    ;;
-	run_iptables $@
+	*)
-	return
+	    run_iptables $@
-    fi
+	    ;;
-    #
+    esac
-    # Need to insert white space before each "!"
+
-    #
-    run_iptables $(fix_bang $@)
 }
 
 #
@@ -1771,6 +1769,8 @@ setup_ipsec() {
 #
 setup_proxy_arp() {
 
+    local setlist= resetlist=
+
     print_error() {
 	error_message "Invalid value for HAVEROUTE - ($haveroute)"
 	error_message "Entry \"$address $interface $external $haveroute\" ignored"
@@ -1824,9 +1824,6 @@ setup_proxy_arp() {
 
 	ensure_and_save_command arp -i $external -Ds $address $external pub
 
-	run_and_save_command "echo 1 > /proc/sys/net/ipv4/conf/$interface/proxy_arp"
-	run_and_save_command "echo 0 > /proc/sys/net/ipv4/conf/$external/proxy_arp"
-
 	echo $address $interface $external $haveroute >> ${STATEDIR}/proxyarp
 
 	progress_message "   Host $address connected to $interface added to ARP on $external"
@@ -1838,9 +1835,19 @@ setup_proxy_arp() {
 
     while read address interface external haveroute persistent; do
 	expandv address interface external haveroute persistent
+	list_search $interface $setlist   || setlist="$setlist $interface"
+	list_search $external  $resetlist || list_search $external $setlist || resetlist="$resetlist $external"
 	setup_one_proxy_arp
     done < $TMP_DIR/proxyarp
 
+    for interface in $resetlist; do
+	run_and_save_command "echo 0 > /proc/sys/net/ipv4/conf/$interface/proxy_arp"
+    done
+
+    for interface in $setlist; do
+	run_and_save_command "echo 1 > /proc/sys/net/ipv4/conf/$interface/proxy_arp"
+    done
+
     interfaces=$(find_interfaces_by_option proxyarp)
 
     for interface in $interfaces; do

Shorewall2/releasenotes.txt

@@ -58,6 +58,14 @@ Problems corrected since 2.1.8
 2)  Rules where an IP range appears in both the source and destination
     now work correctly.
 
+3)  With complex proxy arp configurations involving two or more 
+    ordered pairs of interfaces, the /proc/sys/net/ipv4/conf/*/proxy_arp
+    flags were sometimes set incorrectly. This has been fixed.
+
+    Users looking at their restore file (generated by "shorewall save")
+    may see that one of these flags might be first reset then set in rapid
+    succession. This is expected and is harmless since the correct value
+    (1) results.
 -----------------------------------------------------------------------
 Issues when migrating from Shorewall 2.0 to Shorewall 2.1: