diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm index 53a164c48..7e35d0d80 100644 --- a/Shorewall/Perl/Shorewall/Config.pm +++ b/Shorewall/Perl/Shorewall/Config.pm @@ -460,6 +460,7 @@ sub initialize( $ ) { OPTIMIZE_ACCOUNTING => undef, DYNAMIC_BLACKLIST => undef, LOAD_HELPERS_ONLY => undef, + REQUIRE_INTERFACE => undef, # # Packet Disposition # @@ -580,6 +581,7 @@ sub initialize( $ ) { OPTIMIZE_ACCOUNTING => undef, DYNAMIC_BLACKLIST => undef, LOAD_HELPERS_ONLY => undef, + REQUIRE_INTERFACE => undef, # # Packet Disposition # @@ -2947,6 +2949,7 @@ sub get_configuration( $ ) { default_yes_no 'ACCOUNTING' , 'Yes'; default_yes_no 'OPTIMIZE_ACCOUNTING' , ''; default_yes_no 'DYNAMIC_BLACKLIST' , 'Yes'; + default_yes_no 'REQUIRE_INTERFACE' , ''; numeric_option 'TC_BITS', $config{WIDE_TC_MARKS} ? 14 : 8 , 0; numeric_option 'MASK_BITS', $config{WIDE_TC_MARKS} ? 16 : 8, $config{TC_BITS}; diff --git a/Shorewall/Perl/Shorewall/Providers.pm b/Shorewall/Perl/Shorewall/Providers.pm index 4db5ca2db..abd637179 100644 --- a/Shorewall/Perl/Shorewall/Providers.pm +++ b/Shorewall/Perl/Shorewall/Providers.pm @@ -853,7 +853,12 @@ sub handle_optional_interfaces() { my $physical = get_physical $interface; my $base = uc chain_base( $physical ); - emit ''; + emit( '' ); + + if ( $config{REQUIRE_INTERFACE} ) { + emit( 'HAVE_INTERFACE=' ); + emit( '' ); + } if ( $provider ) { # 
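Review bot: The `emit( 'HAVE_INTERFACE=' );` added in handle_optional_interfaces() comes right after the per-interface `my $physical` / `my $base` lines, so it appears to be emitted once per optional interface rather than once before all of them. The loop header is outside the hunk, so this needs confirming. If it is per interface, the generated script clears HAVE_INTERFACE before every usability test, and a usable interface followed by an unusable one leaves the variable empty. With REQUIRE_INTERFACE=Yes the start would then fail even though an interface is up, contradicting the release note's "If either come up, the firewall starts". Emit the reset once, ahead of the loop over the optional interfaces.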
@@ -873,12 +878,37 @@ sub handle_optional_interfaces() { emit qq(if interface_is_usable $physical; then); } + emit( ' HAVE_INTERFACE=Yes' ) if $config{REQUIRE_INTERFACE}; + emit( " SW_${base}_IS_USABLE=Yes" , 'else' , " SW_${base}_IS_USABLE=" , 'fi' ); } + if ( $config{REQUIRE_INTERFACE} ) { + emit( '', + 'if [ -z "$HAVE_INTERFACE" ]; then' , + ' case "$COMMAND" in', + ' start|restart|restore|refresh)' + ); + + if ( $family == F_IPV4 ) { + emit( ' if shorewall_is_started; then' ); + } else { + emit( ' if shorewall6_is_started; then' ); + } + + emit( ' fatal_error "No network interface available"', + ' else', + ' startup_error "No network interface available', + ' fi', + ' ;;', + ' esac', + 'fi' + ); + } + $returnvalue = 1; } diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index 7e6cdc18a..652ddca6f 100644 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt @@ -342,6 +342,19 @@ None. Please note that the action is carried out using the current compiled script; the configuration is not recompiled. + A new option has been added to shorewall.conf and + shorewall6.conf. The REQUIRE_INTERFACE option determines the + outcome when an attempt to start/restart/restore/refresh the + firewall is made and none of the optional interfaces are available. + With REQUIRE_INTERFACE=No (the default), the operation is + performed. If REQUIRE_INTERFACE=Yes, then the operation fails and + the firewall is placed in the stopped state. This option is + suitable for a laptop with both ethernet and wireless + interfaces. If either come up, the firewall starts. If neither + comes up, the firewall remains in the stopped state. Similarly, if + an optional interface goes down and there are no optional + interfaces remaining in the up state, then the firewall is stopped. + ---------------------------------------------------------------------------- V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S I N P R I O R R E L E A S E S
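Review bot: The emitted `startup_error "No network interface available` line has no closing double quote, unlike the `fatal_error` line two lines above it. With REQUIRE_INTERFACE=Yes the generated script therefore contains an unterminated string, so the shell either rejects the script or folds the following `fi` / `;;` / `esac` lines into the message. Change the list element to `' startup_error "No network interface available"',`. Because this branch decides whether the firewall comes up with no interface present, it is worth compiling once with the option set and running `sh -n` on the generated script. The enclosing handle_optional_interfaces() starts and ends outside the hunk.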