From 54eb78d9b0cf9c61ba5820473726a20b02ab75fe Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Sat, 19 Dec 2009 13:47:12 -0800
Subject: [PATCH] Handle kernel 2.6.31 and rp_filter

---
 Shorewall/Perl/Shorewall/Config.pm | 27 ++++++++++++++++++++++-----
 Shorewall/Perl/Shorewall/Proc.pm | 20 +++++++++++---------
 Shorewall/Perl/Shorewall/Zones.pm | 7 ++++++-
 3 files changed, 39 insertions(+), 15 deletions(-)

diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
index da6cb750b..bee7e48f1 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -2239,8 +2239,8 @@ sub read_capabilities() {
 }
 unless ( $capabilities{KERNELVERSION} ) {
- warning_message "Your capabilities file does not contain a Kernel Version -- using the local kernel's version";
- determine_kernelversion;
+ warning_message "Your capabilities file does not contain a Kernel Version -- using 2.6.30";
+ $capabilities{KERNELVERSION} = 20630;
 }
 }
@@ -2349,7 +2349,26 @@ sub get_configuration( $ ) {
 }
 check_trivalue ( 'IP_FORWARDING', 'on' );
- check_trivalue ( 'ROUTE_FILTER', '' );
 fatal_error "ROUTE_FILTER=On is not supported in IPv6" if $config{ROUTE_FILTER} eq 'on' && $family == F_IPV6;
+
+ my $val;
+
+ if ( $capabilities{KERNELVERSION} < 20631 ) {
+ check_trivalue ( 'ROUTE_FILTER', '' );
+ } else {
+ $val = $capabilities{ROUTE_FILTER};
+ if ( defined $val ) {
+ if ( $val =~ /\d+/ ) {
+ fatal_error "Invalid value ($val) for ROUTE_FILTER" unless $val < 3;
+ } else {
+ check_trivalue( 'ROUTE_FILTER', '' );
+ }
+ }
+ }
+
+ if ( $family == F_IPV6 ) {
+ $val = $capabilities{ROUTE_FILTER};
+ fatal_error "ROUTE_FILTER=$val is not supported in IPv6" unless $val eq 'off' || $val eq '';
+ }
 if ( $family == F_IPV4 ) {
 check_trivalue ( 'LOG_MARTIANS', 'on' );
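Review bot: The fallback `$capabilities{KERNELVERSION} = 20630;` pins every host whose capabilities file predates the KERNELVERSION entry to the pre-2.6.31 code path, and nothing in the hunk records why that value was chosen; the second get_configuration hunk and both Proc.pm hunks branch on `< 20631`, so a newer kernel described by an old capabilities file gets the old unconditional `echo 1 > .../all/rp_filter` and, presumably, has numeric ROUTE_FILTER values rejected by check_trivalue. Please add a comment above the assignment, e.g. `# No KERNELVERSION in the capabilities file: assume the last kernel before the 2.6.31 rp_filter semantics, so the '< 20631' branches in get_configuration and Proc.pm are taken`, and consider a named constant instead of repeating 20630/20631 in four places. The body of read_capabilities continues outside the hunk.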
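Review bot: Both new reads of `$capabilities{ROUTE_FILTER}`, in the `else` branch and in the `$family == F_IPV6` block, look like they should be `$config{ROUTE_FILTER}`: ROUTE_FILTER is a shorewall.conf setting (the `fatal_error` line just above and Proc.pm read it from `%config`), and nothing on the page stores it in `%capabilities`. As written `$val` is undef on 2.6.31+ kernels, so both the numeric check and the `check_trivalue` fallback are skipped, an unnormalised value such as `On` or `5` reaches Proc.pm, and the IPv6 test never fires because undef compares `eq ''`. The numeric test should also be anchored, `if ( $val =~ /^\d+$/ ) {`, so that a value like `-1` or `1x` cannot satisfy `$val < 3` and be interpolated into the `echo` commands of the generated script. get_configuration continues outside the hunk.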
@@ -2437,8 +2456,6 @@ sub get_configuration( $ ) {
 default_yes_no 'WIDE_TC_MARKS' , '';
 default_yes_no 'TRACK_PROVIDERS' , '';
- my $val;
-
 if ( defined ( $val = $config{ZONE2ZONE} ) ) {
 fatal_error "Invalid ZONE2ZONE value ( $val )" unless $val =~ /^[2-]$/;
 } else {
diff --git a/Shorewall/Perl/Shorewall/Proc.pm b/Shorewall/Perl/Shorewall/Proc.pm
index d3ba09d47..bc0364d4f 100644
--- a/Shorewall/Perl/Shorewall/Proc.pm
+++ b/Shorewall/Perl/Shorewall/Proc.pm
@@ -96,16 +96,18 @@ sub setup_arp_filtering() {
 sub setup_route_filtering() {
 my $interfaces = find_interfaces_by_option 'routefilter';
+ my $config = $config{ROUTE_FILTER};
- if ( @$interfaces || $config{ROUTE_FILTER} ) {
+ if ( @$interfaces || $config ) {
 progress_message2 "$doing Kernel Route Filtering...";
 save_progress_message "Setting up Route Filtering...";
+ my $val = '';
- if ( $config{ROUTE_FILTER} ) {
- my $val = $config{ROUTE_FILTER} eq 'on' ? 1 : 0;
+ if ( $config{ROUTE_FILTER} ne '' ) {
+ $val = $config eq 'on' ? 1 : $config eq 'off' ? 0 : $config;
 emit ( 'for file in /proc/sys/net/ipv4/conf/*; do',
 " [ -f \$file/rp_filter ] && echo $val > \$file/rp_filter",
@@ -128,14 +130,14 @@ sub setup_route_filtering() {
 emit "fi\n";
 }
- emit 'echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter';
-
- if ( $config{ROUTE_FILTER} eq 'on' ) {
- emit 'echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter';
- } elsif ( $config{ROUTE_FILTER} eq 'off' ) {
- emit 'echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter';
+ if ( $capabilities{KERNELVERSION} < 20631 ) {
+ emit 'echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter';
+ } elsif ( $val ne '' ) {
+ emit "echo $val > /proc/sys/net/ipv4/conf/all/rp_filter";
 }
+ emit "echo $val > /proc/sys/net/ipv4/conf/default/rp_filter" if $val ne '';
+
 emit "[ -n \"\$NOROUTES\" ] || \$IP -4 route flush cache";
 }
 }
diff --git a/Shorewall/Perl/Shorewall/Zones.pm b/Shorewall/Perl/Shorewall/Zones.pm
index 7496b0cec..61bc05c9d 100644
--- a/Shorewall/Perl/Shorewall/Zones.pm
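Review bot: `if ( @$interfaces || $config )` tests the new lexical for truth, so a numeric ROUTE_FILTER of `0` (which the Config.pm hunk accepts on 2.6.31+ via `$val < 3`) is treated like an unset option whenever no interface carries `routefilter`: the whole block is skipped, including the `echo 0 > .../default/rp_filter` write that the later `$val ne ''` test would otherwise emit, while `off` on an older kernel still enters it. Use the same test as the inner condition, `if ( @$interfaces || $config ne '' ) {`. Naming the lexical `$config` next to the package hash `%config` is also easy to misread (on the `ne ''` line `$config{ROUTE_FILTER}` is the hash and `$config` the scalar); a name such as `$filter` would avoid that and let the inner test use it consistently. setup_route_filtering continues past the end of the hunk.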
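Review bot: On a 2.6.31+ kernel with ROUTE_FILTER unset but some interfaces carrying `routefilter`, the new branch writes nothing to `/proc/sys/net/ipv4/conf/all/rp_filter` (`$val` is `''`), so the generated script now leaves whatever value the distribution booted with. If the 2.6.31 change this commit targets is the one where the effective setting became the larger of `all` and the per-interface value, a distribution default of `all=1` would then mask an explicit `routefilter=0` or the new `routefilter=2` on an interface; consider emitting `echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter` in that case, or at least a comment stating that `all` is intentionally left untouched. The two `echo $val` lines also rely on Config.pm having validated `$val`; a short comment such as `# $val is '', 0, 1 or 2 here (checked in get_configuration)` would make that contract visible where the value is written into the script. `$val` is declared in the earlier hunk of this function, outside this one.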
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -178,6 +178,10 @@ use constant { SIMPLE_IF_OPTION => 1,
 our %validinterfaceoptions;
+our %defaultinterfaceoptions = ( routefilter => 1 );
+
+our %maxoptionvalue = ( routefilter => 2, mss => 100000 );
+
 our %validhostoptions;
 #
@@ -850,9 +854,10 @@ sub process_interface( $ ) {
 assert( 0 );
 }
 } elsif ( $type == NUMERIC_IF_OPTION ) {
+ $value = $defaultinterfaceoptions{$option} unless defined $value;
 fatal_error "The '$option' option requires a value" unless defined $value;
 my $numval = numeric_value $value;
- fatal_error "Invalid value ($value) for option $option" unless defined $numval;
+ fatal_error "Invalid value ($value) for option $option" unless defined $numval && $numval <= $maxoptionvalue{$option};
 $options{$option} = $numval;
 $hostoptions{$option} = $numval if $hostopt;
 } elsif ( $type == IPLIST_IF_OPTION ) {
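Review bot: The new `$numval <= $maxoptionvalue{$option}` guard runs for every NUMERIC_IF_OPTION, but the table added in the first Zones.pm hunk only has entries for `routefilter` and `mss`; for any other numeric option the lookup is undef, the comparison is evaluated as `$numval <= 0` (with a warning), and every positive value is rejected as invalid. If the table is meant to be partial, make a missing entry mean "no limit": `my $max = $maxoptionvalue{$option};` followed by `fatal_error "Invalid value ($value) for option $option" unless defined $numval && ( ! defined $max || $numval <= $max );`. If instead every numeric option is meant to have a bound, a comment above `%maxoptionvalue` saying so would keep future options from silently hitting this path. %validinterfaceoptions is not visible here, so whether a third NUMERIC_IF_OPTION exists cannot be verified from the page; process_interface continues outside the hunk.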