extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-02-18 02:31:11 +01:00
Code Issues Packages Projects Releases Wiki Activity

Handle kernel 2.6.31 and rp_filter

Browse Source
This commit is contained in:
Tom Eastep 2009-12-19 13:47:12 -08:00
parent 74a4d48840
commit 54eb78d9b0
3 changed files with 39 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
Shorewall/Perl/Shorewall/Config.pm
View File

@ -2239,8 +2239,8 @@ sub read_capabilities() {
} }
unless ( $capabilities{KERNELVERSION} ) { unless ( $capabilities{KERNELVERSION} ) {
warning_message "Your capabilities file does not contain a Kernel Version -- using the local kernel's version"; warning_message "Your capabilities file does not contain a Kernel Version -- using 2.6.30";
determine_kernelversion; $capabilities{KERNELVERSION} = 20630;
} }
} }
@ -2349,7 +2349,26 @@ sub get_configuration( $ ) {
} }
check_trivalue ( 'IP_FORWARDING', 'on' ); check_trivalue ( 'IP_FORWARDING', 'on' );
check_trivalue ( 'ROUTE_FILTER', '' ); fatal_error "ROUTE_FILTER=On is not supported in IPv6" if $config{ROUTE_FILTER} eq 'on' && $family == F_IPV6;
my $val;
if ( $capabilities{KERNELVERSION} < 20631 ) {
check_trivalue ( 'ROUTE_FILTER', '' );
} else {
$val = $capabilities{ROUTE_FILTER};
if ( defined $val ) {
if ( $val =~ /\d+/ ) {
fatal_error "Invalid value ($val) for ROUTE_FILTER" unless $val < 3;
} else {
check_trivalue( 'ROUTE_FILTER', '' );
}
}
}
if ( $family == F_IPV6 ) {
$val = $capabilities{ROUTE_FILTER};
fatal_error "ROUTE_FILTER=$val is not supported in IPv6" unless $val eq 'off' || $val eq '';
}
if ( $family == F_IPV4 ) { if ( $family == F_IPV4 ) {
check_trivalue ( 'LOG_MARTIANS', 'on' ); check_trivalue ( 'LOG_MARTIANS', 'on' );
@ -2437,8 +2456,6 @@ sub get_configuration( $ ) {
default_yes_no 'WIDE_TC_MARKS' , ''; default_yes_no 'WIDE_TC_MARKS' , '';
default_yes_no 'TRACK_PROVIDERS' , ''; default_yes_no 'TRACK_PROVIDERS' , '';
my $val;
if ( defined ( $val = $config{ZONE2ZONE} ) ) { if ( defined ( $val = $config{ZONE2ZONE} ) ) {
fatal_error "Invalid ZONE2ZONE value ( $val )" unless $val =~ /^[2-]$/; fatal_error "Invalid ZONE2ZONE value ( $val )" unless $val =~ /^[2-]$/;
} else { } else {

20
Shorewall/Perl/Shorewall/Proc.pm
View File

@ -96,16 +96,18 @@ sub setup_arp_filtering() {
sub setup_route_filtering() { sub setup_route_filtering() {
my $interfaces = find_interfaces_by_option 'routefilter'; my $interfaces = find_interfaces_by_option 'routefilter';
my $config = $config{ROUTE_FILTER};
if ( @$interfaces || $config{ROUTE_FILTER} ) { if ( @$interfaces || $config ) {
progress_message2 "$doing Kernel Route Filtering..."; progress_message2 "$doing Kernel Route Filtering...";
save_progress_message "Setting up Route Filtering..."; save_progress_message "Setting up Route Filtering...";
my $val = '';
if ( $config{ROUTE_FILTER} ) { if ( $config{ROUTE_FILTER} ne '' ) {
my $val = $config{ROUTE_FILTER} eq 'on' ? 1 : 0; $val = $config eq 'on' ? 1 : $config eq 'off' ? 0 : $config;
emit ( 'for file in /proc/sys/net/ipv4/conf/*; do', emit ( 'for file in /proc/sys/net/ipv4/conf/*; do',
" [ -f \$file/rp_filter ] && echo $val > \$file/rp_filter", " [ -f \$file/rp_filter ] && echo $val > \$file/rp_filter",
@ -128,14 +130,14 @@ sub setup_route_filtering() {
emit "fi\n"; emit "fi\n";
} }
emit 'echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter'; if ( $capabilities{KERNELVERSION} < 20631 ) {
emit 'echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter';
if ( $config{ROUTE_FILTER} eq 'on' ) { } elsif ( $val ne '' ) {
emit 'echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter'; emit "echo $val > /proc/sys/net/ipv4/conf/all/rp_filter";
} elsif ( $config{ROUTE_FILTER} eq 'off' ) {
emit 'echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter';
} }
emit "echo $val > /proc/sys/net/ipv4/conf/default/rp_filter" if $val ne '';
emit "[ -n \"\$NOROUTES\" ] || \$IP -4 route flush cache"; emit "[ -n \"\$NOROUTES\" ] || \$IP -4 route flush cache";
} }
} }

7
Shorewall/Perl/Shorewall/Zones.pm
View File

@ -178,6 +178,10 @@ use constant { SIMPLE_IF_OPTION => 1,
our %validinterfaceoptions; our %validinterfaceoptions;
our %defaultinterfaceoptions = ( routefilter => 1 );
our %maxoptionvalue = ( routefilter => 2, mss => 100000 );
our %validhostoptions; our %validhostoptions;
# #
@ -850,9 +854,10 @@ sub process_interface( $ ) {
assert( 0 ); assert( 0 );
} }
} elsif ( $type == NUMERIC_IF_OPTION ) { } elsif ( $type == NUMERIC_IF_OPTION ) {
$value = $defaultinterfaceoptions{$option} unless defined $value;
fatal_error "The '$option' option requires a value" unless defined $value; fatal_error "The '$option' option requires a value" unless defined $value;
my $numval = numeric_value $value; my $numval = numeric_value $value;
fatal_error "Invalid value ($value) for option $option" unless defined $numval; fatal_error "Invalid value ($value) for option $option" unless defined $numval && $numval <= $maxoptionvalue{$option};
$options{$option} = $numval; $options{$option} = $numval;
$hostoptions{$option} = $numval if $hostopt; $hostoptions{$option} = $numval if $hostopt;
} elsif ( $type == IPLIST_IF_OPTION ) { } elsif ( $type == IPLIST_IF_OPTION ) {