Configure /proc during 'enable' processing.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2024-11-26 09:33:14 +01:00 · 2011-08-27 09:21:02 -07:00 · 2011-08-27 09:21:02 -07:00 · 5d21b55ecc
commit 5d21b55ecc
parent cedf203c21
3 changed files with 66 additions and 2 deletions
--- a/Shorewall/Perl/Shorewall/Proc.pm
+++ b/Shorewall/Perl/Shorewall/Proc.pm
@ -40,7 +40,7 @@ our @EXPORT = qw(
 		 setup_source_routing
 		 setup_forwarding
 		 );
-our @EXPORT_OK = qw( );
+our @EXPORT_OK = qw( setup_interface_proc );
 our $VERSION = 'MODULEVERSION';

 #
@ -277,4 +277,45 @@ sub setup_forwarding( $$ ) {
    }
 }

+sub setup_interface_proc( $ ) {
+    my $interface = shift;
+    my $physical  = get_physical $interface;
+    my $value;
+    my @emitted;
+
+    if ( interface_has_option( $interface, 'arp_filter' , $value ) ) {
+	push @emitted, "echo $value > /proc/sys/net/ipv4/conf/$physical/arp_filter";
+    }
+	 
+    if ( interface_has_option( $interface, 'arp_ignore' , $value ) ) {
+	push @emitted, "echo $value > /proc/sys/net/ipv4/conf/$physical/arp_ignore";
+    }
+
+    if ( interface_has_option( $interface, 'routefilter' , $value ) ) {
+	push @emitted, "echo $value > /proc/sys/net/ipv4/conf/$physical/rp_filter";
+    }
+
+    if ( interface_has_option( $interface, 'logmartians' , $value ) ) {
+	push @emitted, "echo $value > /proc/sys/net/ipv4/conf/$physical/log_martians";
+    }
+
+    if ( interface_has_option( $interface, 'sourceroute' , $value ) ) {
+	push @emitted, "echo $value > /proc/sys/net/ipv4/conf/$physical/accept_source_route";
+    }
+
+    if ( interface_has_option( $interface, 'sourceroute' , $value ) ) {
+	push @emitted, "echo $value > /proc/sys/net/ipv4/conf/$physical/accept_source_route";
+    }
+
+    if ( @emitted ) {
+	emit( '',
+	      'if [ $COMMAND = enable ]; then' );
+	push_indent;
+	emit "$_" for @emitted;
+	pop_indent;
+	emit "fi\n";
+    }
+}
+	 
+
 1;
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@ -29,6 +29,7 @@ use Shorewall::Config qw(:DEFAULT :internal);
 use Shorewall::IPAddrs;
 use Shorewall::Zones;
 use Shorewall::Chains qw(:DEFAULT :internal);
+use Shorewall::Proc qw( setup_interface_proc );

 use strict;

@ -143,6 +144,8 @@ sub copy_table( $$$ ) {
    #
    my $filter = $family == F_IPV6 ? q(sed 's/ via :: / /' | ) : '';

+    emit '';
+
    if ( $realm ) {
 	emit  ( "\$IP -$family -o route show table $duplicate | sed -r 's/ realm [[:alnum:]_]+//' | while read net route; do" )
    } else {
@ -174,6 +177,8 @@ sub copy_and_edit_table( $$$$ ) {
    # Shell and iptables use a different wildcard character
    #
    $copy =~ s/\+/*/;
+    
+    emit '';

    if ( $realm ) {
 	emit  ( "\$IP -$family -o route show table $duplicate | sed -r 's/ realm [[:alnum:]]+//' | while read net route; do" )
@ -441,7 +446,6 @@ sub add_a_provider( $ ) {
 	} else {
 	    start_provider( $table, $number, "if interface_is_usable $physical; then" );
 	}
-
 	$provider_interfaces{$interface} = $table;

 	if ( $gatewaycase eq 'none' ) {
@ -453,6 +457,8 @@ sub add_a_provider( $ ) {
 	}
    }

+    setup_interface_proc( $interface );
+
    if ( $mark ne '-' ) {
 	my $mask = have_capability 'FWMARK_RT_MASK' ? '/' . in_hex $globals{PROVIDER_MASK} : '';

--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@ -73,6 +73,7 @@ our @EXPORT = qw( NOTHING
 		  find_interfaces_by_option
 		  find_interfaces_by_option1
 		  get_interface_option
+		  interface_has_option
 		  set_interface_option
 		  interface_zones
 		  verify_required_interfaces
@ -1409,6 +1410,22 @@ sub get_interface_option( $$ ) {
    
 }

+#
+# Return the value of an option for an interface
+#
+sub interface_has_option( $$\$ ) {
+    my ( $interface, $option, $value ) = @_;
+
+    my $ref = $interfaces{$interface};
+
+    $ref = known_interface( $interface ) unless $ref;
+
+    if ( exists $ref->{options}{$option} ) {
+	$$value = $ref->{options}{$option};
+	1;
+    }
+}
+
 #
 # Set an option for an interface
 #