diff --git a/Shorewall/Perl/Shorewall/Proc.pm b/Shorewall/Perl/Shorewall/Proc.pm
index 196325d9d..a236461f2 100644
--- a/Shorewall/Perl/Shorewall/Proc.pm
+++ b/Shorewall/Perl/Shorewall/Proc.pm
@@ -40,7 +40,7 @@ our @EXPORT = qw( setup_source_routing setup_forwarding );
-our @EXPORT_OK = qw( );
+our @EXPORT_OK = qw( setup_interface_proc );
 our $VERSION = 'MODULEVERSION';
 #
@@ -277,4 +277,45 @@ sub setup_forwarding( $$ ) {
 }
 }
+sub setup_interface_proc( $ ) {
+ my $interface = shift;
+ my $physical = get_physical $interface;
+ my $value;
+ my @emitted;
+
+ if ( interface_has_option( $interface, 'arp_filter' , $value ) ) {
+ push @emitted, "echo $value > /proc/sys/net/ipv4/conf/$physical/arp_filter";
+ }
+
+ if ( interface_has_option( $interface, 'arp_ignore' , $value ) ) {
+ push @emitted, "echo $value > /proc/sys/net/ipv4/conf/$physical/arp_ignore";
+ }
+
+ if ( interface_has_option( $interface, 'routefilter' , $value ) ) {
+ push @emitted, "echo $value > /proc/sys/net/ipv4/conf/$physical/rp_filter";
+ }
+
+ if ( interface_has_option( $interface, 'logmartians' , $value ) ) {
+ push @emitted, "echo $value > /proc/sys/net/ipv4/conf/$physical/log_martians";
+ }
+
+ if ( interface_has_option( $interface, 'sourceroute' , $value ) ) {
+ push @emitted, "echo $value > /proc/sys/net/ipv4/conf/$physical/accept_source_route";
+ }
+
+ if ( interface_has_option( $interface, 'sourceroute' , $value ) ) {
+ push @emitted, "echo $value > /proc/sys/net/ipv4/conf/$physical/accept_source_route";
+ }
+
+ if ( @emitted ) {
+ emit( '',
+ 'if [ $COMMAND = enable ]; then' );
+ push_indent;
+ emit "$_" for @emitted;
+ pop_indent;
+ emit "fi\n";
+ }
+}
+
+
 1;
diff --git a/Shorewall/Perl/Shorewall/Providers.pm b/Shorewall/Perl/Shorewall/Providers.pm
index d0a212021..35497d992 100644
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
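Review bot: The `sourceroute` block in setup_interface_proc is emitted twice — the two `if ( interface_has_option( $interface, 'sourceroute' , $value ) )` blocks are identical, so an interface carrying that option gets the same `echo $value > /proc/sys/net/ipv4/conf/$physical/accept_source_route` line written twice into the generated script; delete the second copy. `$value` and `$physical` are interpolated unquoted into that shell line, so the generated script is only as safe as the validation the interfaces-file parser applied to the option value (a bare integer is what the /proc entries expect); that validation is not shown in this diff and is worth confirming. The new sub also relies on `get_physical` and the newly exported `interface_has_option` from Shorewall::Zones, while Proc.pm's import block is not part of this change, so it presumably already has `use Shorewall::Zones;`. A header comment in the file's `#` style would help, e.g. `# Emit the per-interface /proc settings for a provider interface; they are only applied when $COMMAND is 'enable'`.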
@@ -29,6 +29,7 @@ use Shorewall::Config qw(:DEFAULT :internal);
 use Shorewall::IPAddrs;
 use Shorewall::Zones;
 use Shorewall::Chains qw(:DEFAULT :internal);
+use Shorewall::Proc qw( setup_interface_proc );
 use strict;
@@ -143,6 +144,8 @@ sub copy_table( $$$ ) {
 #
 my $filter = $family == F_IPV6 ? q(sed 's/ via :: / /' | ) : '';
+ emit '';
+
 if ( $realm ) {
 emit ( "\$IP -$family -o route show table $duplicate | sed -r 's/ realm [[:alnum:]_]+//' | while read net route; do" )
 } else {
@@ -174,6 +177,8 @@ sub copy_and_edit_table( $$$$ ) {
 # Shell and iptables use a different wildcard character
 #
 $copy =~ s/\+/*/;
+
+ emit '';
 if ( $realm ) {
 emit ( "\$IP -$family -o route show table $duplicate | sed -r 's/ realm [[:alnum:]]+//' | while read net route; do" )
@@ -441,7 +446,6 @@ sub add_a_provider( $ ) {
 } else {
 start_provider( $table, $number, "if interface_is_usable $physical; then" );
 }
- $provider_interfaces{$interface} = $table;
 if ( $gatewaycase eq 'none' ) {
@@ -453,6 +457,8 @@ sub add_a_provider( $ ) {
 }
 }
+ setup_interface_proc( $interface );
+
 if ( $mark ne '-' ) {
 my $mask = have_capability 'FWMARK_RT_MASK' ? '/' . in_hex $globals{PROVIDER_MASK} : '';
diff --git a/Shorewall/Perl/Shorewall/Zones.pm b/Shorewall/Perl/Shorewall/Zones.pm
index dda524035..720b5e26a 100644
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -73,6 +73,7 @@ our @EXPORT = qw( NOTHING
 find_interfaces_by_option
 find_interfaces_by_option1
 get_interface_option
+ interface_has_option
 set_interface_option
 interface_zones
 verify_required_interfaces
@@ -1409,6 +1410,22 @@ sub get_interface_option( $$ ) {
 }
+#
+# Return the value of an option for an interface
+#
+sub interface_has_option( $$\$ ) {
+ my ( $interface, $option, $value ) = @_;
+
+ my $ref = $interfaces{$interface};
+
+ $ref = known_interface( $interface ) unless $ref;
+
+ if ( exists $ref->{options}{$option} ) {
+ $$value = $ref->{options}{$option};
+ 1;
+ }
+}
+
 #
 # Set an option for an interface
 #
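Review bot: The header comment on interface_has_option says it returns the option's value, but the sub returns a true/false result and hands the value back through the `\$` reference argument, and when the option is absent its return is the implicit value of the failed `if` test rather than an explicit false; replace the comment with `# Return true and store the option's value in $$value if the interface has the option; otherwise return false` and make the two exits explicit with `return 1;` inside the branch and `return;` after it. If `known_interface( $interface )` can return undef for an unknown name (not visible here), `exists $ref->{options}{$option}` appears to autovivify `$ref` and silently report "no option" instead of surfacing the bad interface, so a `defined $ref` check that reports the name before that line would be safer. The `( $$\$ )` prototype obliges callers to pass a plain scalar variable as the third argument, which the call sites added in Proc.pm do.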