Make ROUTE_FILTER and LOG_MARTIANS tri-valued

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@6052 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2025-06-03 00:15:54 +02:00 · 2007-04-21 21:24:38 +00:00 · 2007-04-21 21:24:38 +00:00 · 9c9546c55a
commit 9c9546c55a
parent 145d33c044
8 changed files with 82 additions and 21 deletions
--- a/Shorewall-common/changelog.txt
+++ b/Shorewall-common/changelog.txt
@ -4,6 +4,10 @@ Changes in 3.9.4
 2)  Fix log_martians.
 3)  Make LOG_MARTIANS and ROUTE_FILTER tri-valued.
 4)  Fix arp_ignore.
 Changes in 3.9.3
 1)  Apply Steven Springl's patch for port checking.
--- a/Shorewall-common/lib.config
+++ b/Shorewall-common/lib.config
@ -1863,7 +1863,45 @@ do_initialize() {
 	IP_FORWARDING=On
    fi
-   [ -n "${BLACKLIST_DISPOSITION:=DROP}" ]
+    if [ -n "$ROUTE_FILTER" ]; then
 	case "$ROUTE_FILTER" in
 	    Yes|yes|YES)
 		ROUTE_FILTER=yes
 		;;
 	    No|no|NO)
 		ROUTE_FILTER=no
 		;;
 	    Keep|keep|KEEP)
 		ROUTE_FILTER=
 		;;
 	    *)
 		startup_error "Invalid value ($ROUTE_FILTER) for ROUTE_FILTER"
 		;;
 	esac
    else
 	ROUTE_FILTER=yes
    fi
    if [ -n "$LOG_MARTIANS" ]; then
 	case "$LOG_MARTIANS" in
 	    Yes|yes|YES)
 		LOG_MARTIANS=yes
 		;;
 	    No|no|NO)
 		LOG_MARTIANS=no
 		;;
 	    Keep|keep|KEEP)
 		LOG_MARTIANS=
 		;;
 	    *)
 		startup_error "Invalid value ($LOG_MARTIANS) for LOG_MARTIANS"
 		;;
 	esac
    else
 	LOG_MARTIANS=yes
    fi
    [ -n "${BLACKLIST_DISPOSITION:=DROP}" ]
    case "$CLAMPMSS" in
 	[0-9]*)
@ -1874,8 +1912,6 @@ do_initialize() {
    esac
    ADD_SNAT_ALIASES=$(added_param_value_no ADD_SNAT_ALIASES $ADD_SNAT_ALIASES)
    ROUTE_FILTER=$(added_param_value_no ROUTE_FILTER $ROUTE_FILTER)
    LOG_MARTIANS=$(added_param_value_no LOG_MARTIANS $LOG_MARTIANS)
    DETECT_DNAT_IPADDRS=$(added_param_value_no DETECT_DNAT_IPADDRS $DETECT_DNAT_IPADDRS)
    MACLIST_TARGET=reject
--- a/Shorewall-common/releasenotes.txt
+++ b/Shorewall-common/releasenotes.txt
@ -22,9 +22,17 @@ Problems corrected in 3.9.4.
 2)  logmartions=0 was being treated the same as logmartians=1.
 3)  arp_ignore caused an internal error in validate_interfaces_file().
 Other changes in Shorewall 3.9.4
-None.
+1)  The LOG_MARTIANS and ROUTE_FILTER options are not tri-valued.
 	Yes -  Same as before
 	No  -  Same as before except that it applies regardless of
 	       whether any interfaces have the logmartians/routefilter
 	       option
 	Keep - Shorewall ignores the option entirely.
 Migration Considerations:
--- a/Shorewall-perl/Shorewall/Config.pm
+++ b/Shorewall-perl/Shorewall/Config.pm
@ -792,10 +792,22 @@ sub get_configuration( $ ) {
 	$config{IP_FORWARDING} = 'On';
    }
    if ( $config{ROUTE_FILTER} ) {
 	fatal_error "Invalid value ( $config{ROUTE_FILTER} ) for ROUTE_FILTER"
 	    unless $config{ROUTE_FILTER} =~ /^(Yes|No|Keep)$/i;
    } else {
 	$config{ROUTE_FILTER} = 'Keep';
    }
    if ( $config{LOG_MARTIANS} ) {
 	fatal_error "Invalid value ( $config{LOG_MARTIANS} ) for LOG_MARTIANS"
 	    unless $config{LOG_MARTIANS} =~ /^(Yes|No|Keep)$/i;
    } else {
 	$config{LOG_MARTIANS} = 'Keep';
    }
    default_yes_no 'ADD_IP_ALIASES'             , 'Yes';
    default_yes_no 'ADD_SNAT_ALIASES'           , '';
    default_yes_no 'ROUTE_FILTER'               , '';
    default_yes_no 'LOG_MARTIANS'               , '';
    default_yes_no 'DETECT_DNAT_IPADDRS'        , '';
    default_yes_no 'DETECT_DNAT_IPADDRS'        , '';
    default_yes_no 'CLEAR_TC'                   , 'Yes';
--- a/Shorewall-perl/Shorewall/Interfaces.pm
+++ b/Shorewall-perl/Shorewall/Interfaces.pm
@ -208,11 +208,11 @@ sub validate_interfaces_file()
 		    $options{$option} = $value;
 		} elsif ( $type == ENUM_IF_OPTION ) {
 		    fatal_error "The $option option may not be used with a wild-card interface name" if $wildcard;
-		    if ( $option eq 'arp_filter' ) {
+		    if ( $option eq 'arp_ignore' ) {
 			if ( $value =~ /^[1-3,8]$/ ) {
-			    $options{arp_filter} = $value;
+			    $options{arp_ignore} = $value;
 			} else {
-			    fatal_error "Invalid value ($value) for arp_filter";
+			    fatal_error "Invalid value ($value) for arp_ignore";
 			}
 		    } else {
 			fatal_error "Internal Error in validate_interfaces_file"
--- a/Shorewall-perl/Shorewall/Proc.pm
+++ b/Shorewall-perl/Shorewall/Proc.pm
@ -95,7 +95,7 @@ sub setup_route_filtering() {
    my $interfaces = find_interfaces_by_option 'routefilter';
-    if ( @$interfaces || $config{ROUTE_FILTER} ) {
+    if ( @$interfaces || ! ( $config{ROUTE_FILTER} =~ /keep/i ) ) {
 	progress_message2 "$doing Kernel Route Filtering...";
@ -114,9 +114,9 @@ sub setup_route_filtering() {
 	emit 'echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter';
-	if ( $config{ROUTE_FILTER} ) {
+	if ( $config{ROUTE_FILTER} =~ /yes/i ) {
 	    emit 'echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter';
-	} else {
+	} elsif (  $config{ROUTE_FILTER} =~ /no/i ) {
 	    emit 'echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter';
 	}
@ -131,7 +131,7 @@ sub setup_route_filtering() {
 sub setup_martian_logging() {
    my $interfaces = find_interfaces_by_option 'logmartians';
-    if ( @$interfaces || $config{LOG_MARTIANS} ) {
+    if ( @$interfaces || ! ( $config{LOG_MARTIANS} =~ /keep/i ) ) {
 	progress_message2 "$doing Martian Logging...";
@ -149,14 +149,13 @@ sub setup_martian_logging() {
 	    emit   "fi\n";
 	}
-	if ( $config{LOG_MARTIANS} ) {
+	if ( $config{LOG_MARTIANS} =~ /yes/i ) {
 	    emit 'echo 1 > /proc/sys/net/ipv4/conf/all/log_martians';
 	    emit 'echo 1 > /proc/sys/net/ipv4/conf/default/log_martians';
-	} else {
+	} elsif ( $config{LOG_MARTIANS} =~ /no/i ) {
 	    emit 'echo 0 > /proc/sys/net/ipv4/conf/all/log_martians';
 	    emit 'echo 0 > /proc/sys/net/ipv4/conf/default/log_martians';
 	}
    }
 }
--- a/Shorewall-perl/Shorewall/Rules.pm
+++ b/Shorewall-perl/Shorewall/Rules.pm
@ -1108,7 +1108,9 @@ sub process_rule1 ( $$$$$$$$$ ) {
 }
 #
-# Process a Record in the rules file
+# Process a Record in the rules file 
 #
 #     Deals with the ugliness of wildcard zones ('all' in rules).
 #
 sub process_rule ( $$$$$$$$$ ) {
    my ( $target, $source, $dest, $proto, $ports, $sports, $origdest, $ratelimit, $user ) = @_;
--- a/Shorewall-shell/compiler
+++ b/Shorewall-shell/compiler
@ -3715,7 +3715,7 @@ __EOF__
 	save_progress_message "Setting up Route Filtering..."
-	if [ -z "$ROUTE_FILTER" ]; then
+	if [ "$ROUTE_FILTER" = no ]; then
 	    indent >&3 << __EOF__
 for f in /proc/sys/net/ipv4/conf/*; do
@ -3739,7 +3739,7 @@ __EOF__
 	save_command "echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter"
-	if [ -n "$ROUTE_FILTER" ]; then
+	if [ "$ROUTE_FILTER" = yes ]; then
 	    save_command "echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter"
 	fi
@ -3756,7 +3756,7 @@ __EOF__
 	save_progress_message "Setting up Martian Logging..."
-	if [ -z "$LOG_MARTIANS" ]; then
+	if [ "$LOG_MARTIANS" = no ]; then
 	    indent >&3 << __EOF__
 for f in /proc/sys/net/ipv4/conf/*; do
@ -3779,7 +3779,7 @@ fi
 __EOF__
 	    done
-	if [ -n "$LOG_MARTIANS" ]; then
+	if [ "$LOG_MARTIANS" = yes ]; then
 	    save_command "echo 1 > /proc/sys/net/ipv4/conf/default/log_martians"
 	fi