From cc4962ac82c42daab1d48306f4c2ab7935cfd3f7 Mon Sep 17 00:00:00 2001 From: teastep Date: Wed, 18 Apr 2007 01:07:39 +0000 Subject: [PATCH] Implement 'optional' interface option git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5991 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall-common/changelog.txt | 2 + Shorewall-common/releasenotes.txt | 5 +- Shorewall-perl/Shorewall/Interfaces.pm | 10 ++++ Shorewall-perl/Shorewall/Proc.pm | 79 ++++++++++++-------------- Shorewall-perl/Shorewall/Proxyarp.pm | 34 +++++++---- 5 files changed, 74 insertions(+), 56 deletions(-) diff --git a/Shorewall-common/changelog.txt b/Shorewall-common/changelog.txt index e9a058b3f..0b7777f1b 100644 --- a/Shorewall-common/changelog.txt +++ b/Shorewall-common/changelog.txt @@ -2,6 +2,8 @@ Changes in 3.9.3 1) Apply Steven Springl's patch for port checking. +2) Implement 'optional' interface option. + Changes in 3.9.2 1) Implement '-C {shell|perl}'. diff --git a/Shorewall-common/releasenotes.txt b/Shorewall-common/releasenotes.txt index 1fae06d9c..a45fc2ba5 100644 --- a/Shorewall-common/releasenotes.txt +++ b/Shorewall-common/releasenotes.txt @@ -27,7 +27,10 @@ Problems corrected in Shorewall 3.9.3 Other changes in Shorewall 3.9.3 -None. +1) An 'optional' option has been added to + /etc/shorewall/interfaces. When 'optional' is specified for an + interface, Shorewall will be silent when it is not possible to + modify the interface's /proc/sys/net/ipv4/conf/ attributes. Migration Considerations: diff --git a/Shorewall-perl/Shorewall/Interfaces.pm b/Shorewall-perl/Shorewall/Interfaces.pm index afcef81cc..fa3b98bf8 100644 --- a/Shorewall-perl/Shorewall/Interfaces.pm +++ b/Shorewall-perl/Shorewall/Interfaces.pm @@ -33,6 +33,7 @@ our @ISA = qw(Exporter); our @EXPORT = qw( add_group_to_zone validate_interfaces_file known_interface + interface_is_optional find_interfaces_by_option get_interface_option 
@@ -125,6 +126,7 @@ sub validate_interfaces_file() logmartians => 1, norfc1918 => 1, nosmurfs => 1, + optional => 1, proxyarp => 1, routeback => 1, routefilter => 1, @@ -229,6 +231,14 @@ sub known_interface($) 0; } +# +# Return the 'optional' setting of the passed interface +# +sub interface_is_optional($) { + my $optionsref = $interfaces{$_[0]}{options}; + $optionsref && $optionsref->{optional}; +} + # # Returns reference to array of interfaces with the passed option # diff --git a/Shorewall-perl/Shorewall/Proc.pm b/Shorewall-perl/Shorewall/Proc.pm index 2a621000a..2bdf70643 100644 --- a/Shorewall-perl/Shorewall/Proc.pm +++ b/Shorewall-perl/Shorewall/Proc.pm @@ -67,13 +67,12 @@ done for my $interface ( @$interfaces ) { my $file = "/proc/sys/net/ipv4/conf/$interface/arp_filter"; - emit " -if [ -f $file ]; then - echo 1 > $file -else - error_message \"WARNING: Cannot set ARP filtering on $interface\" -fi -"; + emitj( '', + "if [ -f $file ]; then", + " echo 1 > $file"); + emitj( 'else', + " error_message \"WARNING: Cannot set ARP filtering on $interface\"" ) unless interface_is_optional( $interface ); + emit "fi\n"; } for my $interface ( @$interfaces1 ) { @@ -82,12 +81,11 @@ fi fatal_error "Internal Error in setup_arp_filtering()" unless defined $value; - emit "if [ -f $file ]; then - echo $value > $file -else - error_message \"WARNING: Cannot set ARP filtering on $interface\" -fi -"; + emitj( "if [ -f $file ]; then", + " echo $value > $file"); + emitj( 'else', + " error_message \"WARNING: Cannot set ARP filtering on $interface\"" ) unless interface_is_optional( $interface ); + emit "fi\n"; } } } 
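Review bot: `$interfaces{$_[0]}{options}` in the new interface_is_optional autovivifies `$interfaces{$_[0]}` whenever the name is not yet a key of `%interfaces`, so a call with an unknown interface leaves an empty entry behind; if known_interface (only its closing `0; }` is in this hunk) decides by key presence, that name would afterwards look known. Whether any current caller passes an unknown name is not visible in this patch, but reading the outer entry first costs nothing: `my $interfaceref = $interfaces{$_[0]};` then `return $interfaceref && $interfaceref->{options} && $interfaceref->{options}{optional};`. The header comment could also state the contract, e.g. `# Returns the 'optional' option value of the named interface (false if the interface is unknown or the option is not set)`.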
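Review bot: The emit sequence introduced here (the `if [ -f $file ]` test, the `else` branch guarded by `unless interface_is_optional`, then `emit "fi\n"`) is written out again in @@ -82, @@ -106, @@ -143 and @@ -187 of this file and in the two warning loops of @@ -106 in Proxyarp.pm, differing only in the path, the value and the warning text, so the 'optional' rule now lives in seven places. A small helper taking the interface, path, value and warning text would keep it in one; setup_arp_filtering starts before this hunk, so the helper would go above it (or next to interface_is_optional in Interfaces.pm). The helper can also quote the path in the generated script (`[ -f "$file" ]`, `echo 1 > "$file"`) so that, should validate_interfaces_file ever admit a name containing whitespace or shell metacharacters (what it restricts is not visible here), the name cannot change the shape of the emitted shell. The warning texts stay as they are.
```perl
#
# Emit shell that stores $value into the /proc file $file when that file
# exists and, unless the interface is marked 'optional', warns when it does not
#
sub emit_proc_setting( $$$$ ) {
    my ( $interface, $file, $value, $warning ) = @_;

    emitj( "if [ -f \"$file\" ]; then",
           "    echo $value > \"$file\"" );
    emitj( 'else',
           "    error_message \"$warning\"" ) unless interface_is_optional( $interface );
    emit "fi\n";
}

# … unchanged: setup_arp_filtering up to its first loop …
    for my $interface ( @$interfaces ) {
        my $file = "/proc/sys/net/ipv4/conf/$interface/arp_filter";

        emit '';
        emit_proc_setting( $interface, $file, 1, "WARNING: Cannot set ARP filtering on $interface" );
    }
```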
@@ -106,21 +104,19 @@ sub setup_route_filtering() { save_progress_message "Setting up Route Filtering..."; unless ( $config{ROUTE_FILTER} ) { - emit "for f in /proc/sys/net/ipv4/conf/*; do - [ -f \$f/rp_filter ] && echo 0 > \$f/rp_filter -done -"; + emitj( "for f in /proc/sys/net/ipv4/conf/*; do" , + " [ -f \$f/rp_filter ] && echo 0 > \$f/rp_filter" , + "done\n" ); } for my $interface ( @$interfaces ) { my $file = "/proc/sys/net/ipv4/conf/$interface/rp_filter"; - emit "if [ -f $file ]; then - echo 1 > $file -else - error_message \"WARNING: Cannot set route filtering on $interface\" -fi -"; + emitj( "if [ -f $file ]; then" , + " echo 1 > $file" ); + emitj( 'else' , + " error_message \"WARNING: Cannot set route filtering on $interface\"" ) unless interface_is_optional( $interface); + emit "fi\n"; } emit 'echo 1 0 /proc/sys/net/ipv4/conf/all/rp_filter'; @@ -143,20 +139,19 @@ sub setup_martian_logging() { save_progress_message "Setting up Martian Logging..."; - emit "for f in /proc/sys/net/ipv4/conf/*; do - [ -f \$f/log_martians ] && echo 0 > \$f/log_martians -done -"; + emitj( "for f in /proc/sys/net/ipv4/conf/*; do" , + " [ -f \$f/log_martians ] && echo 0 > \$f/log_martians" , + "done\n" ); for my $interface ( @$interfaces ) { my $file = "/proc/sys/net/ipv4/conf/$interface/log_martians"; - emit "if [ -f $file ]; then - echo 1 > $file -else - error_message \"WARNING: Cannot set Martian logging on $interface\" -fi -"; + emitj( "if [ -f $file ]; then" , + " echo 1 > $file" ); + + emitj( 'else' , + " error_message \"WARNING: Cannot set Martian logging on $interface\"") unless interface_is_optional( $interface); + emit "fi\n"; } emit 'echo 1 > /proc/sys/net/ipv4/conf/all/log_martians'; 
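Review bot: The call spelling drifts between hunks: `interface_is_optional( $interface)` here and in @@ -143 (and again in @@ -187) against `interface_is_optional( $interface )` in the arp_filter and proxy_arp hunks, and the martian-logging loop alone has an empty line between its two `emitj` calls. Either spacing is fine, but one form throughout reads better; `interface_is_optional( $interface )` matches the surrounding `emitj( ... )` style. setup_route_filtering and setup_martian_logging both start before their hunks.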
@@ -172,10 +167,9 @@ sub setup_source_routing() { save_progress_message 'Setting up Accept Source Routing...'; - emit "for f in /proc/sys/net/ipv4/conf/*; do - [ -f \$f/accept_source_route ] && echo 0 > \$f/accept_source_route -done -"; + emitj( "for f in /proc/sys/net/ipv4/conf/*; do" , + " [ -f \$f/accept_source_route ] && echo 0 > \$f/accept_source_route" , + "done\n" ); my $interfaces = find_interfaces_by_option 'sourceroute'; @@ -187,12 +181,11 @@ done for my $interface ( @$interfaces ) { my $file = "/proc/sys/net/ipv4/conf/$interface/accept_source_route"; - emit "if [ -f $file ]; then - echo 1 > $file -else - error_message \"WARNING: Cannot set Accept Source Routing on $interface\" -fi -"; + emitj( "if [ -f $file ]; then" , + " echo 1 > $file" ); + emitj( 'else' , + " error_message \"WARNING: Cannot set Accept Source Routing on $interface\"" ) unless interface_is_optional( $interface); + emit "fi\n"; } } } diff --git a/Shorewall-perl/Shorewall/Proxyarp.pm b/Shorewall-perl/Shorewall/Proxyarp.pm index bfc2ceda6..6c8985474 100644 --- a/Shorewall-perl/Shorewall/Proxyarp.pm +++ b/Shorewall-perl/Shorewall/Proxyarp.pm @@ -64,11 +64,11 @@ sub setup_one_proxy_arp( $$$$$ ) { $haveroute = 1 if $persistent; } - emit "if ! arp -i $external -Ds $address $external pub; then - fatal_error \"Command 'arp -i $external -Ds $address $external pub' failed\" -fi - -progress_message \" Host $address connected to $interface added to ARP on $external\"\n"; + emitj( "if ! arp -i $external -Ds $address $external pub; then", + " fatal_error \"Command 'arp -i $external -Ds $address $external pub' failed\"" , + 'fi' , + '', + "progress_message \" Host $address connected to $interface added to ARP on $external\"\n" ); push @proxyarp, "$address $interface $external $haveroute"; 
@@ -106,20 +106,30 @@ sub setup_proxy_arp() { setup_one_proxy_arp( $address, $interface, $external, $haveroute, $persistent ); } + emit ''; + for my $interface ( keys %reset ) { - emit "echo 0 > /proc/sys/net/ipv4/conf/$interface/proxy_arp" unless $set{interface}; + unless ( $set{interface} ) { + emitj ( "if [ -f /proc/sys/net/ipv4/conf/$interface/proxy_arp ]; then" , + " echo 0 > /proc/sys/net/ipv4/conf/$interface/proxy_arp" ); + emit "fi\n"; + } } for my $interface ( keys %set ) { - emit "echo 1 > /proc/sys/net/ipv4/conf/$interface/proxy_arp"; + emitj ( "if [ -f /proc/sys/net/ipv4/conf/$interface/proxy_arp ]; then" , + " echo 1 > /proc/sys/net/ipv4/conf/$interface/proxy_arp" ); + emitj ( 'else' , + " error_message \" WARNING: Cannot set the 'proxy_arp' option for interface $interface\"" ) unless interface_is_optional( $interface ); + emit "fi\n"; } for my $interface ( @$interfaces ) { - emit "if [ -f /proc/sys/net/ipv4/conf/$interface/proxy_arp ] ; then - echo 1 > /proc/sys/net/ipv4/conf/$interface/proxy_arp -else - error_message \"WARNING: Unable to enable proxy ARP on $interface\" -fi\n"; + emitj( "if [ -f /proc/sys/net/ipv4/conf/$interface/proxy_arp ] ; then" , + " echo 1 > /proc/sys/net/ipv4/conf/$interface/proxy_arp" ); + emitj( 'else' , + " error_message \"WARNING: Unable to enable proxy ARP on $interface\"" ) unless interface_is_optional( $interface ); + emit "fi\n"; } } }
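Review bot: `unless ( $set{interface} )` in the reset loop looks up the literal key `interface`, not the current interface, so it is true only for an interface literally named "interface" and the loop writes 0 to proxy_arp even for interfaces that the next loop immediately sets to 1; the commit wraps the line in a file test but carries the typo over from the old `unless $set{interface}`. Presumably `unless ( $set{$interface} )` was meant, a one-character fix. The reset loop is also silent when the file is missing, while the two loops below it warn unless the interface is optional; if that asymmetry is intended, a comment on the loop such as `# resetting an absent interface needs no warning` would save the next reader the question. The warning in the `%set` loop has a stray space before `WARNING:`, unlike the others. setup_proxy_arp starts before this hunk.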