Implement 'optional' interface option

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5991 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2025-06-20 17:58:07 +02:00 · 2007-04-18 01:07:39 +00:00 · 2007-04-18 01:07:39 +00:00 · cc4962ac82
commit cc4962ac82
parent 264d0eb52d
5 changed files with 74 additions and 56 deletions
--- a/Shorewall-common/changelog.txt
+++ b/Shorewall-common/changelog.txt
@ -2,6 +2,8 @@ Changes in 3.9.3
 1)  Apply Steven Springl's patch for port checking.
 2)  Implement 'optional' interface option.
 Changes in 3.9.2
 1)  Implement '-C {shell|perl}'.
--- a/Shorewall-common/releasenotes.txt
+++ b/Shorewall-common/releasenotes.txt
@ -27,7 +27,10 @@ Problems corrected in Shorewall 3.9.3
 Other changes in Shorewall 3.9.3
-None.
+1)  An 'optional' option has been added to
    /etc/shorewall/interfaces. When 'optional' is specified for an
    interface, Shorewall will be silent when it is not possible to
    modify the interface's /proc/sys/net/ipv4/conf/ attributes. 
 Migration Considerations:
--- a/Shorewall-perl/Shorewall/Interfaces.pm
+++ b/Shorewall-perl/Shorewall/Interfaces.pm
@ -33,6 +33,7 @@ our @ISA = qw(Exporter);
 our @EXPORT = qw( add_group_to_zone
 		  validate_interfaces_file
 		  known_interface
                  interface_is_optional
 		  find_interfaces_by_option
 		  get_interface_option
@ -125,6 +126,7 @@ sub validate_interfaces_file()
 			logmartians => 1,
 			norfc1918 => 1,
 			nosmurfs => 1,
 			optional => 1,
 			proxyarp => 1,
 			routeback => 1,
 			routefilter => 1,
@ -229,6 +231,14 @@ sub known_interface($)
    0;
 }
 #
 # Return the 'optional' setting of the passed interface
 #
 sub interface_is_optional($) {
    my $optionsref = $interfaces{$_[0]}{options};
    $optionsref && $optionsref->{optional};
 }
 #
 # Returns reference to array of interfaces with the passed option
 #
--- a/Shorewall-perl/Shorewall/Proc.pm
+++ b/Shorewall-perl/Shorewall/Proc.pm
@ -67,13 +67,12 @@ done
 	for my $interface ( @$interfaces ) {
 	    my $file = "/proc/sys/net/ipv4/conf/$interface/arp_filter";
-	    emit "
+	    emitj( '',
-if [ -f $file ]; then
+		   "if [ -f $file ]; then",
-    echo 1 > $file
+		   "    echo 1 > $file");
-else
+	    emitj( 'else',
-    error_message \"WARNING: Cannot set ARP filtering on $interface\"
+		   "    error_message \"WARNING: Cannot set ARP filtering on $interface\"" ) unless interface_is_optional( $interface );
-fi
+	    emit   "fi\n";
 ";
 	}
 	for my $interface ( @$interfaces1 ) {
@ -82,12 +81,11 @@ fi
 	    fatal_error "Internal Error in setup_arp_filtering()" unless defined $value;
-	    emit "if [ -f $file ]; then
+	    emitj( "if [ -f $file ]; then",
-    echo $value > $file
+		   "    echo $value > $file");
-else
+	    emitj( 'else',
-    error_message \"WARNING: Cannot set ARP filtering on $interface\"
+		   "    error_message \"WARNING: Cannot set ARP filtering on $interface\"" ) unless interface_is_optional( $interface );
-fi
+	    emit   "fi\n";
 ";
 	}
    }
 }
@ -106,21 +104,19 @@ sub setup_route_filtering() {
 	save_progress_message "Setting up Route Filtering...";
 	unless ( $config{ROUTE_FILTER} ) {
-	    emit "for f in /proc/sys/net/ipv4/conf/*; do
+	    emitj( "for f in /proc/sys/net/ipv4/conf/*; do" ,
-    [ -f \$f/rp_filter ] && echo 0 > \$f/rp_filter
+		   "    [ -f \$f/rp_filter ] && echo 0 > \$f/rp_filter" ,
-done
+		   "done\n" );
 ";
 	}
 	for my $interface ( @$interfaces ) {
 	    my $file = "/proc/sys/net/ipv4/conf/$interface/rp_filter";
-	    emit "if [ -f $file ]; then
+	    emitj( "if [ -f $file ]; then" ,
-    echo 1 > $file
+		   "    echo 1 > $file" );
-else
+	    emitj( 'else' ,
-    error_message \"WARNING: Cannot set route filtering on $interface\"
+		   "    error_message \"WARNING: Cannot set route filtering on $interface\"" ) unless interface_is_optional( $interface);
-fi
+	    emit   "fi\n";
 ";
 	}
 	emit 'echo 1 0 /proc/sys/net/ipv4/conf/all/rp_filter';
@ -143,20 +139,19 @@ sub setup_martian_logging() {
 	save_progress_message "Setting up Martian Logging...";
-	emit "for f in /proc/sys/net/ipv4/conf/*; do
+	emitj( "for f in /proc/sys/net/ipv4/conf/*; do" ,
-    [ -f \$f/log_martians ] && echo 0 > \$f/log_martians
+	       "    [ -f \$f/log_martians ] && echo 0 > \$f/log_martians" ,
-done
+	       "done\n" );
 ";
 	for my $interface ( @$interfaces ) {
 	    my $file = "/proc/sys/net/ipv4/conf/$interface/log_martians";
-	    emit "if [ -f $file ]; then
+	    emitj( "if [ -f $file ]; then" ,
-    echo 1 > $file
+		   "    echo 1 > $file" );
-else
+
-    error_message \"WARNING: Cannot set Martian logging on $interface\"
+	    emitj( 'else' ,
-fi
+		   "    error_message \"WARNING: Cannot set Martian logging on $interface\"") unless interface_is_optional( $interface); 
-";
+	    emit   "fi\n";
 	}
 	emit 'echo 1 > /proc/sys/net/ipv4/conf/all/log_martians';
@ -172,10 +167,9 @@ sub setup_source_routing() {
    save_progress_message 'Setting up Accept Source Routing...';
-    emit "for f in /proc/sys/net/ipv4/conf/*; do
+    emitj( "for f in /proc/sys/net/ipv4/conf/*; do" ,
-    [ -f \$f/accept_source_route ] && echo 0 > \$f/accept_source_route
+	   "    [ -f \$f/accept_source_route ] && echo 0 > \$f/accept_source_route" ,
-done
+	   "done\n" );
 ";
    my $interfaces = find_interfaces_by_option 'sourceroute';
@ -187,12 +181,11 @@ done
 	for my $interface ( @$interfaces ) {
 	    my $file = "/proc/sys/net/ipv4/conf/$interface/accept_source_route";
-	    emit "if [ -f $file ]; then
+	    emitj( "if [ -f $file ]; then" ,
-    echo 1 > $file
+		   "    echo 1 > $file" );
-else
+	    emitj( 'else' ,
-    error_message \"WARNING: Cannot set Accept Source Routing on $interface\"
+		   "    error_message \"WARNING: Cannot set Accept Source Routing on $interface\"" ) unless interface_is_optional( $interface);
-fi
+	    emit   "fi\n";
 ";
 	}
    }
 }
--- a/Shorewall-perl/Shorewall/Proxyarp.pm
+++ b/Shorewall-perl/Shorewall/Proxyarp.pm
@ -64,11 +64,11 @@ sub setup_one_proxy_arp( $$$$$ ) {
 	$haveroute = 1 if $persistent;
    }
-    emit "if ! arp -i $external -Ds $address $external pub; then
+    emitj( "if ! arp -i $external -Ds $address $external pub; then",
-    fatal_error \"Command 'arp -i $external -Ds $address $external pub' failed\"
+	   "    fatal_error \"Command 'arp -i $external -Ds $address $external pub' failed\"" ,
-fi
+	   'fi' ,
-
+	   '',
-progress_message \"   Host $address connected to $interface added to ARP on $external\"\n";
+	   "progress_message \"   Host $address connected to $interface added to ARP on $external\"\n" );
    push @proxyarp, "$address $interface $external $haveroute";
@ -106,20 +106,30 @@ sub setup_proxy_arp() {
 	    setup_one_proxy_arp( $address, $interface, $external, $haveroute, $persistent );
 	}
 	emit '';
 	for my $interface ( keys %reset ) {
-	    emit "echo 0 > /proc/sys/net/ipv4/conf/$interface/proxy_arp" unless $set{interface};
+	    unless ( $set{interface} ) {
 		emitj ( "if [ -f /proc/sys/net/ipv4/conf/$interface/proxy_arp ]; then" ,
 			"    echo 0 > /proc/sys/net/ipv4/conf/$interface/proxy_arp" );
 		emit    "fi\n";
 	    }
 	}
 	for my $interface ( keys %set ) {
-	    emit "echo 1 > /proc/sys/net/ipv4/conf/$interface/proxy_arp";
+	    emitj ( "if [ -f /proc/sys/net/ipv4/conf/$interface/proxy_arp ]; then" ,
 		    "    echo 1 > /proc/sys/net/ipv4/conf/$interface/proxy_arp" );
 	    emitj ( 'else' ,
 		    "    error_message \"    WARNING: Cannot set the 'proxy_arp' option for interface $interface\"" ) unless interface_is_optional( $interface );
 	    emit    "fi\n";
 	}
 	for my $interface ( @$interfaces ) {
-	    emit "if [ -f /proc/sys/net/ipv4/conf/$interface/proxy_arp ] ; then
+	    emitj( "if [ -f /proc/sys/net/ipv4/conf/$interface/proxy_arp ] ; then" ,
-    echo 1 > /proc/sys/net/ipv4/conf/$interface/proxy_arp
+		   "    echo 1 > /proc/sys/net/ipv4/conf/$interface/proxy_arp" );
-else
+	    emitj( 'else' ,
-    error_message \"WARNING: Unable to enable proxy ARP on $interface\"
+		   "    error_message \"WARNING: Unable to enable proxy ARP on $interface\"" ) unless interface_is_optional( $interface ); 
-fi\n";
+	    emit   "fi\n";
 	}
    }
 }