Implement 'optional' interface option

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5991 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall-common/changelog.txt

@@ -2,6 +2,8 @@ Changes in 3.9.3
 
 1)  Apply Steven Springl's patch for port checking.
 
+2)  Implement 'optional' interface option.
+
 Changes in 3.9.2
 
 1)  Implement '-C {shell|perl}'.

Shorewall-common/releasenotes.txt

@@ -27,7 +27,10 @@ Problems corrected in Shorewall 3.9.3
 
 Other changes in Shorewall 3.9.3
 
-None.
+1)  An 'optional' option has been added to
+    /etc/shorewall/interfaces. When 'optional' is specified for an
+    interface, Shorewall will be silent when it is not possible to
+    modify the interface's /proc/sys/net/ipv4/conf/ attributes. 
 
 Migration Considerations:
 

Shorewall-perl/Shorewall/Interfaces.pm

@@ -33,6 +33,7 @@ our @ISA = qw(Exporter);
 our @EXPORT = qw( add_group_to_zone
 		  validate_interfaces_file
 		  known_interface
+                  interface_is_optional
 		  find_interfaces_by_option
 		  get_interface_option
 
@@ -125,6 +126,7 @@ sub validate_interfaces_file()
 			logmartians => 1,
 			norfc1918 => 1,
 			nosmurfs => 1,
+			optional => 1,
 			proxyarp => 1,
 			routeback => 1,
 			routefilter => 1,
@@ -229,6 +231,14 @@ sub known_interface($)
     0;
 }
 
+#
+# Return the 'optional' setting of the passed interface
+#
+sub interface_is_optional($) {
+    my $optionsref = $interfaces{$_[0]}{options};
+    $optionsref && $optionsref->{optional};
+}
+
 #
 # Returns reference to array of interfaces with the passed option
 #

Shorewall-perl/Shorewall/Proc.pm

@@ -67,13 +67,12 @@ done
 
 	for my $interface ( @$interfaces ) {
 	    my $file = "/proc/sys/net/ipv4/conf/$interface/arp_filter";
-	    emit "
-if [ -f $file ]; then
-    echo 1 > $file
-else
-    error_message \"WARNING: Cannot set ARP filtering on $interface\"
-fi
-";
+	    emitj( '',
+		   "if [ -f $file ]; then",
+		   "    echo 1 > $file");
+	    emitj( 'else',
+		   "    error_message \"WARNING: Cannot set ARP filtering on $interface\"" ) unless interface_is_optional( $interface );
+	    emit   "fi\n";
 	}
 
 	for my $interface ( @$interfaces1 ) {
@@ -82,12 +81,11 @@ fi
 
 	    fatal_error "Internal Error in setup_arp_filtering()" unless defined $value;
 
-	    emit "if [ -f $file ]; then
-    echo $value > $file
-else
-    error_message \"WARNING: Cannot set ARP filtering on $interface\"
-fi
-";
+	    emitj( "if [ -f $file ]; then",
+		   "    echo $value > $file");
+	    emitj( 'else',
+		   "    error_message \"WARNING: Cannot set ARP filtering on $interface\"" ) unless interface_is_optional( $interface );
+	    emit   "fi\n";
 	}
     }
 }
@@ -106,21 +104,19 @@ sub setup_route_filtering() {
 	save_progress_message "Setting up Route Filtering...";
 
 	unless ( $config{ROUTE_FILTER} ) {
-	    emit "for f in /proc/sys/net/ipv4/conf/*; do
-    [ -f \$f/rp_filter ] && echo 0 > \$f/rp_filter
-done
-";
+	    emitj( "for f in /proc/sys/net/ipv4/conf/*; do" ,
+		   "    [ -f \$f/rp_filter ] && echo 0 > \$f/rp_filter" ,
+		   "done\n" );
 	}
 
 	for my $interface ( @$interfaces ) {
 	    my $file = "/proc/sys/net/ipv4/conf/$interface/rp_filter";
 
-	    emit "if [ -f $file ]; then
-    echo 1 > $file
-else
-    error_message \"WARNING: Cannot set route filtering on $interface\"
-fi
-";
+	    emitj( "if [ -f $file ]; then" ,
+		   "    echo 1 > $file" );
+	    emitj( 'else' ,
+		   "    error_message \"WARNING: Cannot set route filtering on $interface\"" ) unless interface_is_optional( $interface);
+	    emit   "fi\n";
 	}
 
 	emit 'echo 1 0 /proc/sys/net/ipv4/conf/all/rp_filter';
@@ -143,20 +139,19 @@ sub setup_martian_logging() {
 
 	save_progress_message "Setting up Martian Logging...";
 
-	emit "for f in /proc/sys/net/ipv4/conf/*; do
-    [ -f \$f/log_martians ] && echo 0 > \$f/log_martians
-done
-";
+	emitj( "for f in /proc/sys/net/ipv4/conf/*; do" ,
+	       "    [ -f \$f/log_martians ] && echo 0 > \$f/log_martians" ,
+	       "done\n" );
 
 	for my $interface ( @$interfaces ) {
 	    my $file = "/proc/sys/net/ipv4/conf/$interface/log_martians";
 
-	    emit "if [ -f $file ]; then
-    echo 1 > $file
-else
-    error_message \"WARNING: Cannot set Martian logging on $interface\"
-fi
-";
+	    emitj( "if [ -f $file ]; then" ,
+		   "    echo 1 > $file" );
+
+	    emitj( 'else' ,
+		   "    error_message \"WARNING: Cannot set Martian logging on $interface\"") unless interface_is_optional( $interface); 
+	    emit   "fi\n";
 	}
 
 	emit 'echo 1 > /proc/sys/net/ipv4/conf/all/log_martians';
@@ -172,10 +167,9 @@ sub setup_source_routing() {
 
     save_progress_message 'Setting up Accept Source Routing...';
 
-    emit "for f in /proc/sys/net/ipv4/conf/*; do
-    [ -f \$f/accept_source_route ] && echo 0 > \$f/accept_source_route
-done
-";
+    emitj( "for f in /proc/sys/net/ipv4/conf/*; do" ,
+	   "    [ -f \$f/accept_source_route ] && echo 0 > \$f/accept_source_route" ,
+	   "done\n" );
 
     my $interfaces = find_interfaces_by_option 'sourceroute';
 
@@ -187,12 +181,11 @@ done
 	for my $interface ( @$interfaces ) {
 	    my $file = "/proc/sys/net/ipv4/conf/$interface/accept_source_route";
 
-	    emit "if [ -f $file ]; then
-    echo 1 > $file
-else
-    error_message \"WARNING: Cannot set Accept Source Routing on $interface\"
-fi
-";
+	    emitj( "if [ -f $file ]; then" ,
+		   "    echo 1 > $file" );
+	    emitj( 'else' ,
+		   "    error_message \"WARNING: Cannot set Accept Source Routing on $interface\"" ) unless interface_is_optional( $interface);
+	    emit   "fi\n";
 	}
     }
 }

Shorewall-perl/Shorewall/Proxyarp.pm

@@ -64,11 +64,11 @@ sub setup_one_proxy_arp( $$$$$ ) {
 	$haveroute = 1 if $persistent;
     }
 
-    emit "if ! arp -i $external -Ds $address $external pub; then
-    fatal_error \"Command 'arp -i $external -Ds $address $external pub' failed\"
-fi
-
-progress_message \"   Host $address connected to $interface added to ARP on $external\"\n";
+    emitj( "if ! arp -i $external -Ds $address $external pub; then",
+	   "    fatal_error \"Command 'arp -i $external -Ds $address $external pub' failed\"" ,
+	   'fi' ,
+	   '',
+	   "progress_message \"   Host $address connected to $interface added to ARP on $external\"\n" );
 
     push @proxyarp, "$address $interface $external $haveroute";
 
@@ -106,20 +106,30 @@ sub setup_proxy_arp() {
 	    setup_one_proxy_arp( $address, $interface, $external, $haveroute, $persistent );
 	}
 
+	emit '';
+
 	for my $interface ( keys %reset ) {
-	    emit "echo 0 > /proc/sys/net/ipv4/conf/$interface/proxy_arp" unless $set{interface};
+	    unless ( $set{interface} ) {
+		emitj ( "if [ -f /proc/sys/net/ipv4/conf/$interface/proxy_arp ]; then" ,
+			"    echo 0 > /proc/sys/net/ipv4/conf/$interface/proxy_arp" );
+		emit    "fi\n";
+	    }
 	}
 
 	for my $interface ( keys %set ) {
-	    emit "echo 1 > /proc/sys/net/ipv4/conf/$interface/proxy_arp";
+	    emitj ( "if [ -f /proc/sys/net/ipv4/conf/$interface/proxy_arp ]; then" ,
+		    "    echo 1 > /proc/sys/net/ipv4/conf/$interface/proxy_arp" );
+	    emitj ( 'else' ,
+		    "    error_message \"    WARNING: Cannot set the 'proxy_arp' option for interface $interface\"" ) unless interface_is_optional( $interface );
+	    emit    "fi\n";
 	}
 
 	for my $interface ( @$interfaces ) {
-	    emit "if [ -f /proc/sys/net/ipv4/conf/$interface/proxy_arp ] ; then
-    echo 1 > /proc/sys/net/ipv4/conf/$interface/proxy_arp
-else
-    error_message \"WARNING: Unable to enable proxy ARP on $interface\"
-fi\n";
+	    emitj( "if [ -f /proc/sys/net/ipv4/conf/$interface/proxy_arp ] ; then" ,
+		   "    echo 1 > /proc/sys/net/ipv4/conf/$interface/proxy_arp" );
+	    emitj( 'else' ,
+		   "    error_message \"WARNING: Unable to enable proxy ARP on $interface\"" ) unless interface_is_optional( $interface ); 
+	    emit   "fi\n";
 	}
     }
 }