diff --git a/Shorewall2/changelog.txt b/Shorewall2/changelog.txt
index 284aad45e..882d7a89a 100644
--- a/Shorewall2/changelog.txt
+++ b/Shorewall2/changelog.txt
@@ -92,4 +92,6 @@ Changes since 2.0.3
 44) Implememt LOGTAGONLY.
-44) Merge 'tcrules' clarification from 2.0.10.
+46) Merge 'tcrules' clarification from 2.0.10.
+
+46) Implement 'sourceroute' interface option.
diff --git a/Shorewall2/firewall b/Shorewall2/firewall
index 6a4c4afdc..a68db0718 100755
--- a/Shorewall2/firewall
+++ b/Shorewall2/firewall
@@ -905,7 +905,7 @@ validate_interfaces_file() {
 for option in $options; do
 case $option in
- dhcp|norfc1918|nobogons|tcpflags|newnotsyn|arp_filter|routefilter|logmartians|blacklist|proxyarp|maclist|nosmurfs|-)
+ dhcp|norfc1918|nobogons|tcpflags|newnotsyn|arp_filter|routefilter|logmartians|sourceroute|blacklist|proxyarp|maclist|nosmurfs|-)
 ;;
 detectnets)
 [ -n "$wildcard" ] && \
@@ -5915,6 +5915,31 @@ add_common_rules() {
 fi
+ #
+ # Source Routing
+ #
+ save_progress_message "Restoring Accept Source Routing..."
+
+ for f in /proc/sys/net/ipv4/conf/*; do
+ run_and_save_command "[ -f $f/accept_source_route ] && echo 0 > $f/accept_source_route"
+ done
+
+ interfaces=$(find_interfaces_by_option sourceroute)
+
+ if [ -n "$interfaces" ]; then
+ echo "Setting up Accept Source Routing..."
+
+ for interface in $interfaces; do
+ file=/proc/sys/net/ipv4/conf/$interface/accept_source_route
+ if [ -f $file ]; then
+ run_and_save_command "echo 1 > $file"
+ else
+ error_message \
+ "Warning: Cannot set Accept Source Routing on $interface"
+ fi
+ done
+ fi
+
 if [ -n "$DYNAMIC_ZONES" ]; then
 echo "Setting up Dynamic Zone Chains..."
diff --git a/Shorewall2/releasenotes.txt b/Shorewall2/releasenotes.txt
index f01730468..b9b18bc30 100755
--- a/Shorewall2/releasenotes.txt
+++ b/Shorewall2/releasenotes.txt
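Review bot: In the add_common_rules() hunk, the reset loop's glob `/proc/sys/net/ipv4/conf/*` also matches the `all` and `default` entries, so `all/accept_source_route` is left at 0 before the per-interface `echo 1 > $file` runs. As I read the kernel's ip-sysctl documentation, a source-routed packet is accepted only when both the `all` flag and the interface flag are set, so the `sourceroute` option may silently have no effect; that fails closed, but "Setting up Accept Source Routing..." would then report a state that is not in force. If the option is meant to work, set the `all` flag inside the `if [ -n "$interfaces" ]` branch, e.g. `run_and_save_command "echo 1 > /proc/sys/net/ipv4/conf/all/accept_source_route"`, leaving `default` and every unlisted interface at 0, and add a comment above the loop noting that `default` is cleared too so that interfaces created later start with the flag off. The test `[ -f $file ]` should also quote `"$file"`. The function body starts and ends outside this hunk, so this should be confirmed against the rest of add_common_rules().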
@@ -515,3 +515,9 @@ New Features:
 Log prefix with LOGTAGONLY=Yes:
 Shorewall:ftp:DROP
+
+19) Shorewall now resets the 'accept_source_route' flag for all
+ interfaces. If you wish to accept source routing on an interface,
+ you must specify the new 'sourceroute' interface option in
+ /etc/shorewall/interfaces.
+