Add the accept_ra Shorewall6 interface option.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2013-03-30 16:44:18 -07:00
parent 2381b0fd8f
commit d415de1883
4 changed files with 74 additions and 5 deletions


@ -741,6 +741,8 @@ sub compiler {
''
);
setup_accept_ra if $family == F_IPV6;
if ( $scriptfilename || $debug ) {
emit 'return 0';
pop_indent;


@ -38,6 +38,7 @@ our @EXPORT = qw(
setup_route_filtering
setup_martian_logging
setup_source_routing
setup_accept_ra
setup_forwarding
);
our @EXPORT_OK = qw( setup_interface_proc );
@ -214,6 +215,35 @@ sub setup_source_routing( $ ) {
}
}
#
# Source Routing
#
sub setup_accept_ra() {
my $interfaces = find_interfaces_by_option 'accept_ra';
if ( @$interfaces ) {
progress_message2 "$doing Accept Routing Advertisements...";
save_progress_message 'Setting up Accept Routing Advertisements...';
for my $interface ( @$interfaces ) {
my $value = get_interface_option $interface, 'accept_ra';
my $optional = interface_is_optional $interface;
$interface = get_physical $interface;
my $file = "/proc/sys/net/ipv6/conf/$interface/accept_ra";
emit ( "if [ -f $file ]; then" ,
" echo $value > $file" );
emit ( 'else' ,
" error_message \"WARNING: Cannot set Accept Source Routing on $interface\"" ) unless $optional;
emit "fi\n";
}
}
}
sub setup_forwarding( $$ ) {
my ( $family, $first ) = @_;
@ -297,8 +327,8 @@ sub setup_interface_proc( $ ) {
push @emitted, "echo $value > /proc/sys/net/ipv4/conf/$physical/accept_source_route";
}
if ( interface_has_option( $interface, 'sourceroute' , $value ) ) {
push @emitted, "echo $value > /proc/sys/net/ipv4/conf/$physical/accept_source_route";
if ( interface_has_option( $interface, 'accept_ra' , $value ) ) {
push @emitted, "echo $value > /proc/sys/net/ipv6/conf/$physical/accept_ra";
}
if ( @emitted ) {
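Review bot: The new `setup_accept_ra` still carries text copied from `setup_source_routing`: its header comment reads `# Source Routing`, and the warning it emits says `Cannot set Accept Source Routing on $interface`, so an operator whose interface has no accept_ra proc file is told that a different setting failed. I would change these to `# Accept Router Advertisements` and `" error_message \"WARNING: Cannot set accept_ra on $interface\""`. The two progress messages say "Routing Advertisements" where the term is Router Advertisements. For an optional interface the `else` branch is not emitted, so a missing file leaves the kernel's existing accept_ra value in place with no message; a one-line comment saying this is intended would help, since this setting decides whether the firewall accepts Router Advertisements from that segment.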


@ -234,9 +234,9 @@ use constant { NO_UPDOWN => 1,
our %validinterfaceoptions;
our %defaultinterfaceoptions = ( routefilter => 1 , wait => 60 );
our %defaultinterfaceoptions = ( routefilter => 1 , wait => 60, accept_ra => 1 );
our %maxoptionvalue = ( routefilter => 2, mss => 100000 , wait => 120 , ignore => NO_UPDOWN );
our %maxoptionvalue = ( routefilter => 2, mss => 100000 , wait => 120 , ignore => NO_UPDOWN, accept_ra => 2 );
our %validhostoptions;
@ -334,7 +334,8 @@ sub initialize( $$ ) {
);
%zonetypes = ( 1 => 'firewall', 2 => 'ipv4', 4 => 'bport4', 8 => 'ipsec4', 16 => 'vserver' );
} else {
%validinterfaceoptions = ( blacklist => SIMPLE_IF_OPTION + IF_OPTION_HOST,
%validinterfaceoptions = ( accept_ra => NUMERIC_IF_OPTION,
blacklist => SIMPLE_IF_OPTION + IF_OPTION_HOST,
bridge => SIMPLE_IF_OPTION,
dhcp => SIMPLE_IF_OPTION,
ignore => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
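Review bot: The `accept_ra => 1` entry added to `%defaultinterfaceoptions` is undocumented: the manpage section in this commit lists values 0, 1 and 2 but never says what a bare `accept_ra` means. If this hash supplies the value for an option written without `=N` (which its name suggests, but the hunk does not show), say so beside the entry, e.g. `# bare accept_ra == 1: accept RAs only while forwarding is disabled`, and state the same in the manpage. The cap of 2 in `%maxoptionvalue` matches the three documented values. Value 2 is the one that keeps a forwarding host accepting Router Advertisements, so it is the case administrators most need spelled out. The body of `initialize` continues outside the hunk.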


@ -148,6 +148,42 @@ loc eth2 -</programlisting>
should have no embedded white space.</para>
<variablelist>
<varlistentry>
<term>accept_ra[={0|1|2)]</term>
<listitem>
<para>Added in Shorewall 4.5.16. Values are:</para>
<variablelist>
<varlistentry>
<term>0</term>
<listitem>
<para>Do not accept Router Advertisements.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>1</term>
<listitem>
<para>Accept Route Advertisements if forwarding is
disabled.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>2</term>
<listitem>
<para>Overrule forwarding behavior. Accept Route
Advertisements even if forwarding is enabled.</para>
</listitem>
</varlistentry>
</variablelist>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">blacklist</emphasis></term>