'shorewall check' now checks the proxyarp file

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2593 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall/changelog.txt

@@ -6,6 +6,8 @@ Changes in 2.5.4
 
 3) "shorewall check" now checks the masq file.
 
+4) "shorewall check" now checks the proxyarp file.
+
 Changes in 2.5.3
 
 1) Allow exclusion lists in /etc/shorewall/tcrules.

Shorewall/firewall

@@ -2605,21 +2605,25 @@ setup_proxy_arp() {
 	    ;;
 	esac
 
-	if [ -z "$haveroute" ]; then
-	    ensure_and_save_command ip route replace $address dev $interface
-	    [ -n "$persistent" ] && haveroute=yes
+	if [ $COMMAND != check ]; then
+	    if [ -z "$haveroute" ]; then
+		ensure_and_save_command ip route replace $address dev $interface
+		[ -n "$persistent" ] && haveroute=yes
+	    fi
+
+	    ensure_and_save_command arp -i $external -Ds $address $external pub
+
+	    echo $address $interface $external $haveroute >> /var/lib/shorewall/proxyarp
 	fi
 
-	ensure_and_save_command arp -i $external -Ds $address $external pub
-
-	echo $address $interface $external $haveroute >> /var/lib/shorewall/proxyarp
-
 	progress_message "   Host $address connected to $interface added to ARP on $external"
     }
 
-    > /var/lib/shorewall/proxyarp
+    if [ $COMMAND != check ]; then
+	> /var/lib/shorewall/proxyarp
 
-    save_progress_message "Restoring Proxy ARP..."
+	save_progress_message "Restoring Proxy ARP..."
+    fi
 
     while read address interface external haveroute persistent; do
 	expandv address interface external haveroute persistent
@@ -2628,25 +2632,27 @@ setup_proxy_arp() {
 	setup_one_proxy_arp
     done < $TMP_DIR/proxyarp
 
-    for interface in $resetlist; do
-	list_search $interface $setlist || \
-	    run_and_save_command "echo 0 > /proc/sys/net/ipv4/conf/$interface/proxy_arp"
-    done
+    if [ $COMMAND != check ]; then
+	for interface in $resetlist; do
+	    list_search $interface $setlist || \
+		run_and_save_command "echo 0 > /proc/sys/net/ipv4/conf/$interface/proxy_arp"
+	done
 
-    for interface in $setlist; do
-	run_and_save_command "echo 1 > /proc/sys/net/ipv4/conf/$interface/proxy_arp"
-    done
+	for interface in $setlist; do
+	    run_and_save_command "echo 1 > /proc/sys/net/ipv4/conf/$interface/proxy_arp"
+	done
 
-    interfaces=$(find_interfaces_by_option proxyarp)
+	interfaces=$(find_interfaces_by_option proxyarp)
 
-    for interface in $interfaces; do
-	if echo 1 > /proc/sys/net/ipv4/conf/$interface/proxy_arp 2> /dev/null; then
-	    progress_message "   Enabled proxy ARP on $interface"
-	    save_command "echo 1 > /proc/sys/net/ipv4/conf/$interface/proxy_arp"
-        else
-	    error_message "WARNING: Unable to enable proxy ARP on $interface"
-        fi
-    done
+	for interface in $interfaces; do
+	    if echo 1 > /proc/sys/net/ipv4/conf/$interface/proxy_arp 2> /dev/null; then
+		progress_message "   Enabled proxy ARP on $interface"
+		save_command "echo 1 > /proc/sys/net/ipv4/conf/$interface/proxy_arp"
+	    else
+		error_message "WARNING: Unable to enable proxy ARP on $interface"
+	    fi
+	done
+    fi
 }
 
 #
@@ -3666,6 +3672,10 @@ check_config() {
 
     validate_blacklist
 
+    echo "Validating Proxy ARP"
+    strip_file proxyarp
+    setup_proxy_arp
+
     echo "Pre-validating Actions..."
 
     process_actions1

Shorewall/help

@@ -74,9 +74,9 @@ allow)
 check)
 	echo "check: check [ <configuration-directory> ]
    Performs a cursory validation of the zones, interfaces, hosts,
-   rules, policy and masq files.  Use this if you are unsure of any edits
-   you have made to the shorewall configuration.  See the try command
-   examples for a recommended way to make changes."
+   rules, policy, masq, blacklist and proxyarp files.  Use this if you are
+   unsure of any edits you have made to the shorewall configuration.  See the
+   try command examples for a recommended way to make changes."
 	;;
 
 clear)

Shorewall/releasenotes.txt

@@ -29,8 +29,8 @@ New Features in Shorewall 2.5.4
 
     Now, $1 = these, $2 = are and $3 = parameters
 
-2)  The "shorewall check" command now checks the /etc/shorewall/masq
-    file.
+2)  The "shorewall check" command now checks the /etc/shorewall/masq,
+    /etc/shorewall/blacklist and /etc/shorewall/proxyarp files.
 
 Problems Corrected in 2.5.3: