diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index 9e006d31e..b2ad87fd3 100755
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -6,6 +6,8 @@ Changes in 2.5.4
 3) "shorewall check" now checks the masq file.
+4) "shorewall check" now checks the proxyarp file.
+
 Changes in 2.5.3
 1) Allow exclusion lists in /etc/shorewall/tcrules.
diff --git a/Shorewall/firewall b/Shorewall/firewall
index 19cc5a230..5582d3256 100755
--- a/Shorewall/firewall
+++ b/Shorewall/firewall
@@ -2605,21 +2605,25 @@ setup_proxy_arp() {
         ;;
     esac
-    if [ -z "$haveroute" ]; then
-        ensure_and_save_command ip route replace $address dev $interface
-        [ -n "$persistent" ] && haveroute=yes
+    if [ $COMMAND != check ]; then
+        if [ -z "$haveroute" ]; then
+            ensure_and_save_command ip route replace $address dev $interface
+            [ -n "$persistent" ] && haveroute=yes
+        fi
+
+        ensure_and_save_command arp -i $external -Ds $address $external pub
+
+        echo $address $interface $external $haveroute >> /var/lib/shorewall/proxyarp
     fi
-    ensure_and_save_command arp -i $external -Ds $address $external pub
-
-    echo $address $interface $external $haveroute >> /var/lib/shorewall/proxyarp
-
     progress_message " Host $address connected to $interface added to ARP on $external"
 }
-    > /var/lib/shorewall/proxyarp
+    if [ $COMMAND != check ]; then
+        > /var/lib/shorewall/proxyarp
-    save_progress_message "Restoring Proxy ARP..."
+        save_progress_message "Restoring Proxy ARP..."
+    fi
     while read address interface external haveroute persistent; do
         expandv address interface external haveroute persistent
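Review bot: Under `check`, setup_one_proxy_arp now skips the route and arp commands but still runs `progress_message " Host $address connected to $interface added to ARP on $external"`, so check output reports an action that was not taken; moving that progress_message inside the new `if [ $COMMAND != check ]` block, or printing a distinct "validated" message in an else branch, keeps the output truthful. The new test `[ $COMMAND != check ]` is unquoted; `[ "$COMMAND" != check ]` avoids a test syntax error should COMMAND ever be empty, and the same unquoted form is repeated in the second firewall hunk. As far as this hunk shows, none of the fields read from proxyarp is validated on the check path, so a malformed address or interface would only surface when `ip route replace` runs at start rather than under check — worth a comment on the guard if check is meant to cover syntax only. The body of setup_one_proxy_arp begins outside the hunk.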
@@ -2628,25 +2632,27 @@ setup_proxy_arp() {
         setup_one_proxy_arp
     done < $TMP_DIR/proxyarp
-    for interface in $resetlist; do
-        list_search $interface $setlist || \
-            run_and_save_command "echo 0 > /proc/sys/net/ipv4/conf/$interface/proxy_arp"
-    done
+    if [ $COMMAND != check ]; then
+        for interface in $resetlist; do
+            list_search $interface $setlist || \
+                run_and_save_command "echo 0 > /proc/sys/net/ipv4/conf/$interface/proxy_arp"
+        done
-    for interface in $setlist; do
-        run_and_save_command "echo 1 > /proc/sys/net/ipv4/conf/$interface/proxy_arp"
-    done
+        for interface in $setlist; do
+            run_and_save_command "echo 1 > /proc/sys/net/ipv4/conf/$interface/proxy_arp"
+        done
-    interfaces=$(find_interfaces_by_option proxyarp)
+        interfaces=$(find_interfaces_by_option proxyarp)
-    for interface in $interfaces; do
-        if echo 1 > /proc/sys/net/ipv4/conf/$interface/proxy_arp 2> /dev/null; then
-            progress_message " Enabled proxy ARP on $interface"
-            save_command "echo 1 > /proc/sys/net/ipv4/conf/$interface/proxy_arp"
-        else
-            error_message "WARNING: Unable to enable proxy ARP on $interface"
-        fi
-    done
+        for interface in $interfaces; do
+            if echo 1 > /proc/sys/net/ipv4/conf/$interface/proxy_arp 2> /dev/null; then
+                progress_message " Enabled proxy ARP on $interface"
+                save_command "echo 1 > /proc/sys/net/ipv4/conf/$interface/proxy_arp"
+            else
+                error_message "WARNING: Unable to enable proxy ARP on $interface"
+            fi
+        done
+    fi
 }
 #
@@ -3666,6 +3672,10 @@ check_config() {
         validate_blacklist
+        echo "Validating Proxy ARP"
+        strip_file proxyarp
+        setup_proxy_arp
+
         echo "Pre-validating Actions..."
         process_actions1
diff --git a/Shorewall/help b/Shorewall/help
index b1465b89a..90f130f3b 100755
--- a/Shorewall/help
+++ b/Shorewall/help
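Review bot: The whole tail of setup_proxy_arp after the read loop is wrapped in `if [ $COMMAND != check ]; then … fi`, re-indenting twenty unchanged lines; an early exit placed right after `done < $TMP_DIR/proxyarp`, `[ "$COMMAND" = check ] && return`, expresses the same intent as a one-line change and keeps the history readable (quote the variable either way, as for the guard in the first firewall hunk). In check mode nothing now touches `/proc/sys/net/ipv4/conf/$interface/proxy_arp`, so an interface named in proxyarp or carrying the proxyarp option that has no such entry is, as far as this hunk shows, not reported by `shorewall check` and only fails at start; if that is intended, a comment on the guard such as `# check validates the file only; sysctl and state changes are skipped` documents the limit. The check_config hunk below relies on setup_proxy_arp's own error reporting for anything it rejects, which is outside what the hunk shows. setup_proxy_arp begins outside the hunk.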
@@ -74,9 +74,9 @@ allow)
 check)
     echo "check: check [ ]
     Performs a cursory validation of the zones, interfaces, hosts,
-    rules, policy and masq files. Use this if you are unsure of any edits
-    you have made to the shorewall configuration. See the try command
-    examples for a recommended way to make changes."
+    rules, policy, masq, blacklist and proxyarp files. Use this if you are
+    unsure of any edits you have made to the shorewall configuration. See the
+    try command examples for a recommended way to make changes."
     ;;
 clear)
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index d24e05341..4fa313f60 100755
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@@ -29,8 +29,8 @@ New Features in Shorewall 2.5.4
     Now, $1 = these, $2 = are and $3 = parameters
-2) The "shorewall check" command now checks the /etc/shorewall/masq
-   file.
+2) The "shorewall check" command now checks the /etc/shorewall/masq,
+   /etc/shorewall/blacklist and /etc/shorewall/proxyarp files.
 Problems Corrected in 2.5.3: