Fix route filtering

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@782 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall/changelog.txt

@@ -24,3 +24,9 @@ Changes since 1.4.7
 
 11) Remove incorrect comment from shorewall.conf regarding Debian
     lockfiles.
+
+12) Change "_exists" suffix (including _nat_exists) to an "exists_"
+    prefix to allow chain names beginning with a digit without
+    lengthening the variable name.
+
+13) Applied and improved Eric Bowles's fix for route filtering.

Shorewall/firewall

@@ -229,7 +229,7 @@ run_tc() {
 #
 # If the chain isn't one of the common chains then add a rule to the chain
 # allowing packets that are part of an established connection. Create a
-# variable ${1}_exists and set its value to Yes to indicate that the chain now
+# variable exists_${1} and set its value to Yes to indicate that the chain now
 # exists.
 #
 createchain() # $1 = chain name, $2 = If "yes", create default rules
@@ -244,7 +244,7 @@ createchain() # $1 = chain name, $2 = If "yes", create default rules
 	    run_iptables -A $1 -m state --state NEW -p tcp ! --syn -j newnotsyn
     fi
 
-    eval ${c}_exists=Yes
+    eval exists_${c}=Yes
 }
 
 createchain2() # $1 = chain name, $2 = If "yes", create default rules
@@ -259,22 +259,22 @@ createchain2() # $1 = chain name, $2 = If "yes", create default rules
 		run_iptables -A $1 -m state --state NEW -p tcp ! --syn -j newnotsyn
 	fi
 	
-	eval ${c}_exists=Yes
+	eval exists_${c}=Yes
     fi
 }
 
 #
 # Determine if a chain exists
 #
-# When we create a chain "chain", we create a variable named chain_exists and
+# When we create a chain "chain", we create a variable named exists_chain and
-# set its value to Yes. This function tests for the "_exists" variable
+# set its value to Yes. This function tests for the "exists_" variable
 # corresponding to the passed chain having the value of "Yes".
 #
 havechain() # $1 = name of chain
 {
     local c=`chain_base $1`
 
-    eval test \"\$${c}_exists\" = Yes
+    eval test \"\$exists_${c}\" = Yes
 }
 
 #
@@ -313,26 +313,26 @@ addrule() # $1 = chain name, remainder of arguments specify the rule
 #
 # Create a nat chain
 #
-# Create a variable ${1}_nat_exists and set its value to Yes to indicate that
+# Create a variable exists_nat_${1} and set its value to Yes to indicate that
 # the chain now exists.
 #
 createnatchain() # $1 = chain name
 {
     run_iptables -t nat -N $1
 
-    eval ${1}_nat_exists=Yes
+    eval exists_nat_${1}=Yes
 }
 
 #
 # Determine if a nat chain exists
 #
-# When we create a chain "chain", we create a variable named chain_nat_exists
+# When we create a chain "chain", we create a variable named exists_nat_chain
-# and set its value to Yes. This function tests for the "_exists" variable
+# and set its value to Yes. This function tests for the "exists_" variable
 # corresponding to the passed chain having the value of "Yes".
 #
 havenatchain() # $1 = name of chain
 {
-    eval test \"\$${1}_nat_exists\" = Yes
+    eval test \"\$exists_nat_${1}\" = Yes
 }
 
 #
@@ -4202,6 +4202,7 @@ add_common_rules() {
 
     if [ -n "$interfaces" ]; then
 	echo "Setting up ARP Filtering..."
+	
 	for interface in $interfaces; do
 	    file=/proc/sys/net/ipv4/conf/$interface/arp_filter
 	    if [ -f $file ]; then
@@ -4215,18 +4216,15 @@ add_common_rules() {
     #
     # Route Filtering
     #
-    for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
-	echo 0 > $f
-    done
-
     interfaces="`find_interfaces_by_option routefilter`"
 
     if [ -n "$interfaces" -o -n "$ROUTE_FILTER" ]; then
 	echo "Setting up Kernel Route Filtering..."
 
-	if [ -n "$ROUTE_FILTER" ]; then
+	for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
-	    echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
+	    echo 0 > $f
-	else
+	done
+
 	for interface in $interfaces; do
 	    file=/proc/sys/net/ipv4/conf/$interface/rp_filter
 	    if [ -f $file ]; then
@@ -4236,7 +4234,10 @@ add_common_rules() {
 		    "Warning: Cannot set route filtering on $interface"
 	    fi
 	done
-	fi
+	
+	echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
+	[ -n "$ROUTE_FILTER" ] && echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter
+	run_ip route flush cache
     fi
     #
     # IP Forwarding

Shorewall/functions

@@ -422,9 +422,6 @@ chain_base() #$1 = interface
 
     while true; do
 	case $c in
-	    [0-9]*)
-                c=C${c}
-		;;
 	    *.*)
 		c="${c%.*}_${c##*.}"
 		;;

Shorewall/releasenotes.txt

@@ -44,9 +44,20 @@ Problems Corrected since version 1.4.7:
 8) An incorrect comment concerning Debian's use of the SYBSYSLOCK
    option has been removed from shorewall.conf.
 
+9) Previously, neither the 'routefilter' interface option nor the
+   ROUTE_FILTER parameter were working properly. This has been
+   corrected. The definition of the ROUTE_FILTER option has changed
+   however. Previously, ROUTE_FILTER=Yes was documented as enabling
+   route filtering on all interfaces (which didn't work). Beginning
+   with this release, setting ROUTE_FILTER=Yes will enable route
+   filtering of all interfaces brought up while Shorewall is
+   started. As a consequence, ROUTE_FILTER=Yes can coexist with the use
+   of the 'routefilter' option in the interfaces file.
+
 Migration Issues:
 
-None.
+1. The definition of the ROUTE_FILTER option in shorewall.conf has
+   changed as described in item 9) above.
 
 New Features:
 
@@ -84,3 +95,4 @@ New Features:
 
 
 
+

Shorewall/shorewall.conf

@@ -349,11 +349,12 @@ CLAMPMSS=No
 # ROUTE FILTERING
 #
 # Set this variable to "Yes" or "yes" if you want kernel route filtering on all
-# interfaces (anti-spoofing measure).
+# interfaces started while Shorewall is started (anti-spoofing measure).
 #
 # If this variable is not set or is set to the empty value, "No" is assumed.
-# In that case, you can still enable route filtering on individual interfaces
+# Regardless of the setting of ROUTE_FILTER, you can still enable route filtering
-# in the /etc/shorewall/interfaces file.
+# on individual interfaces using the 'routefilter' option in the
+# /etc/shorewall/interfaces file.
 
 ROUTE_FILTER=No