Add 'required' interface option

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall/Perl/Shorewall/Providers.pm

@@ -836,13 +836,15 @@ sub lookup_provider( $ ) {
 
 #
 # This function is called by the compiler when it is generating the detect_configuration() function.
-# The function emits code to set the ..._IS_USABLE interface variables appropriately for the
+# The function calls Shorewall::Zones::verify_required_interfaces then emits code to set the
-# optional interfaces
+# ..._IS_USABLE interface variables appropriately for the  optional interfaces
 #
-# Returns true if there were optional interfaces
+# Returns true if there were required or optional interfaces
 #
 sub handle_optional_interfaces() {
 
+    my $returnvalue = verify_required_interfaces;
+
     my $interfaces = find_interfaces_by_option 'optional';
 
     if ( @$interfaces ) {
@@ -877,8 +879,10 @@ sub handle_optional_interfaces() {
 		  'fi' );
 	}
 
-	1;
+	$returnvalue = 1;
     }
+
+    $returnvalue;
 }
 
 #

Shorewall/Perl/Shorewall/Zones.pm

@@ -69,6 +69,7 @@ our @EXPORT = qw( NOTHING
 		  find_interfaces_by_option
 		  get_interface_option
 		  set_interface_option
+		  verify_required_interfaces
 		  validate_hosts_file
 		  find_hosts_by_option
 		  all_ipsets
@@ -223,6 +224,7 @@ sub initialize( $ ) {
 				  nosmurfs    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				  optional    => SIMPLE_IF_OPTION,
 				  proxyarp    => BINARY_IF_OPTION,
+				  required    => SIMPLE_IF_OPTION,
 				  routeback   => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST,
 				  routefilter => NUMERIC_IF_OPTION ,
 				  sourceroute => BINARY_IF_OPTION,
@@ -251,6 +253,7 @@ sub initialize( $ ) {
 				    nosmurfs    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    optional    => SIMPLE_IF_OPTION,
 				    proxyndp    => BINARY_IF_OPTION,
+				    required    => SIMPLE_IF_OPTION,
 				    routeback   => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST,
 				    sourceroute => BINARY_IF_OPTION,
 				    tcpflags    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
@@ -915,6 +918,8 @@ sub process_interface( $$ ) {
 	    }
 	}
 
+	fatal_error "Invalid combination of interface options" if $options{required} && $options{optional};
+
 	if ( $netsref eq 'dynamic' ) {
 	    my $ipset = "${zone}_" . chain_base $physical;
 	    $netsref = [ "+$ipset" ];
@@ -1169,6 +1174,26 @@ sub set_interface_option( $$$ ) {
     $interfaces{$interface}{options}{$option} = $value;
 }
 
+#
+# Verify that all required interfaces are available
+#
+sub verify_required_interfaces() {
+    
+    my $interfaces = find_interfaces_by_option 'required';
+
+    if ( @$interfaces ) {
+	for my $interface (@$interfaces ) {
+	    my $physical = get_physical $interface;
+	    
+	    emit qq(if ! interface_is_usable $physical; then);
+	    emit qq(    startup_error "Required interface $physical not available");
+	    emit qq(fi\n);
+	}
+
+	1;
+    }
+}
+
 #
 # Process a record in the hosts file
 #

manpages/shorewall-interfaces.xml

@@ -107,6 +107,8 @@ loc     eth2            -</programlisting>
 
             <member>proxyarp</member>
 
+            <member>required</member>
+
             <member>routefilter</member>
 
             <member>sourceroute</member>
@@ -382,7 +384,7 @@ loc     eth2            -</programlisting>
             </varlistentry>
 
             <varlistentry>
-              <term><emphasis role="bold">nosmurfs</emphasis></term>
+              <term>nosmurfs</term>
 
               <listitem>
                 <para>Filter packets for smurfs (packets with a broadcast
@@ -416,31 +418,24 @@ loc     eth2            -</programlisting>
                   </listitem>
                 </itemizedlist>
 
-                <para></para>
+                <para>May not be specified with <emphasis
+                role="bold">required</emphasis>.</para>
 
-                <blockquote>
+                <caution>
-                  <para>I specify <option>optional</option> on interfaces to
+                  <para>Use <option>optional</option> at your own risk. If you
-                  Xen virtual machines that may or may not be running when
+                  [re]start Shorewall when an 'optional' interface is not
-                  Shorewall is [re]started.</para>
+                  available and then do a <command>shorewall save</command>,
-
+                  subsequent <command>shorewall restore</command> and
-                  <para></para>
+                  <command>shorewall -f start</command> operations will
-
+                  instantiate a ruleset that does not support that interface,
-                  <caution>
+                  even if it is available at the time of the
-                    <para>Use <option>optional</option> at your own risk. If
+                  restore/start.</para>
-                    you [re]start Shorewall when an 'optional' interface is
+                </caution>
-                    not available and then do a <command>shorewall
-                    save</command>, subsequent <command>shorewall
-                    restore</command> and <command>shorewall -f
-                    start</command> operations will instantiate a ruleset that
-                    does not support that interface, even if it is available
-                    at the time of the restore/start.</para>
-                  </caution>
-                </blockquote>
               </listitem>
             </varlistentry>
 
             <varlistentry>
-              <term>physical=<emphasis
+              <term><emphasis role="bold">physical</emphasis>=<emphasis
               role="bold"><emphasis>name</emphasis></emphasis></term>
 
               <listitem>
@@ -486,6 +481,17 @@ loc     eth2            -</programlisting>
               </listitem>
             </varlistentry>
 
+            <varlistentry>
+              <term><emphasis role="bold">required</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.4.10. If this option is set, the
+                firewall will fail to start if the interface is not usable.
+                May not be specified together with <emphasis
+                role="bold">optional</emphasis>.</para>
+              </listitem>
+            </varlistentry>
+
             <varlistentry>
               <term><emphasis role="bold">routeback</emphasis></term>
 
@@ -523,11 +529,9 @@ loc     eth2            -</programlisting>
                   the INTERFACE column.</para>
                 </note>
 
-                <blockquote>
+                <para>This option can also be enabled globally in the <ulink
-                  <para>This option can also be enabled globally in the <ulink
+                url="shorewall.conf.html">shorewall.conf</ulink>(5)
-                  url="shorewall.conf.html">shorewall.conf</ulink>(5)
+                file.</para>
-                  file.</para>
-                </blockquote>
               </listitem>
             </varlistentry>
 

manpages6/shorewall6-interfaces.xml

@@ -186,6 +186,9 @@ loc     eth2            -</programlisting>
                     cannot be obtained.</para>
                   </listitem>
                 </itemizedlist>
+
+                <para>This option may not be specified together with <emphasis
+                role="bold">required</emphasis>.</para>
               </listitem>
             </varlistentry>
 
@@ -211,6 +214,17 @@ loc     eth2            -</programlisting>
               </listitem>
             </varlistentry>
 
+            <varlistentry>
+              <term><emphasis role="bold">required</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.4.10. When specified, the firewall
+                will fail to start if the interface named in the INTERFACE
+                column is not usable. May not be specified together with
+                <emphasis role="bold">optional</emphasis>.</para>
+              </listitem>
+            </varlistentry>
+
             <varlistentry>
               <term><emphasis role="bold">routeback</emphasis></term>