Implement the 'REQUIRE_INTERFACE' option.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2010-05-19 07:32:02 -07:00 · 2010-05-19 07:32:02 -07:00 · 50dc02da07
commit 50dc02da07
parent 62f3e5f009
3 changed files with 47 additions and 1 deletions
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@ -460,6 +460,7 @@ sub initialize( $ ) {
 	      OPTIMIZE_ACCOUNTING => undef,
 	      DYNAMIC_BLACKLIST => undef,
 	      LOAD_HELPERS_ONLY => undef,
+	      REQUIRE_INTERFACE => undef,
 	      #
 	      # Packet Disposition
 	      #
@ -580,6 +581,7 @@ sub initialize( $ ) {
 	      OPTIMIZE_ACCOUNTING => undef,
 	      DYNAMIC_BLACKLIST => undef,
 	      LOAD_HELPERS_ONLY => undef,
+	      REQUIRE_INTERFACE => undef,
 	      #
 	      # Packet Disposition
 	      #
@ -2947,6 +2949,7 @@ sub get_configuration( $ ) {
    default_yes_no 'ACCOUNTING'                 , 'Yes';
    default_yes_no 'OPTIMIZE_ACCOUNTING'        , '';
    default_yes_no 'DYNAMIC_BLACKLIST'          , 'Yes';
+    default_yes_no 'REQUIRE_INTERFACE'          , '';

    numeric_option 'TC_BITS',          $config{WIDE_TC_MARKS} ? 14 : 8 , 0;
    numeric_option 'MASK_BITS',        $config{WIDE_TC_MARKS} ? 16 : 8,  $config{TC_BITS};
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@ -853,7 +853,12 @@ sub handle_optional_interfaces() {
 	    my $physical = get_physical $interface;
 	    my $base     = uc chain_base( $physical );

-	    emit '';
+	    emit( '' );
+
+	    if ( $config{REQUIRE_INTERFACE} ) {
+		emit( 'HAVE_INTERFACE=' );
+		emit( '' );
+	    }

 	    if ( $provider ) {
 		#
@ -873,12 +878,37 @@ sub handle_optional_interfaces() {
 		emit qq(if interface_is_usable $physical; then);
 	    }

+	    emit( '    HAVE_INTERFACE=Yes' ) if $config{REQUIRE_INTERFACE};
+
 	    emit( "    SW_${base}_IS_USABLE=Yes" ,
 		  'else' ,
 		  "    SW_${base}_IS_USABLE=" ,
 		  'fi' );
 	}

+	if ( $config{REQUIRE_INTERFACE} ) {
+	    emit( '', 
+		  'if [ -z "$HAVE_INTERFACE" ]; then' ,
+		  '    case "$COMMAND" in',
+		  '        start|restart|restore|refresh)'
+		);
+
+	    if ( $family == F_IPV4 ) {
+		emit( '            if shorewall_is_started; then' );
+	    } else {
+		emit( '            if shorewall6_is_started; then' );
+	    }
+	
+	    emit( '                fatal_error "No network interface available"',
+		  '            else',
+		  '                startup_error "No network interface available',
+		  '            fi',
+		  '            ;;',
+		  '    esac',
+		  'fi'
+		);
+	}
+
 	$returnvalue = 1;
    }

--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@ -342,6 +342,19 @@ None.
    Please note that the action is carried out using the current
    compiled script; the configuration is not recompiled.

+    A new option has been added to shorewall.conf and
+    shorewall6.conf. The REQUIRE_INTERFACE option determines the
+    outcome when an attempt to start/restart/restore/refresh the
+    firewall is made and none of the optional interfaces are available.
+    With REQUIRE_INTERFACE=No (the default), the operation is
+    performed. If REQUIRE_INTERFACE=Yes, then the operation fails and
+    the firewall is placed in the stopped state. This option is
+    suitable for a laptop with both ethernet and wireless
+    interfaces. If either come up, the firewall starts. If neither
+    comes up, the firewall remains in the stopped state. Similarly, if
+    an optional interface goes down and there are no optional
+    interfaces remaining in the up state, then the firewall is stopped.
+
 ----------------------------------------------------------------------------
 V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
      I N   P R I O R  R E L E A S E S