From 620ad874c1ba4d9e01d082c543d7a35566b3e02e Mon Sep 17 00:00:00 2001
From: teastep
Date: Sat, 13 Dec 2008 22:17:21 +0000
Subject: [PATCH] Add 'proxyndp' interface option

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9039 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Shorewall-common/changelog.txt | 4 ++
 Shorewall-perl/Shorewall/Compiler.pm | 6 +-
 Shorewall-perl/Shorewall/Proxyarp.pm | 94 +++++++++++++++++-----------
 Shorewall-perl/Shorewall/Zones.pm | 1 +
 4 files changed, 65 insertions(+), 40 deletions(-)

diff --git a/Shorewall-common/changelog.txt b/Shorewall-common/changelog.txt
index cd00fc959..1b5126a2e 100644
--- a/Shorewall-common/changelog.txt
+++ b/Shorewall-common/changelog.txt
@@ -6,6 +6,10 @@ Changes in Shorewall 4.3.3
 3) Enabled Traffic Shaping
+4) Convert AllowICMPs to a builtin action.
+
+5) Add 'proxyndp' interface option.
+
 Changes in Shorewall 4.3.2
 1) Added 'dhcp' option.
diff --git a/Shorewall-perl/Shorewall/Compiler.pm b/Shorewall-perl/Shorewall/Compiler.pm
index 20954da9d..4141d99fe 100644
--- a/Shorewall-perl/Shorewall/Compiler.pm
+++ b/Shorewall-perl/Shorewall/Compiler.pm
@@ -70,7 +70,7 @@ sub reinitialize() {
 Shorewall::Actions::initialize( $family );
 Shorewall::Accounting::initialize;
 Shorewall::Rules::initialize($family);
- Shorewall::Proxyarp::initialize;
+ Shorewall::Proxyarp::initialize($family);
 Shorewall::IPAddrs::initialize($family);
 }
@@ -972,9 +972,9 @@ sub compiler {
 setup_source_routing;
 #
- # Proxy Arp
+ # Proxy Arp/Ndp
 #
- setup_proxy_arp if $family == F_IPV4;
+ setup_proxy_arp;
 #
 # Handle MSS setings in the zones file
 #
diff --git a/Shorewall-perl/Shorewall/Proxyarp.pm b/Shorewall-perl/Shorewall/Proxyarp.pm
index e727d516c..c84d3920e 100644
--- a/Shorewall-perl/Shorewall/Proxyarp.pm
+++ b/Shorewall-perl/Shorewall/Proxyarp.pm
@@ -39,6 +39,8 @@ our $VERSION = 4.0.6;
 our @proxyarp;
+our $family;
+
 #
 # Initialize globals -- we take this novel approach to globals initialization to allow
 # the compiler to run multiple times in the same process. The
@@ -48,12 +50,13 @@ our @proxyarp;
 # the second and subsequent calls to that function.
 #
-sub initialize() {
+sub initialize( $ ) {
+ $family = shift;
 @proxyarp = ();
 }
 INIT {
- initialize;
+ initialize( F_IPV4 );
 }
 sub setup_one_proxy_arp( $$$$$ ) {
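Review bot: `sub initialize( $ )` now takes the address family, but nothing in the hunk says what the argument is, and `INIT { initialize( F_IPV4 ); }` depends on `F_IPV4` being imported into Proxyarp.pm; the file's `use` lines are outside this hunk, so please confirm the constant is in scope, otherwise it is a bareword under strict. A one-line comment above the sub would help the next reader, e.g. `# $_[0] is the address family (F_IPV4 or F_IPV6); it selects the proxy ARP vs. proxy NDP branch in setup_proxy_arp`. Note that the INIT default is IPv4, so as far as this diff shows, any caller that reaches setup_proxy_arp without going through Compiler.pm's reinitialize($family) silently takes the IPv4 path.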
@@ -95,58 +98,75 @@ sub setup_one_proxy_arp( $$$$$ ) { # Setup Proxy ARP # sub setup_proxy_arp() { + if ( $family == F_IPV4 ) { - my $interfaces= find_interfaces_by_option 'proxyarp'; - my $fn = open_file 'proxyarp'; + my $interfaces= find_interfaces_by_option 'proxyarp'; + my $fn = open_file 'proxyarp'; - if ( @$interfaces || $fn ) { + if ( @$interfaces || $fn ) { - my $first_entry = 1; + my $first_entry = 1; - save_progress_message "Setting up Proxy ARP..."; + save_progress_message "Setting up Proxy ARP..."; + + my ( %set, %reset ); - my ( %set, %reset ); + while ( read_a_line ) { - while ( read_a_line ) { + my ( $address, $interface, $external, $haveroute, $persistent ) = split_line 3, 5, 'proxyarp file'; - my ( $address, $interface, $external, $haveroute, $persistent ) = split_line 3, 5, 'proxyarp file'; + if ( $first_entry ) { + progress_message2 "$doing $fn..."; + $first_entry = 0; + } - if ( $first_entry ) { - progress_message2 "$doing $fn..."; - $first_entry = 0; + $set{$interface} = 1; + $reset{$external} = 1 unless $set{$external}; + + setup_one_proxy_arp( $address, $interface, $external, $haveroute, $persistent ); } - $set{$interface} = 1; - $reset{$external} = 1 unless $set{$external}; + emit ''; - setup_one_proxy_arp( $address, $interface, $external, $haveroute, $persistent ); - } - - emit ''; - - for my $interface ( keys %reset ) { - unless ( $set{interface} ) { + for my $interface ( keys %reset ) { + unless ( $set{interface} ) { + emit ( "if [ -f /proc/sys/net/ipv4/conf/$interface/proxy_arp ]; then" , + " echo 0 > /proc/sys/net/ipv4/conf/$interface/proxy_arp" ); + emit "fi\n"; + } + } + + for my $interface ( keys %set ) { emit ( "if [ -f /proc/sys/net/ipv4/conf/$interface/proxy_arp ]; then" , - " echo 0 > /proc/sys/net/ipv4/conf/$interface/proxy_arp" ); + " echo 1 > /proc/sys/net/ipv4/conf/$interface/proxy_arp" ); + emit ( 'else' , + " error_message \" WARNING: Cannot set the 'proxy_arp' option for interface $interface\"" ) unless 
interface_is_optional( $interface ); emit "fi\n"; } + + for my $interface ( @$interfaces ) { + my $value = get_interface_option $interface, 'proxyarp'; + emit ( "if [ -f /proc/sys/net/ipv4/conf/$interface/proxy_arp ] ; then" , + " echo $value > /proc/sys/net/ipv4/conf/$interface/proxy_arp" ); + emit ( 'else' , + " error_message \"WARNING: Unable to set/reset proxy ARP on $interface\"" ) unless interface_is_optional( $interface ); + emit "fi\n"; + } } + } else { + my $interfaces= find_interfaces_by_option 'proxyndp'; - for my $interface ( keys %set ) { - emit ( "if [ -f /proc/sys/net/ipv4/conf/$interface/proxy_arp ]; then" , - " echo 1 > /proc/sys/net/ipv4/conf/$interface/proxy_arp" ); - emit ( 'else' , - " error_message \" WARNING: Cannot set the 'proxy_arp' option for interface $interface\"" ) unless interface_is_optional( $interface ); - emit "fi\n"; - } + if ( @$interfaces ) { + save_progress_message "Setting up Proxy NDP..."; - for my $interface ( @$interfaces ) { - my $value = get_interface_option $interface, 'proxyarp'; - emit ( "if [ -f /proc/sys/net/ipv4/conf/$interface/proxy_arp ] ; then" , - " echo $value > /proc/sys/net/ipv4/conf/$interface/proxy_arp" ); - emit ( 'else' , - " error_message \"WARNING: Unable to set/reset proxy ARP on $interface\"" ) unless interface_is_optional( $interface ); - emit "fi\n"; + for my $interface ( @$interfaces ) { + my $value = get_interface_option $interface, 'proxyndp'; + emit ( "if [ -f /proc/sys/net/ipv6/conf/$interface/proxy_ndp ] ; then" , + " echo $value > /proc/sys/net/ipv6/conf/$interface/proxy_ndp" ); + emit ( 'else' , + " error_message \"WARNING: Unable to set/reset Proxy NDP on $interface\"" ) unless interface_is_optional( $interface ); + emit "fi\n"; + } } } } diff --git a/Shorewall-perl/Shorewall/Zones.pm b/Shorewall-perl/Shorewall/Zones.pm index 9b4f2f247..e3c8b91fa 100644 --- a/Shorewall-perl/Shorewall/Zones.pm +++ b/Shorewall-perl/Shorewall/Zones.pm 
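Review bot: The re-indented reset loop on the new side still reads `unless ( $set{interface} )` — a bareword key, so it looks up the literal string "interface" rather than `$interface`, and the guard is effectively always true: every interface named in the EXTERNAL column of the proxyarp file is first forced to `proxy_arp=0`, and those that are also in %set are flipped back to 1 by the following loop, so the end state is right but the generated script toggles proxy ARP off and on for those interfaces, and the guard's intent is lost (this predates the commit but the line was rewritten here). The fix is `unless ( $set{$interface} ) {`. Separately, the new IPv6 `else` branch only writes the `proxy_ndp` sysctl from the interface option and never opens the proxyarp file, so no per-address proxy neighbour entries are emitted; as far as I know the kernel only answers solicitations for addresses in its proxy table, so `proxyndp=1` alone may do nothing — a comment at the `else` saying that address-level entries are deliberately out of scope (or a changelog note) would avoid a false sense of coverage. Both `$interface` and `$value` are interpolated directly into the emitted shell (`echo $value > /proc/sys/net/ipv6/conf/$interface/proxy_ndp`), so this relies on the interfaces-file validation in Zones.pm having constrained them to an interface name and 0/1; that validation is outside this hunk.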
@@ -631,6 +631,7 @@ sub validate_interfaces_file( $ )
 maclist => SIMPLE_IF_OPTION,
 nosmurfs => SIMPLE_IF_OPTION,
 optional => SIMPLE_IF_OPTION,
+ proxyndp => BINARY_IF_OPTION,
 routeback => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY,
 sourceroute => BINARY_IF_OPTION,
 tcpflags => SIMPLE_IF_OPTION,
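Review bot: `proxyndp => BINARY_IF_OPTION` is registered with no regard to the address family, so if this option table serves both families (the hunk does not show that) an IPv4 configuration that sets `proxyndp=1` is accepted silently and has no effect, because the IPv4 branch of setup_proxy_arp only consults 'proxyarp'; the converse presumably holds for `proxyarp` under IPv6. For a knob that changes which addresses the host answers for on the wire, a silent no-op is worse than an error, so consider rejecting it for the wrong family where the option is processed, e.g. `fatal_error "The 'proxyndp' option is only valid in IPv6 configurations" if $family == F_IPV4;` — assuming the family and the error helper are reachable from validate_interfaces_file, whose body starts outside this hunk. Failing that, document the restriction next to the option in the interfaces manpage. Also double-check that the operator in the neighbouring `SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY` line is not mistaken for a diff marker when this patch is re-applied from a wrapped mail.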