Add arp_filter interface option

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@690 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2003-08-08 20:55:06 +00:00 · 2003-08-08 20:55:06 +00:00 · b235cd19e1
commit b235cd19e1
parent 61ba5353e5
4 changed files with 43 additions and 3 deletions
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@ -22,3 +22,5 @@ Changes since 1.4.6
 10) Added support for Address Range Lists in /etc/shorewall/masq.

 11) Simplify ip_broadcast()
+
+12) Add 'arp_filter' interface option.
--- a/Shorewall/firewall
+++ b/Shorewall/firewall
@ -597,7 +597,7 @@ validate_interfaces_file() {

 	for option in $options; do
 	    case $option in
-		dhcp|norfc1918|tcpflags|newnotsyn)
+		dhcp|norfc1918|tcpflags|newnotsyn|arp_filter)
 		    ;;
 		routefilter|dropunclean|logunclean|blacklist|proxyarp|maclist|-)
 		    ;;
@ -3813,6 +3813,27 @@ add_common_rules() {
 	done
    fi
    #
+    # ARP Filtering
+    #
+    for f in /proc/sys/net/ipv4/conf/*/arp_filter; do
+	echo 0 > $f
+    done
+
+    interfaces=`find_interfaces_by_option arp_filter`
+
+    if [ -n "$interfaces" ]; then
+	echo "Setting up ARP Filtering..."
+	for interface in $interfaces; do
+	    file=/proc/sys/net/ipv4/conf/$interface/arp_filter
+	    if [ -f $file ]; then
+		echo 1 > $file
+	    else
+		error_message \
+		    "Warning: Cannot set ARP filtering on $interface"
+	    fi
+	done
+    fi
+    #
    # Process Black List
    #
    setup_blacklist
@ -3832,8 +3853,6 @@ add_common_rules() {
 	if [ -n "$ROUTE_FILTER" ]; then
 	    echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
 	else
-	    echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
-
 	    for interface in $interfaces; do
 		file=/proc/sys/net/ipv4/conf/$interface/rp_filter
 		if [ -f $file ]; then
--- a/Shorewall/interfaces
+++ b/Shorewall/interfaces
@ -103,6 +103,15 @@
 #				       This option has no effect if 
 #				       NEWNOTSYN=Yes.
 #
+#			arp_filter   - If specified, this interface will only
+#				       respond to ARP who-has requests for IP
+#				       addresses configured on the interface.
+#				       If not specified, the interface can
+#				       respond to ARP who-has requests for
+#				       IP addresses on any of the firewall's
+#                                      interface. The interface must be up
+#				       when Shorewall is started.
+#
 #			The order in which you list the options is not
 #			significant but the list should have no embedded white
 #			space.
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@ -115,4 +115,14 @@ New Features:
 			If specified, the remote gateway is to be
 			considered part of these zones.

+5) An 'arp_filter' option has been added to the
+   /etc/shorewall/interfaces file. This option causes
+   /proc/sys/net/ipv4/conf/<interface>/arp_filter to be set with the
+   result that this interface will only answer ARP 'who-has' requests
+   from hosts that are routed out of that interface. Setting this
+   option facilitates testing of your firewall where multiple firewall
+   interfaces are connected to the same HUB/Switch (all interfaces
+   connected to the single HUB/Switch should have this option
+   specified). Note that using such a configuration in a production
+   environment is strongly recommended against.