Add arp_filter interface option

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@690 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2003-08-08 20:55:06 +00:00
parent 61ba5353e5
commit b235cd19e1
4 changed files with 43 additions and 3 deletions


@ -22,3 +22,5 @@ Changes since 1.4.6
10) Added support for Address Range Lists in /etc/shorewall/masq. 10) Added support for Address Range Lists in /etc/shorewall/masq.
11) Simplify ip_broadcast() 11) Simplify ip_broadcast()
12) Add 'arp_filter' interface option.


@ -597,7 +597,7 @@ validate_interfaces_file() {
for option in $options; do for option in $options; do
case $option in case $option in
dhcp|norfc1918|tcpflags|newnotsyn) dhcp|norfc1918|tcpflags|newnotsyn|arp_filter)
;; ;;
routefilter|dropunclean|logunclean|blacklist|proxyarp|maclist|-) routefilter|dropunclean|logunclean|blacklist|proxyarp|maclist|-)
;; ;;
@ -3813,6 +3813,27 @@ add_common_rules() {
done done
fi fi
# #
# ARP Filtering
#
for f in /proc/sys/net/ipv4/conf/*/arp_filter; do
echo 0 > $f
done
interfaces=`find_interfaces_by_option arp_filter`
if [ -n "$interfaces" ]; then
echo "Setting up ARP Filtering..."
for interface in $interfaces; do
file=/proc/sys/net/ipv4/conf/$interface/arp_filter
if [ -f $file ]; then
echo 1 > $file
else
error_message \
"Warning: Cannot set ARP filtering on $interface"
fi
done
fi
#
# Process Black List # Process Black List
# #
setup_blacklist setup_blacklist
@ -3832,8 +3853,6 @@ add_common_rules() {
if [ -n "$ROUTE_FILTER" ]; then if [ -n "$ROUTE_FILTER" ]; then
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
else else
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
for interface in $interfaces; do for interface in $interfaces; do
file=/proc/sys/net/ipv4/conf/$interface/rp_filter file=/proc/sys/net/ipv4/conf/$interface/rp_filter
if [ -f $file ]; then if [ -f $file ]; then
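Review bot: The reset loop at the top of the new ARP Filtering block (`for f in /proc/sys/net/ipv4/conf/*/arp_filter`) has no existence check, unlike the per-interface branch a few lines below that guards with `[ -f $file ]`; on a kernel whose /proc tree exposes no arp_filter entries the unmatched glob is passed through literally and `echo 0 > $f` prints a "No such file or directory" error at every firewall start. Changing the loop body to `[ -f "$f" ] && echo 0 > "$f"` keeps the reset silent on such kernels and is consistent with the guard used for the per-interface write. Note also that the glob matches the `all` and `default` entries as well as real interfaces, so an arp_filter value an administrator set globally outside Shorewall is presumably cleared on each start; if that is intended, a comment such as `# Clear arp_filter everywhere (incl. all/default) so only interfaces listed with the option keep it` would make it explicit. add_common_rules() starts and ends outside these hunks.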


@ -103,6 +103,15 @@
# This option has no effect if # This option has no effect if
# NEWNOTSYN=Yes. # NEWNOTSYN=Yes.
# #
# arp_filter - If specified, this interface will only
# respond to ARP who-has requests for IP
# addresses configured on the interface.
# If not specified, the interface can
# respond to ARP who-has requests for
# IP addresses on any of the firewall's
# interface. The interface must be up
# when Shorewall is started.
#
# The order in which you list the options is not # The order in which you list the options is not
# significant but the list should have no embedded white # significant but the list should have no embedded white
# space. # space.


@ -115,4 +115,14 @@ New Features:
If specified, the remote gateway is to be If specified, the remote gateway is to be
considered part of these zones. considered part of these zones.
5) An 'arp_filter' option has been added to the
/etc/shorewall/interfaces file. This option causes
/proc/sys/net/ipv4/conf/<interface>/arp_filter to be set with the
result that this interface will only answer ARP 'who-has' requests
from hosts that are routed out of that interface. Setting this
option facilitates testing of your firewall where multiple firewall
interfaces are connected to the same HUB/Switch (all interfaces
connected to the single HUB/Switch should have this option
specified). Note that using such a configuration in a production
environment is strongly recommended against.