forked from extern/shorewall_code
Add arp_filter interface option
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@690 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
61ba5353e5
commit
b235cd19e1
@ -22,3 +22,5 @@ Changes since 1.4.6
|
|||||||
10) Added support for Address Range Lists in /etc/shorewall/masq.
|
10) Added support for Address Range Lists in /etc/shorewall/masq.
|
||||||
|
|
||||||
11) Simplify ip_broadcast()
|
11) Simplify ip_broadcast()
|
||||||
|
|
||||||
|
12) Add 'arp_filter' interface option.
|
||||||
|
@ -597,7 +597,7 @@ validate_interfaces_file() {
|
|||||||
|
|
||||||
for option in $options; do
|
for option in $options; do
|
||||||
case $option in
|
case $option in
|
||||||
dhcp|norfc1918|tcpflags|newnotsyn)
|
dhcp|norfc1918|tcpflags|newnotsyn|arp_filter)
|
||||||
;;
|
;;
|
||||||
routefilter|dropunclean|logunclean|blacklist|proxyarp|maclist|-)
|
routefilter|dropunclean|logunclean|blacklist|proxyarp|maclist|-)
|
||||||
;;
|
;;
|
||||||
@ -3813,6 +3813,27 @@ add_common_rules() {
|
|||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
#
|
#
|
||||||
|
# ARP Filtering
|
||||||
|
#
|
||||||
|
for f in /proc/sys/net/ipv4/conf/*/arp_filter; do
|
||||||
|
echo 0 > $f
|
||||||
|
done
|
||||||
|
|
||||||
|
interfaces=`find_interfaces_by_option arp_filter`
|
||||||
|
|
||||||
|
if [ -n "$interfaces" ]; then
|
||||||
|
echo "Setting up ARP Filtering..."
|
||||||
|
for interface in $interfaces; do
|
||||||
|
file=/proc/sys/net/ipv4/conf/$interface/arp_filter
|
||||||
|
if [ -f $file ]; then
|
||||||
|
echo 1 > $file
|
||||||
|
else
|
||||||
|
error_message \
|
||||||
|
"Warning: Cannot set ARP filtering on $interface"
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
fi
|
||||||
|
#
|
||||||
# Process Black List
|
# Process Black List
|
||||||
#
|
#
|
||||||
setup_blacklist
|
setup_blacklist
|
||||||
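Review bot: The reset loop `for f in /proc/sys/net/ipv4/conf/*/arp_filter; do echo 0 > $f; done` has no guard for an unmatched glob: on a kernel that exposes no arp_filter files the literal pattern is passed through and the redirection fails, so the body should be `[ -f $f ] && echo 0 > $f`, mirroring the `if [ -f $file ]` check the per-interface branch below already does. The loop also clears conf/all and conf/default together with every interface, so a value an administrator set outside Shorewall is silently overridden on each start; a comment above the loop such as `# Reset arp_filter everywhere so only interfaces listed with the option end up enabled` would make that intent explicit. The warning path for a missing proc file only logs and leaves the interface with arp_filter off, which is the "must be up when Shorewall is started" case the interfaces file documents. add_common_rules continues outside the hunk.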
@ -3832,8 +3853,6 @@ add_common_rules() {
|
|||||||
if [ -n "$ROUTE_FILTER" ]; then
|
if [ -n "$ROUTE_FILTER" ]; then
|
||||||
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
|
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
|
||||||
else
|
else
|
||||||
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
|
|
||||||
|
|
||||||
for interface in $interfaces; do
|
for interface in $interfaces; do
|
||||||
file=/proc/sys/net/ipv4/conf/$interface/rp_filter
|
file=/proc/sys/net/ipv4/conf/$interface/rp_filter
|
||||||
if [ -f $file ]; then
|
if [ -f $file ]; then
|
||||||
|
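Review bot: The removed `echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter` appears to have been the only statement in this `else` branch that cleared the global flag when ROUTE_FILTER is unset, so unless an earlier loop outside the hunk already zeroes every conf/*/rp_filter, a value left from a previous start now persists across a restart. If that earlier reset exists, a one-line comment in the branch (`# all/rp_filter already cleared by the reset loop above`) would make the deletion self-explanatory; if it does not, the line should stay. The enclosing if/else and add_common_rules continue outside the hunk.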
@ -103,6 +103,15 @@
|
|||||||
# This option has no effect if
|
# This option has no effect if
|
||||||
# NEWNOTSYN=Yes.
|
# NEWNOTSYN=Yes.
|
||||||
#
|
#
|
||||||
|
# arp_filter - If specified, this interface will only
|
||||||
|
# respond to ARP who-has requests for IP
|
||||||
|
# addresses configured on the interface.
|
||||||
|
# If not specified, the interface can
|
||||||
|
# respond to ARP who-has requests for
|
||||||
|
# IP addresses on any of the firewall's
|
||||||
|
# interface. The interface must be up
|
||||||
|
# when Shorewall is started.
|
||||||
|
#
|
||||||
# The order in which you list the options is not
|
# The order in which you list the options is not
|
||||||
# significant but the list should have no embedded white
|
# significant but the list should have no embedded white
|
||||||
# space.
|
# space.
|
||||||
|
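Review bot: The new arp_filter comment says the interface will "only respond to ARP who-has requests for IP addresses configured on the interface", while the release notes in this same commit say it will "only answer ARP 'who-has' requests from hosts that are routed out of that interface"; the two descriptions do not agree, and as far as I know the release-notes wording is the one that matches the kernel flag (a route lookup on the requester, not an address check). Suggest replacing the lines `# respond to ARP who-has requests for IP` / `# addresses configured on the interface.` with `# answer ARP who-has requests from hosts` / `# that are routed out of this interface.`. It would also help to note here that Shorewall clears arp_filter on every interface at start, so the flag is only left on for interfaces listed with this option.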
@ -115,4 +115,14 @@ New Features:
|
|||||||
If specified, the remote gateway is to be
|
If specified, the remote gateway is to be
|
||||||
considered part of these zones.
|
considered part of these zones.
|
||||||
|
|
||||||
|
5) An 'arp_filter' option has been added to the
|
||||||
|
/etc/shorewall/interfaces file. This option causes
|
||||||
|
/proc/sys/net/ipv4/conf/<interface>/arp_filter to be set with the
|
||||||
|
result that this interface will only answer ARP 'who-has' requests
|
||||||
|
from hosts that are routed out of that interface. Setting this
|
||||||
|
option facilitates testing of your firewall where multiple firewall
|
||||||
|
interfaces are connected to the same HUB/Switch (all interfaces
|
||||||
|
connected to the single HUB/Switch should have this option
|
||||||
|
specified). Note that using such a configuration in a production
|
||||||
|
environment is strongly recommended against.
|
||||||
|
|
||||||
|