diff --git a/Shorewall-common/releasenotes.txt b/Shorewall-common/releasenotes.txt index 49fafaf87..6b989dae5 100644 --- a/Shorewall-common/releasenotes.txt +++ b/Shorewall-common/releasenotes.txt @@ -64,6 +64,12 @@ Problems corrected in Shorewall 3.9.2 10) A syntax error in the lib.base Shell library has been corrected. +11) When ROUTE_FILTER=Yes in shorewall.conf, Shorewall no longer clears + the rp_filter flag for all interfaces. + +12) When LOG_MARTIANS=Yes in shorewall.conf, Shorewall no longer clears + the log_martians flag for all interfaces. + Other changes in Shorewall 3.9.2 1) A LOCKFILE option has been added to shorewall.conf. This file is diff --git a/Shorewall-perl/Shorewall/Proc.pm b/Shorewall-perl/Shorewall/Proc.pm index 95ecb825d..2a621000a 100644 --- a/Shorewall-perl/Shorewall/Proc.pm +++ b/Shorewall-perl/Shorewall/Proc.pm @@ -105,10 +105,12 @@ sub setup_route_filtering() { save_progress_message "Setting up Route Filtering..."; - emit "for f in /proc/sys/net/ipv4/conf/*; do - [ -f \$f/log_martians ] && echo 0 > \$f/rp_filter + unless ( $config{ROUTE_FILTER} ) { + emit "for f in /proc/sys/net/ipv4/conf/*; do + [ -f \$f/rp_filter ] && echo 0 > \$f/rp_filter done "; + } for my $interface ( @$interfaces ) { my $file = "/proc/sys/net/ipv4/conf/$interface/rp_filter"; @@ -121,12 +123,8 @@ fi "; } - emit 'echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter'; - - if ( $config{ROUTE_FILTER} ) { - emit 'echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter'; - emit 'echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter'; - } + emit 'echo 1 0 /proc/sys/net/ipv4/conf/all/rp_filter'; + emit 'echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter' if $config{ROUTE_FILTER}; emit "[ -n \"\$NOROUTES\" ] || ip route flush cache"; } 
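Review bot: The rewritten `all/rp_filter` line in the `@@ -121` hunk of Proc.pm has `0` where the redirection operator was, so the generated script prints `1 0 /proc/sys/net/ipv4/conf/all/rp_filter` to stdout and never writes the flag. It should read `emit 'echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter';`. Because `echo` still exits successfully, nothing at start-up would show that reverse-path filtering on `all` kept its previous value. How far that weakens the per-interface settings depends on how the running kernel combines the `all` and per-interface values. The enclosing block opens above the hunk.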
@@ -162,11 +160,7 @@ fi } emit 'echo 1 > /proc/sys/net/ipv4/conf/all/log_martians'; - - if ( $config{LOG_MARTIANS} ) { - emit 'echo 1 > /proc/sys/net/ipv4/conf/default/log_martians'; - emit 'echo 1 > /proc/sys/net/ipv4/conf/all/log_martians'; - } + emit 'echo 1 > /proc/sys/net/ipv4/conf/default/log_martians' if $config{LOG_MARTIANS}; } } diff --git a/Shorewall-shell/compiler b/Shorewall-shell/compiler index 91f846b85..5ba533152 100755 --- a/Shorewall-shell/compiler +++ b/Shorewall-shell/compiler @@ -3715,13 +3715,16 @@ __EOF__ save_progress_message "Setting up Route Filtering..." - indent >&3 << __EOF__ + if [ -z "$ROUTE_FILTER" ]; THEN + indent >&3 << __EOF__ for f in /proc/sys/net/ipv4/conf/*; do - [ -f \$f/log_martians ] && echo 0 > \$f/rp_filter + [ -f \$f/rp_filter ] && echo 0 > \$f/rp_filter done __EOF__ + fi + for interface in $interfaces; do file=/proc/sys/net/ipv4/conf/$interface/rp_filter @@ -3738,7 +3741,6 @@ __EOF__ if [ -n "$ROUTE_FILTER" ]; then save_command "echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter" - save_command "echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter" fi save_command "[ -n \"\$NOROUTES\" ] || ip route flush cache" @@ -3754,13 +3756,16 @@ __EOF__ save_progress_message "Setting up Martian Logging..." - indent >&3 << __EOF__ + if [ -z "$LOG_MARTIANS" ]; then + indent >&3 << __EOF__ for f in /proc/sys/net/ipv4/conf/*; do [ -f \$f/log_martians ] && echo 0 > \$f/log_martians done __EOF__ + fi + for interface in $interfaces; do file=/proc/sys/net/ipv4/conf/$interface/log_martians @@ -3774,9 +3779,10 @@ fi __EOF__ done + save_command "echo 1 > /proc/sys/net/ipv4/conf/all/log_martians" + if [ -n "$LOG_MARTIANS" ]; then save_command "echo 1 > /proc/sys/net/ipv4/conf/default/log_martians" - save_command "echo 1 > /proc/sys/net/ipv4/conf/all/log_martians" fi fi
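Review bot: Only the tail of the martian-logging code changes in the `@@ -162` hunk of Proc.pm, and the hunk offsets show no other edit between the rp_filter code and this point. Any loop above the hunk that writes 0 to every `log_martians` file would therefore still run when `LOG_MARTIANS=Yes`. That would make release note 12 true for Shorewall-shell but not for Shorewall-perl. If such a loop exists (it is not visible here), guard it the same way as the rp_filter one, with `unless ( $config{LOG_MARTIANS} ) { ... }`.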
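Review bot: `THEN` in the added `if [ -z "$ROUTE_FILTER" ]; THEN` (the `@@ -3715` hunk of Shorewall-shell/compiler) is not a shell reserved word, so the shell will report a syntax error when it reaches the matching `fi`. The line should be `if [ -z "$ROUTE_FILTER" ]; then`, as the parallel `LOG_MARTIANS` test in the `@@ -3754` hunk has it. The surrounding function starts and ends outside the hunk.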
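Review bot: The `@@ -3738` hunk removes the only visible write of 1 to `conf/all/rp_filter` in the shell compiler and adds no unconditional replacement. The Perl compiler keeps an unconditional write, and the `@@ -3774` hunk adds one for `log_martians`. Unless a write already exists above this hunk, add `save_command "echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter"` before the `if [ -n "$ROUTE_FILTER" ]` test, so that both compilers generate the same reverse-path-filter settings when only per-interface `routefilter` is configured.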