From d415de18834641f5951c1992d4b2a2f1485d1c70 Mon Sep 17 00:00:00 2001
From: Tom Eastep <teastep@shorewall.net>
Date: Sat, 30 Mar 2013 16:44:18 -0700
Subject: [PATCH] Add the accept_ra Shorewall6 interface option.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
---
 Shorewall/Perl/Shorewall/Compiler.pm          |  2 ++
 Shorewall/Perl/Shorewall/Proc.pm              | 34 ++++++++++++++++--
 Shorewall/Perl/Shorewall/Zones.pm             |  7 ++--
 Shorewall6/manpages/shorewall6-interfaces.xml | 36 +++++++++++++++++++
 4 files changed, 74 insertions(+), 5 deletions(-)

diff --git a/Shorewall/Perl/Shorewall/Compiler.pm b/Shorewall/Perl/Shorewall/Compiler.pm
index b6eac6b83..7446147a2 100644
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -741,6 +741,8 @@ sub compiler {
 	  ''
 	);
 
+    setup_accept_ra if $family == F_IPV6;
+
     if ( $scriptfilename || $debug ) {
 	emit 'return 0';
 	pop_indent;
diff --git a/Shorewall/Perl/Shorewall/Proc.pm b/Shorewall/Perl/Shorewall/Proc.pm
index 05d625782..dd6c2123d 100644
--- a/Shorewall/Perl/Shorewall/Proc.pm
+++ b/Shorewall/Perl/Shorewall/Proc.pm
@@ -38,6 +38,7 @@ our @EXPORT = qw(
 		 setup_route_filtering
 		 setup_martian_logging
 		 setup_source_routing
+		 setup_accept_ra
 		 setup_forwarding
 		 );
 our @EXPORT_OK = qw( setup_interface_proc );
@@ -214,6 +215,35 @@ sub setup_source_routing( $ ) {
     }
 }
 
+#
+# Source Routing
+#
+sub setup_accept_ra() {
+
+    my $interfaces = find_interfaces_by_option 'accept_ra';
+
+    if ( @$interfaces ) {
+	progress_message2 "$doing Accept Routing Advertisements...";
+
+	save_progress_message 'Setting up Accept Routing Advertisements...';
+
+	for my $interface ( @$interfaces ) {
+	    my $value = get_interface_option $interface, 'accept_ra';
+	    my $optional = interface_is_optional $interface;
+
+	    $interface = get_physical $interface;
+
+	    my $file = "/proc/sys/net/ipv6/conf/$interface/accept_ra";
+
+	    emit ( "if [ -f $file ]; then" ,
+		   "    echo $value > $file" );
+	    emit ( 'else' ,
+		   "    error_message \"WARNING: Cannot set Accept Source Routing on $interface\"" ) unless $optional;
+	    emit   "fi\n";
+	}
+    }
+}
+
 sub setup_forwarding( $$ ) {
     my ( $family, $first ) = @_;
 
@@ -297,8 +327,8 @@ sub setup_interface_proc( $ ) {
 	push @emitted, "echo $value > /proc/sys/net/ipv4/conf/$physical/accept_source_route";
     }
 
-    if ( interface_has_option( $interface, 'sourceroute' , $value ) ) {
-	push @emitted, "echo $value > /proc/sys/net/ipv4/conf/$physical/accept_source_route";
+    if ( interface_has_option( $interface, 'accept_ra' , $value ) ) {
+	push @emitted, "echo $value > /proc/sys/net/ipv6/conf/$physical/accept_ra";
     }
 
     if ( @emitted ) {
diff --git a/Shorewall/Perl/Shorewall/Zones.pm b/Shorewall/Perl/Shorewall/Zones.pm
index 495d75bcc..603c17190 100644
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -234,9 +234,9 @@ use constant { NO_UPDOWN   => 1,
 
 our %validinterfaceoptions;
 
-our %defaultinterfaceoptions = ( routefilter => 1 , wait => 60 );
+our %defaultinterfaceoptions = ( routefilter => 1 , wait => 60, accept_ra => 1 );
 
-our %maxoptionvalue = ( routefilter => 2, mss => 100000 , wait => 120 , ignore => NO_UPDOWN );
+our %maxoptionvalue = ( routefilter => 2, mss => 100000 , wait => 120 , ignore => NO_UPDOWN, accept_ra => 2 );
 
 our %validhostoptions;
 
@@ -334,7 +334,8 @@ sub initialize( $$ ) {
 			    );
 	%zonetypes = ( 1 => 'firewall', 2 => 'ipv4', 4 => 'bport4', 8 => 'ipsec4', 16 => 'vserver' );
     } else {
-	%validinterfaceoptions = (  blacklist   => SIMPLE_IF_OPTION + IF_OPTION_HOST,
+	%validinterfaceoptions = (  accept_ra   => NUMERIC_IF_OPTION,
+				    blacklist   => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    bridge      => SIMPLE_IF_OPTION,
 				    dhcp        => SIMPLE_IF_OPTION,
 				    ignore      => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
diff --git a/Shorewall6/manpages/shorewall6-interfaces.xml b/Shorewall6/manpages/shorewall6-interfaces.xml
index 196c9d3e6..f7474a44a 100644
--- a/Shorewall6/manpages/shorewall6-interfaces.xml
+++ b/Shorewall6/manpages/shorewall6-interfaces.xml
@@ -148,6 +148,42 @@ loc     eth2            -</programlisting>
           should have no embedded white space.</para>
 
           <variablelist>
+            <varlistentry>
+              <term>accept_ra[={0|1|2)]</term>
+
+              <listitem>
+                <para>Added in Shorewall 4.5.16. Values are:</para>
+
+                <variablelist>
+                  <varlistentry>
+                    <term>0</term>
+
+                    <listitem>
+                      <para>Do not accept Router Advertisements.</para>
+                    </listitem>
+                  </varlistentry>
+
+                  <varlistentry>
+                    <term>1</term>
+
+                    <listitem>
+                      <para>Accept Route Advertisements if forwarding is
+                      disabled.</para>
+                    </listitem>
+                  </varlistentry>
+
+                  <varlistentry>
+                    <term>2</term>
+
+                    <listitem>
+                      <para>Overrule forwarding behavior. Accept Route
+                      Advertisements even if forwarding is enabled.</para>
+                    </listitem>
+                  </varlistentry>
+                </variablelist>
+              </listitem>
+            </varlistentry>
+
             <varlistentry>
               <term><emphasis role="bold">blacklist</emphasis></term>