From d415de18834641f5951c1992d4b2a2f1485d1c70 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sat, 30 Mar 2013 16:44:18 -0700 Subject: [PATCH] Add the accept_ra Shorewall6 interface option. Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Compiler.pm | 2 ++ Shorewall/Perl/Shorewall/Proc.pm | 34 ++++++++++++++++-- Shorewall/Perl/Shorewall/Zones.pm | 7 ++-- Shorewall6/manpages/shorewall6-interfaces.xml | 36 +++++++++++++++++++ 4 files changed, 74 insertions(+), 5 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Compiler.pm b/Shorewall/Perl/Shorewall/Compiler.pm index b6eac6b83..7446147a2 100644 --- a/Shorewall/Perl/Shorewall/Compiler.pm +++ b/Shorewall/Perl/Shorewall/Compiler.pm @@ -741,6 +741,8 @@ sub compiler { '' ); + setup_accept_ra if $family == F_IPV6; + if ( $scriptfilename || $debug ) { emit 'return 0'; pop_indent; diff --git a/Shorewall/Perl/Shorewall/Proc.pm b/Shorewall/Perl/Shorewall/Proc.pm index 05d625782..dd6c2123d 100644 --- a/Shorewall/Perl/Shorewall/Proc.pm +++ b/Shorewall/Perl/Shorewall/Proc.pm @@ -38,6 +38,7 @@ our @EXPORT = qw( setup_route_filtering setup_martian_logging setup_source_routing + setup_accept_ra setup_forwarding ); our @EXPORT_OK = qw( setup_interface_proc ); 
@@ -214,6 +215,35 @@ sub setup_source_routing( $ ) { } } +# +# Source Routing +# +sub setup_accept_ra() { + + my $interfaces = find_interfaces_by_option 'accept_ra'; + + if ( @$interfaces ) { + progress_message2 "$doing Accept Routing Advertisements..."; + + save_progress_message 'Setting up Accept Routing Advertisements...'; + + for my $interface ( @$interfaces ) { + my $value = get_interface_option $interface, 'accept_ra'; + my $optional = interface_is_optional $interface; + + $interface = get_physical $interface; + + my $file = "/proc/sys/net/ipv6/conf/$interface/accept_ra"; + + emit ( "if [ -f $file ]; then" , + " echo $value > $file" ); + emit ( 'else' , + " error_message \"WARNING: Cannot set Accept Source Routing on $interface\"" ) unless $optional; + emit "fi\n"; + } + } +} + sub setup_forwarding( $$ ) { my ( $family, $first ) = @_; @@ -297,8 +327,8 @@ sub setup_interface_proc( $ ) { push @emitted, "echo $value > /proc/sys/net/ipv4/conf/$physical/accept_source_route"; } - if ( interface_has_option( $interface, 'sourceroute' , $value ) ) { - push @emitted, "echo $value > /proc/sys/net/ipv4/conf/$physical/accept_source_route"; + if ( interface_has_option( $interface, 'accept_ra' , $value ) ) { + push @emitted, "echo $value > /proc/sys/net/ipv6/conf/$physical/accept_ra"; } if ( @emitted ) { diff --git a/Shorewall/Perl/Shorewall/Zones.pm b/Shorewall/Perl/Shorewall/Zones.pm index 495d75bcc..603c17190 100644 --- a/Shorewall/Perl/Shorewall/Zones.pm +++ b/Shorewall/Perl/Shorewall/Zones.pm @@ -234,9 +234,9 @@ use constant { NO_UPDOWN => 1, our %validinterfaceoptions; -our %defaultinterfaceoptions = ( routefilter => 1 , wait => 60 ); +our %defaultinterfaceoptions = ( routefilter => 1 , wait => 60, accept_ra => 1 ); -our %maxoptionvalue = ( routefilter => 2, mss => 100000 , wait => 120 , ignore => NO_UPDOWN ); +our %maxoptionvalue = ( routefilter => 2, mss => 100000 , wait => 120 , ignore => NO_UPDOWN, accept_ra => 2 ); our %validhostoptions; 
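Review bot: The new `setup_accept_ra` carries labels copied from the source-routing code: its header comment reads `# Source Routing` and the emitted warning says `Cannot set Accept Source Routing on $interface`, so a failure to write accept_ra would be reported against the wrong setting. I would change the header to `# Accept Router Advertisements` and the warning to `error_message \"WARNING: Cannot set accept_ra on $interface\"`. The two progress messages also say "Routing Advertisements" where the manpage added in this commit says "Router Advertisements".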
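Review bot: In `setup_interface_proc` the new accept_ra line is pushed as a bare `echo $value > /proc/sys/net/ipv6/conf/$physical/accept_ra`, without the `[ -f $file ]` test that `setup_accept_ra` emits for the same path. If IPv6 is absent or disabled for that interface, the generated script would presumably fail on the redirect instead of warning. The function begins and ends outside the hunk, so whether the emitted lines are wrapped later cannot be seen here. Consider pushing `[ -f /proc/sys/net/ipv6/conf/$physical/accept_ra ] && echo $value > /proc/sys/net/ipv6/conf/$physical/accept_ra` instead.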
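Review bot: `accept_ra => 1` in `%defaultinterfaceoptions` and `accept_ra => 2` in `%maxoptionvalue` have no comment saying what the numbers mean, and the choice matters on a firewall. Per the manpage text added in this commit, 1 accepts Router Advertisements only while forwarding is disabled and 2 accepts them even with forwarding enabled, which lets any host on that link that sends RAs influence the firewall's routes and addresses. I would add a comment above the two hashes such as `# accept_ra: 0 = ignore RAs, 1 = accept unless forwarding, 2 = accept even when forwarding (only on links where RA senders are trusted)`. Presumably the default is the value used when the option is given without `=value`; if so, the manpage should state that as well.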
@@ -334,7 +334,8 @@ sub initialize( $$ ) { ); %zonetypes = ( 1 => 'firewall', 2 => 'ipv4', 4 => 'bport4', 8 => 'ipsec4', 16 => 'vserver' ); } else { - %validinterfaceoptions = ( blacklist => SIMPLE_IF_OPTION + IF_OPTION_HOST, + %validinterfaceoptions = ( accept_ra => NUMERIC_IF_OPTION, + blacklist => SIMPLE_IF_OPTION + IF_OPTION_HOST, bridge => SIMPLE_IF_OPTION, dhcp => SIMPLE_IF_OPTION, ignore => NUMERIC_IF_OPTION + IF_OPTION_WILDOK, diff --git a/Shorewall6/manpages/shorewall6-interfaces.xml b/Shorewall6/manpages/shorewall6-interfaces.xml index 196c9d3e6..f7474a44a 100644 --- a/Shorewall6/manpages/shorewall6-interfaces.xml +++ b/Shorewall6/manpages/shorewall6-interfaces.xml @@ -148,6 +148,42 @@ loc eth2 - should have no embedded white space. + + accept_ra[={0|1|2)] + + + Added in Shorewall 4.5.16. Values are: + + + + 0 + + + Do not accept Router Advertisements. + + + + + 1 + + + Accept Route Advertisements if forwarding is + disabled. + + + + + 2 + + + Overrule forwarding behavior. Accept Route + Advertisements even if forwarding is enabled. + + + + + + blacklist