author | Mohit Mehta <mohit.mehta@vyatta.com> | 2009-02-24 15:54:24 -0800 |
---|---|---|
committer | Mohit Mehta <mohit.mehta@vyatta.com> | 2009-02-24 15:54:24 -0800 |
commit | 7505fdcd0feca189b759306301cac445ec44d525 (patch) | |
tree | 668055520eb3144f8d1a61265b546c2b9d415e7a /templates | |
parent | d8520ae0d6930a29a3e46d4d385b021fc3733024 (diff) | |
Fix Bug 4150 enable loose reverse path filtering
Diffstat (limited to 'templates')
-rw-r--r-- | templates/firewall/source-validation/node.def | 31 |
1 files changed, 19 insertions, 12 deletions
diff --git a/templates/firewall/source-validation/node.def b/templates/firewall/source-validation/node.def
index 8e28d11..2e9fa1c 100644
--- a/templates/firewall/source-validation/node.def
+++ b/templates/firewall/source-validation/node.def
@@ -1,34 +1,41 @@
-# rp_filter
+# rp_filter
 # default value - 0
-# conf/all/rp_filter and conf/[interface]/rp_filter both must be set to TRUE
-# to do source validation on the interface
+# conf/all/rp_filter and conf/[interface]/rp_filter both must be set to
+# a value greater than 0 to do source validation on the interface
 type: txt
-help: Set policy for source validation by reversed path, as specified in RFC1812
+help: Set policy for source validation by reversed path, as specified in RFC3704
 comp_help:Possible completions:
- enable\tDo source validation
+ strict\tEnable Strict Reverse Path Forwarding as defined in RFC3704
+ loose\t\tEnable Loose Reverse Path Forwarding as defined in RFC3704
 disable\tNo source validation
 default: "disable"
-syntax:expression: $VAR(@) in "enable", "disable"; "source-validation must be enable or disable"
+syntax:expression: $VAR(@) in "strict", "loose", "disable"; "source-validation must be set to 'loose', 'strict' or 'disable'"
 update:
- if [ x$VAR(@) == xenable ]; then
- array=(`ls /proc/sys/net/ipv4/conf/`)
- array_len=${#array[*]}
- i=0
+ array=(`ls /proc/sys/net/ipv4/conf/`)
+ array_len=${#array[*]}
+ i=0
+ if [ x$VAR(@) == xstrict ]; then
 while [ $i -lt $array_len ]; do
 sudo sh -c "echo 1 > \
 /proc/sys/net/ipv4/conf/${array[$i]%:*}/rp_filter"
 let i++
 done
+ elif [ x$VAR(@) == xloose ]; then
+ while [ $i -lt $array_len ]; do
+ sudo sh -c "echo 2 > \
+ /proc/sys/net/ipv4/conf/${array[$i]%:*}/rp_filter"
+ let i++
+ done
 else
- sudo sh -c "echo 0 > \
- /proc/sys/net/ipv4/conf/all/rp_filter"
+ sudo sh -c "echo 0 > \
+ /proc/sys/net/ipv4/conf/all/rp_filter"
 fi
 delete: