From 3c18b9bf9a01575dd6cab370670382a1dd3a1fcf Mon Sep 17 00:00:00 2001
From: Mohit Mehta
Date: Thu, 19 Feb 2009 19:07:02 -0800
Subject: Fix Bug 3951 default values for kernel tunable security parameters under firewall

---
 templates/firewall/source-validation/node.def | 35 +++++++++++++++++++++++++++
 1 file changed, 35 insertions(+)
 create mode 100644 templates/firewall/source-validation/node.def

(limited to 'templates/firewall/source-validation')

diff --git a/templates/firewall/source-validation/node.def b/templates/firewall/source-validation/node.def
new file mode 100644
index 0000000..8e28d11
--- /dev/null
+++ b/templates/firewall/source-validation/node.def
@@ -0,0 +1,35 @@
+# rp_filter
+# default value - 0
+# conf/all/rp_filter and conf/[interface]/rp_filter both must be set to TRUE
+# to do source validation on the interface
+
+
+type: txt
+
+help: Set policy for source validation by reversed path, as specified in RFC1812
+
+comp_help:Possible completions:
+ enable\tDo source validation
+ disable\tNo source validation
+
+default: "disable"
+
+syntax:expression: $VAR(@) in "enable", "disable"; "source-validation must be enable or disable"
+
+update:
+ if [ x$VAR(@) == xenable ]; then
+ array=(`ls /proc/sys/net/ipv4/conf/`)
+ array_len=${#array[*]}
+ i=0
+ while [ $i -lt $array_len ]; do
+ sudo sh -c "echo 1 > \
+ /proc/sys/net/ipv4/conf/${array[$i]%:*}/rp_filter"
+ let i++
+ done
+ else
+ sudo sh -c "echo 0 > \
+ /proc/sys/net/ipv4/conf/all/rp_filter"
+ fi
+
+delete:
+ sudo sh -c "echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter"
-- 
cgit v1.2.3
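Review bot: The enable branch of `update:` splices names taken from `ls /proc/sys/net/ipv4/conf/` into a command string that is then executed by `sudo sh -c`, so each directory name is re-parsed by a root shell rather than used as a plain path, and word-splitting the `ls` listing is fragile for the same reason. Iterating the directory with a glob and writing through `tee` avoids constructing a command string at all while keeping the `${name%:*}` strip the original applies; this assumes the sudo policy on the target allows `tee`, which the patch does not show. Separately, the disable branch and `delete:` reset only `conf/all/rp_filter`, leaving per-interface values at 1 from an earlier enable; that matches the header comment's "both must be set" description, but if the running kernel instead takes the maximum of the two values, disabling would leave validation active, so this should be confirmed against the kernel version in use.
```shell
update:
  if [ x$VAR(@) == xenable ]; then
    for dir in /proc/sys/net/ipv4/conf/*; do
      name=${dir##*/}
      echo 1 | sudo tee "/proc/sys/net/ipv4/conf/${name%:*}/rp_filter" > /dev/null
    done
  else
    echo 0 | sudo tee /proc/sys/net/ipv4/conf/all/rp_filter > /dev/null
  fi
# … unchanged: delete: action …
```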