diff --git a/Shorewall-docs2/Shorewall_and_Routing.xml b/Shorewall-docs2/Shorewall_and_Routing.xml
index e930d5878..e77a0b582 100644
--- a/Shorewall-docs2/Shorewall_and_Routing.xml
+++ b/Shorewall-docs2/Shorewall_and_Routing.xml
@@ -15,7 +15,7 @@
- 2005-08-11
+ 2005-09-25
2005
@@ -305,138 +305,145 @@
Shorewall configuration files, enter "-" in a column if you don't want
to enter any value.
-
-
- /etc/shorewall/providers:
+
+
+ NAME
-
- NAME
+
+ The provider name. Must begin with a letter and consist of
+ letters and digits. The provider name becomes the name of the
+ generated routing table for this provider.
+
+
-
- The provider name. Must begin with a letter and consist of
- letters and digits. The provider name becomes the name of the
- generated routing table for this provider.
-
-
+
+ NUMBER
-
- NUMBER
+
+ A number between 1 and 252. This becomes the routing table
+ number for the generated table for this provider.
+
+
-
- A number between 1 and 252. This becomes the routing table
- number for the generated table for this provider.
-
-
+
+ MARK
-
- MARK
+
+ A mark value used in your /etc/shorewall/tcrules file to
+ direct packets to this provider. Shorewall will also mark
+ connections that have seen input from this provider with this
+ value and will restore the packet mark in the PREROUTING
+ CHAIN.
+
+
-
- A mark value used in your /etc/shorewall/tcrules file to
- direct packets to this provider. Shorewall will also mark
- connections that have seen input from this provider with this
- value and will restore the packet mark in the PREROUTING
- CHAIN.
-
-
+
+ DUPLICATE
-
- DUPLICATE
+
+ Gives the name or number of a routing table to duplicate.
+ May be 'main' or the name or number of a previously declared
+ provider. For most applications, you want to specify 'main'
+ here.
+
+
-
- Gives the name or number of a routing table to duplicate.
- May be 'main' or the name or number of a previously declared
- provider. For most applications, you want to specify 'main'
- here.
-
-
+
+ INTERFACE
-
- INTERFACE
+
+ The name of the interface to the provider.
+
+
-
- The name of the interface to the provider.
-
-
+
+ GATEWAY
-
- GATEWAY
+
+ The IP address of the provider's Gateway router.
-
- The IP address of the provider's Gateway router.
+ You can enter detect here
+ and Shorewall will attempt to automatically determine the gateway
+ IP address.
- You can enter detect here
- and Shorewall will attempt to automatically determine the
- gateway IP address.
+ Hint: "detect" is appropriate for use in cases
+ where the interface named in the INTERFACE column is dynamically
+ configured via DHCP etc.
+
+
- Hint: "detect" is appropriate for use in cases
- where the interface named in the INTERFACE column is dynamically
- configured via DHCP etc.
-
-
+
+ OPTIONS
-
- OPTIONS
+
+ A comma-separated list from the following:
-
- A comma-separated list from the following:
+
+
+ track
-
-
- track
+
+ If specified, connections FROM this interface are to
+ be tracked so that responses may be routed back out this
+ same interface.
-
- If specified, connections FROM this interface are to
- be tracked so that responses may be routed back out this
- same interface.
+ You want specify 'track' if internet hosts will be
+ connecting to local servers through this provider. Any time
+ that you specify 'track', you will also want to specify
+ 'balance' (see below).
+
+
- You want specify 'track' if internet hosts will be
- connecting to local servers through this provider. Any
- time that you specify 'track', you will also want to
- specify 'balance' (see below).
-
-
+
+ balance
-
- balance
+
+ The providers that have 'balance' specified will get
+ outbound traffic load-balanced among them. Balancing will
+ not be perfect, as it is route based, and routes are cached.
+ This means that routes to often-used sites will always be
+ over the same provider.
-
- The providers that have 'balance' specified will get
- outbound traffic load-balanced among them. Balancing will
- not be perfect, as it is route based, and routes are
- cached. This means that routes to often-used sites will
- always be over the same provider.
+ By default, each provider is given the same weight (1)
+ . Beginning with 2.4.0-RC3, you can change the weight of a
+ given provider by following balance
+ with "=" and the desired weight (e.g., balance=2). The
+ weights reflect the relative bandwidth of the providers
+ connections and should be small numbers since the kernel
+ actually creates additional default routes for each weight
+ increment.
+
+
- By default, each provider is given the same weight
- (1) . Beginning with 2.4.0-RC3, you can change the weight
- of a given provider by following
- balance with "=" and the desired
- weight (e.g., balance=2). The weights reflect the relative
- bandwidth of the providers connections and should be small
- numbers since the kernel actually creates additional
- default routes for each weight increment.
-
-
-
-
-
+
+ loose
-
- COPY
+
+ Do not include routing rules that force traffic whose
+ source IP is an address of the INTERFACE to be routed to
+ this provider. Useful for defining providers that are to be
+ used only when the appropriate packet mark is
+ applied.
+
+
+
+
+
-
- When you specify an existing table in the DUPLICATE
- column, Shorewall copies all routes through the interface
- specified in the INTERFACE column plus the interfaces listed in
- this column. At a minumum, you should list all interfaces on
- your firewall in this column except those internet interfaces
- specified in the INTERFACE column of entries in this
- file.
-
-
-
-
+
+ COPY
+
+
+ When you specify an existing table in the DUPLICATE column,
+ Shorewall copies all routes through the interface specified in the
+ INTERFACE column plus the interfaces listed in this column. At a
+ minumum, you should list all interfaces on your firewall in this
+ column except those internet interfaces specified in the INTERFACE
+ column of entries in this file.
+
+
+
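Review bot: two errors survive the re-indentation unchanged and should be fixed while this block is being rewritten: "At a minumum" in the COPY description should read "At a minimum", and "You want specify 'track'" under track should read "You want to specify 'track'". The balance paragraph also now splits "the same weight (1)" from its full stop, leaving ". Beginning with 2.4.0-RC3" at the start of the next line; join it as "the same weight (1). Beginning with 2.4.0-RC3, ..." and add the possessive in "the providers' connections". Lastly, the new loose option carries no release note, whereas balance weights are marked "Beginning with 2.4.0-RC3"; if loose is introduced in this revision, say which release first supports it.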
@@ -447,8 +454,9 @@
- An ip rule is generated for each IP address on the INTERFACE
- that routes traffic from that address through the associated routing
+ Unless loose is specified, an
+ ip rule is generated for each IP address on the INTERFACE that
+ routes traffic from that address through the associated routing
table.
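Review bot: the new qualifier assumes the reader has already met loose in the providers OPTIONS list; naming it as such here ("Unless the loose option is specified in the OPTIONS column, an ip rule is generated ...") lets this paragraph stand on its own, since it is the only place the per-address ip rule behaviour is described.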
@@ -562,236 +570,4 @@ eth1 eth2 130.252.99.27
2:P <local network> 0.0.0.0/0 tcp 25
-
-
- Experimental Routing with Shorewall 2.3.2 and Later
-
- Beginning with Shorewall 2.3.2, Shorewall is integrated with the
- ROUTE target extension available from Netfilter Patch-O-Matic-NG (http://www.netfilter.org).
-
-
- As of this writing, I know of no distribution that is shipping a
- kernel or iptables with the ROUTE target patch included. This means that
- you must patch and build your own kernel and iptables in order to be
- able to use the feature described in this section. This code remains experimental since there is no
- intent by the Netfilter team to ever submit the ROUTE target patch for
- inclusion in the official kernels from kernel.org. This support may also
- be removed from Shorewall in a future release.
-
-
- See Shorewall FAQ 42 for
- information about determining if your kernel and iptables have this
- support enabled. You must be running Shorewall 2.3.2 or later to make this
- determination.
-
- Routing with Shorewall is specified through entries in
- /etc/shorewall/routes. Note that entries in the
- /etc/shorewall/routes file override the routing
- specified in your routing tables. These rules generate Netfilter rules in
- the mangle tables FORWARD chain or OUTPUT chain depending whether the
- packets are being routed through the firewall or originate on the firewall
- itself (see the flow diagram at the top of this article).
-
- Columns in this file are as follows:
-
-
-
- SOURCE
-
-
- Source of the packet. May be any of the following:
-
-
-
- A host or network address
-
-
-
- A network interface name.
-
-
-
- The name of an ipset prefaced with "+"
-
-
-
- $FW (for packets originating on the firewall)
-
-
-
- A MAC address in Shorewall format
-
-
-
- A range of IP addresses (assuming that your kernel and
- iptables support range match)
-
-
-
- A network interface name followed by ":" and an address or
- address range.
-
-
-
-
-
-
- DEST
-
-
- Destination of the packet. May be any of the following:
-
-
-
- A host or network address
-
-
-
- A network interface name (determined from routing
- table(s))
-
-
-
- The name of an ipset prefaced with "+"
-
-
-
- A network interface name followed by ":" and an address or
- address range.
-
-
-
-
-
-
- PROTO
-
-
- Protocol - Must be a protocol listed in /etc/protocols, a
- number or "ipp2p", a number, or "all". "ipp2p" require ipp2p match
- support in your kernel and iptables.
-
-
-
-
- PORT(S)
-
-
- Destination Ports. A comma-separated list of Port names (from
- /etc/services), port numbers or port ranges; if the protocol is
- "icmp", this column is interpreted as the destination
- icmp-type(s).
-
- If the protocol is ipp2p, this column is interpreted as an
- ipp2p option without the leading "--" (example "bit" for
- bit-torrent). If no PORT is given, "ipp2p" is assumed.
-
- This column is ignored if PROTOCOL = all but must be entered
- if any of the following field is supplied. In that case, it is
- suggested that this field contain "-"
-
-
-
-
- SOURCE PORT(S)
-
-
- Optional) Source port(s). If omitted, any source port is
- acceptable. Specified as a comma-separated list of port names, port
- numbers or port ranges.
-
-
-
-
- TEST
-
-
- Defines a test on the existing packet or connection mark. The
- rule will match only if the test returns true. Tests have the
- format
-
-
- [!]<value>[/<mask>][:C]
-
-
- where:
-
-
-
- !
-
-
- Inverts the test (not equal)
-
-
-
-
- <value>
-
-
- Value of the packet or connection mark.
-
-
-
-
- <mask>
-
-
- A mask to be applied to the mark before testing
-
-
-
-
- :C
-
-
- Designates a connection mark. If omitted, the packet
- mark's value is tested
-
-
-
-
-
-
-
- INTERFACE
-
-
- The interface that the packet is to be routed out of. If you
- do not specify this field then you must place "-" in this column and
- enter an IP address in the GATEWAY column.
-
-
-
-
- GATEWAY
-
-
- The gateway that the packet is to be forwarded through.
-
-
-
-
- The idea here is that traffic that matches the SOURCE, DEST, PROTO,
- PORT(S), SOURCE PORT(S) and TEST columns is routed out of the INTERFACE
- through the optional GATEWAY.
-
-
- Example:
-
- Your local interface is eth1 and your DMZ interface is eth2. You
- want to run Squid as a transparent proxy for HTTP on 192.168.3.22 in
- your DMZ. You would use the following entry in
- /etc/shorewall/routes:
-
- #SOURCE DEST PROTO PORT(S) SOURCE TEST INTERFACE GATEWAY
-# PORT(S)
-eth1 0.0.0.0/0 tcp 80 - - eth1 192.168.3.22
-
- This entry specifies that "traffic coming in through eth1 to TCP
- port 80 is to be routed out of eth1 to gateway 192.168.3.22".
-
-
\ No newline at end of file
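Review bot: the wholesale removal of the "Experimental Routing with Shorewall 2.3.2 and Later" section is not explained anywhere in the patch; the deleted text itself warned that the ROUTE target support "may also be removed from Shorewall in a future release", so if that is what happened, a one-line note stating that /etc/shorewall/routes is no longer supported, and from which release, would serve readers of 2.3.2 through 2.4.x better than a silent deletion. Also check that nothing elsewhere in the documentation still points at /etc/shorewall/routes or at "Shorewall FAQ 42" for this feature, and restore the trailing newline: after this hunk the file ends with "\ No newline at end of file".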