Implement USE_DEFAULT_RT=Exact

Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2017-01-14 08:14:08 -08:00
parent b36b07b567
commit 2ca1ae734a
No known key found for this signature in database
GPG Key ID: 96E6B3F2423A4D10
16 changed files with 99 additions and 54 deletions


@ -6282,11 +6282,20 @@ sub get_configuration( $$$$ ) {
require_capability 'COMMENTS', 'TRACK_RULES=Yes', 's' if $config{TRACK_RULES}; require_capability 'COMMENTS', 'TRACK_RULES=Yes', 's' if $config{TRACK_RULES};
default_yes_no 'MANGLE_ENABLED' , have_capability( 'MANGLE_ENABLED' ) ? 'Yes' : ''; default_yes_no 'MANGLE_ENABLED' , have_capability( 'MANGLE_ENABLED' ) ? 'Yes' : '';
default_yes_no 'USE_DEFAULT_RT' , '';
default_yes_no 'RESTORE_DEFAULT_ROUTE' , 'Yes'; default_yes_no 'RESTORE_DEFAULT_ROUTE' , 'Yes';
default_yes_no 'AUTOMAKE' , ''; default_yes_no 'AUTOMAKE' , '';
default_yes_no 'TRACK_PROVIDERS' , ''; default_yes_no 'TRACK_PROVIDERS' , '';
if ( supplied( $val = $config{USE_DEFAULT_RT} ) ) {
if ( lc( $val ) eq 'exact' ) {
$config{USE_DEFAULT_RT} = 'exact';
} else {
default_yes_no 'USE_DEFAULT_RT' , '';
}
} else {
default_yes_no 'USE_DEFAULT_RT' , '';
}
unless ( ( $config{NULL_ROUTE_RFC1918} || '' ) =~ /^(?:blackhole|unreachable|prohibit)$/ ) { unless ( ( $config{NULL_ROUTE_RFC1918} || '' ) =~ /^(?:blackhole|unreachable|prohibit)$/ ) {
default_yes_no( 'NULL_ROUTE_RFC1918', '' ); default_yes_no( 'NULL_ROUTE_RFC1918', '' );
$config{NULL_ROUTE_RFC1918} = 'blackhole' if $config{NULL_ROUTE_RFC1918}; $config{NULL_ROUTE_RFC1918} = 'blackhole' if $config{NULL_ROUTE_RFC1918};
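Review bot: The new branch accepts only the spelling `exact` (after `lc`), but the providers man-page text added in this same commit tells users to set USE_DEFAULT_RT=Strict to suppress the implicit balance option; as written that value falls through to `default_yes_no 'USE_DEFAULT_RT' , ''`, which presumably rejects it or treats it as No, so either those pages should say Exact or this code should accept Strict. The multi-ISP article's new sentence "USE_DEFAULT_RT=No (USE_DEFAULT_RT=Exact in Shorewall 5.1.1 and later) is now the default and use of USE_DEFAULT_RT=No is deprecated" also contradicts itself and probably meant Yes. The two fallback branches are identical, so the nesting can collapse by folding the spelling test into the outer condition, `if ( supplied( $val = $config{USE_DEFAULT_RT} ) && lc( $val ) eq 'exact' ) {`, with a single else calling default_yes_no. The stored value is lowercase `exact` while default_yes_no appears to store `Yes`, so every later comparison must use that exact spelling; a comment such as `# 'exact' behaves like Yes except that 'balance' is not implied for providers` on the assignment would record that contract. get_configuration begins and ends outside this hunk.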


@ -519,11 +519,11 @@ sub process_a_provider( $ ) {
my ( $loose, $track, $balance, $default, $default_balance, $optional, $mtu, $tproxy, $local, $load, $what, $hostroute, $persistent ); my ( $loose, $track, $balance, $default, $default_balance, $optional, $mtu, $tproxy, $local, $load, $what, $hostroute, $persistent );
if ( $pseudo ) { if ( $pseudo ) {
( $loose, $track, $balance , $default, $default_balance, $optional, $mtu, $tproxy , $local, $load, $what , $hostroute, $persistent ) = ( $loose, $track, $balance , $default, $default_balance, $optional, $mtu, $tproxy , $local, $load, $what , $hostroute, $persistent ) =
( 0, 0 , 0 , 0, 0, 1 , '' , 0 , 0, 0, 'interface', 0, 0); ( 0, 0 , 0 , 0, 0, 1 , '' , 0 , 0, 0, 'interface', 0, 0);
} else { } else {
( $loose, $track, $balance , $default, $default_balance, $optional, $mtu, $tproxy , $local, $load, $what , $hostroute, $persistent )= ( $loose, $track, $balance , $default, $default_balance, $optional, $mtu, $tproxy , $local, $load, $what , $hostroute, $persistent )=
( 0, $config{TRACK_PROVIDERS}, 0 , 0, $config{USE_DEFAULT_RT} ? 1 : 0, interface_is_optional( $interface ), '' , 0 , 0, 0, 'provider', 1, 0); ( 0, $config{TRACK_PROVIDERS}, 0 , 0, $config{USE_DEFAULT_RT} eq 'Yes' ? 1 : 0, interface_is_optional( $interface ), '' , 0 , 0, 0, 'provider', 1, 0);
} }
unless ( $options eq '-' ) { unless ( $options eq '-' ) {
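Review bot: The `$config{USE_DEFAULT_RT} eq 'Yes' ? 1 : 0` test buried in the 13-element positional assignment is the only place in this hunk where Exact behaves differently from Yes, and it is easy to miss; a trailing comment on that line, `# Exact: do not imply 'balance' for real providers`, would make the intent visible. The comparison is case-sensitive and relies on default_yes_no having stored exactly 'Yes' (and on Config.pm storing lowercase 'exact'), which is not visible here and worth confirming. Any other truth tests of $config{USE_DEFAULT_RT} in process_a_provider will now treat 'exact' as true, which looks intended but is undocumented. process_a_provider continues past this hunk.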


@ -240,7 +240,7 @@ TRACK_PROVIDERS=Yes
TRACK_RULES=No TRACK_RULES=No
USE_DEFAULT_RT=Yes USE_DEFAULT_RT=Exact
USE_PHYSICAL_NAMES=No USE_PHYSICAL_NAMES=No


@ -251,7 +251,7 @@ TRACK_PROVIDERS=Yes
TRACK_RULES=No TRACK_RULES=No
USE_DEFAULT_RT=Yes USE_DEFAULT_RT=Exact
USE_PHYSICAL_NAMES=No USE_PHYSICAL_NAMES=No


@ -248,7 +248,7 @@ TRACK_PROVIDERS=Yes
TRACK_RULES=No TRACK_RULES=No
USE_DEFAULT_RT=Yes USE_DEFAULT_RT=Exact
USE_PHYSICAL_NAMES=No USE_PHYSICAL_NAMES=No


@ -251,7 +251,7 @@ TRACK_PROVIDERS=Yes
TRACK_RULES=No TRACK_RULES=No
USE_DEFAULT_RT=Yes USE_DEFAULT_RT=Exact
USE_PHYSICAL_NAMES=No USE_PHYSICAL_NAMES=No


@ -240,7 +240,7 @@ TRACK_PROVIDERS=No
TRACK_RULES=No TRACK_RULES=No
USE_DEFAULT_RT=Yes USE_DEFAULT_RT=Exact
USE_PHYSICAL_NAMES=No USE_PHYSICAL_NAMES=No


@ -208,6 +208,14 @@
<option>balance=</option><replaceable>weight</replaceable> <option>balance=</option><replaceable>weight</replaceable>
where <replaceable>weight</replaceable> is the weight of the where <replaceable>weight</replaceable> is the weight of the
route out of this interface.</para> route out of this interface.</para>
<para>The setting <option>balance=1</option> is the default
when USE_DEFAULT_RT=Yes in and neither
<option>balance</option>[=], <option>primary</option>,
<option>fallback</option>, <option>loose</option> nor
<option>tproxy</option> is specified. To suppress this
behavior, set USE_DEFAULT_RT=Strict (Shorewall 5.1.1 or
later).</para>
</listitem> </listitem>
</varlistentry> </varlistentry>


@ -2307,9 +2307,10 @@ INLINE - - - ;; -j REJECT
<para>RESTORE_DEFAULT_ROUTE=No is appropriate when you don't want a <para>RESTORE_DEFAULT_ROUTE=No is appropriate when you don't want a
default route in the main table (USE_DEFAULT_RT=No) or in the default route in the main table (USE_DEFAULT_RT=No) or in the
default table (USE_DEFAULT_RT=Yes) when there are no balance default table (USE_DEFAULT_RT=Yes or USE_DEFAULT_RT=Exact) when
providers available. In that case, RESTORE_DEFAULT_ROUTE=No will there are no balance providers available. In that case,
cause any default route in the relevant table to be deleted.</para> RESTORE_DEFAULT_ROUTE=No will cause any default route in the
relevant table to be deleted.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -2805,7 +2806,8 @@ INLINE - - - ;; -j REJECT
<varlistentry> <varlistentry>
<term><emphasis role="bold">USE_DEFAULT_RT=</emphasis>[<emphasis <term><emphasis role="bold">USE_DEFAULT_RT=</emphasis>[<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term> role="bold">Yes</emphasis>|<emphasis
role="bold">No|Exact</emphasis>]</term>
<listitem> <listitem>
<para>When set to 'Yes', this option causes the Shorewall multi-ISP <para>When set to 'Yes', this option causes the Shorewall multi-ISP
@ -2816,7 +2818,8 @@ INLINE - - - ;; -j REJECT
the Shorewall-generated routing rules. So changes to the main table the Shorewall-generated routing rules. So changes to the main table
will affect the routing of packets by default.</para> will affect the routing of packets by default.</para>
<para>When USE_DEFAULT_RT=Yes:</para> <para>When USE_DEFAULT_RT=Yes or USE_DEFAULT_RT=Exact (Shorewall
5.1.1 or later):</para>
<orderedlist> <orderedlist>
<listitem> <listitem>
@ -2831,8 +2834,11 @@ INLINE - - - ;; -j REJECT
</listitem> </listitem>
<listitem> <listitem>
<para><emphasis role="bold">balance</emphasis> is assumed unless <para>The <emphasis role="bold">balance</emphasis> provider
<emphasis role="bold">loose</emphasis> is specified.</para> option is assumed unless <emphasis role="bold">loose</emphasis>,
<option>fallback</option>,<option> load=</option> or
<option>tproxy</option> is specified for the provider or unless
USE_DEFAULT_RT=Exact.</para>
</listitem> </listitem>
<listitem> <listitem>


@ -211,7 +211,7 @@ TRACK_PROVIDERS=Yes
TRACK_RULES=No TRACK_RULES=No
USE_DEFAULT_RT=Yes USE_DEFAULT_RT=Exact
USE_PHYSICAL_NAMES=No USE_PHYSICAL_NAMES=No


@ -212,7 +212,7 @@ TRACK_PROVIDERS=Yes
TRACK_RULES=No TRACK_RULES=No
USE_DEFAULT_RT=Yes USE_DEFAULT_RT=Exact
USE_PHYSICAL_NAMES=No USE_PHYSICAL_NAMES=No


@ -211,7 +211,7 @@ TRACK_PROVIDERS=Yes
TRACK_RULES=No TRACK_RULES=No
USE_DEFAULT_RT=Yes USE_DEFAULT_RT=Exact
USE_PHYSICAL_NAMES=No USE_PHYSICAL_NAMES=No


@ -211,7 +211,7 @@ TRACK_PROVIDERS=Yes
TRACK_RULES=No TRACK_RULES=No
USE_DEFAULT_RT=Yes USE_DEFAULT_RT=Exact
USE_PHYSICAL_NAMES=No USE_PHYSICAL_NAMES=No


@ -173,6 +173,14 @@
where <replaceable>weight</replaceable> is the weight of the where <replaceable>weight</replaceable> is the weight of the
route out of this interface. Prior to Shorewall 5.0.13, only route out of this interface. Prior to Shorewall 5.0.13, only
one provider can specify this option.</para> one provider can specify this option.</para>
<para>The setting <option>balance=1</option> is the default
when USE_DEFAULT_RT=Yes in and neither
<option>balance</option>[=], <option>primary</option>,
<option>fallback</option>[=], <option>loose</option> nor
<option>tproxy</option> is specified. To suppress this
behavior, set USE_DEFAULT_RT=Strict (Shorewall 5.1.1 or
later).</para>
</listitem> </listitem>
</varlistentry> </varlistentry>


@ -2448,7 +2448,8 @@ INLINE - - - ;; -j REJECT
<varlistentry> <varlistentry>
<term><emphasis role="bold">USE_DEFAULT_RT=</emphasis>[<emphasis <term><emphasis role="bold">USE_DEFAULT_RT=</emphasis>[<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term> role="bold">Yes</emphasis>|<emphasis
role="bold">No</emphasis>|Exact]</term>
<listitem> <listitem>
<para>Added in Shorewall6 4.4.25. When set to 'Yes', this option <para>Added in Shorewall6 4.4.25. When set to 'Yes', this option
@ -2460,7 +2461,8 @@ INLINE - - - ;; -j REJECT
changes to the main table will affect the routing of packets by changes to the main table will affect the routing of packets by
default.</para> default.</para>
<para>When USE_DEFAULT_RT=Yes:</para> <para>When USE_DEFAULT_RT=Yes or USE_DEFAULT_RT=Exact (Shorewall
5.1.1 or later):</para>
<orderedlist> <orderedlist>
<listitem> <listitem>
@ -2475,8 +2477,11 @@ INLINE - - - ;; -j REJECT
</listitem> </listitem>
<listitem> <listitem>
<para><emphasis role="bold">balance</emphasis> is assumed unless <para>The <emphasis role="bold">balance</emphasis> provider
<emphasis role="bold">loose</emphasis> is specified.</para> option is assumed unless <emphasis role="bold">loose</emphasis>,
<option>fallback</option>,<option> load=</option> or
<option>tproxy</option> is specified for the provider or unless
USE_DEFAULT_RT=Exact.</para>
</listitem> </listitem>
<listitem> <listitem>


@ -219,14 +219,16 @@
<para>The behavior and configuration of Multiple ISP support is <para>The behavior and configuration of Multiple ISP support is
dependent on the setting of USE_DEFAULT_RT in shorewall[6].conf.</para> dependent on the setting of USE_DEFAULT_RT in shorewall[6].conf.</para>
<para>When USE_DEFAULT_RT=Yes, packets are first routed through the main <para>When USE_DEFAULT_RT=Yes or USE_DEFAULT_RT=Exact (Shorewall 5.1.1
routing table <emphasis>which does not contain a default and later), packets are first routed through the main routing table
route</emphasis>. Packets which fail to be routed by an entry in the <emphasis>which does not contain a default route</emphasis>. Packets
main table are then passed to shorewall-defined routing tables based on which fail to be routed by an entry in the main table are then passed to
your Multi-ISP configuration. The advantage of this approach is that shorewall-defined routing tables based on your Multi-ISP configuration.
dynamic changes to the ip configuration, such as VPNs going up and down, The advantage of this approach is that dynamic changes to the ip
do not require notificaiton of Shorewall. USE_DEFAULT_RT is now the configuration, such as VPNs going up and down, do not require
default and use of USE_DEFAULT_RT=No is deprecated.</para> notificaiton of Shorewall. USE_DEFAULT_RT=No (USE_DEFAULT_RT=Exact in
Shorewall 5.1.1 and later) is now the default and use of
USE_DEFAULT_RT=No is deprecated.</para>
<para>When USE_DEFAULT_RT=No, packets are routed via Shorewall-generated <para>When USE_DEFAULT_RT=No, packets are routed via Shorewall-generated
routing tables. As a consequence, the main routing table must be copied routing tables. As a consequence, the main routing table must be copied
@ -319,9 +321,10 @@
<para>Gives the name or number of a routing table to duplicate. <para>Gives the name or number of a routing table to duplicate.
May be 'main' or the name or number of a previously declared May be 'main' or the name or number of a previously declared
provider. This field should be be specified as '-' when provider. This field should be be specified as '-' when
USE_DEFAULT_RT=Yes in <filename>shorewall.conf. When USE_DEFAULT_RT=Yes or USE_DEFAULT_RT=Exact in
USE_DEFAULT_RT=No (not recommended), this column is normally <filename>shorewall.conf. When USE_DEFAULT_RT=No (not
specified as <option>main</option>.</filename></para> recommended), this column is normally specified as
<option>main</option>.</filename></para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -695,7 +698,8 @@ fi</programlisting>
interfaces should be routed through the main table using entries in interfaces should be routed through the main table using entries in
<filename>/etc/shorewall/rtrules</filename> (see Example 2 <link <filename>/etc/shorewall/rtrules</filename> (see Example 2 <link
linkend="Examples">below</link>) or by using <link linkend="Examples">below</link>) or by using <link
linkend="USE_DEFAULT_RT">USE_DEFAULT_RT=Yes</link> (recommended)</para> linkend="USE_DEFAULT_RT">USE_DEFAULT_RT=Yes or
USE_DEFAULT_RT=Exact</link> (recommended)</para>
<para>In addition:</para> <para>In addition:</para>
@ -907,8 +911,8 @@ DROP:info net:192.168.1.0/24 all</programlisting>
<title id="Example">Legacy Example</title> <title id="Example">Legacy Example</title>
<para>This section describes the legacy method of configuring multiple <para>This section describes the legacy method of configuring multiple
uplinks. It is deprecated in favor of the USE_DEFAULT_RT=Yes uplinks. It is deprecated in favor of the USE_DEFAULT_RT=Yes or
configuration described <link USE_DEFAULT_RT=Exact configuration described <link
linkend="USE_DEFAULT_RT">below</link>.</para> linkend="USE_DEFAULT_RT">below</link>.</para>
<para>The configuration in the figure at the top of this section would <para>The configuration in the figure at the top of this section would
@ -940,7 +944,8 @@ eth1 0.0.0.0/0 130.252.99.27</programlisting>
</section> </section>
<section id="Example2"> <section id="Example2">
<title id="Example99">Example using USE_DEFAULT_RT=Yes</title> <title id="Example99">Example using USE_DEFAULT_RT=Yes or
USE_DEFAULT_RT=Exact</title>
<para>This section shows the differences in configuring the above <para>This section shows the differences in configuring the above
example with USE_DEFAULT_RT=Yes. The changes are confined to the example with USE_DEFAULT_RT=Yes. The changes are confined to the
@ -1214,12 +1219,12 @@ gateway:~ #</programlisting>
VPN clients (including but not limited to OpenVPN in routed mode and VPN clients (including but not limited to OpenVPN in routed mode and
PPTP), the VPN software adds a host route to the <emphasis PPTP), the VPN software adds a host route to the <emphasis
role="bold">main</emphasis> table for each VPN client. The best role="bold">main</emphasis> table for each VPN client. The best
approach is to use USE_DEFAULT_RT=Yes as described <link approach is to use USE_DEFAULT_RT=Yes or USE_DEFAULT_RT=Exact as
linkend="USE_DEFAULT_RT">below</link>. If that isn't possible, you described <link linkend="USE_DEFAULT_RT">below</link>. If that isn't
must add a routing rule in the 1000-1999 range to specify the possible, you must add a routing rule in the 1000-1999 range to
<emphasis role="bold">main</emphasis> table for traffic addressed to specify the <emphasis role="bold">main</emphasis> table for traffic
those clients. See<link linkend="Openvpn"> Example 2</link> addressed to those clients. See<link linkend="Openvpn"> Example
below.</para> 2</link> below.</para>
<para>If you have an IPSEC gateway on your firewall, be sure to <para>If you have an IPSEC gateway on your firewall, be sure to
arrange for ESP packets to be routed out of the same interface that arrange for ESP packets to be routed out of the same interface that
@ -1789,9 +1794,9 @@ lillycat: #</programlisting>
route rules such as described in <link linkend="Openvpn">one of the route rules such as described in <link linkend="Openvpn">one of the
examples above</link> necessary.</para> examples above</link> necessary.</para>
<para>USE_DEFAULT_RT=Yes works around that problem by passing packets <para>USE_DEFAULT_RT=Yes and USE_DEFAULT_RT=Exact work around that
through the main table first rather than last. This has a number of problem by passing packets through the main table first rather than
implications:</para> last. This has a number of implications:</para>
<orderedlist> <orderedlist>
<listitem> <listitem>
@ -1802,9 +1807,12 @@ lillycat: #</programlisting>
</listitem> </listitem>
<listitem> <listitem>
<para>The <emphasis role="bold">balance</emphasis> option is assumed <para>When USE_DEFAULT_RT=Yes, the <emphasis
for all interfaces that do not have the <emphasis role="bold">balance</emphasis> option is assumed for all interfaces
role="bold">loose</emphasis> option. When you want both <emphasis that do not have the <emphasis role="bold">loose</emphasis>,
<emphasis role="bold">primary</emphasis>, <emphasis
role="bold">fallback</emphasis> or <emphasis
role="bold">tproxy</emphasis> option. When you want both <emphasis
role="bold">balance</emphasis> and <emphasis role="bold">balance</emphasis> and <emphasis
role="bold">loose</emphasis>, both must be specified.</para> role="bold">loose</emphasis>, both must be specified.</para>
</listitem> </listitem>
@ -1898,8 +1906,9 @@ shorewall 2 2 - eth0 192.168.1.254 track,balance=2,optional<
<section> <section>
<title>DHCP with USE_DEFAULT_RT</title> <title>DHCP with USE_DEFAULT_RT</title>
<para>When USE_DEFAULT_RT=Yes, you don't want your DHCP client <para>When USE_DEFAULT_RT=Yes or USE_DEFAULT_RT=Exact, you don't want
inserting a default route into the main routing table.</para> your DHCP client inserting a default route into the main routing
table.</para>
<section> <section>
<title>Debian</title> <title>Debian</title>