Revert "Implement USE_DEFAULT_RT=Exact"

This reverts commit 2ca1ae734a300d7a147d40d58f7c46177196b9a9.
Tom Eastep 2017-01-17 08:25:33 -08:00
parent f23970b4f7
commit 2d16fac9ed
No known key found for this signature in database
GPG Key ID: 96E6B3F2423A4D10
16 changed files with 54 additions and 99 deletions

@ -6282,20 +6282,11 @@ sub get_configuration( $$$$ ) {
require_capability 'COMMENTS', 'TRACK_RULES=Yes', 's' if $config{TRACK_RULES}; require_capability 'COMMENTS', 'TRACK_RULES=Yes', 's' if $config{TRACK_RULES};
default_yes_no 'MANGLE_ENABLED' , have_capability( 'MANGLE_ENABLED' ) ? 'Yes' : ''; default_yes_no 'MANGLE_ENABLED' , have_capability( 'MANGLE_ENABLED' ) ? 'Yes' : '';
default_yes_no 'USE_DEFAULT_RT' , '';
default_yes_no 'RESTORE_DEFAULT_ROUTE' , 'Yes'; default_yes_no 'RESTORE_DEFAULT_ROUTE' , 'Yes';
default_yes_no 'AUTOMAKE' , ''; default_yes_no 'AUTOMAKE' , '';
default_yes_no 'TRACK_PROVIDERS' , ''; default_yes_no 'TRACK_PROVIDERS' , '';
if ( supplied( $val = $config{USE_DEFAULT_RT} ) ) {
if ( lc( $val ) eq 'exact' ) {
$config{USE_DEFAULT_RT} = 'exact';
} else {
default_yes_no 'USE_DEFAULT_RT' , '';
}
} else {
default_yes_no 'USE_DEFAULT_RT' , '';
}
unless ( ( $config{NULL_ROUTE_RFC1918} || '' ) =~ /^(?:blackhole|unreachable|prohibit)$/ ) { unless ( ( $config{NULL_ROUTE_RFC1918} || '' ) =~ /^(?:blackhole|unreachable|prohibit)$/ ) {
default_yes_no( 'NULL_ROUTE_RFC1918', '' ); default_yes_no( 'NULL_ROUTE_RFC1918', '' );
$config{NULL_ROUTE_RFC1918} = 'blackhole' if $config{NULL_ROUTE_RFC1918}; $config{NULL_ROUTE_RFC1918} = 'blackhole' if $config{NULL_ROUTE_RFC1918};
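
Review bot: With the 'exact' branch removed, a configuration that still carries USE_DEFAULT_RT=Exact now goes straight to `default_yes_no 'USE_DEFAULT_RT' , '';`, and nothing in this hunk shows how that value is handled. This same commit has to change several settings files from USE_DEFAULT_RT=Exact to USE_DEFAULT_RT=Yes, so configurations written against 2ca1ae73 may hold the value as well. Please confirm that default_yes_no rejects it with a clear error rather than silently mapping it to Yes or No, and state the reason for the revert in the commit message, which currently gives none.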

@ -519,11 +519,11 @@ sub process_a_provider( $ ) {
my ( $loose, $track, $balance, $default, $default_balance, $optional, $mtu, $tproxy, $local, $load, $what, $hostroute, $persistent ); my ( $loose, $track, $balance, $default, $default_balance, $optional, $mtu, $tproxy, $local, $load, $what, $hostroute, $persistent );
if ( $pseudo ) { if ( $pseudo ) {
( $loose, $track, $balance , $default, $default_balance, $optional, $mtu, $tproxy , $local, $load, $what , $hostroute, $persistent ) = ( $loose, $track, $balance , $default, $default_balance, $optional, $mtu, $tproxy , $local, $load, $what , $hostroute, $persistent ) =
( 0, 0 , 0 , 0, 0, 1 , '' , 0 , 0, 0, 'interface', 0, 0); ( 0, 0 , 0 , 0, 0, 1 , '' , 0 , 0, 0, 'interface', 0, 0);
} else { } else {
( $loose, $track, $balance , $default, $default_balance, $optional, $mtu, $tproxy , $local, $load, $what , $hostroute, $persistent )= ( $loose, $track, $balance , $default, $default_balance, $optional, $mtu, $tproxy , $local, $load, $what , $hostroute, $persistent )=
( 0, $config{TRACK_PROVIDERS}, 0 , 0, $config{USE_DEFAULT_RT} eq 'Yes' ? 1 : 0, interface_is_optional( $interface ), '' , 0 , 0, 0, 'provider', 1, 0); ( 0, $config{TRACK_PROVIDERS}, 0 , 0, $config{USE_DEFAULT_RT} ? 1 : 0, interface_is_optional( $interface ), '' , 0 , 0, 0, 'provider', 1, 0);
} }
unless ( $options eq '-' ) { unless ( $options eq '-' ) {
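
Review bot: In the non-pseudo branch the restored expression `$config{USE_DEFAULT_RT} ? 1 : 0` turns on $default_balance for any true value, so it is only correct if get_configuration has already reduced the option to a true or empty value through default_yes_no. A short comment here stating that dependency would keep a later change to the option's value set from silently enabling balancing for every provider.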

@ -240,7 +240,7 @@ TRACK_PROVIDERS=Yes
TRACK_RULES=No TRACK_RULES=No
USE_DEFAULT_RT=Exact USE_DEFAULT_RT=Yes
USE_PHYSICAL_NAMES=No USE_PHYSICAL_NAMES=No
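
Review bot: Changing this shipped value from USE_DEFAULT_RT=Exact to USE_DEFAULT_RT=Yes alters behaviour, not just spelling: by the documentation text removed elsewhere in this commit, balance was assumed "unless USE_DEFAULT_RT=Exact", while under Yes it is assumed unless loose is specified. Anyone who installed the file with Exact and relied on no implicit balancing gets different provider routing after upgrading, so this deserves a release-note entry. The same applies to the identical hunks in the other settings files below.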

@ -251,7 +251,7 @@ TRACK_PROVIDERS=Yes
TRACK_RULES=No TRACK_RULES=No
USE_DEFAULT_RT=Exact USE_DEFAULT_RT=Yes
USE_PHYSICAL_NAMES=No USE_PHYSICAL_NAMES=No

@ -248,7 +248,7 @@ TRACK_PROVIDERS=Yes
TRACK_RULES=No TRACK_RULES=No
USE_DEFAULT_RT=Exact USE_DEFAULT_RT=Yes
USE_PHYSICAL_NAMES=No USE_PHYSICAL_NAMES=No

@ -251,7 +251,7 @@ TRACK_PROVIDERS=Yes
TRACK_RULES=No TRACK_RULES=No
USE_DEFAULT_RT=Exact USE_DEFAULT_RT=Yes
USE_PHYSICAL_NAMES=No USE_PHYSICAL_NAMES=No

@ -240,7 +240,7 @@ TRACK_PROVIDERS=No
TRACK_RULES=No TRACK_RULES=No
USE_DEFAULT_RT=Exact USE_DEFAULT_RT=Yes
USE_PHYSICAL_NAMES=No USE_PHYSICAL_NAMES=No

@ -208,14 +208,6 @@
<option>balance=</option><replaceable>weight</replaceable> <option>balance=</option><replaceable>weight</replaceable>
where <replaceable>weight</replaceable> is the weight of the where <replaceable>weight</replaceable> is the weight of the
route out of this interface.</para> route out of this interface.</para>
<para>The setting <option>balance=1</option> is the default
when USE_DEFAULT_RT=Yes in and neither
<option>balance</option>[=], <option>primary</option>,
<option>fallback</option>, <option>loose</option> nor
<option>tproxy</option> is specified. To suppress this
behavior, set USE_DEFAULT_RT=Strict (Shorewall 5.1.1 or
later).</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
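
Review bot: The removed paragraph is the only text in this hunk telling the reader that balance=1 is applied by default when USE_DEFAULT_RT=Yes, and the code after the revert still derives that default from `$config{USE_DEFAULT_RT} ? 1 : 0`. Rather than deleting the whole paragraph, drop only its last sentence about suppressing the behaviour (it names USE_DEFAULT_RT=Strict, a value the code in this commit never handled) and fix the stray "in and".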

@ -2307,10 +2307,9 @@ INLINE - - - ;; -j REJECT
<para>RESTORE_DEFAULT_ROUTE=No is appropriate when you don't want a <para>RESTORE_DEFAULT_ROUTE=No is appropriate when you don't want a
default route in the main table (USE_DEFAULT_RT=No) or in the default route in the main table (USE_DEFAULT_RT=No) or in the
default table (USE_DEFAULT_RT=Yes or USE_DEFAULT_RT=Exact) when default table (USE_DEFAULT_RT=Yes) when there are no balance
there are no balance providers available. In that case, providers available. In that case, RESTORE_DEFAULT_ROUTE=No will
RESTORE_DEFAULT_ROUTE=No will cause any default route in the cause any default route in the relevant table to be deleted.</para>
relevant table to be deleted.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -2806,8 +2805,7 @@ INLINE - - - ;; -j REJECT
<varlistentry> <varlistentry>
<term><emphasis role="bold">USE_DEFAULT_RT=</emphasis>[<emphasis <term><emphasis role="bold">USE_DEFAULT_RT=</emphasis>[<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
role="bold">No|Exact</emphasis>]</term>
<listitem> <listitem>
<para>When set to 'Yes', this option causes the Shorewall multi-ISP <para>When set to 'Yes', this option causes the Shorewall multi-ISP
@ -2818,8 +2816,7 @@ INLINE - - - ;; -j REJECT
the Shorewall-generated routing rules. So changes to the main table the Shorewall-generated routing rules. So changes to the main table
will affect the routing of packets by default.</para> will affect the routing of packets by default.</para>
<para>When USE_DEFAULT_RT=Yes or USE_DEFAULT_RT=Exact (Shorewall <para>When USE_DEFAULT_RT=Yes:</para>
5.1.1 or later):</para>
<orderedlist> <orderedlist>
<listitem> <listitem>
@ -2834,11 +2831,8 @@ INLINE - - - ;; -j REJECT
</listitem> </listitem>
<listitem> <listitem>
<para>The <emphasis role="bold">balance</emphasis> provider <para><emphasis role="bold">balance</emphasis> is assumed unless
option is assumed unless <emphasis role="bold">loose</emphasis>, <emphasis role="bold">loose</emphasis> is specified.</para>
<option>fallback</option>,<option> load=</option> or
<option>tproxy</option> is specified for the provider or unless
USE_DEFAULT_RT=Exact.</para>
</listitem> </listitem>
<listitem> <listitem>
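
Review bot: In the @ -2834 hunk the restored sentence says balance is assumed unless loose is specified, while the text being removed also listed fallback, load= and tproxy as exceptions. Only the "or unless USE_DEFAULT_RT=Exact" clause is obviously tied to the reverted feature; if the other exceptions describe existing behaviour under USE_DEFAULT_RT=Yes, keep them so the manual does not understate when balance is implied.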

@ -211,7 +211,7 @@ TRACK_PROVIDERS=Yes
TRACK_RULES=No TRACK_RULES=No
USE_DEFAULT_RT=Exact USE_DEFAULT_RT=Yes
USE_PHYSICAL_NAMES=No USE_PHYSICAL_NAMES=No

@ -212,7 +212,7 @@ TRACK_PROVIDERS=Yes
TRACK_RULES=No TRACK_RULES=No
USE_DEFAULT_RT=Exact USE_DEFAULT_RT=Yes
USE_PHYSICAL_NAMES=No USE_PHYSICAL_NAMES=No

@ -211,7 +211,7 @@ TRACK_PROVIDERS=Yes
TRACK_RULES=No TRACK_RULES=No
USE_DEFAULT_RT=Exact USE_DEFAULT_RT=Yes
USE_PHYSICAL_NAMES=No USE_PHYSICAL_NAMES=No

@ -211,7 +211,7 @@ TRACK_PROVIDERS=Yes
TRACK_RULES=No TRACK_RULES=No
USE_DEFAULT_RT=Exact USE_DEFAULT_RT=Yes
USE_PHYSICAL_NAMES=No USE_PHYSICAL_NAMES=No

@ -173,14 +173,6 @@
where <replaceable>weight</replaceable> is the weight of the where <replaceable>weight</replaceable> is the weight of the
route out of this interface. Prior to Shorewall 5.0.13, only route out of this interface. Prior to Shorewall 5.0.13, only
one provider can specify this option.</para> one provider can specify this option.</para>
<para>The setting <option>balance=1</option> is the default
when USE_DEFAULT_RT=Yes in and neither
<option>balance</option>[=], <option>primary</option>,
<option>fallback</option>[=], <option>loose</option> nor
<option>tproxy</option> is specified. To suppress this
behavior, set USE_DEFAULT_RT=Strict (Shorewall 5.1.1 or
later).</para>
</listitem> </listitem>
</varlistentry> </varlistentry>

@ -2448,8 +2448,7 @@ INLINE - - - ;; -j REJECT
<varlistentry> <varlistentry>
<term><emphasis role="bold">USE_DEFAULT_RT=</emphasis>[<emphasis <term><emphasis role="bold">USE_DEFAULT_RT=</emphasis>[<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
role="bold">No</emphasis>|Exact]</term>
<listitem> <listitem>
<para>Added in Shorewall6 4.4.25. When set to 'Yes', this option <para>Added in Shorewall6 4.4.25. When set to 'Yes', this option
@ -2461,8 +2460,7 @@ INLINE - - - ;; -j REJECT
changes to the main table will affect the routing of packets by changes to the main table will affect the routing of packets by
default.</para> default.</para>
<para>When USE_DEFAULT_RT=Yes or USE_DEFAULT_RT=Exact (Shorewall <para>When USE_DEFAULT_RT=Yes:</para>
5.1.1 or later):</para>
<orderedlist> <orderedlist>
<listitem> <listitem>
@ -2477,11 +2475,8 @@ INLINE - - - ;; -j REJECT
</listitem> </listitem>
<listitem> <listitem>
<para>The <emphasis role="bold">balance</emphasis> provider <para><emphasis role="bold">balance</emphasis> is assumed unless
option is assumed unless <emphasis role="bold">loose</emphasis>, <emphasis role="bold">loose</emphasis> is specified.</para>
<option>fallback</option>,<option> load=</option> or
<option>tproxy</option> is specified for the provider or unless
USE_DEFAULT_RT=Exact.</para>
</listitem> </listitem>
<listitem> <listitem>

@ -219,16 +219,14 @@
<para>The behavior and configuration of Multiple ISP support is <para>The behavior and configuration of Multiple ISP support is
dependent on the setting of USE_DEFAULT_RT in shorewall[6].conf.</para> dependent on the setting of USE_DEFAULT_RT in shorewall[6].conf.</para>
<para>When USE_DEFAULT_RT=Yes or USE_DEFAULT_RT=Exact (Shorewall 5.1.1 <para>When USE_DEFAULT_RT=Yes, packets are first routed through the main
and later), packets are first routed through the main routing table routing table <emphasis>which does not contain a default
<emphasis>which does not contain a default route</emphasis>. Packets route</emphasis>. Packets which fail to be routed by an entry in the
which fail to be routed by an entry in the main table are then passed to main table are then passed to shorewall-defined routing tables based on
shorewall-defined routing tables based on your Multi-ISP configuration. your Multi-ISP configuration. The advantage of this approach is that
The advantage of this approach is that dynamic changes to the ip dynamic changes to the ip configuration, such as VPNs going up and down,
configuration, such as VPNs going up and down, do not require do not require notificaiton of Shorewall. USE_DEFAULT_RT is now the
notificaiton of Shorewall. USE_DEFAULT_RT=No (USE_DEFAULT_RT=Exact in default and use of USE_DEFAULT_RT=No is deprecated.</para>
Shorewall 5.1.1 and later) is now the default and use of
USE_DEFAULT_RT=No is deprecated.</para>
<para>When USE_DEFAULT_RT=No, packets are routed via Shorewall-generated <para>When USE_DEFAULT_RT=No, packets are routed via Shorewall-generated
routing tables. As a consequence, the main routing table must be copied routing tables. As a consequence, the main routing table must be copied
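
Review bot: The restored sentence "USE_DEFAULT_RT is now the default and use of USE_DEFAULT_RT=No is deprecated" names no value for the default; it should read USE_DEFAULT_RT=Yes. The same restored paragraph also brings back the misspelling "notificaiton", which is worth fixing while the text is being touched.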
@ -321,10 +319,9 @@
<para>Gives the name or number of a routing table to duplicate. <para>Gives the name or number of a routing table to duplicate.
May be 'main' or the name or number of a previously declared May be 'main' or the name or number of a previously declared
provider. This field should be be specified as '-' when provider. This field should be be specified as '-' when
USE_DEFAULT_RT=Yes or USE_DEFAULT_RT=Exact in USE_DEFAULT_RT=Yes in <filename>shorewall.conf. When
<filename>shorewall.conf. When USE_DEFAULT_RT=No (not USE_DEFAULT_RT=No (not recommended), this column is normally
recommended), this column is normally specified as specified as <option>main</option>.</filename></para>
<option>main</option>.</filename></para>
</listitem> </listitem>
</varlistentry> </varlistentry>
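
Review bot: In the restored text the `<filename>` element opens before shorewall.conf and is not closed until after `<option>main</option>.`, so the whole following sentence is marked up as a file name. Close it immediately after shorewall.conf, and fix "should be be specified" in the context line above it.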
@ -698,8 +695,7 @@ fi</programlisting>
interfaces should be routed through the main table using entries in interfaces should be routed through the main table using entries in
<filename>/etc/shorewall/rtrules</filename> (see Example 2 <link <filename>/etc/shorewall/rtrules</filename> (see Example 2 <link
linkend="Examples">below</link>) or by using <link linkend="Examples">below</link>) or by using <link
linkend="USE_DEFAULT_RT">USE_DEFAULT_RT=Yes or linkend="USE_DEFAULT_RT">USE_DEFAULT_RT=Yes</link> (recommended)</para>
USE_DEFAULT_RT=Exact</link> (recommended)</para>
<para>In addition:</para> <para>In addition:</para>
@ -911,8 +907,8 @@ DROP:info net:192.168.1.0/24 all</programlisting>
<title id="Example">Legacy Example</title> <title id="Example">Legacy Example</title>
<para>This section describes the legacy method of configuring multiple <para>This section describes the legacy method of configuring multiple
uplinks. It is deprecated in favor of the USE_DEFAULT_RT=Yes or uplinks. It is deprecated in favor of the USE_DEFAULT_RT=Yes
USE_DEFAULT_RT=Exact configuration described <link configuration described <link
linkend="USE_DEFAULT_RT">below</link>.</para> linkend="USE_DEFAULT_RT">below</link>.</para>
<para>The configuration in the figure at the top of this section would <para>The configuration in the figure at the top of this section would
@ -944,8 +940,7 @@ eth1 0.0.0.0/0 130.252.99.27</programlisting>
</section> </section>
<section id="Example2"> <section id="Example2">
<title id="Example99">Example using USE_DEFAULT_RT=Yes or <title id="Example99">Example using USE_DEFAULT_RT=Yes</title>
USE_DEFAULT_RT=Exact</title>
<para>This section shows the differences in configuring the above <para>This section shows the differences in configuring the above
example with USE_DEFAULT_RT=Yes. The changes are confined to the example with USE_DEFAULT_RT=Yes. The changes are confined to the
@ -1219,12 +1214,12 @@ gateway:~ #</programlisting>
VPN clients (including but not limited to OpenVPN in routed mode and VPN clients (including but not limited to OpenVPN in routed mode and
PPTP), the VPN software adds a host route to the <emphasis PPTP), the VPN software adds a host route to the <emphasis
role="bold">main</emphasis> table for each VPN client. The best role="bold">main</emphasis> table for each VPN client. The best
approach is to use USE_DEFAULT_RT=Yes or USE_DEFAULT_RT=Exact as approach is to use USE_DEFAULT_RT=Yes as described <link
described <link linkend="USE_DEFAULT_RT">below</link>. If that isn't linkend="USE_DEFAULT_RT">below</link>. If that isn't possible, you
possible, you must add a routing rule in the 1000-1999 range to must add a routing rule in the 1000-1999 range to specify the
specify the <emphasis role="bold">main</emphasis> table for traffic <emphasis role="bold">main</emphasis> table for traffic addressed to
addressed to those clients. See<link linkend="Openvpn"> Example those clients. See<link linkend="Openvpn"> Example 2</link>
2</link> below.</para> below.</para>
<para>If you have an IPSEC gateway on your firewall, be sure to <para>If you have an IPSEC gateway on your firewall, be sure to
arrange for ESP packets to be routed out of the same interface that arrange for ESP packets to be routed out of the same interface that
@ -1794,9 +1789,9 @@ lillycat: #</programlisting>
route rules such as described in <link linkend="Openvpn">one of the route rules such as described in <link linkend="Openvpn">one of the
examples above</link> necessary.</para> examples above</link> necessary.</para>
<para>USE_DEFAULT_RT=Yes and USE_DEFAULT_RT=Exact work around that <para>USE_DEFAULT_RT=Yes works around that problem by passing packets
problem by passing packets through the main table first rather than through the main table first rather than last. This has a number of
last. This has a number of implications:</para> implications:</para>
<orderedlist> <orderedlist>
<listitem> <listitem>
@ -1807,12 +1802,9 @@ lillycat: #</programlisting>
</listitem> </listitem>
<listitem> <listitem>
<para>When USE_DEFAULT_RT=Yes, the <emphasis <para>The <emphasis role="bold">balance</emphasis> option is assumed
role="bold">balance</emphasis> option is assumed for all interfaces for all interfaces that do not have the <emphasis
that do not have the <emphasis role="bold">loose</emphasis>, role="bold">loose</emphasis> option. When you want both <emphasis
<emphasis role="bold">primary</emphasis>, <emphasis
role="bold">fallback</emphasis> or <emphasis
role="bold">tproxy</emphasis> option. When you want both <emphasis
role="bold">balance</emphasis> and <emphasis role="bold">balance</emphasis> and <emphasis
role="bold">loose</emphasis>, both must be specified.</para> role="bold">loose</emphasis>, both must be specified.</para>
</listitem> </listitem>
@ -1906,9 +1898,8 @@ shorewall 2 2 - eth0 192.168.1.254 track,balance=2,optional<
<section> <section>
<title>DHCP with USE_DEFAULT_RT</title> <title>DHCP with USE_DEFAULT_RT</title>
<para>When USE_DEFAULT_RT=Yes or USE_DEFAULT_RT=Exact, you don't want <para>When USE_DEFAULT_RT=Yes, you don't want your DHCP client
your DHCP client inserting a default route into the main routing inserting a default route into the main routing table.</para>
table.</para>
<section> <section>
<title>Debian</title> <title>Debian</title>