Fix routing of traffic from the firewall; add gateway detections for PPP connections

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2156 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2025-02-23 13:11:36 +01:00 · 2005-05-21 16:53:35 +00:00 · 2005-05-21 16:53:35 +00:00 · 2e0abc0089
commit 2e0abc0089
parent 80bae1a525
5 changed files with 37 additions and 5 deletions
--- a/Shorewall2/changelog.txt
+++ b/Shorewall2/changelog.txt
@ -10,6 +10,10 @@ Changes in 2.3.2

 5) Implement 'loose' routestopped option.

+6) Change 'loose' to 'source' and 'dest'
+
+7) Fix routing of connections from the firewall with multiple ISPs.
+
 Changes in 2.3.1

 1) Change the behavior of SAVE_IPSETS and allow 'ipsets' files in
--- a/Shorewall2/firewall
+++ b/Shorewall2/firewall
@ -1060,7 +1060,7 @@ verify_mark() # $1 = value to test
 #
 setup_providers()
 {
-    local table number mark duplicate interface gateway options provider
+    local table number mark duplicate interface gateway options provider address

    add_a_provider() {
 	local t n iface option
@ -1093,6 +1093,10 @@ setup_providers()
 	    done
 	fi

+	if [ "x$gateway" = xdetect ] ; then
+	    gateway=$( find_peer $(ip addr ls $interface ) )
+	fi
+
 	ensure_and_save_command ip route add default via $gateway dev $interface table $number
 	
 	verify_mark $mark
@ -1103,6 +1107,11 @@ setup_providers()
 	
 	ensure_and_save_command ip rule add fwmark $mark table $number

+	for address in $(find_interface_addresses $interface); do
+	    run_and_save_command qt ip rule del from $address
+	    ensure_and_save_command ip rule add from $address table $number
+	done
+
 	for option in $(separate_list $options); do
 	    case $option in
 		-)
@ -2687,16 +2696,16 @@ process_tc_rule()

 	if [ "x$source" != "x-"	 ]; then
 	    case $source in
+		$FW:*)
+		    chain=tcout
+		    r="$(source_ip_range ${source#*:}) " 
+		    ;;
 		*.*.*|+*|!+*)
 		    r="$(source_ip_range $source) "
 		    ;;
 		~*)
 		    r="$(mac_match $source) "
 		    ;;
-		$FW:*)
-		    chain=tcout
-		    r="$(source_ip_range ${source%:*}) " 
-		    ;;
 		$FW)
 		    chain=tcout
 		    ;;
--- a/Shorewall2/functions
+++ b/Shorewall2/functions
@ -789,6 +789,18 @@ find_gateway() {
    done
 }
    
+#
+# Find the value 'peer' in the passed arguments then echo the next value up to
+# "/"
+#
+
+find_peer() {
+    while [ $# -gt 1 ]; do
+	[ "x$1" = xpeer ] && echo ${2%/*} && return
+	shift
+    done
+}
+    
 #
 # Find the interfaces that have a route to the passed address - the default
 # route is not used.
--- a/Shorewall2/providers
+++ b/Shorewall2/providers
@ -32,6 +32,10 @@
 #
 #	GATEWAY		The IP address of the provider's gateway router.
 #
+#			Users with point-to-point dynamic connections such
+#			as PPPoE, PPPoA and PPTP can enter "detect" here and
+#			Shorewall will automatically detect the gateway.
+#
 #	OPTIONS		A comma-separated list selected from the following:
 #
 #		track	If specified, connections FROM this interface are
--- a/Shorewall2/releasenotes.txt
+++ b/Shorewall2/releasenotes.txt
@ -13,6 +13,9 @@ Problems Corrected since 2.3.2
   copied to new routing tables created by entries in
   /etc/shorewall/providers.

+4) Where multiple internet providers were configured, traffic from the
+   firewall itself was mishandled.
+
 -----------------------------------------------------------------------
 Upgrade Issues when moving to 2.4.0