diff --git a/Shorewall2/changelog.txt b/Shorewall2/changelog.txt
index 02f951ee4..726fddde0 100644
--- a/Shorewall2/changelog.txt
+++ b/Shorewall2/changelog.txt
@@ -10,6 +10,10 @@ Changes in 2.3.2
 5) Implement 'loose' routestopped option.
+6) Change 'loose' to 'source' and 'dest'
+
+7) Fix routing of connections from the firewall with multiple ISPs.
+
 Changes in 2.3.1
 1) Change the behavior of SAVE_IPSETS and allow 'ipsets' files in
diff --git a/Shorewall2/firewall b/Shorewall2/firewall
index f69cf15a3..ec21f6b3a 100755
--- a/Shorewall2/firewall
+++ b/Shorewall2/firewall
@@ -1060,7 +1060,7 @@ verify_mark() # $1 = value to test
 #
 setup_providers() {
- local table number mark duplicate interface gateway options provider
+ local table number mark duplicate interface gateway options provider address
 add_a_provider() {
 local t n iface option
@@ -1093,6 +1093,10 @@ setup_providers()
 done
 fi
+ if [ "x$gateway" = xdetect ] ; then
+ gateway=$( find_peer $(ip addr ls $interface ) )
+ fi
+
 ensure_and_save_command ip route add default via $gateway dev $interface table $number
 verify_mark $mark
@@ -1103,6 +1107,11 @@ setup_providers()
 ensure_and_save_command ip rule add fwmark $mark table $number
+ for address in $(find_interface_addresses $interface); do
+ run_and_save_command qt ip rule del from $address
+ ensure_and_save_command ip rule add from $address table $number
+ done
+
 for option in $(separate_list $options); do
 case $option in
 -)
@@ -2687,16 +2696,16 @@ process_tc_rule()
 if [ "x$source" != "x-" ]; then
 case $source in
+ $FW:*)
+ chain=tcout
+ r="$(source_ip_range ${source#*:}) "
+ ;;
 *.*.*|+*|!+*)
 r="$(source_ip_range $source) "
 ;;
 ~*)
 r="$(mac_match $source) "
 ;;
- $FW:*)
- chain=tcout
- r="$(source_ip_range ${source%:*}) "
- ;;
 $FW)
 chain=tcout
 ;;
diff --git a/Shorewall2/functions b/Shorewall2/functions
index 74bb55986..4fa81a821 100755
--- a/Shorewall2/functions
+++ b/Shorewall2/functions
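Review bot: In the firewall hunk at `@@ -1093,6 +1093,10 @@`, `gateway=$( find_peer $(ip addr ls $interface ) )` leaves `gateway` empty whenever the interface has no `peer` field (not a point-to-point link, or a PPP device that does not exist yet at start time), and `find_peer` in the functions hunk falls off the end of its loop with status 0 and no output, so the caller cannot tell detection failed. The very next line then runs `ip route add default via  dev $interface table $number`, which dies on an `ip` parse error rather than a message naming the provider and interface. I would add, right after the new `fi`, `[ -n "$gateway" ] || fatal_error "Unable to detect the gateway for interface $interface"` (or whichever error helper `add_a_provider` already uses), and end `find_peer` with `return 1` after the `done` so the failure is visible to any other caller. `add_a_provider`'s body starts and ends outside the hunk.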
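Review bot: `ensure_and_save_command ip rule add from $address table $number` in the hunk at `@@ -1103,6 +1107,11 @@` adds the rule with no `pref`/`priority`, so where it lands relative to the `fwmark` rule added just above it, and to any policy rule the administrator has installed, depends on insertion order and on the kernel's default-priority assignment rather than on anything stated in the script; as I read that default, each new rule is placed ahead of all previously added non-local rules, which silently makes the from-address rules take precedence. If the intent is that packets from the firewall's own address on this interface always consult the provider table, say so with an explicit priority, e.g. `ensure_and_save_command ip rule add from $address table $number pref <PROVIDER_PRIORITY>` with a per-provider value, and give the preceding `ip rule del from $address` the same `table $number` selector so a restart does not delete an unrelated user rule that merely matches `from $address`. `add_a_provider`'s body starts and ends outside the hunk.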
@@ -789,6 +789,18 @@ find_gateway() {
 done
 }
+#
+# Find the value 'peer' in the passed arguments then echo the next value up to
+# "/"
+#
+
+find_peer() {
+ while [ $# -gt 1 ]; do
+ [ "x$1" = xpeer ] && echo ${2%/*} && return
+ shift
+ done
+}
+
 #
 # Find the interfaces that have a route to the passed address - the default
 # route is not used.
diff --git a/Shorewall2/providers b/Shorewall2/providers
index b4e47c71e..0e18099ad 100755
--- a/Shorewall2/providers
+++ b/Shorewall2/providers
@@ -32,6 +32,10 @@
 #
 # GATEWAY The IP address of the provider's gateway router.
 #
+# Users with point-to-point dynamic connections such
+# as PPPoE, PPPoA and PPTP can enter "detect" here and
+# Shorewall will automatically detect the gateway.
+#
 # OPTIONS A comma-separated list selected from the following:
 #
 # track If specified, connections FROM this interface are
diff --git a/Shorewall2/releasenotes.txt b/Shorewall2/releasenotes.txt
index e7dfdc885..fa30f2293 100755
--- a/Shorewall2/releasenotes.txt
+++ b/Shorewall2/releasenotes.txt
@@ -13,6 +13,9 @@ Problems Corrected since 2.3.2
 copied to new routing tables created by entries in /etc/shorewall/providers.
+4) Where multiple internet providers were configured, traffic from the
+ firewall itself was mishandled.
+
 -----------------------------------------------------------------------
 Upgrade Issues when moving to 2.4.0