Fix routing of traffic from the firewall; add gateway detection for PPP connections

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2156 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2005-05-21 16:53:35 +00:00
parent 80bae1a525
commit 2e0abc0089
5 changed files with 37 additions and 5 deletions


@ -10,6 +10,10 @@ Changes in 2.3.2
5) Implement 'loose' routestopped option. 5) Implement 'loose' routestopped option.
6) Change 'loose' to 'source' and 'dest'
7) Fix routing of connections from the firewall with multiple ISPs.
Changes in 2.3.1 Changes in 2.3.1
1) Change the behavior of SAVE_IPSETS and allow 'ipsets' files in 1) Change the behavior of SAVE_IPSETS and allow 'ipsets' files in


@ -1060,7 +1060,7 @@ verify_mark() # $1 = value to test
# #
setup_providers() setup_providers()
{ {
local table number mark duplicate interface gateway options provider local table number mark duplicate interface gateway options provider address
add_a_provider() { add_a_provider() {
local t n iface option local t n iface option
@ -1093,6 +1093,10 @@ setup_providers()
done done
fi fi
if [ "x$gateway" = xdetect ] ; then
gateway=$( find_peer $(ip addr ls $interface ) )
fi
ensure_and_save_command ip route add default via $gateway dev $interface table $number ensure_and_save_command ip route add default via $gateway dev $interface table $number
verify_mark $mark verify_mark $mark
@ -1103,6 +1107,11 @@ setup_providers()
ensure_and_save_command ip rule add fwmark $mark table $number ensure_and_save_command ip rule add fwmark $mark table $number
for address in $(find_interface_addresses $interface); do
run_and_save_command qt ip rule del from $address
ensure_and_save_command ip rule add from $address table $number
done
for option in $(separate_list $options); do for option in $(separate_list $options); do
case $option in case $option in
-) -)
@ -2687,16 +2696,16 @@ process_tc_rule()
if [ "x$source" != "x-" ]; then if [ "x$source" != "x-" ]; then
case $source in case $source in
$FW:*)
chain=tcout
r="$(source_ip_range ${source#*:}) "
;;
*.*.*|+*|!+*) *.*.*|+*|!+*)
r="$(source_ip_range $source) " r="$(source_ip_range $source) "
;; ;;
~*) ~*)
r="$(mac_match $source) " r="$(mac_match $source) "
;; ;;
$FW:*)
chain=tcout
r="$(source_ip_range ${source%:*}) "
;;
$FW) $FW)
chain=tcout chain=tcout
;; ;;
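Review bot: In the `gateway=detect` branch, `gateway=$( find_peer $(ip addr ls $interface ) )` is used unchecked: when the interface reports no `peer` entry (not a point-to-point link, or the link is down) `gateway` is empty and the next line builds `ip route add default via  dev $interface ...` with a missing argument, so the failure presumably surfaces as an `ip` parse error rather than a configuration message. Add a check right after the assignment, `[ -n "$gateway" ] || fatal_error "Unable to detect the gateway for $interface"`, so the run stops with a clear message before any route or rule is saved. The new `for address in $(find_interface_addresses $interface)` loop in the following hunk deletes any existing `ip rule ... from $address` before re-adding it, which looks intended but would also remove a rule an administrator added by hand; a one-line comment stating that the rule is replaced on purpose would help the next reader. setup_providers starts before the first hunk and ends after the last one, and process_tc_rule in the final hunk is likewise cut at both edges.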


@ -789,6 +789,18 @@ find_gateway() {
done done
} }
#
# Find the value 'peer' in the passed arguments then echo the next value up to
# "/"
#
find_peer() {
while [ $# -gt 1 ]; do
[ "x$1" = xpeer ] && echo ${2%/*} && return
shift
done
}
# #
# Find the interfaces that have a route to the passed address - the default # Find the interfaces that have a route to the passed address - the default
# route is not used. # route is not used.
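Review bot: find_peer gives its caller no way to tell success from failure: when no `peer` token is present the loop runs off the end and the function returns the status of the final `[ $# -gt 1 ]` test, 0, with nothing on stdout. Add `return 1` after the `done` so a caller can write `gateway=$(find_peer ...) || ...`; the `&& return` on the matching branch already returns 0 with the value echoed. The header comment could also state the expected input, e.g. `# Expects the word list produced by 'ip addr ls <interface>', as used by setup_providers`, since the `peer`/`addr/prefix` pairing it relies on comes from that output.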


@ -32,6 +32,10 @@
# #
# GATEWAY The IP address of the provider's gateway router. # GATEWAY The IP address of the provider's gateway router.
# #
# Users with point-to-point dynamic connections such
# as PPPoE, PPPoA and PPTP can enter "detect" here and
# Shorewall will automatically detect the gateway.
#
# OPTIONS A comma-separated list selected from the following: # OPTIONS A comma-separated list selected from the following:
# #
# track If specified, connections FROM this interface are # track If specified, connections FROM this interface are


@ -13,6 +13,9 @@ Problems Corrected since 2.3.2
copied to new routing tables created by entries in copied to new routing tables created by entries in
/etc/shorewall/providers. /etc/shorewall/providers.
4) Where multiple internet providers were configured, traffic from the
firewall itself was mishandled.
----------------------------------------------------------------------- -----------------------------------------------------------------------
Upgrade Issues when moving to 2.4.0 Upgrade Issues when moving to 2.4.0