Fix routing of traffic from the firewall; add gateway detections for PPP connections

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2156 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall2/changelog.txt

@@ -10,6 +10,10 @@ Changes in 2.3.2
 
 5) Implement 'loose' routestopped option.
 
+6) Change 'loose' to 'source' and 'dest'
+
+7) Fix routing of connections from the firewall with multiple ISPs.
+
 Changes in 2.3.1
 
 1) Change the behavior of SAVE_IPSETS and allow 'ipsets' files in

Shorewall2/firewall

@@ -1060,7 +1060,7 @@ verify_mark() # $1 = value to test
 #
 setup_providers()
 {
-    local table number mark duplicate interface gateway options provider
+    local table number mark duplicate interface gateway options provider address
 
     add_a_provider() {
 	local t n iface option
@@ -1093,6 +1093,10 @@ setup_providers()
 	    done
 	fi
 
+	if [ "x$gateway" = xdetect ] ; then
+	    gateway=$( find_peer $(ip addr ls $interface ) )
+	fi
+
 	ensure_and_save_command ip route add default via $gateway dev $interface table $number
 	
 	verify_mark $mark
@@ -1103,6 +1107,11 @@ setup_providers()
 	
 	ensure_and_save_command ip rule add fwmark $mark table $number
 
+	for address in $(find_interface_addresses $interface); do
+	    run_and_save_command qt ip rule del from $address
+	    ensure_and_save_command ip rule add from $address table $number
+	done
+
 	for option in $(separate_list $options); do
 	    case $option in
 		-)
@@ -2687,16 +2696,16 @@ process_tc_rule()
 
 	if [ "x$source" != "x-"	 ]; then
 	    case $source in
+		$FW:*)
+		    chain=tcout
+		    r="$(source_ip_range ${source#*:}) " 
+		    ;;
 		*.*.*|+*|!+*)
 		    r="$(source_ip_range $source) "
 		    ;;
 		~*)
 		    r="$(mac_match $source) "
 		    ;;
-		$FW:*)
-		    chain=tcout
-		    r="$(source_ip_range ${source%:*}) " 
-		    ;;
 		$FW)
 		    chain=tcout
 		    ;;

Shorewall2/functions

@@ -789,6 +789,18 @@ find_gateway() {
     done
 }
     
+#
+# Find the value 'peer' in the passed arguments then echo the next value up to
+# "/"
+#
+
+find_peer() {
+    while [ $# -gt 1 ]; do
+	[ "x$1" = xpeer ] && echo ${2%/*} && return
+	shift
+    done
+}
+    
 #
 # Find the interfaces that have a route to the passed address - the default
 # route is not used.

Shorewall2/providers

@@ -32,6 +32,10 @@
 #
 #	GATEWAY		The IP address of the provider's gateway router.
 #
+#			Users with point-to-point dynamic connections such
+#			as PPPoE, PPPoA and PPTP can enter "detect" here and
+#			Shorewall will automatically detect the gateway.
+#
 #	OPTIONS		A comma-separated list selected from the following:
 #
 #		track	If specified, connections FROM this interface are

Shorewall2/releasenotes.txt

@@ -13,6 +13,9 @@ Problems Corrected since 2.3.2
    copied to new routing tables created by entries in
    /etc/shorewall/providers.
 
+4) Where multiple internet providers were configured, traffic from the
+   firewall itself was mishandled.
+
 -----------------------------------------------------------------------
 Upgrade Issues when moving to 2.4.0