From 427808d8c2c8109685e61fa35cd5ab0e554d5208 Mon Sep 17 00:00:00 2001
From: teastep
Date: Sun, 1 Feb 2004 18:39:39 +0000
Subject: [PATCH] Restore 'haveroute' and add 'persistent' to proxyarp
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1113 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Shorewall2/changelog.txt | 1 +
 Shorewall2/firewall | 60 ++++++++++++++++++++++++++++++++-----
 Shorewall2/proxyarp | 18 ++++++++++-
 Shorewall2/releasenotes.txt | 27 ++++++++---------
 4 files changed, 84 insertions(+), 22 deletions(-)
diff --git a/Shorewall2/changelog.txt b/Shorewall2/changelog.txt
index 15c1cb639..3be058c7b 100644
--- a/Shorewall2/changelog.txt
+++ b/Shorewall2/changelog.txt
@@ -18,4 +18,5 @@ Changes since 1.4.10
 9) Get installer/uninstaller to work.
+10) Restore HAVEROUTE and add PERSISTENT column to the proxy arp file.
diff --git a/Shorewall2/firewall b/Shorewall2/firewall
index 7f6ad1d88..978946358 100755
--- a/Shorewall2/firewall
+++ b/Shorewall2/firewall
@@ -1342,22 +1342,72 @@ setup_tunnels() # $1 = name of tunnels file # setup_proxy_arp() { + print_error() { + error_message "Invalid value for HAVEROUTE - ($haveroute)" + error_message "Entry \"$address $interface $external $haveroute\" ignored" + } + + print_error1() { + error_message "Invalid value for PERSISTENT - ($persistent)" + error_message "Entry \"$address $interface $external $haveroute $persistent\" ignored" + } + + print_warning() { + error_message "PERSISTENT setting ignored - ($persistent)" + error_message "Entry \"$address $interface $external $haveroute $persistent\"" + } + setup_one_proxy_arp() { + case $haveroute in + [Nn][Oo]) + haveroute= + ;; + [Yy][Ee][Ss]) + ;; + *) + if [ -n "$haveroute" ]; then + print_error + return + fi + ;; + esac + + case $persistent in + [Nn][Oo]) + persistent= + ;; + [Yy][Ee][Ss]) + ;; + *) + if [ -n "$persistent" ]; then + print_error1 + return + fi + + [ -z "$haveroute" ] || print_warning + ;; + esac + + if [ -z "$haveroute" ]; then + run_ip route replace $address dev $interface + [ -n "$persistent" ] && haveroute=yes + fi + run_arp -Ds $address $external pub echo 1 > /proc/sys/net/ipv4/conf/$interface/proxy_arp echo 0 > /proc/sys/net/ipv4/conf/$external/proxy_arp - echo $address $interface $external yes >> ${STATEDIR}/proxyarp + echo $address $interface $external $haveroute >> ${STATEDIR}/proxyarp echo " Host $address connected to $interface added to ARP on $external" } > ${STATEDIR}/proxyarp - while read address interface external; do - expandv address interface external + while read address interface external haveroute persistent; do + expandv address interface external haveroute persistent setup_one_proxy_arp done < $TMP_DIR/proxyarp 
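Review bot: The PERSISTENT warning in setup_one_proxy_arp is issued from the wrong arm of `case $persistent`: the `*)` arm is also reached when the column is empty, so every entry with HAVEROUTE=yes and no PERSISTENT value logs `PERSISTENT setting ignored - ()`, while an entry with both columns set to yes, the one case where the value really is ignored, logs nothing. Move the check into the yes arm, `[Yy][Ee][Ss])` / `[ -z "$haveroute" ] || print_warning` / `;;`, and leave the `*)` arm with only the invalid-value test. The line `[ -n "$persistent" ] && haveroute=yes` also deserves a comment, since it is what makes persistence work: `# record the route as pre-existing so delete_proxy_arp leaves it in place`. The closing brace of setup_proxy_arp appears to lie outside the hunk.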
@@ -1521,10 +1571,6 @@ delete_proxy_arp() { if [ -f ${STATEDIR}/proxyarp ]; then while read address interface external haveroute; do qt arp -i $external -d $address pub - # - # 1.x Shorewall included a mechanism for automatically - # adding routes - # [ -z "$haveroute" ] && qt ip route del $address dev $interface done < ${STATEDIR}/proxyarp diff --git a/Shorewall2/proxyarp b/Shorewall2/proxyarp index 7ff3d3920..c3fa307bf 100644 --- a/Shorewall2/proxyarp +++ b/Shorewall2/proxyarp @@ -14,6 +14,22 @@ # you may enter "-" in this column. # EXTERNAL External Interface to be used to access this system # +# HAVEROUTE If there is already a route from the firewall to +# the host whose address is given, enter "Yes" or "yes" +# in this column. Otherwise, entry "no", "No" or leave +# the column empty and Shorewall will add the route for +# you. If Shorewall adds the route,the route will be +# persistent if the PERSISTENT column contains Yes; +# otherwise, "shorewall stop" or "shorewall clear" will +# delete the route. +# +# PERSISTENT If HAVEROUTE is No or "no", then the value of this +# column determines if the route added by Shorewall +# persists after a "shorewall stop" or a "shorewall +# clear". If this column contains "Yes" or "yes" then +# the route persists; If the column is empty or contains +# "No"or "no" then the route is deleted at "shorewall +# stop" or "shorewall clear". # # Example: Host with IP 155.186.235.6 is connected to # interface eth1 and we want hosts attached via eth0 @@ -22,5 +38,5 @@ # #ADDRESS INTERFACE EXTERNAL # 155.186.235.6 eth1 eth0 ############################################################################## -#ADDRESS INTERFACE EXTERNAL +#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall2/releasenotes.txt b/Shorewall2/releasenotes.txt index cbb0e2343..f0096cbd8 100755 --- a/Shorewall2/releasenotes.txt +++ b/Shorewall2/releasenotes.txt 
@@ -1,7 +1,7 @@ -Shorewall 2.0.0-Alpha1 +Shorewall 2.0.0-Alpha2 This is a major release of Shorewall. During the Alpha and Beta stages, -the product name is changed to "Shoreall2" so that Shorewall version 1 +the product name is changed to "Shorewall2" so that Shorewall version 1 and Shorewall version 2 may coexist on a system. The following name changes have occured: @@ -21,11 +21,11 @@ To switch from shorewall version 1 to shorewall version 2: To switch back: - shoewall restart + shorewall restart In the first release candidate, the product name will return to "Shorewall". The installer (install.sh) will only be able to upgrade -to Shoreall 2.0 from Shorewall version 1.4.0 or later. +to Shorewall 2.0 from Shorewall version 1.4.0 or later. During the Alpha and Beta periods, there will be no RPMs nor will there be any documentation tarballs. Note that the installer does NOT attempt @@ -50,17 +50,12 @@ Issues when migrating from Shorewall to Shorewall2: NAT_BEFORE_RULES=No had been specified. In other words, DNAT rules now always take precidence over one-to-one NAT specifications. -3) The HAVEROUTE column has been removed from - /etc/shorewall2/proxyarp. Shorewall2 will no longer automatically add - routes for Proxy ARP hosts. Use your distribution's static route - capability to add these routes instead. - -4) The default value for the ALL INTERFACES column in +3) The default value for the ALL INTERFACES column in /etc/shorewall2/nat has changed. In Shorewall, if the column was left empty, a value of "Yes" was assumed. This has been changed so that a value of "No" is now assumed. -5) The following files don't exist in Shorewall2: +4) The following files don't exist in Shorewall2: /etc/shorewall2/common.def /etc/shorewall2/common 
@@ -142,7 +137,7 @@ Issues when migrating from Shorewall to Shorewall2: Drop:DROP Reject:REJECT -6) The /etc/shorewall2 directory no longer contains a 'users' file or a +5) The /etc/shorewall2 directory no longer contains a 'users' file or a 'usersets' file. Similar functionality is now available using user-defined actions. @@ -160,10 +155,10 @@ Issues when migrating from Shorewall to Shorewall2: [!]: [!]: [!]: - [!]: + [!]: [!]: -7) It is no longer possible to specify rate limiting in the ACTION +6) It is no longer possible to specify rate limiting in the ACTION column of /etc/shorewall2/rules -- you must use the RATE LIMIT column. @@ -182,5 +177,9 @@ New Features: simply add a fw->fw policy and fw->fw rules. If you have neither a fw->fw policy nor fw->fw rules, all fw->fw traffic is allowed. +4) There is a new PERSISTENT column in the proxyarp file. A value of + "Yes" in this column means that the route added by Shorewall for + this host will remain after a "shorewall stop" or "shorewall clear". +