Update documentation for rp_filter change

2025-01-03 12:09:14 +01:00 · 2009-12-19 16:09:20 -08:00 · 2009-12-19 16:09:20 -08:00 · 436169f0b2
commit 436169f0b2
parent 9cf75a4253
3 changed files with 128 additions and 66 deletions
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@ -170,45 +170,10 @@ Shorewall 4.4.5
    then it may have no additional members in /etc/shorewall/hosts.
 ----------------------------------------------------------------------------
-          P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 5
+        P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 6
 ----------------------------------------------------------------------------
-1)  The change which removed the 15 port limitation on
+None.
    /etc/shorewall/routestopped was incomplete. The result was that if
    more than 15 ports were listed, an error was generated.
 2)  If any interfaces had the 'bridge' option specified, compilation
    failed with the error:
    Undefined subroutine &Shorewall::Rules::match_source_interface called 
    at /usr/share/shorewall/Shorewall/Rules.pm line 2319.
 3)  The compiler now flags port number 0 as an error in all
    contexts. Previously, port 0 was allowed with the result that
    invalid iptables-restore input could be generated in some cases.
 4)  The 'show policies' command now works in Shorewall6 and
    Shorewall6-lite.
 5)  Traffic shaping modules from /lib/modules/<version>/net/sched/ are
    now correctly loaded. Previously, that directory was not
    searched. Additionally, Shorewall6 now tries to load the cls_flow
    module; previously, only Shorewall attempts to load that module.
 6)  The Shorewall6-lite shorecap program was previously including the
    IPv4 base library rather than the IPv6 version. Also, Shorewall6
    capability detection was determing the availablity of the mangle
    capability before it had determined if ip6tables was installed.
 7)  The setting of MODULE_SUFFIX was previously ignored except when
    compiling for export.
 8)  Detection of the Enhanced Reject capability in the compiler was
    broken for IPv4 compilations.
 9)  The 'reload -c' command would ignore the setting of DONT_LOAD in
    shorewall.conf. The 'reload' command without '-c' worked as
    expected. 
 ----------------------------------------------------------------------------
             K N O W N   P R O B L E M S   R E M A I N I N G
@ -217,37 +182,53 @@ Shorewall 4.4.5
 None.
 ----------------------------------------------------------------------------
-                N E W   F E A T U R E S   I N   4 . 4 . 5
+                N E W   F E A T U R E S   I N   4 . 4 . 6
 ----------------------------------------------------------------------------
-1)  Shorewall now allows DNAT rules that change only the destination
+1)  In kernel 2.6.31, the handling of the rp_filter interface option was
-    port.
+    chan ged incompatibly. Previously, the effective value was determined
    by the setting of net.ipv4.config.dev.proxy_arp logically ANDed with
    the setting of net.ipv4.config.all.proxy_arp.
-    Example:
+    Beginning with kernel 2.6.31, the value is the arithmetic MAX of
    those two values. 
-	DNAT	loc	net::456	udp	234
+    Given that Shorewall sets net.ipv4.config.all.proxy_arp to 1 if
    there are any interfaces specifying 'routefilter', specifying
    'routefilter' on any interface has the effect of setting the option
    on all interfaces.
-    That rule will modify the destination port in UDP packets received
+    To allow Shorewall to handle this issue, a number of changes were
-    from the 'loc' zone from 456 to 234. Note that if the destination
+    necessary:
    is the firewall itself, then the destination port will be rewritten
    but that no ACCEPT rule from the loc zone to the $FW zone will have
    been created to handle the request. So such rules should probably
    exclude the firewall's IP addresses in the ORIGINAL DEST column.
-2)  Systems that do not log Netfilter messages locally can now set
+    a)  There is no way to safely determine if a kernel supports the
-    LOGFILE=/dev/null in shorewall.conf.
+        new semantics or the old so the Shorewall compiler uses the
        kernel version reported by uname.
-3)  The 'shorewall show connections' and 'shorewall dump' commands now
+    b)  This means that the kernel version is now recorded in
-    display the current number of connections and the max supported
+        the capabilities file. So if you use capabilities files, you
-    connections.
+        need to regenerate the file with Shorewall[-lite] 4.4.5.1 or
        later.
-    Example:
+    c)  If the capabilities file does not contain a kernel version,
        the compiler assumes version 2.6.30 (the old rp_filter
        behavior).
-	shorewall show connections
+    d)  The ROUTE_FILTER option in shorewall.conf now accepts the
-    	Shorewall 4.5.0 Connections (62 out of 65536) at gateway - Sat ...
+    	following values:
-    In that case, there were 62 current connections out of a maximum
+	0 or Yes - Shorewall sets net.ipv4.config.all.rp_filter to 0.
-    number supported of 65536.
+	1 or No  - Shorewall sets net.ipv4.config.all.rp_filter to 1.
 	2        - Shorewall sets net.ipv4.config.all.rp_filter to 2.
 	Keep	 - Shorewall does not change the setting of
 	           net.ipv4.config.all.rp_filter if the kernel version
 		   is 2.6.31 or later.
 	The default remains No.
    e)  The 'routefilter' interface option can have values 0,1 or 2. If
    	'routefilter' is specified without a value, the value 1 is
    	assumed. 
 ----------------------------------------------------------------------------
                N E W   F E A T U R E S   I N   4 . 4 . 0
@ -1367,3 +1348,77 @@ None.
    causes chain displays to include the rule number of each rule.
    (Type 'iptables -h' and look for '--line-number')
 ----------------------------------------------------------------------------
          P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 5
 ----------------------------------------------------------------------------
 1)  The change which removed the 15 port limitation on
    /etc/shorewall/routestopped was incomplete. The result was that if
    more than 15 ports were listed, an error was generated.
 2)  If any interfaces had the 'bridge' option specified, compilation
    failed with the error:
    Undefined subroutine &Shorewall::Rules::match_source_interface called 
    at /usr/share/shorewall/Shorewall/Rules.pm line 2319.
 3)  The compiler now flags port number 0 as an error in all
    contexts. Previously, port 0 was allowed with the result that
    invalid iptables-restore input could be generated in some cases.
 4)  The 'show policies' command now works in Shorewall6 and
    Shorewall6-lite.
 5)  Traffic shaping modules from /lib/modules/<version>/net/sched/ are
    now correctly loaded. Previously, that directory was not
    searched. Additionally, Shorewall6 now tries to load the cls_flow
    module; previously, only Shorewall attempts to load that module.
 6)  The Shorewall6-lite shorecap program was previously including the
    IPv4 base library rather than the IPv6 version. Also, Shorewall6
    capability detection was determing the availablity of the mangle
    capability before it had determined if ip6tables was installed.
 7)  The setting of MODULE_SUFFIX was previously ignored except when
    compiling for export.
 8)  Detection of the Enhanced Reject capability in the compiler was
    broken for IPv4 compilations.
 9)  The 'reload -c' command would ignore the setting of DONT_LOAD in
    shorewall.conf. The 'reload' command without '-c' worked as
    expected. 
 ----------------------------------------------------------------------------
                N E W   F E A T U R E S   I N   4 . 4 . 5
 ----------------------------------------------------------------------------
 1)  Shorewall now allows DNAT rules that change only the destination
    port.
    Example:
 	DNAT	loc	net::456	udp	234
    That rule will modify the destination port in UDP packets received
    from the 'loc' zone from 456 to 234. Note that if the destination
    is the firewall itself, then the destination port will be rewritten
    but that no ACCEPT rule from the loc zone to the $FW zone will have
    been created to handle the request. So such rules should probably
    exclude the firewall's IP addresses in the ORIGINAL DEST column.
 2)  Systems that do not log Netfilter messages locally can now set
    LOGFILE=/dev/null in shorewall.conf.
 3)  The 'shorewall show connections' and 'shorewall dump' commands now
    display the current number of connections and the max supported
    connections.
    Example:
 	shorewall show connections
    	Shorewall 4.5.0 Connections (62 out of 65536) at gateway - Sat ...
    In that case, there were 62 current connections out of a maximum
    number supported of 65536.
--- a/manpages/shorewall-interfaces.xml
+++ b/manpages/shorewall-interfaces.xml
@ -499,7 +499,7 @@ loc     eth2            -</programlisting>
            <varlistentry>
              <term><emphasis
-              role="bold">routefilter[={0|1}]</emphasis></term>
+              role="bold">routefilter[={0|1|2}]</emphasis></term>
              <listitem>
                <para>Turn on kernel route filtering for this interface
@ -510,7 +510,10 @@ loc     eth2            -</programlisting>
                changes; the value assigned to the setting will be the value
                specified (if any) or 1 if no value is given.</para>
-                <para></para>
+                <para>The value 2 is only available with Shorewall 4.4.5.1 and
                later when the kernel version is 2.6.31 or later. It specifies
                a <firstterm>loose</firstterm> form of reverse path
                filtering.</para>
                <note>
                  <para>This option does not work with a wild-card
--- a/manpages/shorewall.conf.xml
+++ b/manpages/shorewall.conf.xml
@ -1291,24 +1291,28 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
      <varlistentry>
        <term><emphasis role="bold">ROUTE_FILTER=</emphasis>[<emphasis
-        role="bold">Yes</emphasis>|<emphasis
+        role="bold">Yes</emphasis>|1|<emphasis
-        role="bold">No</emphasis>|Keep]</term>
+        role="bold">No|0</emphasis>|2|Keep]</term>
        <listitem>
          <para>If this parameter is given the value <emphasis
          role="bold">Yes</emphasis> or <emphasis role="bold">yes</emphasis>
-          then route filtering (anti-spoofing) is enabled on all network
+          or 1 then route filtering (anti-spoofing) is enabled on all network
          interfaces which are brought up while Shorewall is in the started
-          state. The default value is <emphasis
+          state. The default value is <emphasis role="bold">no</emphasis>
-          role="bold">no</emphasis>.</para>
+          (0).</para>
          <para>The value <emphasis role="bold">Keep</emphasis> causes
          Shorewall to ignore the option. If the option is set to <emphasis
-          role="bold">Yes</emphasis>, then route filtering occurs on all
+          role="bold">Yes</emphasis> or 1, then route filtering occurs on all
          interfaces. If the option is set to <emphasis
          role="bold">No</emphasis>, then route filtering is disabled on all
          interfaces except those specified in <ulink
          url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5).</para>
          <para>The value 2 is only available with Shorewall 4.4.5.1 and later
          running on kernel 2.6.31 or later. It specifies a looser form of
          reverse path filtering than the value Yes (1).</para>
        </listitem>
      </varlistentry>