extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-06-20 09:47:51 +02:00
Code Issues Packages Projects Releases Wiki Activity

Make 'track' the default

Browse Source
This commit is contained in:
Tom Eastep 2009-10-20 12:24:28 -07:00
parent c4af105ee4
commit 49f361124e
9 changed files with 89 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
Shorewall/Perl/Shorewall/Compiler.pm
View File

@ -100,6 +100,7 @@ sub generate_script_1() {
EOF EOF
copy1 $lib; copy1 $lib;
emit "/n";
} }
emit <<'EOF'; emit <<'EOF';

4
Shorewall/Perl/Shorewall/Providers.pm
View File

@ -316,12 +316,14 @@ sub add_a_provider( ) {
} }
my ( $loose, $track, $balance , $default, $default_balance, $optional, $mtu ) = (0,0,0,0,$config{USE_DEFAULT_RT} ? 1 : 0,interface_is_optional( $interface ), '' ); my ( $loose, $track, $balance , $default, $default_balance, $optional, $mtu ) = (0,1,0,0,$config{USE_DEFAULT_RT} ? 1 : 0,interface_is_optional( $interface ), '' );
unless ( $options eq '-' ) { unless ( $options eq '-' ) {
for my $option ( split_list $options, 'option' ) { for my $option ( split_list $options, 'option' ) {
if ( $option eq 'track' ) { if ( $option eq 'track' ) {
$track = 1; $track = 1;
} elsif ( $option eq 'notrack' ) {
$track = 0;
} elsif ( $option =~ /^balance=(\d+)$/ ) { } elsif ( $option =~ /^balance=(\d+)$/ ) {
fatal_error q('balance' is not available in IPv6) if $family == F_IPV6; fatal_error q('balance' is not available in IPv6) if $family == F_IPV6;
$balance = $1; $balance = $1;

11
Shorewall/Perl/Shorewall/Rules.pm
View File

@ -1621,7 +1621,7 @@ sub add_interface_jumps {
# Generate the rules matrix. # Generate the rules matrix.
# #
# Stealing a comment from the Burroughs B6700 MCP Operating System source, generate_matrix makes a sow's ear out of a silk purse. # Stealing a comment from the Burroughs B6700 MCP Operating System source, "generate_matrix makes a sow's ear out of a silk purse".
# #
# The biggest disadvantage of the zone-policy-rule model used by Shorewall is that it doesn't scale well as the number of zones increases (Order N**2 where N = number of zones). # The biggest disadvantage of the zone-policy-rule model used by Shorewall is that it doesn't scale well as the number of zones increases (Order N**2 where N = number of zones).
# A major goal of the rewrite of the compiler in Perl was to restrict those scaling effects to this function and the rules that it generates. # A major goal of the rewrite of the compiler in Perl was to restrict those scaling effects to this function and the rules that it generates.
@ -1683,10 +1683,17 @@ sub generate_matrix() {
my $zoneref = find_zone( $zone ); my $zoneref = find_zone( $zone );
next if @zones <= 2 && ! $zoneref->{options}{complex}; next if @zones <= 2 && ! $zoneref->{options}{complex};
#
# Complex zone and we have more than one non-firewall zone -- create a zone forwarding chain
#
my $frwd_ref = new_standard_chain zone_forward_chain( $zone ); my $frwd_ref = new_standard_chain zone_forward_chain( $zone );
if ( $capabilities{POLICY_MATCH} ) { if ( $capabilities{POLICY_MATCH} ) {
#
# Because policy match only matches an 'in' or an 'out' policy (but not both), we have to place the
# '--pol ipsec --dir in' rules at the front of the (interface) forwarding chains. Otherwise, decrypted packets
# can match '--pol none --dir out' rules and send the packets down the wrong rules chain.
#
my $type = $zoneref->{type}; my $type = $zoneref->{type};
my $source_ref = ( $zoneref->{hosts}{ipsec} ) || {}; my $source_ref = ( $zoneref->{hosts}{ipsec} ) || {};

2
Shorewall/changelog.txt
View File

@ -16,6 +16,8 @@ Changes in Shorewall 4.4.3
8) Remove superfluous variables from generated script 8) Remove superfluous variables from generated script
9) Make 'track' the default.
Changes in Shorewall 4.4.2 Changes in Shorewall 4.4.2
1) BUGFIX: Correct detection of Persistent SNAT support 1) BUGFIX: Correct detection of Persistent SNAT support

8
Shorewall/releasenotes.txt
View File

@ -169,6 +169,10 @@ Shorewall 4.4.3
now, if the zone has <interface>:0.0.0.0/0 (even with exclusions), now, if the zone has <interface>:0.0.0.0/0 (even with exclusions),
then it may have no additional members in /etc/shorewall/hosts. then it may have no additional members in /etc/shorewall/hosts.
13) Because the 'track' provider option is so useful, it is now the
default. If, for some reason, you don't want 'track' then specify
'notrack' for the provider.
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
P R O B L E M S C O R R E C T E D I N 4 . 4 . 3 P R O B L E M S C O R R E C T E D I N 4 . 4 . 3
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
@ -218,6 +222,10 @@ None.
On non-Debian systems, new installs will now log all Shorewall On non-Debian systems, new installs will now log all Shorewall
commands to /var/log/shorewall-init.log. commands to /var/log/shorewall-init.log.
2) Because the 'track' provider option is so useful, it is now the
default. If, for some reason, you don't want 'track' then specify
'notrack' for the provider.
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
N E W F E A T U R E S I N 4 . 4 . 0 N E W F E A T U R E S I N 4 . 4 . 0
---------------------------------------------------------------------------- ----------------------------------------------------------------------------

9
docs/LennyToSqueeze.xml
View File

@ -700,6 +700,15 @@ NONAT loc - tcp 80</programlisting>
earlier.</para> earlier.</para>
</section> </section>
<section>
<title>/etc/shorewall/providers</title>
<para>Beginnins with Shorewall 4.4.3, the <option>track</option> option
is now the default. If, for some reason, you don't want the
<option>track</option> option then specify
<option>notrack</option>.</para>
</section>
<section id="extension"> <section id="extension">
<title>Extension Scripts</title> <title>Extension Scripts</title>

40
docs/MultiISP.xml
View File

@ -143,11 +143,12 @@
Shorewall can set up the correct marking rules for you.</para> Shorewall can set up the correct marking rules for you.</para>
<para>When you use the <emphasis role="bold">track</emphasis> option in <para>When you use the <emphasis role="bold">track</emphasis> option in
<filename>/etc/shorewall/providers</filename>, connections from the <filename>/etc/shorewall/providers</filename> (which is the default,
Internet are automatically routed back out of the correct interface and beginning with Shorewall 4.4.3), connections from the Internet are
through the correct ISP gateway. This works whether the connection is automatically routed back out of the correct interface and through the
handled by the firewall itself or if it is routed or port-forwarded to a correct ISP gateway. This works whether the connection is handled by the
system behind the firewall.</para> firewall itself or if it is routed or port-forwarded to a system behind
the firewall.</para>
<para>Shorewall will set up the routing and will update the <para>Shorewall will set up the routing and will update the
<filename>/etc/iproute2/rt_tables</filename> to include the table names <filename>/etc/iproute2/rt_tables</filename> to include the table names
@ -163,7 +164,8 @@
<listitem> <listitem>
<para>Packet marking for traffic control purposes may not be done <para>Packet marking for traffic control purposes may not be done
in the PREROUTING table for connections involving providers with in the PREROUTING table for connections involving providers with
'track' specified (see below).</para> 'track' specified (see below -- note that 'track' defaults to on
beginning with Shorewall 4.4.3).</para>
</listitem> </listitem>
<listitem> <listitem>
@ -329,9 +331,14 @@
<term>track</term> <term>track</term>
<listitem> <listitem>
<para>If specified, connections FROM this interface are to <para><important>
be tracked so that responses may be routed back out this <para>Beginning with Shorwall 4.3.3, <emphasis
same interface.</para> role="bold">track</emphasis> is the default. To disable
this option, you must specify <emphasis
role="bold">notrack</emphasis> (see below).</para>
</important>If specified, connections FROM this interface
are to be tracked so that responses may be routed back out
this same interface.</para>
<para>You want to specify 'track' if Internet hosts will be <para>You want to specify 'track' if Internet hosts will be
connecting to local servers through this provider. Any time connecting to local servers through this provider. Any time
@ -350,7 +357,8 @@
support</emphasis>).</para> support</emphasis>).</para>
<important> <important>
<para>If you are using <para>If you are running a version of Shorewall earlier
than 4.4.3 and are using
<filename>/etc/shorewall/providers</filename> because you <filename>/etc/shorewall/providers</filename> because you
have multiple Internet connections, we recommend that you have multiple Internet connections, we recommend that you
specify <emphasis role="bold">track</emphasis> even if you specify <emphasis role="bold">track</emphasis> even if you
@ -441,6 +449,16 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term>notrack</term>
<listitem>
<para>Added in Shorewall 4.4.3. This option turns off the
<emphasis role="bold">track</emphasis> option which is now
the default.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term>optional</term> <term>optional</term>
@ -1410,7 +1428,7 @@ fi</programlisting></para>
<para>It is the responsibility of the script to perform any action <para>It is the responsibility of the script to perform any action
needed in reaction to the connection state change. The default script needed in reaction to the connection state change. The default script
supplied with LSM composes an email and sends it to $5. </para> supplied with LSM composes an email and sends it to $5.</para>
<para>I personally use LSM here at shorewall.net (configuration is <para>I personally use LSM here at shorewall.net (configuration is
described <link linkend="Complete">below</link>). I have set things up described <link linkend="Complete">below</link>). I have set things up

14
manpages/shorewall-providers.xml
View File

@ -163,6 +163,11 @@
<para>You want to specify <option>track</option> if internet <para>You want to specify <option>track</option> if internet
hosts will be connecting to local servers through this hosts will be connecting to local servers through this
provider.</para> provider.</para>
<para>Beginning with Shorewall 4.4.3, <option>track</option>
is the default. If, for some reason, you don't want
<option>track</option> then specify <option>notrack</option>
(see below).</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -194,6 +199,15 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">notrack</emphasis></term>
<listitem>
<para>Added in Shorewall 4.4.3. When specified, turns off
<option>track</option> which is now the default.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">optional <term><emphasis role="bold">optional
(deprecated)</emphasis></term> (deprecated)</emphasis></term>

14
manpages6/shorewall6-providers.xml
View File

@ -152,6 +152,11 @@
<para>You want to specify <option>track</option> if internet <para>You want to specify <option>track</option> if internet
hosts will be connecting to local servers through this hosts will be connecting to local servers through this
provider.</para> provider.</para>
<para>Beginning with Shorewall 4.4.3, <option>track</option>
is the default. If, for some reason, you don't want
<option>track</option> then specify <option>notrack</option>
(see below).</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -167,6 +172,15 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">notrack</emphasis></term>
<listitem>
<para>Added in Shorewall 4.4.3. When specified, turns off
<option>track</option> which is now the default.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">optional</emphasis></term> <term><emphasis role="bold">optional</emphasis></term>