Document how to avoid dhcp client setting default route
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
parent
1d90ee174c
commit
53d66833b2
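--- a/FILE_PATH_NOT_SHOWN_ON_PAGE
+++ b/FILE_PATH_NOT_SHOWN_ON_PAGE
@@ -1322,6 +1322,133 @@ shorewall 2 2 - eth0 192.168.1.254 track,balance=2,optional<
 999: from all lookup main
 10000: from all fwmark 0x100 lookup ISP1
 10001: from all fwmark 0x200 lookup ISP2</programlisting>
+
+<section>
+<title>DHCP with USE_DEFAULT_RT</title>
+
+<para>When USE_DEFAULT_RT=Yes, you don't want your DHCP client
+inserting a default route into the main routing table.</para>
+
+<section>
+<title>Debian</title>
+
+<para>In this Debian-specific example, eth0 is managed by
+dhcpcd.</para>
+
+<para><filename>/etc/default/dhcpcd</filename>:</para>
+
+<programlisting># Config file for dhcpcd. Note that you have to edit the interface
+# name below, or duplicate the configuration for different interfaces.
+# If you are editing this file just to get DNS servers set by DHCP,
+# then you should consider installing the resolvconf package instead.
+
+case ${INTERFACE} in
+<emphasis role="bold">eth0</emphasis>)
+
+# Uncomment this to allow dhcpcd to set the DNS servers in /etc/resolv.conf
+# If you are using resolvconf then you can leave this commented out.
+#SET_DNS='yes'
+
+# Uncomment this to allow dhcpcd to set hostname of the host to the
+# hostname option supplied by DHCP server.
+#SET_HOSTNAME='yes'
+
+# Uncomment this to allow dhcpcd to set the NTP servers in /etc/ntp.conf
+#SET_NTP='yes'
+
+# Uncomment this to allow dhcpcd to set the YP servers in /etc/yp.conf
+#SET_YP='yes'
+
+# Add other options here, see man 8 dhcpcd-bin for details.
+OPTIONS=(<emphasis role="bold">--nogateway</emphasis> --nodns --nontp <emphasis
+role="bold">--script /etc/shorewall/dhcpcd.sh</emphasis>)
+;;
+
+# Add other interfaces here
+*)
+;;
+
+esac
+</programlisting>
+
+<para><filename>/etc/shorewall/start</filename>:</para>
+
+<programlisting>cat <<EOF > /var/lib/shorewall/eth0.info
+ETH0_GATEWAY=$SW_ETH0_GATEWAY
+ETH0_ADDRESS=$SW_ETH0_ADDRESS
+EOF</programlisting>
+
+<para><filename>/etc/shorewall/dhcpd.sh</filename>:</para>
+
+<programlisting>#!/bin/sh
+
+if [ $2 != down ]; then
+if [ -f /var/lib/dhcpcd/dhcpcd-eth0.info ]; then
+. /var/lib/dhcpcd/dhcpcd-eth0.info
+else
+logger -p daemon.err "/var/lib/dhcpcd/dhcpcd-eth0.info does not exist!"
+exit 1
+fi
+
+logger -p daemon.info "DHCP-assigned address/gateway for eth0 is $IPADDR/$GATEWAYS"
+
+[ -f /var/lib/shorewall/eth0.info ] && . /var/lib/shorewall/eth0.info
+
+if [ "$GATEWAYS" != "$ETH0_GATEWAY" -o "$IPADDR" != "$ETH0_ADDRESS" ]; then
+logger -p daemon.info "eth0 IP configuration changed - restarting lsm and Shorewall"
+killall lsm
+/sbin/shorewall restart
+fi
+fi
+</programlisting>
+
+<para>A couple of things to notice about
+<filename>/etc/shorewall/dhcpcd.sh</filename>:</para>
+
+<itemizedlist>
+<listitem>
+<para>It is hard-coded for eth0</para>
+</listitem>
+
+<listitem>
+<para>It assumes the use of <link linkend="lsm">LSM</link>; If
+you aren't using lSM, you can change the log message and remove
+the 'killall lsm'</para>
+</listitem>
+
+<listitem>
+<para>It restarts Shorewall if the current IPv4 address of eth0
+and the gateway through eth0 are not the same as they were when
+Shorewall was last started.</para>
+</listitem>
+</itemizedlist>
+</section>
+
+<section>
+<title>RedHat and Derivatives</title>
+
+<para>On Redhat-based systems, specify DEFROUTE=No in the device's
+ifcfg file.</para>
+
+<para><filename>/etc/sysconfig/networking/network-scripts/ifcfg-eth2</filename>:</para>
+
+<programlisting>BOOTPROTO=dhcp
+<emphasis role="bold">PERSISTENT_DHCLIENT=yes</emphasis>
+PEERDNS=no
+PEERNTP=no
+<emphasis role="bold">DEFROUTE=no</emphasis>
+DHCLIENTARGS="-nc"
+DEVICE=eth2
+ONBOOT=yes</programlisting>
+</section>
+
+<section>
+<title>SuSE and Derivatives</title>
+
+<para>On these systems, set DHCLIENT_SET_DEFAULT_ROUTE=No in the
+device's ifcfg file.</para>
+</section>
+</section>
 </section>
 
 <section id="load">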
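Review bot: The hook script's filename is inconsistent within the new section: the heading `<para><filename>/etc/shorewall/dhcpd.sh</filename>:</para>` names `dhcpd.sh`, while the `--script /etc/shorewall/dhcpcd.sh` option in the dhcpcd OPTIONS line and the later "A couple of things to notice about" paragraph both use `dhcpcd.sh`, so a reader following the heading literally installs the script under a name dhcpcd never invokes; the heading should read `<para><filename>/etc/shorewall/dhcpcd.sh</filename>:</para>`. In the script itself, `if [ $2 != down ]; then` leaves `$2` unquoted, so an invocation with an empty second argument turns the test into a syntax error instead of a comparison; `if [ "$2" != down ]; then` is the safe form. The `-o` operator in the later test is marked obsolescent by POSIX and is ambiguous when an operand looks like an option; `if [ "$GATEWAYS" != "$ETH0_GATEWAY" ] || [ "$IPADDR" != "$ETH0_ADDRESS" ]; then` is equivalent and portable under the `#!/bin/sh` shebang the listing uses. The RedHat paragraph says `DEFROUTE=No` while the ifcfg listing shows `DEFROUTE=no`; picking one spelling avoids readers wondering whether the value is case-sensitive.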