Default gateway detection in /etc/shorewall/init

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8342 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2008-03-23 16:08:34 +00:00
parent 680788433d
commit 5986d4db32
4 changed files with 196 additions and 199 deletions

View File

@ -1,3 +1,11 @@
Changes in 4.1.7
1) Fix port verification.
2) Fix number of columns calculation.
3) Allow user exits to detect gateway.
Changes in 4.1.6
1) Deprecate IMPLICIT_CONTINUE=Yes
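Review bot: entry 3) "Allow user exits to detect gateway" is too terse for anyone later searching the changes file; name the mechanism so the variable convention is discoverable, e.g. "3) Allow /etc/shorewall/init to pre-set <gw>_GATEWAY variables, overriding gateway detection for that interface."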

View File

@ -1,4 +1,4 @@
Shorewall 4.1 Patch Release 6.
Shorewall 4.1 Patch Release 7.
----------------------------------------------------------------------------
R E L E A S E 4 . 1 H I G H L I G H T S
@ -71,208 +71,40 @@ Migration Issues.
5) The value of IMPLICIT_CONTINUE in shorewall.conf (and samples) has
been changed from Yes to No.
Problems corrected in Shorewall-perl 4.1.6.
Problems corrected in Shorewall-perl 4.1.7.
1) A problem introduced in 4.1.5 would result in the following error
message.
1) Perl run-time errors occurred if an unknown service was named in
the /etc/shorewall/tcfilters file.
ERROR: Internal error in create_netfilter_load()
2) Trailing columns containing '-' would outwit Shorewall-perl's
detection of 'too few columns' errors.
2) Under Shorewall-perl, if an empty action was invoked or was named
in one of the DEFAULT_xxx options in shorewall.conf, an
iptables-restore error occured.
New Features in 4.1.7.
3) If $ADMIN was empty, then the rule:
1) If an interface fails when using balanced multi-ISP routing, the
default route is lost. If there are remaining working interfaces
with dynamic gateway addresses, Shorewall will be unable to
determine those gateways.
ACCEPT loc:$ADMIN all
Beginning with Shorewall (Shorewall-lite) 4.1.7, the 'init' script
may participate in gateway detection by setting variables with
pre-determined names as follows:
became
<gw>_GATEWAY
ACCEPT loc net
where <gw> is the interface name:
It is now flagged as an error.
- in upper case
- with any characters not allowed in shell variable names
replaced by '_'.
Problems corrected in Shorewall-shell 4.1.6.
Example (from OpenWRT):
1) Specifying a value for ACCEPT_DEFAULT or QUEUE_DEFAULT resulted in
a fatal error at compile time.
Interface: eth0.1
Variable: ETH0_1_GATEWAY
/etc/shorewall/init:
New Features in 4.1.6.
1) The default value for the IMPLICIT_CONTINUE option has been changed
to 'No'.
2) A REDIRECTED INTERFACES option has been added to the tcdevices file
to support using an IFB (Intermediate Functional Block) device.
IFBs can be used to shape incoming traffic by redirecting that
traffic through the IFB.
To use this feature:
a) Specify the name of your IFB in the INTERFACE column.
b) List the redirected device names (comma-separated) in the
REDIRECTED INTERFACES column.
Packets that are input from the redirected interface(s) will appear
as output packets on the IFB.
This support should be considered EXPERIMENTAL.
3) Shorewall-perl now supports an 'l2tp' tunnel type. It opens UDP
port 1701 in both directions and assumes that the source port will
also be 1701. Some implementations (particularly OS X) use a
different source port. In that case, you should use
'generic:udp:1701' rather than 'l2tp'.
4) The /etc/shorewall/tcdevices and /etc/shorewall/tcclasses files
have undergone some changes, especially when the 'classify' option
has been specified.
Normally Shorewall assigns interface numbers sequentially to
devices listed in /etc/shorewall/tcdevices. Beginning with
Shorewall 4.1.6, you can explicitly specify inteface numbers by
prefixing the interface name with the interface number and a colon:
Example:
#INTERFACE IN-BANDWITH OUT-BANDWIDTH OPTIONS
1:eth0 1300kbit 384kbit classify
2:eth1 5600kbit 1000kbit
In /etc/shorewall/tcclasses:
a) You can specify the INTERFACE using either the interface name
or interface number.
b) classes associated with devices which have the 'classify'
option _must_ specify a class number by following the interface
name/number with a colon (":") and the class number. The same
class number may be used for classes defined on different
interfaces but a class number may not be the same as any
interface number.
A class number may be specified when 'classify' has not been
specified for the associated device. When a class number has not
been given, the default class number remains the mark value
prefixed by "1".
5) Shorewall now supports Intermediate Functional Block (IFB) devices.
These devices allow shaping of incoming traffic.
The 'ifb' module is available in the kernels included with today's
distributions. You must load the module manually:
If your distribution has modprobe:
modprobe ifb [ numifbs=<number> ]
Otherwise:
insmod <path to net driver modules>/ifb.ko [ numifbs=<number> ]
By default, the module automatically creates two IFB devices (ifb0
and ifb1). To create only one, specify 'numifbs=1'.
Example:
ursa:~ # modprobe ifb numifbs=1
ursa:~ # ip link ls
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether cc:2b:cb:24:1b:00 brd ff:ff:ff:ff:ff:ff
3: wlan0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:1a:73:db:8c:35 brd ff:ff:ff:ff:ff:ff
4: ifb0: <BROADCAST,NOARP> mtu 1500 qdisc noop qlen 32
link/ether 26:99:d8:7d:32:26 brd ff:ff:ff:ff:ff:ff
ursa:~ #
After you have created the IFB(s), you must bring it(them) up:
ip link set dev ifb0 up
You can place all of this in /etc/shorewall/init as follows:
modprobe ifb numifbs=1
ip link set dev ifb0 up
The /etc/shorewall/tcdevices file has been extended to include an
additional REDIRECTED DEVICES column. To convert your configuration
to use an IFB:
a) Look at your current /etc/shorewall/tcdevices file. Suppose you
have:
#INTERFACE IN-BANDWIDTH OUT-BANDWIDTH OPTIONS
eth0 1300kbit 384kbit -
Change it as follows:
#INTERFACE IN-BANDWIDTH OUT-BANDWIDTH OPTIONS REDIRECTED
# DEVICES
eth0 - 384kkbit -
ifb0 - 1300kbit - eth0
Note that the old IN-BANDWIDTH for eth0 has become the
OUT-BANDWIDTH for ifb0 and that neither device has an
IN-BANDWIDTH in the new configuration.
Finally note that eth0 has been specified as a REDIRECTED device
for the IFB.
b) There are no Netfilter hooks between the real device (eth0) and
the IFB (ifb0). So tcrules cannot be used to specify shaping of
traffic leaving the IFB. To allow that traffic to be classified,
a new /etc/shorewall/tcfilters file has been added.
/etc/shorewall/tcfilters can be used for classifying traffic on
any interface. When using entries in that file, it is important
to realize that those entries act on packets as they appear 'on
the wire'. That means that on output, SNAT/MASQUERADE has been
applied and on input (output to an IFB), DNAT has not yet been
applied.
Columns in the file are:
INTERFACE:CLASS
The interface name or number followed by a colon (":")
and the class number.
SOURCE
Source IP address. May be a host or network address.
Specify "-" if any SOURCE address should match.
DEST
Destination IP address. May be a host or network
address. Specify "-" if any DEST address should match.
PROTO
Protocol Name/Number. Specify "-" if any PROTO should
match.
DEST PORT(S)
A comma-separated list of destination ports. May only
be given if the PROTO is tcp, udp, icmp or
sctp. Port ranges may be used, except when the PROTO is
icmp. Specify "-" if any PORT should match.
SOURCE PORT(S)
A comma-separated list of source port. May only be
given if the PROTO is tcp, udp or sctp. Port ranges
may be used unless the protocol is icmp. Specify "-" if
any PORT should match.
Entries in /etc/shorewall/tcfilters generate U32 tc filters which
may be displayed using the "shorewall show filters" ("shorewall-lite
show filters") command. Note: The 'show filters' command is an
alias for the existing 'show classifiers' command.
Note that /etc/shorewall/tcfilters provides a usable alternative to
HIGH_ROUTE_MARKS=Yes. You can use marks to select between providers
and use entries in /etc/shorewall/tcfilters (or CLASSIFY tcrules)
for traffic shaping.
ETH0_1_GATEWAY=$(uci get /var/state/network.wan0.gateway)
New Features in Shorewall 4.1.
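Review bot: item 1) under "New Features in 4.1.7" does not say what format a pre-set <gw>_GATEWAY value must have, nor what happens when the init script assigns an empty value. Since the value is used in place of the detect_gateway output, state that it must be a single gateway IP address and that an empty value falls back to normal detection (and, for a non-optional interface, still produces the "Unable to detect the gateway" error). The OpenWRT example `ETH0_1_GATEWAY=$(uci get /var/state/network.wan0.gateway)` would also benefit from a sentence noting that the uci state key is OpenWRT-specific and that the variable name is derived from the interface name (eth0.1 -> ETH0_1), not from the uci section name (wan0).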
@ -699,3 +531,160 @@ New Features in Shorewall 4.1.
available under Shorewall-perl The option is ignored by
Shorewall-shell.
24) The default value for the IMPLICIT_CONTINUE option has been changed
to 'No'.
25) Shorewall-perl now supports an 'l2tp' tunnel type. It opens UDP
port 1701 in both directions and assumes that the source port will
also be 1701. Some implementations (particularly OS X) use a
different source port. In that case, you should use
'generic:udp:1701' rather than 'l2tp'.
26) The /etc/shorewall/tcdevices and /etc/shorewall/tcclasses files
have undergone some changes, especially when the 'classify' option
has been specified.
Normally Shorewall assigns interface numbers sequentially to
devices listed in /etc/shorewall/tcdevices. Beginning with
Shorewall 4.1.6, you can explicitly specify inteface numbers by
prefixing the interface name with the interface number and a colon:
Example:
#INTERFACE IN-BANDWITH OUT-BANDWIDTH OPTIONS
1:eth0 1300kbit 384kbit classify
2:eth1 5600kbit 1000kbit
In /etc/shorewall/tcclasses:
a) You can specify the INTERFACE using either the interface name
or interface number.
b) classes associated with devices which have the 'classify'
option _must_ specify a class number by following the interface
name/number with a colon (":") and the class number. The same
class number may be used for classes defined on different
interfaces but a class number may not be the same as any
interface number.
A class number may be specified when 'classify' has not been
specified for the associated device. When a class number has not
been given, the default class number remains the mark value
prefixed by "1".
27) Shorewall now supports Intermediate Functional Block (IFB) devices.
These devices allow shaping of incoming traffic.
The 'ifb' module is available in the kernels included with today's
distributions. You must load the module manually:
If your distribution has modprobe:
modprobe ifb [ numifbs=<number> ]
Otherwise:
insmod <path to net driver modules>/ifb.ko [ numifbs=<number> ]
By default, the module automatically creates two IFB devices (ifb0
and ifb1). To create only one, specify 'numifbs=1'.
Example:
ursa:~ # modprobe ifb numifbs=1
ursa:~ # ip link ls
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether cc:2b:cb:24:1b:00 brd ff:ff:ff:ff:ff:ff
3: wlan0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:1a:73:db:8c:35 brd ff:ff:ff:ff:ff:ff
4: ifb0: <BROADCAST,NOARP> mtu 1500 qdisc noop qlen 32
link/ether 26:99:d8:7d:32:26 brd ff:ff:ff:ff:ff:ff
ursa:~ #
After you have created the IFB(s), you must bring it(them) up:
ip link set dev ifb0 up
You can place all of this in /etc/shorewall/init as follows:
modprobe ifb numifbs=1
ip link set dev ifb0 up
The /etc/shorewall/tcdevices file has been extended to include an
additional REDIRECTED DEVICES column. To convert your configuration
to use an IFB:
a) Look at your current /etc/shorewall/tcdevices file. Suppose you
have:
#INTERFACE IN-BANDWIDTH OUT-BANDWIDTH OPTIONS
eth0 1300kbit 384kbit -
Change it as follows:
#INTERFACE IN-BANDWIDTH OUT-BANDWIDTH OPTIONS REDIRECTED
# DEVICES
eth0 - 384kkbit -
ifb0 - 1300kbit - eth0
Note that the old IN-BANDWIDTH for eth0 has become the
OUT-BANDWIDTH for ifb0 and that neither device has an
IN-BANDWIDTH in the new configuration.
Finally note that eth0 has been specified as a REDIRECTED device
for the IFB.
b) There are no Netfilter hooks between the real device (eth0) and
the IFB (ifb0). So tcrules cannot be used to specify shaping of
traffic leaving the IFB. To allow that traffic to be classified,
a new /etc/shorewall/tcfilters file has been added.
/etc/shorewall/tcfilters can be used for classifying traffic on
any interface. When using entries in that file, it is important
to realize that those entries act on packets as they appear 'on
the wire'. That means that on output, SNAT/MASQUERADE has been
applied and on input (output to an IFB), DNAT has not yet been
applied.
Columns in the file are:
INTERFACE:CLASS
The interface name or number followed by a colon (":")
and the class number.
SOURCE
Source IP address. May be a host or network address.
Specify "-" if any SOURCE address should match.
DEST
Destination IP address. May be a host or network
address. Specify "-" if any DEST address should match.
PROTO
Protocol Name/Number. Specify "-" if any PROTO should
match.
DEST PORT(S)
A comma-separated list of destination ports. May only
be given if the PROTO is tcp, udp, icmp or
sctp. Port ranges may be used, except when the PROTO is
icmp. Specify "-" if any PORT should match.
SOURCE PORT(S)
A comma-separated list of source port. May only be
given if the PROTO is tcp, udp or sctp. Port ranges
may be used unless the protocol is icmp. Specify "-" if
any PORT should match.
Entries in /etc/shorewall/tcfilters generate U32 tc filters which
may be displayed using the "shorewall show filters" ("shorewall-lite
show filters") command. Note: The 'show filters' command is an
alias for the existing 'show classifiers' command.
Note that /etc/shorewall/tcfilters provides a usable alternative to
HIGH_ROUTE_MARKS=Yes. You can use marks to select between providers
and use entries in /etc/shorewall/tcfilters (or CLASSIFY tcrules)
for traffic shaping.
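Review bot: the text moved into "New Features in Shorewall 4.1" carries over three typos that were already present in the 4.1.6 section it came from: "inteface" in item 26), "IN-BANDWITH" in that item's tcdevices example header, and "384kkbit" in the converted tcdevices example under item 27). Since these lines are being rewritten anyway, correct them to "interface", "IN-BANDWIDTH" and "384kbit" rather than propagating them.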

View File

@ -1574,9 +1574,9 @@ sub get_interface_gateway ( $ ) {
my $variable = interface_gateway( $interface );
if ( interface_is_optional $interface ) {
$interfacegateways{$interface} = qq($variable=\$(detect_gateway $interface)\n);
$interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$(detect_gateway $interface)\n);
} else {
$interfacegateways{$interface} = qq($variable=\$(detect_gateway $interface)
$interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$(detect_gateway $interface)
[ -n "\$$variable" ] || fatal_error "Unable to detect the gateway through interface $interface"
);
}
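Review bot: the new `[ -n "$<gw>_GATEWAY" ] || ...` guard accepts any non-empty value without checking that it looks like an address, and because it only tests non-emptiness, a variable of that name that happens to be set in the environment invoking the generated script will silently bypass detect_gateway for that interface, even if /etc/shorewall/init never assigned it. Suggest validating the pre-set value before using it (reject anything that is not a dotted-quad) and clearing the <gw>_GATEWAY variables before the init exit runs, so that only an explicit assignment in /etc/shorewall/init can override detection. Keeping the fatal_error for the non-optional branch is right; consider emitting a progress message stating whether the gateway came from the user exit or from detection so an unexpected override is visible in the startup log.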

View File

@ -22,7 +22,7 @@ the
license is included in the section entitled <span
style="text-decoration: underline;">"</span><a href="GnuCopyright.htm"
target="_self">GNU Free Documentation License</a>".</p>
<p>2008-02-23</p>
<p>2008-03-21</p>
<hr style="width: 100%; height: 2px;">
<h2>Table of Contents</h2>
<p style="margin-bottom: 0in; margin-left: 0.42in;"><a href="#Intro">Introduction
@ -150,15 +150,15 @@ problems</a> and <a
</ul>
The <span style="font-weight: bold;">current Development Release</span>
is
4.1.5.
4.1.6.
<ul>
<li>Here are the <a
href="http://www1.shorewall.net/pub/shorewall/development/4.1/shorewall-4.1.5/releasenotes.txt">release
href="http://www1.shorewall.net/pub/shorewall/development/4.1/shorewall-4.1.6/releasenotes.txt">release
notes</a> </li>
<li>Here are the <a
href="http://www1.shorewall.net/pub/shorewall/development/4.1/shorewall-4.1.5/known_problems.txt">known
href="http://www1.shorewall.net/pub/shorewall/development/4.1/shorewall-4.1.6/known_problems.txt">known
problems</a> and <a
href="http://www1.shorewall.net/pub/shorewall/development/4.1/shorewall-4.1.5/errata/">updates</a>.</li>
href="http://www1.shorewall.net/pub/shorewall/development/4.1/shorewall-4.1.6/errata/">updates</a>.</li>
</ul>
</div>
<div style="margin-left: 40px;">
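Review bot: this hunk sets the "current Development Release" to 4.1.6 and points all three links at the 4.1.6 directory, while the changes file and releasenotes.txt in the same commit describe 4.1.7. Confirm that 4.1.6 is the intended published development release here; if not, bump the version text and the three href values to 4.1.7 so the index page and the release notes agree.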