From 636629a063103edae363e89f43ccdd982198aef8 Mon Sep 17 00:00:00 2001
From: teastep
Date: Wed, 21 Nov 2007 16:28:36 +0000
Subject: [PATCH] Allow IP address of interface to be specified in
/etc/shorewall/providers
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@7709 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
Shorewall-common/changelog.txt | 2 ++
Shorewall-common/releasenotes.txt | 32 +++++++++++++++++++--------
Shorewall-perl/Shorewall/Providers.pm | 12 +++++-----
web/shorewall_index.htm | 5 +++--
4 files changed, 35 insertions(+), 16 deletions(-)
diff --git a/Shorewall-common/changelog.txt b/Shorewall-common/changelog.txt
index e0dc861f8..dfc1f1ae8 100644
--- a/Shorewall-common/changelog.txt
+++ b/Shorewall-common/changelog.txt
@@ -4,6 +4,8 @@ Changes in 4.1.1
2) Fix NFQUEUE() in Policy file.
+3) Allow specifying an address in the Providers file.
+
Changes in 4.1.0.
1) Add 'shared' provider option.
diff --git a/Shorewall-common/releasenotes.txt b/Shorewall-common/releasenotes.txt
index 1af9c8d56..48ee41df8 100644
--- a/Shorewall-common/releasenotes.txt
+++ b/Shorewall-common/releasenotes.txt
@@ -19,7 +19,8 @@ Problems corrected in Shorewall 4.1.1.
Other changes in Shorewall 4.1.1.
-None.
+1) You may now specify an interface address in the INTERFACE column of
+ /etc/shorewall/providers. See New Feature 1) below.
New Features in Shorewall 4.1.
@@ -42,26 +43,39 @@ New Features in Shorewall 4.1.
iptables. If you use a capabilities file, you need to regenerate
the file with Shorewall 4.0.6 or Shorewall-lite 4.0.6.
+ e) You specify the address on the interface that corresponds to a
+ particular provider in the INTERFACE column by following the
+ interface name with a colon (":") and the address.
+
+ f) You must add route_rules entries for networks that are accessed
+ through a particular provider.
+
Example:
Providers Blarg (1) and Avvanta (2) are both connected to
- eth0. The firewall's IP address with Blarg is 206.124.146.176
+ eth0. The firewall's IP address with Blarg is 206.124.146.176/24
(gateway 206.124.146.254) and the IP address from Avvanta is
- 130.252.144.8 (gateway 130.252.144.254).
+ 130.252.144.8/24 (gateway 130.252.144.254).
/etc/shorewall/providers:
- #PROVIDER NUMBER MARK DUPLICATE GATEWAY OPTIONS
- Blarg 1 1 main 206.124.146.254 shared,...
- Avvanta 2 2 main 130.252.144.254 shared,...
+ #PROVIDER NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS
+ Blarg 1 1 main eth0:206.124.146.176 206.124.146.254 shared,...
+ Avvanta 2 2 main eth0:130.252.144.8 130.252.144.254 shared,...
/etc/shorewall/masq:
#INTERFACE SOURCE ADDRESS
- eth0(Blarg) 130.252.144.254 206.124.146.176
- eth0(Avvanta) 206.124.146.176 130.252.144.254
+ eth0(Blarg) 130.252.144.8 206.124.146.176
+ eth0(Avvanta) 206.124.146.176 130.252.144.8
eth0(Blarg) eth1 206.124.146.176
- eth0(Avvanta) eth1 130.252.144.254
+ eth0(Avvanta) eth1 130.252.144.8
+
+ /etc/shorewall/route_rules:
+
+ #SOURCE DEST PROVIDER PRIORITY
+ - 206.124.146.0/24 Blarg 1000
+ - 130.252.144.0/24 Avvanta 1000
2) You may now include the name of a table (nat, mangle or filter) in
a 'shorewall refresh' command by following the name with a colon
diff --git a/Shorewall-perl/Shorewall/Providers.pm b/Shorewall-perl/Shorewall/Providers.pm
index b0ae6480f..4e087ff4b 100644
--- a/Shorewall-perl/Shorewall/Providers.pm
+++ b/Shorewall-perl/Shorewall/Providers.pm
@@ -198,6 +198,10 @@ sub add_a_provider( $$$$$$$$ ) {
fatal_error "Duplicate provider number ($number)" if $providerref->{number} == $number;
}
+ ( $interface, my $address ) = split /:/, $interface;
+
+ validate_address $address, 0 if defined $address;
+
fatal_error "Unknown Interface ($interface)" unless known_interface $interface;
my $provider = chain_base $table;
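Review bot: The added split has no field limit, so an INTERFACE value with two or more colons silently discards everything after the second field instead of being rejected; `( $interface, my $address ) = split /:/, $interface, 2;` keeps the remainder in `$address`, where the existing `validate_address` call on the next added line will report it. If interface alias names of the form `eth0:1` can reach this code, the same split would treat `1` as an address and reject the entry, which is worth a sentence in the providers documentation if that is intended. The body of add_a_provider starts and continues outside this hunk.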
@@ -211,14 +215,12 @@ sub add_a_provider( $$$$$$$$ ) {
emit "qt ip route flush table $number";
emit "echo \"qt ip route flush table $number\" >> \${VARDIR}/undo_routing";
- my $variable;
-
if ( $gateway eq 'detect' ) {
- $variable = get_interface_address $interface;
+ $address = get_interface_address $interface unless $address;
$gateway = get_interface_gateway $interface;
} elsif ( $gateway && $gateway ne '-' ) {
validate_address $gateway, 0;
- $variable = get_interface_address $interface;
+ $address = get_interface_address $interface unless $address;
} else {
$gateway = '';
emit "run_ip route add default dev $interface table $number";
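Review bot: An address given in the INTERFACE column is validated but then has no effect when GATEWAY is '-' or empty: the `else` branch emits the default route without a src, and the only consumer of `$address` is the `src $address` route in the last hunk, which is emitted only when `$gateway` is set. Either reject that combination or document it, for example by adding above the `else` branch `# A user-supplied address is unused here: the default route below carries no src.`. The enclosing function starts and ends outside this hunk.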
@@ -324,7 +326,7 @@ sub add_a_provider( $$$$$$$$ ) {
}
if ( $gateway ) {
- emit "run_ip route replace $gateway src $variable dev $interface table $number $realm";
+ emit "run_ip route replace $gateway src $address dev $interface table $number $realm";
emit "run_ip route add default via $gateway dev $interface table $number $realm";
}
diff --git a/web/shorewall_index.htm b/web/shorewall_index.htm
index eebd6a6e2..8f9dd6774 100644
--- a/web/shorewall_index.htm
+++ b/web/shorewall_index.htm
@@ -21,7 +21,7 @@ Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the
license is included in the section entitled “GNU Free Documentation License”.
-2007-11-19
+2007-11-20
Table of Contents
@@ -145,7 +145,8 @@ The current Development Release is
notes
Here are the known
- problems
+ problems and updates.