diff --git a/Shorewall-common/shorewall.conf b/Shorewall-common/shorewall.conf
index 4eb5cb91b..bc03b5c0c 100644
--- a/Shorewall-common/shorewall.conf
+++ b/Shorewall-common/shorewall.conf
@@ -165,6 +165,8 @@ EXPORTPARAMS=Yes
 EXPAND_POLICIES=Yes
+KEEP_RT_TABLES=No
+
 ###############################################################################
 # P A C K E T D I S P O S I T I O N
 ###############################################################################
diff --git a/Shorewall-perl/Shorewall/Config.pm b/Shorewall-perl/Shorewall/Config.pm
index 9d7be8370..34baac915 100644
--- a/Shorewall-perl/Shorewall/Config.pm
+++ b/Shorewall-perl/Shorewall/Config.pm
@@ -288,7 +288,7 @@ sub initialize() {
 EXPORTPARAMS => undef,
 SHOREWALL_COMPILER => undef,
 EXPAND_POLICIES => undef,
- ACCOUNTING_EXPERT => undef,
+ KEEP_RT_TABLES => undef,
 #
 # Packet Disposition
 #
diff --git a/Shorewall-perl/Shorewall/Zones.pm b/Shorewall-perl/Shorewall/Zones.pm
index 666775aeb..330115acf 100644
--- a/Shorewall-perl/Shorewall/Zones.pm
+++ b/Shorewall-perl/Shorewall/Zones.pm
@@ -76,7 +76,7 @@ use constant { NOTHING => 'NOTHING',
 #
 # @zones contains the ordered list of zones with sub-zones appearing before their parents.
 #
-# %zones{ => {type = > 'firewall', 'ipv4', 'ipsec4', 'bport4';
+# %zones{ => {type = >
 # options => { complex => 0|1
 # in_out => < policy match string >
 # in => < policy match string >
@@ -110,6 +110,16 @@ our %reservedName = ( all => 1,
 SOURCE => 1,
 DEST => 1 );
+se constant ( ZT_IPV4 => 1,
+ ZT_IPSEC => 2,
+ ZT_BPORT => 4,
+ ZT_IPV6 => 8,
+ ZT_FIREWALL => 16,
+ ZT_IPSEC4 => ZT_IPV4 | ZT_IPSEC
+ ZT_IPSEC6 => ZT_IPV6 | ZT_IPSEC
+ ZT_BPORT4 => ZT_IPV4 | ZT_BPORT
+ ZT_BPORT6 => ZT_IPV6 | ZT_BPORT
+ );
 #
 # Interface Table.
 #
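Review bot: The Config.pm hunk replaces the `ACCOUNTING_EXPERT => undef` entry with `KEEP_RT_TABLES => undef` instead of adding the new key next to it, so ACCOUNTING_EXPERT disappears from the table of seeded settings; a shorewall.conf that still sets it will presumably now be treated as an unknown option, though how unknown keys are handled is outside the hunk. If retiring that option is intended, the commit message should say so; otherwise keep both lines. Nothing in this diff reads KEEP_RT_TABLES after it is seeded here or gives it whatever Yes/No normalisation the other boolean settings receive, which I assume is left for a later commit. initialize() starts and ends outside the hunk.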
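Review bot: The rewritten comment line `# %zones{ => {type = >` in the Zones.pm header hunk now ends without naming any value, where the old line listed 'firewall', 'ipv4', 'ipsec4' and 'bport4'; since the field is becoming a bit mask, the comment should say so, e.g. `# %zones{ => {type => bit mask built from ZT_IPV4, ZT_IPSEC, ZT_BPORT, ZT_IPV6 and ZT_FIREWALL (ZT_IPSEC4 = ZT_IPV4|ZT_IPSEC etc.)`. The `%zones{` spelling (the hash is presumably assigned, not subscripted) is pre-existing but could be corrected on the same line.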
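Review bot: The added `se constant ( ZT_IPV4 => 1,` block will not compile as written: `se` is a typo for `use`, the list form `use constant ( NAME => ..., ... )` declares a single constant ZT_IPV4 whose value is the rest of the list rather than nine constants (that needs the `{ ... }` hash form), the four composite entries lack trailing commas, and `ZT_IPV4 | ZT_IPSEC` cannot refer to names declared in the same `use constant` statement, so under strict they are rejected as barewords and the composites need a second statement. Every `& ZT_IPSEC` and `& ZT_FIREWALL` test in the later parse_zone_option_list, determine_zones and haveipseczones hunks depends on these names being defined, so this is the first thing to fix. A working form of the declaration:
```perl
use constant { ZT_IPV4     => 1,
               ZT_IPSEC    => 2,
               ZT_BPORT    => 4,
               ZT_IPV6     => 8,
               ZT_FIREWALL => 16 };
# The composite masks must be a separate statement: names declared by a
# use constant {...} are not visible inside that same statement.
use constant { ZT_IPSEC4 => ZT_IPV4 | ZT_IPSEC,
               ZT_IPSEC6 => ZT_IPV6 | ZT_IPSEC,
               ZT_BPORT4 => ZT_IPV4 | ZT_BPORT,
               ZT_BPORT6 => ZT_IPV6 | ZT_BPORT };
```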
@@ -209,7 +219,7 @@ sub parse_zone_option_list($$)
 if ( $key{$e} ) {
 $h{$e} = $val;
 } else {
- fatal_error "The \"$e\" option may only be specified for ipsec zones" unless $zonetype eq 'ipsec4';
+ fatal_error "The \"$e\" option may only be specified for ipsec zones" unless $zonetype & ZT_IPSEC;
 $options .= $invert;
 $options .= "--$e ";
 $options .= "$val "if defined $val;
@@ -251,7 +261,7 @@ sub determine_zones()
 for my $p ( @parents ) {
 fatal_error "Invalid Parent List ($2)" unless $p;
 fatal_error "Unknown parent zone ($p)" unless $zones{$p};
- fatal_error 'Subzones of firewall zone not allowed' if $zones{$p}{type} eq 'firewall';
+ fatal_error 'Subzones of firewall zone not allowed' if $zones{$p}{type} & ZT_FIREWALL;
 push @{$zones{$p}{children}}, $zone;
 }
 }
@@ -263,20 +273,20 @@ sub determine_zones()
 $type = "ipv4" unless $type;
 if ( $type =~ /ipv4/i ) {
- $type = 'ipv4';
+ $type = ZT_IPV4;
 } elsif ( $type =~ /^ipsec4?$/i ) {
- $type = 'ipsec4';
+ $type = ZT_IPSEC4;
 } elsif ( $type =~ /^bport4?$/i ) {
 warning_message "Bridge Port zones should have a parent zone" unless @parents;
- $type = 'bport4';
+ $type = ZT_BPORT4;
 } elsif ( $type eq 'firewall' ) {
 fatal_error 'Firewall zone may not be nested' if @parents;
 fatal_error "Only one firewall zone may be defined ($zone)" if $firewall_zone;
 $firewall_zone = $zone;
 $ENV{FW} = $zone;
- $type = "firewall";
+ $type = ZT_FIREWALL;
 } elsif ( $type eq '-' ) {
- $type = 'ipv4';
+ $type = ZT_IPV4;
 } else {
 fatal_error "Invalid zone type ($type)" ;
 }
@@ -292,7 +302,7 @@ sub determine_zones()
 options => { in_out => parse_zone_option_list( $options || '', $type ) ,
 in => parse_zone_option_list( $in_options || '', $type ) ,
 out => parse_zone_option_list( $out_options || '', $type ) ,
- complex => ($type eq 'ipsec4' || $options || $in_options || $out_options ? 1 : 0) } ,
+ complex => ($type & ZT_IPSEC || $options || $in_options || $out_options ? 1 : 0) } ,
 interfaces => {} ,
 children => [] ,
 hosts => {}
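Review bot: In the determine_zones hunk that maps the type column to ZT_* values, the first branch still tests `$type =~ /ipv4/i` without anchors while the neighbouring branches use `/^ipsec4?$/i` and `/^bport4?$/i`, so any string that merely contains "ipv4" is mapped to ZT_IPV4 instead of reaching the `Invalid zone type` error. Since the branch body is being rewritten anyway, `if ( $type =~ /^ipv4$/i ) {` would make the three checks consistent; if the loose match is deliberate, a one-line comment saying why would spare the next reader the question. determine_zones() starts and ends outside the hunk.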
@@ -327,12 +337,22 @@ sub determine_zones()
 #
 sub haveipseczones() {
 for my $zoneref ( values %zones ) {
- return 1 if $zoneref->{type} eq 'ipsec4';
+ return 1 if $zoneref->{type} & ZT_IPSEC;
 }
 0;
 }
+my @typenames = ( Untyped, #0 firewall, #1 ipv4, #2 Invalid, #3 Invalid, #4 Invalid, #5 ipsec4, #6 Invalid, #7 Invalid, #8
 #
 # Report about zones.
 #
diff --git a/docs/MultiISP.xml b/docs/MultiISP.xml
index f0aaf1f9f..a8d664f01 100644
--- a/docs/MultiISP.xml
+++ b/docs/MultiISP.xml
@@ -406,6 +406,12 @@ an interface is in a state that Shorewall can [re]start without error doesn't mean that traffic can actually be sent through the interface.
+
+ Beginning with Shorewall-perl 4.0.3, you can supply
+ an 'isusable' extension
+ script to extend Shorewall's interface state
+ detection.
diff --git a/docs/shorewall_extension_scripts.xml b/docs/shorewall_extension_scripts.xml
index fec5bad05..d2132e8d4 100644
--- a/docs/shorewall_extension_scripts.xml
+++ b/docs/shorewall_extension_scripts.xml
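Review bot: The added `my @typenames = ( Untyped, #0 ...` in the Zones.pm hunk is incomplete and will not compile as the hunk shows it: the list is never closed with `);` before the `# Report about zones.` context line, and Untyped, firewall, ipv4, ipsec4 and Invalid are barewords, which strict rejects. The index comments also do not line up with the ZT_* values declared earlier in this diff (ZT_IPV4 is 1 but index 1 is labelled firewall, ZT_IPSEC4 would be ZT_IPV4|ZT_IPSEC = 3 but ipsec4 sits at index 6, and ZT_FIREWALL is 16, past the end of the table). A hash keyed by the constants removes both the ordering problem and the barewords; if this table is still work in progress it would be better left out of the commit, and I see nothing in this diff that references it.
```perl
# Display names for the zone-type masks. The () after each constant
# stops => from quoting the name as a bareword string.
my %typename_of = ( ZT_IPV4()     => 'ipv4',
                    ZT_IPSEC4()   => 'ipsec4',
                    ZT_BPORT4()   => 'bport4',
                    ZT_FIREWALL() => 'firewall' );
```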
@@ -122,6 +122,40 @@ logging rule is added to the current chain (the name of that chain will be in $CHAIN).
+
+
+ isusable -- (Added in Shorewall-perl version 4.0.3) invoked when
+ Shorewall is trying to determine the usability of the network
+ interface associated with an optional entry in
+ /etc/shorewall/providers. $1 is the name of the interface which will
+ have been determined to be up and configured before the script is
+ invoked. The return value from the script indicates whether or not the
+ interface is usable (0 = usable, other = unusable).
+
+ Example:# Ping a gateway through the passed interface
+case $1 in
+ eth0)
+ ping -c 4 -I eth0 206.124.146.254 > /dev/null 2>&1
+ return
+ ;;
+ eth1)
+ ping -c 4 -I eth1 192.168.12.254 > /dev/null 2>&1
+ return
+ ;;
+ *)
+ # No additional testing of other interfaces
+ return 0
+ ;;
+esac
+ The firewall state when this script is invoked is
+ indeterminent. So if you have ADMINISABSENTMINDED=No in shorewall.conf(8) and
+ output on an interface is not allowed by routestopped(8) then
+ the script must blow it's own holes in the firewall before
+ probing.
+
+ If your version of Shorewall doesn't have the
@@ -373,7 +407,7 @@ maclog
- initdone
+ isusable