diff --git a/Shorewall/Perl/Shorewall/Providers.pm b/Shorewall/Perl/Shorewall/Providers.pm
index d03fe1499..1cf471903 100644
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -492,6 +492,10 @@ sub process_a_provider( $ ) {
         fatal_error "Configuring multiple providers through one interface requires an explicit gateway" if $shared;
         $gateway = get_interface_gateway $interface;
         $gatewaycase = 'detect';
+    } elsif ( $gateway eq 'none' ) {
+        fatal_error "Configuring multiple providers through one interface requires a gateway" if $shared;
+        $gatewaycase = 'none';
+        $gateway = '';
     } elsif ( $gateway && $gateway ne '-' ) {
         ( $gateway, $mac ) = split_host_list( $gateway, 0 );
         validate_address $gateway, 0;
@@ -506,7 +510,7 @@ sub process_a_provider( $ ) {
         $gatewaycase = 'specified';
     } else {
-        $gatewaycase = 'none';
+        $gatewaycase = 'omitted';
         fatal_error "Configuring multiple providers through one interface requires a gateway" if $shared;
         $gateway = '';
     }
@@ -529,10 +533,12 @@ sub process_a_provider( $ ) {
             } elsif ( $option eq 'notrack' ) {
                 $track = 0;
             } elsif ( $option =~ /^balance=(\d+)$/ ) {
+                fatal_error q('balance' may not be spacified when GATEWAY is 'none') if $gatewaycase eq 'none';
                 fatal_error q('balance=' is not available in IPv6) if $family == F_IPV6;
                 fatal_error 'The balance setting must be non-zero' unless $1;
                 $balance = $1;
             } elsif ( $option eq 'balance' || $option eq 'primary') {
+                fatal_error qq('$option' may not be spacified when GATEWAY is 'none') if $gatewaycase eq 'none';
                 $balance = 1;
             } elsif ( $option eq 'loose' ) {
                 $loose = 1;
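Review bot: Renaming the omitted-gateway state from 'none' to 'omitted' in the `else` branch of the @@ -506 hunk is only safe if every `$gatewaycase eq 'none'` comparison in the file is updated in the same commit, because from now on 'none' means an explicit GATEWAY=none provider with `$gateway` set to ''. The hunks in this diff update the comparisons in process_a_provider and add_a_provider; any comparison outside them (none is visible here, so this is a grep request rather than a known defect) would silently start treating GATEWAY=none providers as the old omitted case. A one-line comment at the assignment, `# 'omitted' = column left blank or '-'; 'none' = explicit GATEWAY=none (see above)`, would make the distinction obvious to the next reader. The enclosing if/elsif chain begins before the hunk.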
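Review bot: Both fatal_error messages added in the @@ -529 hunk misspell "specified" as "spacified" (`q('balance' may not be spacified when GATEWAY is 'none')` and `qq('$option' may not be spacified when GATEWAY is 'none')`); these strings are what the administrator sees when compilation aborts, so they should read `may not be specified when GATEWAY is 'none'`. The new `balance=` guard is deliberately placed before the existing IPv6 check, so an IPv6 configuration with GATEWAY=none reports the gateway error rather than the IPv6 one; that ordering is reasonable but worth a short comment since the two checks are independent. The option loop starts and ends outside the hunk.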
@@ -550,11 +556,13 @@ sub process_a_provider( $ ) {
             } elsif ( $option =~ /^mtu=(\d+)$/ ) {
                 $mtu = "mtu $1 ";
             } elsif ( $option =~ /^fallback=(\d+)$/ ) {
+                fatal_error q('fallback' may not be spacified when GATEWAY is 'none') if $gatewaycase eq 'none';
                 fatal_error q('fallback=' is not available in IPv6) if $family == F_IPV6;
                 $default = $1;
                 $default_balance = 0;
                 fatal_error 'fallback must be non-zero' unless $default;
             } elsif ( $option eq 'fallback' ) {
+                fatal_error q('fallback' may not be spacified when GATEWAY is 'none') if $gatewaycase eq 'none';
                 $default = -1;
                 $default_balance = 0;
             } elsif ( $option eq 'local' ) {
@@ -567,6 +575,7 @@ sub process_a_provider( $ ) {
                 $track = 0 if $config{TRACK_PROVIDERS};
                 $default_balance = 0 if $config{USE_DEFAULT_RT};
             } elsif ( $option =~ /^load=(0?\.\d{1,8})/ ) {
+                fatal_error q('fallback' may not be spacified when GATEWAY is 'none') if $gatewaycase eq 'none';
                 $load = sprintf "%1.8f", $1;
                 require_capability 'STATISTIC_MATCH', "load=$1", 's';
             } elsif ( $option eq 'autosrc' ) {
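Review bot: Both guards added in the @@ -550 hunk carry the "spacified" typo in a user-facing message (`q('fallback' may not be spacified when GATEWAY is 'none')`); fatal_error text is what the administrator reads when the compile aborts, so change both to `may not be specified`. The placement is otherwise sound: the guard runs before `$default`/`$default_balance` are touched, so a GATEWAY=none provider never reaches the fallback bookkeeping. The option loop begins and ends outside the hunk.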
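Review bot: The guard added to the `load=` branch in the @@ -567 hunk names the wrong option: the message says `'fallback' may not be spacified when GATEWAY is 'none'` although this branch matches `/^load=(0?\.\d{1,8})/`, and it repeats the "spacified" typo. An administrator who wrote `load=0.5` would be told to remove `fallback`, which they never specified. Replace the line with `fatal_error q('load=' may not be specified when GATEWAY is 'none') if $gatewaycase eq 'none';`. The option loop continues outside the hunk.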
@@ -596,13 +605,13 @@ sub process_a_provider( $ ) {
     fatal_error "A provider interface must have at least one associated zone" unless $tproxy || %{interface_zones($interface)};
     if ( $local ) {
-        fatal_error "GATEWAY not valid with 'local' provider" unless $gatewaycase eq 'none';
+        fatal_error "GATEWAY not valid with 'local' provider" unless $gatewaycase eq 'omitted';
         fatal_error "'track' not valid with 'local'" if $track;
         fatal_error "DUPLICATE not valid with 'local'" if $duplicate ne '-';
         fatal_error "'persistent' is not valid with 'local" if $persistent;
     } elsif ( $tproxy ) {
         fatal_error "Only one 'tproxy' provider is allowed" if $tproxies++;
-        fatal_error "GATEWAY not valid with 'tproxy' provider" unless $gatewaycase eq 'none';
+        fatal_error "GATEWAY not valid with 'tproxy' provider" unless $gatewaycase eq 'omitted';
         fatal_error "'track' not valid with 'tproxy'" if $track;
         fatal_error "DUPLICATE not valid with 'tproxy'" if $duplicate ne '-';
         fatal_error "MARK not allowed with 'tproxy'" if $mark ne '-';
@@ -649,7 +658,7 @@ sub process_a_provider( $ ) {
         warning_message q(The 'proxyndp' option is dangerous when specified on a Provider interface) if get_interface_option( $interface, 'proxyndp' );
     }
-    $balance = $default_balance unless $balance;
+    $balance = $default_balance unless $balance || $gatewaycase eq 'none';
     fatal_error "Interface $interface is already associated with non-shared provider $provider_interfaces{$interface}" if $provider_interfaces{$interface};
@@ -789,7 +798,7 @@ sub add_a_provider( $$ ) {
     push_indent;
-    if ( $gatewaycase eq 'none' ) {
+    if ( $gatewaycase eq 'omitted' ) {
         if ( $tproxy ) {
             emit 'run_ip route add local ' . ALLIP . " dev $physical table $id";
         } else {
@@ -867,7 +876,7 @@ sub add_a_provider( $$ ) {
         }
         $provider_interfaces{$interface} = $table;
-        if ( $gatewaycase eq 'none' ) {
+        if ( $gatewaycase eq 'omitted' ) {
             if ( $tproxy ) {
                 emit 'run_ip route add local ' . ALLIP . " dev $physical table $id";
             } else {
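Review bot: In the @@ -789 hunk the renamed test `if ( $gatewaycase eq 'omitted' )` is false for a GATEWAY=none provider, so control falls through to the `else` branch that lies outside this hunk, and process_a_provider set `$gateway = ''` for that case. If that branch still emits the default route `via $gateway` (I cannot see it here), the generated script would contain `run_ip route add default via  dev ...`, which is a shell/`ip` error at start time rather than a compile-time one, and it contradicts the manpage text promising a routing table with no default route. Please confirm the else branch is guarded, or add an explicit `} elsif ( $gatewaycase eq 'none' ) {` arm that creates the table without a default route and document it with `# GATEWAY=none: table exists but carries no default route`. add_a_provider's body continues beyond the hunk.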
@@ -907,7 +916,7 @@ CEOF
                 emit ( "run_ip rule add fwmark ${hexmark}${mask} pref $pref table $id",
                        "echo \"\$IP -$family rule del fwmark ${hexmark}${mask} > /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing"
-                     );
+                     );
             }
             if ( $duplicate ne '-' ) {
diff --git a/Shorewall/manpages/shorewall-providers.xml b/Shorewall/manpages/shorewall-providers.xml
index bafc3e37f..812469328 100644
--- a/Shorewall/manpages/shorewall-providers.xml
+++ b/Shorewall/manpages/shorewall-providers.xml
@@ -130,7 +130,7 @@
 GATEWAY
-   {-|address[,mac]|detect}
+   role="bold">detect|none}
 The IP address of the provider's gateway router. Beginning
@@ -139,8 +139,12 @@
 interface. When the MAC is not specified, Shorewall will detect the MAC during firewall start or restart.
-   You can enter "detect" here and Shorewall will attempt to
-   detect the gateway automatically.
+   You can enter detect here and
+   Shorewall will attempt to detect the gateway automatically.
+
+   Beginning with Shorewall 5.0.6, you may also enter none. This causes creation of a routing table
+   with no default route in it.
 For PPP devices, you may omit this column.
diff --git a/Shorewall6/manpages/shorewall6-providers.xml b/Shorewall6/manpages/shorewall6-providers.xml
index d6f5885a9..889e002eb 100644
--- a/Shorewall6/manpages/shorewall6-providers.xml
+++ b/Shorewall6/manpages/shorewall6-providers.xml
@@ -119,13 +119,17 @@
 GATEWAY
-   {-|address|detect}
+   role="bold">detect|none}
 The IP address of the provider's gateway router.
-   You can enter "detect" here and Shorewall6 will attempt to
-   detect the gateway automatically.
+   You can enter detect here and
+   Shorewall6 will attempt to detect the gateway automatically.
+
+   Beginning with Shorewall 5.0.6, you may also enter none. This causes creation of a routing table
+   with no default route in it.
 For PPP devices, you may omit this column.