diff --git a/Shorewall-common/releasenotes.txt b/Shorewall-common/releasenotes.txt
index 0b0212a93..39c84cd4d 100644
--- a/Shorewall-common/releasenotes.txt
+++ b/Shorewall-common/releasenotes.txt
@@ -62,7 +62,7 @@ New Features in Shorewall 4.1.
d) This feature requires Realm Match support in your kernel and
iptables. If you use a capabilities file, you need to regenerate
- the file with Shorewall 4.0.6 or Shorewall-lite 4.0.6.
+ the file with Shorewall 4.1 or Shorewall-lite 4.1.
e) You must add route_rules entries for networks that are accessed
through a particular provider.
@@ -71,6 +71,9 @@ New Features in Shorewall 4.1.
you must add route_rules to direct traffic FROM each of those
addresses through the appropriate provider.
+ g) You must add MARK rules for any traffic that you know originates
+ from a particular provider.
+
Example:
Providers Blarg (1) and Avvanta (2) are both connected to
@@ -100,6 +103,12 @@ New Features in Shorewall 4.1.
- 130.252.144.0/24 Avvanta 1000
206.124.146.177 - Blarg 26000
+ /etc/shorewall/tcrules
+
+ #MARK/CLASSIFY SOURCE DEST
+ 1 eth0:206.124.146.0/24 0.0.0.0/0
+ 2 eth0:130.242.144.0/24 0.0.0.0/0
+
2) You may now include the name of a table (nat, mangle or filter) in
a 'shorewall refresh' command by following the table name with a
colon (e.g., mangle:). This causes all non-builtin chains in the
diff --git a/Shorewall-perl/Shorewall/Chains.pm b/Shorewall-perl/Shorewall/Chains.pm
index 881e8decc..08c7e9fe0 100644
--- a/Shorewall-perl/Shorewall/Chains.pm
+++ b/Shorewall-perl/Shorewall/Chains.pm
@@ -1590,7 +1590,7 @@ sub interface_nets( $ ) {
}
#
-# Record that the ruleset requires the first IP address on the passed interface
+# Record that the ruleset requires the networks routed out of the passed interface
#
sub get_interface_nets ( $ ) {
my ( $interface ) = $_[0];
diff --git a/Shorewall-perl/Shorewall/Providers.pm b/Shorewall-perl/Shorewall/Providers.pm
index e330eef3a..a181812a1 100644
--- a/Shorewall-perl/Shorewall/Providers.pm
+++ b/Shorewall-perl/Shorewall/Providers.pm
@@ -299,7 +299,7 @@ sub add_a_provider( $$$$$$$$ ) {
if ( $routemarked_interfaces{$interface} ) {
fatal_error "Interface $interface is tracked through an earlier provider" if $routemarked_interfaces{$interface} > 1;
- fatal_error "Multiple providers through the same interface must have the 'share' option" unless $shared;
+ fatal_error "Multiple providers through the same interface must their IP address specified in the INTERFACES" unless $shared;
} else {
$routemarked_interfaces{$interface} = $shared ? 1 : 2;
push @routemarked_interfaces, $interface;
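Review bot: The rewritten fatal_error message on the `+` line is ungrammatical and names a column that does not match the providers file header shown elsewhere in this commit — it reads `must their IP address specified in the INTERFACES`, dropping "have" and saying "INTERFACES" where the providers file column is INTERFACE. Since this message is what an administrator sees when a second provider on a shared interface is rejected, it should state the actual remedy: `fatal_error "Multiple providers through the same interface must have their IP address specified in the INTERFACE column" unless $shared;`. add_a_provider begins and ends outside this hunk, and how $shared is derived (presumably set only when the INTERFACE column carries an address) is not visible here, so confirm the new wording matches that condition before merging.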
diff --git a/docs/Actions.xml b/docs/Actions.xml
index 8c9bd46b1..7a8796c80 100644
--- a/docs/Actions.xml
+++ b/docs/Actions.xml
@@ -148,12 +148,14 @@ ACCEPT - - tcp 135,139,445
- Shorewall supports default actions for the ACCEPT, REJECT, DROP and
- QUEUE policies. These default actions are specified in the
+ Shorewall supports default actions for the ACCEPT, REJECT, DROP,
+ QUEUE and NFQUEUE policies. These default actions are specified in the
/etc/shorewall/shorewall.conf file using the ACCEPT_DEFAULT,
- REJECT_DEFAULT, DROP_DEFAULT and QUEUE_DEFAULT options respectively.
- Policies whose default is set to a value of "none" have no default
- action.
+ REJECT_DEFAULT, DROP_DEFAULT, QUEUE_DEFAULT and NFQUEUE_DEFAULT options
+ respectively. Policies whose default is set to a value of "none" have no
+ default action.
+
+ In addition, the default specified in /etc/shorewall/shorewall.conf
may be overridden by specifying a different default in the POLICY column
diff --git a/docs/MultiISP.xml b/docs/MultiISP.xml
index 7ed72c4e4..83d0e607f 100644
--- a/docs/MultiISP.xml
+++ b/docs/MultiISP.xml
@@ -251,15 +251,12 @@
INTERFACE
- The name of the interface to the provider.
-
-
- The Shorewall implementation of Multi-ISP support requires
- that each provider has its own interface -- and remember that
- "virtual interfaces" (e.g., eth0:0) are not
- interfaces.
-
+ The name of the interface to the provider. Where multiple
+ providers share the same interface (which is not recommended), you
+ must follow the name of the interface by a colon (":") and the IP
+ address assigned by this provider (e.g., eth0:206.124.146.176).
+ See below for additional
+ considerations.
@@ -932,5 +929,83 @@ gateway:~ #Note that because we used a priority of 1000, the
- 10.8.0.0/24 main 1000
+
+
+ Two Providers Sharing an Interface
+
+ Shared interface support is available only in Shorewall-perl 4.1.2
+ and later.
+
+
+
+ Only ethernet (or ethernet-like) interfaces can be used. For
+ inbound traffic, the MAC addresses of the gateway routers is used to
+ determine which provider a packet was received through. Note that
+ only routed traffic can be categorized using this technique.
+
+
+
+ You must specify the address on the interface that corresponds
+ to a particular provider in the INTERFACE column by following the
+ interface name with a colon (":") and the address.
+
+
+
+ Entries in /etc/shorewall/masq must be
+ qualified by the provider name (or number).
+
+
+
+ This feature requires Realm Match support in your kernel and
+ iptables.
+
+
+
+ You must add route_rules entries for networks that are
+ accessed through a particular provider.
+
+
+
+ If you have additional IP addresses through either provider,
+ you must add route_rules to direct traffic FROM
+ each of those addresses through the appropriate provider.
+
+
+
+ You must manually add MARK rules for traffic known to come
+ from each provider.
+
+
+
+ Example:
+
+ Providers Blarg (1) and Avvanta (2) are both connected to eth0. The
+ firewall's IP address with Blarg is
+ 206.124.146.176/24 (gateway 206.124.146.254) and the IP address from
+ Avvanta is 130.252.144.8/24 (gateway
+ 130.252.144.254). We have a second IP address (206.124.146.177) from
+ Blarg.
+
+ /etc/shorewall/providers:#PROVIDER NUMBER MARK DUPLICATE INTERFACE GATEWAY
+Blarg 1 1 main eth0:206.124.146.176 206.124.146.254 ...
+Avvanta 2 2 main eth0:130.252.144.8 130.252.144.254 ...
+
+ /etc/shorewall/masq:#INTERFACE SOURCE ADDRESS
+eth0(Blarg) 130.252.144.8 206.124.146.176
+eth0(Avvanta) 206.124.146.176 130.252.144.8
+eth0(Blarg) eth1 206.124.146.176
+eth0(Avvanta) eth1 130.252.144.8
+ /etc/shorewall/route_rules:
+
+ #SOURCE DEST PROVIDER PRIORITY
+- 206.124.146.0/24 Blarg 1000
+- 130.252.144.0/24 Avvanta 1000
+206.124.146.177 - Blarg 26000
+
+ /etc/shorewall/tcrules:#MARK/CLASSIFY SOURCE DEST PROTO
+1:P eth0:206.124.146.0/24 0.0.0.0/0
+2:P eth0:130.252.144.8/24 0.0.0.0/0
+
\ No newline at end of file