Documentation and error message tweaks

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@7894 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2007-12-10 22:53:20 +00:00
parent 528ed44682
commit 954c1f00ba
5 changed files with 103 additions and 17 deletions

View File

@ -62,7 +62,7 @@ New Features in Shorewall 4.1.
d) This feature requires Realm Match support in your kernel and d) This feature requires Realm Match support in your kernel and
iptables. If you use a capabilities file, you need to regenerate iptables. If you use a capabilities file, you need to regenerate
the file with Shorewall 4.0.6 or Shorewall-lite 4.0.6. the file with Shorewall 4.1 or Shorewall-lite 4.1.
e) You must add route_rules entries for networks that are accessed e) You must add route_rules entries for networks that are accessed
through a particular provider. through a particular provider.
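Review bot: the minimum version for regenerating the capabilities file is changed here to "Shorewall 4.1 or Shorewall-lite 4.1", while the new "Two Providers Sharing an Interface" section added to the DocBook in this same commit says shared-interface support is "available only in Shorewall-perl 4.1.2 and later"; pick one version and use it in both places so the release notes and the manual agree on when this feature (and the Realm Match capability check) became available.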
@ -71,6 +71,9 @@ New Features in Shorewall 4.1.
you must add route_rules to direct traffic FROM each of those you must add route_rules to direct traffic FROM each of those
addresses through the appropriate provider. addresses through the appropriate provider.
g) You must add MARK rules for any traffic that you know originates
from a particular provider.
Example: Example:
Providers Blarg (1) and Avvanta (2) are both connected to Providers Blarg (1) and Avvanta (2) are both connected to
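Review bot: the new item g) says MARK rules are required "for any traffic that you know originates from a particular provider" but does not say which file they go in or which value to use; the example that follows puts them in /etc/shorewall/tcrules with the provider's MARK value, matching inbound packets by source network, so say that here, e.g. "g) You must add tcrules MARK entries, using the provider's MARK value, for inbound traffic that you know arrives through a particular provider."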
@ -100,6 +103,12 @@ New Features in Shorewall 4.1.
- 130.252.144.0/24 Avvanta 1000 - 130.252.144.0/24 Avvanta 1000
206.124.146.177 - Blarg 26000 206.124.146.177 - Blarg 26000
/etc/shorewall/tcrules
#MARK/CLASSIFY SOURCE DEST
1 eth0:206.124.146.0/24 0.0.0.0/0
2 eth0:130.242.144.0/24 0.0.0.0/0
2) You may now include the name of a table (nat, mangle or filter) in 2) You may now include the name of a table (nat, mangle or filter) in
a 'shorewall refresh' command by following the table name with a a 'shorewall refresh' command by following the table name with a
colon (e.g., mangle:). This causes all non-builtin chains in the colon (e.g., mangle:). This causes all non-builtin chains in the
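Review bot: the Avvanta source network in the new tcrules example reads "130.242.144.0/24", but every other line of this example (and the DocBook copy added in this commit) uses 130.252.144.x; fix the typo. The two entries also differ from the DocBook copy of the same example, which writes the marks as "1:P" and "2:P" and has a PROTO column in its header; make the two copies identical so the release notes and the manual give readers the same rules.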

View File

@ -1590,7 +1590,7 @@ sub interface_nets( $ ) {
} }
# #
# Record that the ruleset requires the first IP address on the passed interface # Record that the ruleset requires the networks routed out of the passed interface
# #
sub get_interface_nets ( $ ) { sub get_interface_nets ( $ ) {
my ( $interface ) = $_[0]; my ( $interface ) = $_[0];
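Review bot: the reworded comment now matches the function name get_interface_nets, but "Record that the ruleset requires ..." describes only the side effect; if the sub also returns something (as the get_ prefix suggests), say what it returns. Unrelated style nit in the unchanged context line: `my ( $interface ) = $_[0];` is a list assignment from a single scalar; `my $interface = shift;` is the idiomatic form.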

View File

@ -299,7 +299,7 @@ sub add_a_provider( $$$$$$$$ ) {
if ( $routemarked_interfaces{$interface} ) { if ( $routemarked_interfaces{$interface} ) {
fatal_error "Interface $interface is tracked through an earlier provider" if $routemarked_interfaces{$interface} > 1; fatal_error "Interface $interface is tracked through an earlier provider" if $routemarked_interfaces{$interface} > 1;
fatal_error "Multiple providers through the same interface must have the 'share' option" unless $shared; fatal_error "Multiple providers through the same interface must their IP address specified in the INTERFACES" unless $shared;
} else { } else {
$routemarked_interfaces{$interface} = $shared ? 1 : 2; $routemarked_interfaces{$interface} = $shared ? 1 : 2;
push @routemarked_interfaces, $interface; push @routemarked_interfaces, $interface;
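Review bot: the new error message on the `unless $shared` line is ungrammatical and points at the wrong file: "Multiple providers through the same interface must their IP address specified in the INTERFACES" is missing "have", and the address is given in the INTERFACE column of the providers file, not in /etc/shorewall/interfaces. Suggest: fatal_error "Multiple providers through the same interface must have their IP address specified in the INTERFACE column" unless $shared;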

View File

@ -148,12 +148,14 @@ ACCEPT - - tcp 135,139,445
</listitem> </listitem>
</orderedlist> </orderedlist>
<para>Shorewall supports default actions for the ACCEPT, REJECT, DROP and <para>Shorewall supports default actions for the ACCEPT, REJECT, DROP,
QUEUE policies. These default actions are specified in the QUEUE and NFQUEUE policies. These default actions are specified in the
/etc/shorewall/shorewall.conf file using the ACCEPT_DEFAULT, /etc/shorewall/shorewall.conf file using the ACCEPT_DEFAULT,
REJECT_DEFAULT, DROP_DEFAULT and QUEUE_DEFAULT options respectively. REJECT_DEFAULT, DROP_DEFAULT, QUEUE_DEFAULT and NFQUEUE_DEFAULT options
Policies whose default is set to a value of "none" have no default respectively. Policies whose default is set to a value of "none" have no
action.</para> default action.</para>
<para></para>
<para>In addition, the default specified in /etc/shorewall/shorewall.conf <para>In addition, the default specified in /etc/shorewall/shorewall.conf
may be overridden by specifying a different default in the POLICY column may be overridden by specifying a different default in the POLICY column
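Review bot: the new version inserts an empty `<para></para>` between the two paragraphs; DocBook renders that as a blank paragraph, so drop it. The policy list itself is consistent: NFQUEUE is added to the list of policies and NFQUEUE_DEFAULT to the list of options in the same hunk.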

View File

@ -251,15 +251,12 @@
<term>INTERFACE</term> <term>INTERFACE</term>
<listitem> <listitem>
<para>The name of the interface to the provider.</para> <para>The name of the interface to the provider. Where multiple
providers share the same interface (which is not recommended), you
<caution> must follow the name of the interface by a colon (":") and the IP
<para>The Shorewall implementation of Multi-ISP support requires address assigned by this provider (e.g., eth0:206.124.146.176).
that each provider has its own interface -- and remember that See <link linkend="Shared">below</link> for additional
"virtual interfaces" (e.g., eth0:0) are <ulink considerations.</para>
url="Shorewall_and_Aliased_Interfaces.html">not
interfaces</ulink>.</para>
</caution>
</listitem> </listitem>
</varlistentry> </varlistentry>
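Review bot: the removed caution was the only place warning that aliased interfaces such as eth0:0 are not interfaces, and the new "eth0:206.124.146.176" syntax looks very much like an alias name; keep a one-line caution that the text after the colon is the address assigned by the provider, not an interface alias, so readers do not write eth0:0 in this column. Leaving the link to Shorewall_and_Aliased_Interfaces.html in place would also preserve the pointer to the longer explanation.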
@ -932,5 +929,83 @@ gateway:~ #</programlisting>Note that because we used a priority of 1000, the
- 10.8.0.0/24 main 1000</programlisting> - 10.8.0.0/24 main 1000</programlisting>
</section> </section>
</section> </section>
<section id="Shared">
<title>Two Providers Sharing an Interface</title>
<para>Shared interface support is available only in Shorewall-perl 4.1.2
and later.</para>
<orderedlist numeration="loweralpha">
<listitem>
<para>Only ethernet (or ethernet-like) interfaces can be used. For
inbound traffic, the MAC addresses of the gateway routers is used to
determine which provider a packet was received through. Note that
only routed traffic can be categorized using this technique.</para>
</listitem>
<listitem>
<para>You must specify the address on the interface that corresponds
to a particular provider in the INTERFACE column by following the
interface name with a colon (":") and the address.</para>
</listitem>
<listitem>
<para>Entries in <filename>/etc/shorewall/masq</filename> must be
qualified by the provider name (or number).</para>
</listitem>
<listitem>
<para>This feature requires Realm Match support in your kernel and
iptables.</para>
</listitem>
<listitem>
<para>You must add route_rules entries for networks that are
accessed through a particular provider.</para>
</listitem>
<listitem>
<para>If you have additional IP addresses through either provider,
you must add <filename>route_rules</filename> to direct traffic FROM
each of those addresses through the appropriate provider.</para>
</listitem>
<listitem>
<para>You must manually add MARK rules for traffic known to come
from each provider.</para>
</listitem>
</orderedlist>
<para>Example:</para>
<para>Providers <emphasis role="bold">Blarg</emphasis> (1) and <emphasis
role="bold">Avvanta</emphasis> (2) are both connected to eth0. The
firewall's IP address with <emphasis role="bold">Blarg</emphasis> is
206.124.146.176/24 (gateway 206.124.146.254) and the IP address from
<emphasis role="bold">Avvanta</emphasis> is 130.252.144.8/24 (gateway
130.252.144.254). We have a second IP address (206.124.146.177) from
<emphasis role="bold">Blarg</emphasis>.</para>
<para>/etc/shorewall/providers:<programlisting>#PROVIDER NUMBER MARK DUPLICATE INTERFACE GATEWAY
Blarg 1 1 main eth0:206.124.146.176 206.124.146.254 ...
Avvanta 2 2 main eth0:130.252.144.8 130.252.144.254 ... </programlisting></para>
<para>/etc/shorewall/masq:<programlisting>#INTERFACE SOURCE ADDRESS
eth0(Blarg) 130.252.144.8 206.124.146.176
eth0(Avvanta) 206.124.146.176 130.252.144.8
eth0(Blarg) eth1 206.124.146.176
eth0(Avvanta) eth1 130.252.144.8 </programlisting>
/etc/shorewall/route_rules:</para>
<programlisting>#SOURCE DEST PROVIDER PRIORITY
- 206.124.146.0/24 Blarg 1000
- 130.252.144.0/24 Avvanta 1000
206.124.146.177 - Blarg 26000</programlisting>
<para>/etc/shorewall/tcrules:<programlisting>#MARK/CLASSIFY SOURCE DEST PROTO
1:P eth0:206.124.146.0/24 0.0.0.0/0
2:P eth0:130.252.144.8/24 0.0.0.0/0</programlisting></para>
</section>
</section> </section>
</article> </article>
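Review bot: the second tcrules entry "2:P eth0:130.252.144.8/24" combines the firewall's host address with a /24 prefix; the route_rules entry above it and the Blarg line both use the network, so this should be eth0:130.252.144.0/24 (iptables accepts a host address with a /24 mask, but it reads as a mistake and differs from the release-notes copy). Two smaller points in the same section: in item a) "the MAC addresses of the gateway routers is used" should be "are used", and the opening sentence says the feature needs Shorewall-perl 4.1.2 while the release-notes hunk in this commit says 4.1.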