mirror of https://gitlab.com/shorewall/code.git synced 2025-01-01 19:19:10 +01:00

Documentation and error message tweaks

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@7894 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2007-12-10 22:53:20 +00:00
parent 528ed44682
commit 954c1f00ba
5 changed files with 103 additions and 17 deletions
Shorewall-common
Shorewall-perl/Shorewall
docs

View File

@ -62,7 +62,7 @@ New Features in Shorewall 4.1.
d) This feature requires Realm Match support in your kernel and
iptables. If you use a capabilities file, you need to regenerate
the file with Shorewall 4.0.6 or Shorewall-lite 4.0.6.
the file with Shorewall 4.1 or Shorewall-lite 4.1.
e) You must add route_rules entries for networks that are accessed
through a particular provider.
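Review bot: the corrected version in the replacement line ("Shorewall 4.1 or Shorewall-lite 4.1") should be checked against the new Shared section added to the docs in this same commit, which says shared-interface support is available only in Shorewall-perl 4.1.2 and later; if the capabilities file has to be generated by a release that actually has the feature, say 4.1.2 here as well, otherwise add a few words on why 4.1 suffices.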
@ -71,6 +71,9 @@ New Features in Shorewall 4.1.
you must add route_rules to direct traffic FROM each of those
addresses through the appropriate provider.
g) You must add MARK rules for any traffic that you know originates
from a particular provider.
Example:
Providers Blarg (1) and Avvanta (2) are both connected to
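Review bot: item g) tells the reader that MARK rules are required but not where they go; since the example that follows uses /etc/shorewall/tcrules, name the file here ("add MARK rules in /etc/shorewall/tcrules") and say what they classify (inbound traffic from each provider's network) rather than the looser "traffic that you know originates from a particular provider".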
@ -100,6 +103,12 @@ New Features in Shorewall 4.1.
- 130.252.144.0/24 Avvanta 1000
206.124.146.177 - Blarg 26000
/etc/shorewall/tcrules
#MARK/CLASSIFY SOURCE DEST
1 eth0:206.124.146.0/24 0.0.0.0/0
2 eth0:130.242.144.0/24 0.0.0.0/0
2) You may now include the name of a table (nat, mangle or filter) in
a 'shorewall refresh' command by following the table name with a
colon (e.g., mangle:). This causes all non-builtin chains in the
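Review bot: the second tcrules line marks eth0:130.242.144.0/24 while the route_rules entry two lines above gives Avvanta's network as 130.252.144.0/24; one of the two is a typo (130.242 vs 130.252), and with the wrong network the MARK rule would never match inbound Avvanta traffic. Also, the docs copy of this example in the same commit writes the marks as 1:P and 2:P; the two examples should agree on whether the :P suffix is needed.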

View File

@ -1590,7 +1590,7 @@ sub interface_nets( $ ) {
}
#
# Record that the ruleset requires the first IP address on the passed interface
# Record that the ruleset requires the networks routed out of the passed interface
#
sub get_interface_nets ( $ ) {
my ( $interface ) = $_[0];

View File

@ -299,7 +299,7 @@ sub add_a_provider( $$$$$$$$ ) {
if ( $routemarked_interfaces{$interface} ) {
fatal_error "Interface $interface is tracked through an earlier provider" if $routemarked_interfaces{$interface} > 1;
fatal_error "Multiple providers through the same interface must have the 'share' option" unless $shared;
fatal_error "Multiple providers through the same interface must their IP address specified in the INTERFACES" unless $shared;
} else {
$routemarked_interfaces{$interface} = $shared ? 1 : 2;
push @routemarked_interfaces, $interface;
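Review bot: the new fatal_error message is ungrammatical and names the wrong column: "must their IP address specified in the INTERFACES" should read "must have their IP address specified in the INTERFACE column" (the documentation hunk in this commit calls it the INTERFACE column). Note also that the old and new messages sit behind the same `unless $shared` guard, so the text now claims an address is missing while the code only tests $shared; if $shared is now derived from the presence of an address in the INTERFACE column, a comment where it is set would make that connection clear.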

View File

@ -148,12 +148,14 @@ ACCEPT - - tcp 135,139,445
</listitem>
</orderedlist>
<para>Shorewall supports default actions for the ACCEPT, REJECT, DROP and
QUEUE policies. These default actions are specified in the
<para>Shorewall supports default actions for the ACCEPT, REJECT, DROP,
QUEUE and NFQUEUE policies. These default actions are specified in the
/etc/shorewall/shorewall.conf file using the ACCEPT_DEFAULT,
REJECT_DEFAULT, DROP_DEFAULT and QUEUE_DEFAULT options respectively.
Policies whose default is set to a value of "none" have no default
action.</para>
REJECT_DEFAULT, DROP_DEFAULT, QUEUE_DEFAULT and NFQUEUE_DEFAULT options
respectively. Policies whose default is set to a value of "none" have no
default action.</para>
<para></para>
<para>In addition, the default specified in /etc/shorewall/shorewall.conf
may be overridden by specifying a different default in the POLICY column

View File

@ -251,15 +251,12 @@
<term>INTERFACE</term>
<listitem>
<para>The name of the interface to the provider.</para>
<caution>
<para>The Shorewall implementation of Multi-ISP support requires
that each provider has its own interface -- and remember that
"virtual interfaces" (e.g., eth0:0) are <ulink
url="Shorewall_and_Aliased_Interfaces.html">not
interfaces</ulink>.</para>
</caution>
<para>The name of the interface to the provider. Where multiple
providers share the same interface (which is not recommended), you
must follow the name of the interface by a colon (":") and the IP
address assigned by this provider (e.g., eth0:206.124.146.176).
See <link linkend="Shared">below</link> for additional
considerations.</para>
</listitem>
</varlistentry>
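Review bot: dropping the caution removes the warning that aliases such as eth0:0 are not interfaces, and the new eth0:206.124.146.176 syntax looks exactly like an alias name, so readers are likely to confuse the two; keep one sentence saying that what follows the colon is an IP address rather than an alias label and that virtual interfaces are still not accepted (the old ulink to Shorewall_and_Aliased_Interfaces.html could remain for that).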
@ -932,5 +929,83 @@ gateway:~ #</programlisting>Note that because we used a priority of 1000, the
- 10.8.0.0/24 main 1000</programlisting>
</section>
</section>
<section id="Shared">
<title>Two Providers Sharing an Interface</title>
<para>Shared interface support is available only in Shorewall-perl 4.1.2
and later.</para>
<orderedlist numeration="loweralpha">
<listitem>
<para>Only ethernet (or ethernet-like) interfaces can be used. For
inbound traffic, the MAC addresses of the gateway routers is used to
determine which provider a packet was received through. Note that
only routed traffic can be categorized using this technique.</para>
</listitem>
<listitem>
<para>You must specify the address on the interface that corresponds
to a particular provider in the INTERFACE column by following the
interface name with a colon (":") and the address.</para>
</listitem>
<listitem>
<para>Entries in <filename>/etc/shorewall/masq</filename> must be
qualified by the provider name (or number).</para>
</listitem>
<listitem>
<para>This feature requires Realm Match support in your kernel and
iptables.</para>
</listitem>
<listitem>
<para>You must add route_rules entries for networks that are
accessed through a particular provider.</para>
</listitem>
<listitem>
<para>If you have additional IP addresses through either provider,
you must add <filename>route_rules</filename> to direct traffic FROM
each of those addresses through the appropriate provider.</para>
</listitem>
<listitem>
<para>You must manually add MARK rules for traffic known to come
from each provider.</para>
</listitem>
</orderedlist>
<para>Example:</para>
<para>Providers <emphasis role="bold">Blarg</emphasis> (1) and <emphasis
role="bold">Avvanta</emphasis> (2) are both connected to eth0. The
firewall's IP address with <emphasis role="bold">Blarg</emphasis> is
206.124.146.176/24 (gateway 206.124.146.254) and the IP address from
<emphasis role="bold">Avvanta</emphasis> is 130.252.144.8/24 (gateway
130.252.144.254). We have a second IP address (206.124.146.177) from
<emphasis role="bold">Blarg</emphasis>.</para>
<para>/etc/shorewall/providers:<programlisting>#PROVIDER NUMBER MARK DUPLICATE INTERFACE GATEWAY
Blarg 1 1 main eth0:206.124.146.176 206.124.146.254 ...
Avvanta 2 2 main eth0:130.252.144.8 130.252.144.254 ... </programlisting></para>
<para>/etc/shorewall/masq:<programlisting>#INTERFACE SOURCE ADDRESS
eth0(Blarg) 130.252.144.8 206.124.146.176
eth0(Avvanta) 206.124.146.176 130.252.144.8
eth0(Blarg) eth1 206.124.146.176
eth0(Avvanta) eth1 130.252.144.8 </programlisting>
/etc/shorewall/route_rules:</para>
<programlisting>#SOURCE DEST PROVIDER PRIORITY
- 206.124.146.0/24 Blarg 1000
- 130.252.144.0/24 Avvanta 1000
206.124.146.177 - Blarg 26000</programlisting>
<para>/etc/shorewall/tcrules:<programlisting>#MARK/CLASSIFY SOURCE DEST PROTO
1:P eth0:206.124.146.0/24 0.0.0.0/0
2:P eth0:130.252.144.8/24 0.0.0.0/0</programlisting></para>
</section>
</section>
</article>
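Review bot: the tcrules example uses eth0:130.252.144.8/24 (a host address with a /24 prefix) while the route_rules entry above it uses the network 130.252.144.0/24; write the network form in both places so the two listings are consistent and the MARK rule visibly covers the whole Avvanta range. Two smaller points: item (d) should also say that an existing capabilities file must be regenerated, as the release-notes hunk in this commit does; and in item (a) "the MAC addresses of the gateway routers is used" should read "are used".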