diff --git a/Shorewall-common/releasenotes.txt b/Shorewall-common/releasenotes.txt
index c122f0827..6990ce44a 100644
--- a/Shorewall-common/releasenotes.txt
+++ b/Shorewall-common/releasenotes.txt
@@ -121,7 +121,7 @@ Other Changes in Shoreall 4.2.0 Beta 3.
GATEWAY column. 'detect' may not be specified.
f) You should disable all default route management outside of
- Shorewall. If a default route is added to the mail table while
+ Shorewall. If a default route is added to the main table while
Shorewall is started, then all policy routing will stop working
(except for those routing rules in the priority range 1-998).
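Review bot: the hunk header's context line still reads "Other Changes in Shoreall 4.2.0 Beta 3." with "Shorewall" misspelled, a typo of the same kind as the "mail table" one corrected here; since the file is already being touched, fixing that heading in the same commit would be cheaper than a follow-up. The "mail" to "main" correction itself is right: the sentence describes the main routing table (254), and the parallel text added to docs/MultiISP.xml in this change says "main table".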
diff --git a/docs/MultiISP.xml b/docs/MultiISP.xml
index c4600cc26..4e6d46851 100644
--- a/docs/MultiISP.xml
+++ b/docs/MultiISP.xml
@@ -960,12 +960,12 @@ gateway:~ #Note that because we used a priority of 1000, the
test for eth1 is inserted
before the fwmark tests.
- Example 2: You use OpenVPN
- (routed setup w/tunX) in combination with multiple providers. In this
- case you have to set up a rule to ensure that the OpenVPN traffic is
- routed back through the tunX interface(s) rather than through any of
- the providers. 10.8.0.0/24 is the subnet choosen in your OpenVPN
- configuration (server 10.8.0.0 255.255.255.0).
+ Example 2: You use
+ OpenVPN (routed setup w/tunX) in combination with multiple providers.
+ In this case you have to set up a rule to ensure that the OpenVPN
+ traffic is routed back through the tunX interface(s) rather than
+ through any of the providers. 10.8.0.0/24 is the subnet choosen in
+ your OpenVPN configuration (server 10.8.0.0 255.255.255.0).#SOURCE DEST PROVIDER PRIORITY
- 10.8.0.0/24 main 1000
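Review bot: the rewrap carries the existing typo "choosen" into the new text ("10.8.0.0/24 is the subnet choosen in your OpenVPN configuration"); while the paragraph is being reflowed anyway, change it to "chosen". Note also that the hunk removes the route_rules example line "10.8.0.0/24 main 1000" without a visible replacement; if that removal is only an artifact of how the paragraph and the following programlisting were rejoined, please confirm the example row still appears in the rendered document, since the surrounding prose ("you have to set up a rule") depends on it.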
@@ -1050,4 +1050,82 @@ eth0(Avvanta) eth1 130.252.144.8
2:P eth0:130.252.144.8/24 0.0.0.0/0
+
+
+ ROUTE_BALANCE (Experimental)
+
+ Beginning with Shorewall 4.2.0 Beta3, Shorewall-perl has supported a
+ ROUTE_BALANCE option in shorewall.conf (5).
+
+ ROUTE_BALANCE=Yes is marked as Experimental currently. This means
+ that it is a 'use at your own risk' feature; if you encounter problems,
+ the Shorewall support staff may not be able to provide you with a quick
+ solution.
+
+ One of the drawbacks of the Mulit-ISP support as described in the
+ preceding section is that changes to the main table made by applications
+ are not added to the individual provider tables. This makes route rules
+ such as described in one of the examples
+ above necessary.
+
+ ROUTE_BALANCE=Yes works around that problem by passing packets
+ through the main table first rather than last. This has a number of
+ implications:
+
+
+
+ Both the DUPLICATE and the COPY columns in the providers file
+ must remain empty or contain "-". The individual provider routing
+ tables generated when ROUTE_BALANCE=Yes contain only a host route to
+ the gateway and a default route via the gateway.
+
+
+
+ The balance option is assumed for all interfaces that do not
+ have the loose option.
+
+
+
+ The default route generated by Shorewall is added to the
+ default routing table (253) rather than to the
+ main routing table (254).
+
+
+
+ Packets are sent through the main routing table by a routing
+ rule with priority 999. In ), the priority range 1-998 may be used for
+ inserting rules that bypass the main table.
+
+
+
+ All provider gateways must be specified explicitly in the
+ GATEWAY column. 'detect' may not be specified. Note that for ppp
+ interfaces, the GATEWAY may remain unspecified ("-").
+
+
+
+ You should disable all default route management outside of
+ Shorewall. If a default should be added to the main table while
+ Shorewall is started, then all policy routing will stop working except
+ for those routing rules in the priority range 1-998.
+
+
+
+ Although 'balance' is automatically assumed when ROUTE_BALANCE=Yes,
+ you can easily cause all traffic to use one provider except when you
+ explicitly direct it to use the other provider via shorewall-route_rules
+ (5) or shorewall-tcrules
+ (5).
+
+ Example (send all traffic through the 'shorewall' provider unless
+ otherwise directed).
+
+ /etc/shorewall/providers:#NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS
+linksys 1 1 - wlan0 172.20.1.1 track,balance=1,optional
+shorewall 2 2 - eth0 192.168.1.254 track,balance=2,optional/etc/shorewall/rules:#SOURCE DEST PROVIDER PRIORITY
+- - shorewall 11999
+
\ No newline at end of file
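Review bot: several defects in the new ROUTE_BALANCE section need fixing before merge. "In ), the priority range 1-998 may be used" has lost its cross-reference target and reads as a broken sentence; either restore the reference or drop "In )". "If a default should be added to the main table" should read "If a default route is added to the main table", matching the wording this same commit corrects in Shorewall-common/releasenotes.txt. "Mulit-ISP" should be "Multi-ISP". In the example, the second listing is labelled "/etc/shorewall/rules:" but its header "#SOURCE DEST PROVIDER PRIORITY" is the layout of the route_rules file, and the paragraph above points the reader at shorewall-route_rules(5); the label should be "/etc/shorewall/route_rules:". The PRIORITY value "11999" in that row also looks wrong given that the text describes the main table being consulted at priority 999 and the range 1-998 for bypass rules; please double-check the intended number. Finally, the file is left without a trailing newline ("\ No newline at end of file"), which will produce noise in the next diff.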
diff --git a/manpages/shorewall.conf.xml b/manpages/shorewall.conf.xml
index 24fdc5d42..2215c923e 100644
--- a/manpages/shorewall.conf.xml
+++ b/manpages/shorewall.conf.xml
@@ -1353,6 +1353,30 @@ net all DROP infothen the chain name is 'net2all'
+
+ ROUTE_FILTER=[Yes|No|Keep]
+
+
+ If this parameter is given the value Yes or yes
+ then route filtering (anti-spoofing) is enabled on all network
+ interfaces which are brought up while Shorewall is in the started
+ state. The default value is no.
+
+ The value Keep is only
+ allowed under Shorewall-perl. It causes Shorewall to ignore the
+ option. If the option is set to Yes, then route filtering occurs on all
+ interfaces. If the option is set to No, then route filtering is disabled on all
+ interfaces except those specified in shorewall-interfaces(5).
+
+
+
SAVE_IPSETS={Yes|No}
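Review bot: the two paragraphs describing ROUTE_FILTER contradict each other and should be reconciled. The first says route filtering is enabled on "all network interfaces which are brought up while Shorewall is in the started state" and that "the default value is no", while the second says Yes filters "all interfaces" and No disables filtering on all interfaces "except those specified in shorewall-interfaces(5)"; state once, and consistently, what Yes, No and Keep each do, and whether the per-interface routefilter setting in shorewall-interfaces(5) still applies under Yes. The heading "ROUTE_FILTER=[Yes|No|Keep]" also uses square brackets where the neighbouring entry uses "SAVE_IPSETS={Yes|No}"; use the same brace style. Separately, docs/MultiISP.xml in this change describes ROUTE_BALANCE as "a ROUTE_BALANCE option in shorewall.conf (5)", but this hunk documents only ROUTE_FILTER; if ROUTE_BALANCE is not already described elsewhere in this man page, it needs an entry here.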