Add ROUTE_BALANCE support

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8596 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall-common/changelog.txt

@@ -4,6 +4,8 @@ Changes in 4.2.0-Beta3
 
 2)  Don't assume -f in /etc/init.d/shorewall-lite
 
+3)  Implement ROUTE_BALANCE
+
 Changes in 4.2.0-Beta2
 
 1)  Only issue a warning on RFC 1918 violation.

Shorewall-common/releasenotes.txt

@@ -92,6 +92,39 @@ Other Changes in Shoreall 4.2.0 Beta 3.
     default for '/etc/init.d/shorewall start'. Beginning with 4.0.13
     and 4.2.0-Beta3, this is also true for Shoreawall-lite.
 
+2)  A new ROUTE_BALANCE option has been added to shorewall.conf. When
+    set to 'Yes', it causes the Shorewall multi-ISP feature to create
+    a different set of routing rules which are resilient to changes in
+    the main routing table. Such changes can occur for a number of
+    reasons,  VPNs going up and down being an example.
+
+    The idea is to send packets through the main table prior to
+    applying any of the Shorewall-generated routing rules. So changes
+    to the main table will affect the routing of packets by default. 
+
+    When ROUTE_BALANCE=Yes:
+
+    a) Both the DUPLICATE and the COPY columns in the providers file
+       must remain empty (or contain "-").
+
+    b) The 'balance' option is assumed for all interfaces except those
+       specified as 'loose'.
+
+    c) The default route is added to the the 'default' table rather
+       than to the main table.
+
+    d) Packets are sent through the main routing table by a rule with
+       priority 999. In /etc/shorewall/routing_rules, the range 1-998
+       may be used for inserting rules that bypass the main table.
+
+    e) All provider gateways must be specified explicitly in the
+       GATEWAY column. 'detect' may not be specified.
+
+    f) You should disable all default route management outside of 
+       Shorewall. If a default route is added to the mail table while
+       Shorewall is started, then all policy routing will stop working
+       (except for those routing rules in the priority range 1-998).
+
 New Features in Shorewall 4.2.
 
 1)  Shorewall 4.2 contains support for multiple Internet providers

Shorewall-common/shorewall.conf

@@ -184,6 +184,8 @@ AUTO_COMMENT=Yes
 
 MANGLE_ENABLED=Yes
 
+ROUTING_NG=No
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Shorewall-perl/Shorewall/Config.pm

@@ -366,6 +366,7 @@ sub initialize() {
 		AUTO_COMMENT => undef ,
 		MANGLE_ENABLED => undef ,
 		NULL_ROUTE_RFC1918 => undef ,
+		ROUTE_BALANCE => undef ,
 		#
 		# Packet Disposition
 		#
@@ -1912,6 +1913,7 @@ sub get_configuration( $ ) {
     default_yes_no 'MARK_IN_FORWARD_CHAIN'      , '';
     default_yes_no 'MANGLE_ENABLED'             , 'Yes';
     default_yes_no 'NULL_ROUTE_RFC1918'         , '';
+    default_yes_no 'ROUTE_BALANCE'              , '';
     
     $capabilities{XCONNMARK} = '' unless $capabilities{XCONNMARK_MATCH} and $capabilities{XMARK};
 

Shorewall-perl/Shorewall/Providers.pm

@@ -228,6 +228,7 @@ sub add_a_provider( $$$$$$$$ ) {
     emit "echo \"qt ip route flush table $number\" >> \${VARDIR}/undo_routing";
 
     if ( $gateway eq 'detect' ) {
+	fatal_error "'detect' is not allowed with ROUTE_BALANCE=Yes" if $config{ROUTE_BALANCE};
 	$gateway = get_interface_gateway $interface;
     } elsif ( $gateway && $gateway ne '-' ) {
 	validate_address $gateway, 0;
@@ -266,7 +267,7 @@ sub add_a_provider( $$$$$$$$ ) {
 	     );
     }
 
-    my ( $loose, $track, $balance , $optional, $mtu ) = (0,0,0,interface_is_optional( $interface ), '' );
+    my ( $loose, $track, $balance , $optional, $mtu ) = (0,0,$config{ROUTE_BALANCE} ? 1 : 0,interface_is_optional( $interface ), '' );
 
     unless ( $options eq '-' ) {
 	for my $option ( split_list $options, 'option' ) {
@@ -278,6 +279,7 @@ sub add_a_provider( $$$$$$$$ ) {
 		$balance = 1;
 	    } elsif ( $option eq 'loose' ) {
 		$loose   = 1;
+		$balance = 0 if $config{ROUTE_BALANCE};
 	    } elsif ( $option eq 'optional' ) {
 		set_interface_option $interface, 'optional', 1;
 		$optional = 1;
@@ -322,6 +324,7 @@ sub add_a_provider( $$$$$$$$ ) {
     }
 
     if ( $duplicate ne '-' ) {
+	fatal_error "The DUPLICATE column must be empty when ROUTE_BALANCE=Yes" if $config{ROUTE_BALANCE};
 	if ( $copy eq '-' ) {
 	    copy_table ( $duplicate, $number, $realm );
 	} else {
@@ -334,6 +337,7 @@ sub add_a_provider( $$$$$$$$ ) {
 	    copy_and_edit_table( $duplicate, $number ,$copy , $realm);
 	}
     } else {
+	fatal_error "The COPY column must be empty when ROUTE_BALANCE=Yes" if $config{ROUTE_BALANCE} && $copy ne '-';
 	fatal_error 'A non-empty COPY column requires that a routing table be specified in the DUPLICATE column' if $copy ne '-';
     }
 
@@ -523,10 +527,21 @@ sub setup_providers() {
 
     if ( $providers ) {
 	if ( $balance ) {
-	    emit  ( 'if [ -n "$DEFAULT_ROUTE" ]; then' );
+	    my $table = 254; # Main
 
-	    emit  ( '    run_ip route replace default scope global $DEFAULT_ROUTE',
+	    if ( $config{ROUTE_BALANCE} ) {
-		    "    progress_message \"Default route '\$(echo \$DEFAULT_ROUTE | sed 's/\$\\s*//')' Added\"",
+		emit ( 'run_ip rule add from all table 254 pref 999',
+		       'ip rule del from all table 254 pref 32766',
+		       'echo "qt ip rule add from all table 254 pref 32766" >> ${VARDIR}/undo_routing',
+		       'echo "qt ip rule del from all table 254 pref 999" >> ${VARDIR}/undo_routing',
+		       '' );
+		$table = 253; # Default
+	    }
+
+	    emit  ( 'if [ -n "$DEFAULT_ROUTE" ]; then' );
+	    emit  ( "    run_ip route replace default scope global table $table \$DEFAULT_ROUTE" );
+	    emit  ( '    qt ip route del default table 254' ) if $config{ROUTE_BALANCE};
+	    emit  ( "    progress_message \"Default route '\$(echo \$DEFAULT_ROUTE | sed 's/\$\\s*//')' Added\"",
 		    'else',
 		    '    error_message "WARNING: No Default route added (all \'balance\' providers are down)"',
 		    '    restore_default_route',

manpages/shorewall.conf.xml

@@ -463,6 +463,21 @@
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><emphasis role="bold">DISABLE_IPV6=</emphasis>[<emphasis
+        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
+
+        <listitem>
+          <para>If set to <emphasis role="bold">Yes</emphasis> or <emphasis
+          role="bold">yes</emphasis>, IPv6 traffic to, from and through the
+          firewall system is disabled. If set to <emphasis
+          role="bold">No</emphasis> or <emphasis role="bold">no</emphasis>,
+          Shorewall will take no action with respect to allowing or
+          disallowing IPv6 traffic. If not specified or empty,
+          “DISABLE_IPV6=No” is assumed.</para>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><emphasis
         role="bold">DONT_LOAD=</emphasis>[<emphasis>module</emphasis>[,<emphasis>module</emphasis>]...]</term>