mirror of
https://gitlab.com/shorewall/code.git
synced 2025-02-22 20:51:15 +01:00
Add ROUTE_BALANCE support
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8596 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep
parent
04e6d01503
commit
b64ae44227
@ -4,6 +4,8 @@ Changes in 4.2.0-Beta3
|
||||
|
||||
2) Don't assume -f in /etc/init.d/shorewall-lite
|
||||
|
||||
3) Implement ROUTE_BALANCE
|
||||
|
||||
Changes in 4.2.0-Beta2
|
||||
|
||||
1) Only issue a warning on RFC 1918 violation.
|
||||
|
||||
@ -92,6 +92,39 @@ Other Changes in Shoreall 4.2.0 Beta 3.
|
||||
default for '/etc/init.d/shorewall start'. Beginning with 4.0.13
|
||||
and 4.2.0-Beta3, this is also true for Shoreawall-lite.
|
||||
|
||||
2) A new ROUTE_BALANCE option has been added to shorewall.conf. When
|
||||
set to 'Yes', it causes the Shorewall multi-ISP feature to create
|
||||
a different set of routing rules which are resilient to changes in
|
||||
the main routing table. Such changes can occur for a number of
|
||||
reasons, VPNs going up and down being an example.
|
||||
|
||||
The idea is to send packets through the main table prior to
|
||||
applying any of the Shorewall-generated routing rules. So changes
|
||||
to the main table will affect the routing of packets by default.
|
||||
|
||||
When ROUTE_BALANCE=Yes:
|
||||
|
||||
a) Both the DUPLICATE and the COPY columns in the providers file
|
||||
must remain empty (or contain "-").
|
||||
|
||||
b) The 'balance' option is assumed for all interfaces except those
|
||||
specified as 'loose'.
|
||||
|
||||
c) The default route is added to the the 'default' table rather
|
||||
than to the main table.
|
||||
|
||||
d) Packets are sent through the main routing table by a rule with
|
||||
priority 999. In /etc/shorewall/routing_rules, the range 1-998
|
||||
may be used for inserting rules that bypass the main table.
|
||||
|
||||
e) All provider gateways must be specified explicitly in the
|
||||
GATEWAY column. 'detect' may not be specified.
|
||||
|
||||
f) You should disable all default route management outside of
|
||||
Shorewall. If a default route is added to the mail table while
|
||||
Shorewall is started, then all policy routing will stop working
|
||||
(except for those routing rules in the priority range 1-998).
|
||||
|
||||
New Features in Shorewall 4.2.
|
||||
|
||||
1) Shorewall 4.2 contains support for multiple Internet providers
|
||||
|
||||
@ -184,6 +184,8 @@ AUTO_COMMENT=Yes
|
||||
|
||||
MANGLE_ENABLED=Yes
|
||||
|
||||
ROUTING_NG=No
|
||||
|
||||
###############################################################################
|
||||
# P A C K E T D I S P O S I T I O N
|
||||
###############################################################################
|
||||
|
||||
@ -366,6 +366,7 @@ sub initialize() {
|
||||
AUTO_COMMENT => undef ,
|
||||
MANGLE_ENABLED => undef ,
|
||||
NULL_ROUTE_RFC1918 => undef ,
|
||||
ROUTE_BALANCE => undef ,
|
||||
#
|
||||
# Packet Disposition
|
||||
#
|
||||
@ -1912,6 +1913,7 @@ sub get_configuration( $ ) {
|
||||
default_yes_no 'MARK_IN_FORWARD_CHAIN' , '';
|
||||
default_yes_no 'MANGLE_ENABLED' , 'Yes';
|
||||
default_yes_no 'NULL_ROUTE_RFC1918' , '';
|
||||
default_yes_no 'ROUTE_BALANCE' , '';
|
||||
|
||||
$capabilities{XCONNMARK} = '' unless $capabilities{XCONNMARK_MATCH} and $capabilities{XMARK};
|
||||
|
||||
|
||||
@ -228,6 +228,7 @@ sub add_a_provider( $$$$$$$$ ) {
|
||||
emit "echo \"qt ip route flush table $number\" >> \${VARDIR}/undo_routing";
|
||||
|
||||
if ( $gateway eq 'detect' ) {
|
||||
fatal_error "'detect' is not allowed with ROUTE_BALANCE=Yes" if $config{ROUTE_BALANCE};
|
||||
$gateway = get_interface_gateway $interface;
|
||||
} elsif ( $gateway && $gateway ne '-' ) {
|
||||
validate_address $gateway, 0;
|
||||
@ -266,7 +267,7 @@ sub add_a_provider( $$$$$$$$ ) {
|
||||
);
|
||||
}
|
||||
|
||||
my ( $loose, $track, $balance , $optional, $mtu ) = (0,0,0,interface_is_optional( $interface ), '' );
|
||||
my ( $loose, $track, $balance , $optional, $mtu ) = (0,0,$config{ROUTE_BALANCE} ? 1 : 0,interface_is_optional( $interface ), '' );
|
||||
|
||||
unless ( $options eq '-' ) {
|
||||
for my $option ( split_list $options, 'option' ) {
|
||||
@ -278,6 +279,7 @@ sub add_a_provider( $$$$$$$$ ) {
|
||||
$balance = 1;
|
||||
} elsif ( $option eq 'loose' ) {
|
||||
$loose = 1;
|
||||
$balance = 0 if $config{ROUTE_BALANCE};
|
||||
} elsif ( $option eq 'optional' ) {
|
||||
set_interface_option $interface, 'optional', 1;
|
||||
$optional = 1;
|
||||
@ -322,6 +324,7 @@ sub add_a_provider( $$$$$$$$ ) {
|
||||
}
|
||||
|
||||
if ( $duplicate ne '-' ) {
|
||||
fatal_error "The DUPLICATE column must be empty when ROUTE_BALANCE=Yes" if $config{ROUTE_BALANCE};
|
||||
if ( $copy eq '-' ) {
|
||||
copy_table ( $duplicate, $number, $realm );
|
||||
} else {
|
||||
@ -334,6 +337,7 @@ sub add_a_provider( $$$$$$$$ ) {
|
||||
copy_and_edit_table( $duplicate, $number ,$copy , $realm);
|
||||
}
|
||||
} else {
|
||||
fatal_error "The COPY column must be empty when ROUTE_BALANCE=Yes" if $config{ROUTE_BALANCE} && $copy ne '-';
|
||||
fatal_error 'A non-empty COPY column requires that a routing table be specified in the DUPLICATE column' if $copy ne '-';
|
||||
}
|
||||
|
||||
@ -523,10 +527,21 @@ sub setup_providers() {
|
||||
|
||||
if ( $providers ) {
|
||||
if ( $balance ) {
|
||||
emit ( 'if [ -n "$DEFAULT_ROUTE" ]; then' );
|
||||
my $table = 254; # Main
|
||||
|
||||
emit ( ' run_ip route replace default scope global $DEFAULT_ROUTE',
|
||||
" progress_message \"Default route '\$(echo \$DEFAULT_ROUTE | sed 's/\$\\s*//')' Added\"",
|
||||
if ( $config{ROUTE_BALANCE} ) {
|
||||
emit ( 'run_ip rule add from all table 254 pref 999',
|
||||
'ip rule del from all table 254 pref 32766',
|
||||
'echo "qt ip rule add from all table 254 pref 32766" >> ${VARDIR}/undo_routing',
|
||||
'echo "qt ip rule del from all table 254 pref 999" >> ${VARDIR}/undo_routing',
|
||||
'' );
|
||||
$table = 253; # Default
|
||||
}
|
||||
|
||||
emit ( 'if [ -n "$DEFAULT_ROUTE" ]; then' );
|
||||
emit ( " run_ip route replace default scope global table $table \$DEFAULT_ROUTE" );
|
||||
emit ( ' qt ip route del default table 254' ) if $config{ROUTE_BALANCE};
|
||||
emit ( " progress_message \"Default route '\$(echo \$DEFAULT_ROUTE | sed 's/\$\\s*//')' Added\"",
|
||||
'else',
|
||||
' error_message "WARNING: No Default route added (all \'balance\' providers are down)"',
|
||||
' restore_default_route',
|
||||
|
||||
@ -463,6 +463,21 @@
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">DISABLE_IPV6=</emphasis>[<emphasis
|
||||
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>If set to <emphasis role="bold">Yes</emphasis> or <emphasis
|
||||
role="bold">yes</emphasis>, IPv6 traffic to, from and through the
|
||||
firewall system is disabled. If set to <emphasis
|
||||
role="bold">No</emphasis> or <emphasis role="bold">no</emphasis>,
|
||||
Shorewall will take no action with respect to allowing or
|
||||
disallowing IPv6 traffic. If not specified or empty,
|
||||
“DISABLE_IPV6=No” is assumed.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis
|
||||
role="bold">DONT_LOAD=</emphasis>[<emphasis>module</emphasis>[,<emphasis>module</emphasis>]...]</term>
|
||||
|
||||
Loading…
Reference in New Issue
Block a user