diff --git a/Shorewall-common/changelog.txt b/Shorewall-common/changelog.txt index a6011f883..ffb69fc78 100644 --- a/Shorewall-common/changelog.txt +++ b/Shorewall-common/changelog.txt @@ -15,6 +15,8 @@ Changes in 4.1.5 7) Generate an error when mac match is used in the POSTROUTING or OUTPUT chains. +8) Add 'BROKEN_ROUTING' option. + Changes in 4.1.4 1) Fix do_test() to accept 0 and to use the same mask as diff --git a/Shorewall-common/releasenotes.txt b/Shorewall-common/releasenotes.txt index 35e8f9451..5d29fdb65 100644 --- a/Shorewall-common/releasenotes.txt +++ b/Shorewall-common/releasenotes.txt @@ -108,6 +108,18 @@ New Features in 4.1.5. 3) The /usr/share/shorewall/modules file has been updated to reflect module renaming in kernel 2.6.25. +4) Some users are experiencing 'File Exists' errors when Shorewall + executes 'ip route replace' commands. I consider this a bug in + either kernel 2.6.24 or in iproute2 but until the issue is + resolved, I've added a hack to work around the problem. + + If you are experiencing these problems then add the following line + to your shorewall.conf file: + + BROKEN_ROUTING=Yes + + Note: This hack is only available in Shorewall-perl. + 4) Shorewall-perl now generates an error when a MAC address appears in a traffic shaping rule in the OUTPUT or POSTROUTING chains. diff --git a/Shorewall-perl/Shorewall/Config.pm b/Shorewall-perl/Shorewall/Config.pm index 5c995b3dd..a9a0288b3 100644 --- a/Shorewall-perl/Shorewall/Config.pm +++ b/Shorewall-perl/Shorewall/Config.pm @@ -352,6 +352,7 @@ sub initialize() { DELETE_THEN_ADD => undef, MULTICAST => undef, DONT_LOAD => '', + BROKEN_ROUTING => '', # # Packet Disposition # @@ -1878,6 +1879,7 @@ sub get_configuration( $ ) { default_yes_no 'EXPAND_POLICIES' , ''; default_yes_no 'KEEP_RT_TABLES' , ''; default_yes_no 'DELETE_THEN_ADD' , 'Yes'; + default_yes_no 'BROKEN_ROUTING' , ''; default_yes_no 'MULTICAST' , ''; default_yes_no 'MARK_IN_FORWARD_CHAIN' , ''; 
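Review bot: The new `BROKEN_ROUTING` entry in the `initialize()` defaults hash (hunk at -352) carries no comment, so nothing in the code records that it is a temporary workaround rather than a real routing mode; the release notes in this same commit call it a hack pending a kernel or iproute2 fix. I'd write `BROKEN_ROUTING => '', # workaround for 'File exists' from 'ip route replace' (releasenotes 4.1.5); retire once fixed upstream` so the option can be removed deliberately later. The two hunks also insert the option at different positions (after `DONT_LOAD` in the defaults, between `DELETE_THEN_ADD` and `MULTICAST` in `get_configuration`); keeping the same order in both lists makes them easier to audit against each other. Both `initialize()` and `get_configuration()` extend beyond their hunks.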
diff --git a/Shorewall-perl/Shorewall/Providers.pm b/Shorewall-perl/Shorewall/Providers.pm index f671999fc..d2cff44a4 100644 --- a/Shorewall-perl/Shorewall/Providers.pm +++ b/Shorewall-perl/Shorewall/Providers.pm @@ -339,7 +339,12 @@ sub add_a_provider( $$$$$$$$ ) { if ( $gateway ) { $address = get_interface_address $interface unless $address; - emit "run_ip route replace $gateway src $address dev $interface ${mtu}table $number $realm"; + if ( $config{BROKEN_ROUTING} ) { + emit "qt ip route delete $gateway table $number"; + emit "run_ip route add $gateway src $address dev $interface ${mtu}table $number $realm"; + } else { + emit "run_ip route replace $gateway src $address dev $interface ${mtu}table $number $realm"; + } emit "run_ip route add default via $gateway dev $interface table $number $realm"; } @@ -509,9 +514,16 @@ sub setup_providers() { if ( $providers ) { if ( $balance ) { - emit ( 'if [ -n "$DEFAULT_ROUTE" ]; then', - ' run_ip route replace default scope global $DEFAULT_ROUTE', - " progress_message \"Default route '\$(echo \$DEFAULT_ROUTE | sed 's/\$\\s*//')' Added\"", + emit ( 'if [ -n "$DEFAULT_ROUTE" ]; then' ); + + if ( $config{BROKEN_ROUTING} ) { + emit( ' run_ip route del default' ); + emit( ' run_ip route add default scope global $DEFAULT_ROUTE' ); + } else { + emit( ' run_ip route replace default scope global $DEFAULT_ROUTE' ); + } + + emit ( " progress_message \"Default route '\$(echo \$DEFAULT_ROUTE | sed 's/\$\\s*//')' Added\"", 'else', ' error_message "WARNING: No Default route added (all \'balance\' providers are down)"', ' restore_default_route', diff --git a/Shorewall-perl/Shorewall/Proxyarp.pm b/Shorewall-perl/Shorewall/Proxyarp.pm index 280ff633c..688ab8efc 100644 --- a/Shorewall-perl/Shorewall/Proxyarp.pm +++ b/Shorewall-perl/Shorewall/Proxyarp.pm 
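Review bot: In the BROKEN_ROUTING branch of `add_a_provider` the `qt ip route delete $gateway table $number` line silences every failure of the delete, not only the expected "route does not exist yet" case, and nothing says that is intended; a comment such as `# the route may not exist yet; ignore delete failures, the add below reports real errors` would make the contract clear. Note also that delete followed by add is not atomic the way `replace` is, so table $number briefly has no route to $gateway; that is presumably harmless while the table is being built, but it is worth stating next to the branch. The same three-way branch is repeated in `setup_providers` (second hunk) and in `setup_one_proxy_arp` in Proxyarp.pm, and the copies already differ in whether the delete is silenced, so emitting the two forms from one shared helper would keep them from drifting further. `add_a_provider` continues outside the hunk.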
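Review bot: In `setup_providers` the BROKEN_ROUTING path emits `run_ip route del default` without `qt`, unlike the provider and proxy-ARP hunks, so when `$DEFAULT_ROUTE` is set but the main table currently holds no default route (a state the `restore_default_route` call in the else branch suggests can occur) the delete fails and, assuming `run_ip` aborts the generated script on error as the `qt`/`run_ip` split implies, startup stops where the old `replace` would have succeeded. `emit( '    qt ip route del default' );` matches the other two call sites. Separately, the delete now runs unconditionally before the add, so a failing `ip route add default` leaves the host with no default route at all instead of the previous one; if that trade-off is accepted it deserves a comment on the `if ( $config{BROKEN_ROUTING} )` line. `setup_providers` continues outside the hunk.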
@@ -76,7 +76,14 @@ sub setup_one_proxy_arp( $$$$$ ) { } unless ( $haveroute ) { - emit "[ -n \"\$NOROUTES\" ] || run_ip route replace $address dev $interface"; + + if ( $config{BROKEN_ROUTING} ) { + emit "[ -n \"\$NOROUTES\" ] || qt ip route del $address"; + emit "[ -n \"\$NOROUTES\" ] || run_ip route add $address dev $interface"; + } else { + emit "[ -n \"\$NOROUTES\" ] || run_ip route replace $address dev $interface"; + } + $haveroute = 1 if $persistent; }