Clarify the relationship between ROUTE_FILTER and routefilter.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2013-07-27 08:09:23 -07:00
parent 36a4ef1676
commit bf15b859bc
2 changed files with 36 additions and 10 deletions

@ -624,10 +624,27 @@ loc eth2 -</programlisting>
the INTERFACE column.</para>
</note>
<para>This option can also be enabled globally in the <ulink
<para>This option can also be enabled globally via the
ROUTE_FILTER option in the <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5)
file.</para>
<important>
<para>If ROUTE_FILTER=Yes in <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5), or if
your distribution sets net.ipv4.conf.all.rp_filter=1 in
<filename>/etc/sysctl.conf</filename>, then setting
<emphasis role="bold">routefilter</emphasis>=0 in an
<replaceable>interface</replaceable> entry will not disable
route filtering on that
<replaceable>interface</replaceable>! The effective setting
for an <replaceable>interface</replaceable> is the maximum
of the contents of
<filename>/proc/sys/net/ipv4/conf/all/rp_filter</filename>
and the routefilter setting specified in this file
(/proc/sys/net/ipv4/conf/<replaceable>interface</replaceable>/rp_filter).</para>
</important>
<note>
<para>There are certain cases where
<option>routefilter</option> cannot be used on an

@ -478,7 +478,7 @@
facility has the drawback that the compiler will attempt to run a
non-script file just because it has the same name as a chain. To
disable this facility, set CHAIN_SCRIPTS=No. If not specified or
specified as the empty value, CHAIN_SCRIPTS=Yes is assumed. </para>
specified as the empty value, CHAIN_SCRIPTS=Yes is assumed.</para>
</listitem>
</varlistentry>
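Review bot: this hunk only strips the trailing space before </para> in the CHAIN_SCRIPTS text and is unrelated to the ROUTE_FILTER subject in the commit message; harmless, but whitespace-only edits like this one are easier to review when kept out of a documentation-content commit or mentioned in the message.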
@ -1927,9 +1927,9 @@ LOG:info:,bar net fw</programlisting>
<listitem>
<para>Rules with comments &lt;empty&gt;, "FOO" and "BAR"
would result in the combined comment "Others and FOO, BAR".
Note: Optimize level 16 requires "Extended Multi-port
Match" in your iptables and kernel.</para>
would result in the combined comment "Others and FOO,
BAR". Note: Optimize level 16 requires "Extended
Multi-port Match" in your iptables and kernel.</para>
</listitem>
</varlistentry>
</variablelist>
@ -2190,6 +2190,15 @@ LOG:info:,bar net fw</programlisting>
role="bold">No</emphasis>, then route filtering is disabled on all
interfaces except those specified in <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5).</para>
<important>
<para>If you need to disable route filtering on any interface,
then you must set ROUTE_FILTER=No then set routefilter=1 or
routefilter=2 on those interfaces where you want route filtering.
See <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
for additional details.</para>
</important>
</listitem>
</varlistentry>
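Review bot: the instruction "you must set ROUTE_FILTER=No then set routefilter=1 or routefilter=2" is incomplete on its own: the matching hunk in shorewall-interfaces(5) states that the effective value is the maximum of /proc/sys/net/ipv4/conf/all/rp_filter and the per-interface value, and that a distribution may set net.ipv4.conf.all.rp_filter=1 in /etc/sysctl.conf, so ROUTE_FILTER=No will not disable filtering on the interface if that sysctl entry remains. Suggest adding a sentence to that effect here, and changing "ROUTE_FILTER=No then set" to "ROUTE_FILTER=No and then set" for readability.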
@ -2625,11 +2634,11 @@ LOG:info:,bar net fw</programlisting>
<listitem>
<para>Added in Shorewall 4.4.27. Normally, when Shorewall creates a
Netfilter chain that relates to an interface, it uses the
interface's logical name as the base of the chain name. For
example, if the logical name for an interface is OAKLAND, then the
input chain for traffic arriving on that interface would be
'OAKLAND_in'. If this option is set to Yes, then the physical name
of the interface will be used the base of the chain name.</para>
interface's logical name as the base of the chain name. For example,
if the logical name for an interface is OAKLAND, then the input
chain for traffic arriving on that interface would be 'OAKLAND_in'.
If this option is set to Yes, then the physical name of the
interface will be used the base of the chain name.</para>
</listitem>
</varlistentry>
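Review bot: this hunk reflows the USE_PHYSICAL_NAMES paragraph without changing its wording, so it carries over the existing error in the last sentence, "the physical name of the interface will be used the base of the chain name" (missing "as"). Since the paragraph is being touched anyway, suggest "will be used as the base of the chain name".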