From bf15b859bcd29719502c7e9f15ce44c4b9677204 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sat, 27 Jul 2013 08:09:23 -0700 Subject: [PATCH] Clarify the relationship between ROUTE_FILTER and routefilter. Signed-off-by: Tom Eastep --- Shorewall/manpages/shorewall-interfaces.xml | 19 ++++++++++++++- Shorewall/manpages/shorewall.conf.xml | 27 ++++++++++++++------- 2 files changed, 36 insertions(+), 10 deletions(-) diff --git a/Shorewall/manpages/shorewall-interfaces.xml b/Shorewall/manpages/shorewall-interfaces.xml index 6429defce..479a7941c 100644 --- a/Shorewall/manpages/shorewall-interfaces.xml +++ b/Shorewall/manpages/shorewall-interfaces.xml @@ -624,10 +624,27 @@ loc eth2 - the INTERFACE column. - This option can also be enabled globally in the This option can also be enabled globally via the + ROUTE_FILTER option in the shorewall.conf(5) file. + + If ROUTE_FILTER=Yes in shorewall.conf(5), or if + your distribution sets net.ipv4.conf.all.rp_filter=1 in + /etc/sysctl.conf, then setting + routefilter=0 in an + interface entry will not disable + route filtering on that + interface! The effective setting + for an interface is the maximum + of the contents of + /proc/sys/net/ipv4/conf/all/rp_filter + and the routefilter setting specified in this file + (/proc/sys/net/ipv4/conf/interface/rp_filter). + + There are certain cases where cannot be used on an diff --git a/Shorewall/manpages/shorewall.conf.xml b/Shorewall/manpages/shorewall.conf.xml index 5779d9a87..b840ff784 100644 --- a/Shorewall/manpages/shorewall.conf.xml +++ b/Shorewall/manpages/shorewall.conf.xml @@ -478,7 +478,7 @@ facility has the drawback that the compiler will attempt to run a non-script file just because it has the same name as a chain. To disable this facility, set CHAIN_SCRIPTS=No. If not specified or - specified as the empty value, CHAIN_SCRIPTS=Yes is assumed. + specified as the empty value, CHAIN_SCRIPTS=Yes is assumed. 
@@ -1927,9 +1927,9 @@ LOG:info:,bar net fw Rules with comments <empty>, "FOO" and "BAR" - would result in the combined comment "Others and FOO, BAR". - Note: Optimize level 16 requires "Extended Multi-port - Match" in your iptables and kernel. + would result in the combined comment "Others and FOO, + BAR". Note: Optimize level 16 requires "Extended + Multi-port Match" in your iptables and kernel. @@ -2190,6 +2190,15 @@ LOG:info:,bar net fw role="bold">No, then route filtering is disabled on all interfaces except those specified in shorewall-interfaces(5). + + + If you need to disable route filtering on any interface, + then you must set ROUTE_FILTER=No then set routefilter=1 or + routefilter=2 on those interfaces where you want route filtering. + See shorewall-interfaces(5) + for additional details. + @@ -2625,11 +2634,11 @@ LOG:info:,bar net fw Added in Shorewall 4.4.27. Normally, when Shorewall creates a Netfilter chain that relates to an interface, it uses the - interface's logical name as the base of the chain name. For - example, if the logical name for an interface is OAKLAND, then the - input chain for traffic arriving on that interface would be - 'OAKLAND_in'. If this option is set to Yes, then the physical name - of the interface will be used the base of the chain name. + interface's logical name as the base of the chain name. For example, + if the logical name for an interface is OAKLAND, then the input + chain for traffic arriving on that interface would be 'OAKLAND_in'. + If this option is set to Yes, then the physical name of the + interface will be used the base of the chain name.
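Review bot: in the shorewall-interfaces.xml hunk, the new warning only names net.ipv4.conf.all.rp_filter=1, but the "maximum" rule the same paragraph states means a distribution that sets it to 2 (loose mode) defeats routefilter=0 just as well, and because 2 is numerically greater than 1 it also turns a per-interface routefilter=1 (strict) into loose filtering. Suggest "sets net.ipv4.conf.all.rp_filter to 1 or 2 in /etc/sysctl.conf" and one sentence making clear that the kernel takes the larger number, not the stricter mode.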
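Review bot: the CHAIN_SCRIPTS hunk in shorewall.conf.xml removes and re-adds the same line ("specified as the empty value, CHAIN_SCRIPTS=Yes is assumed.") with only whitespace changed, which has nothing to do with the ROUTE_FILTER clarification in the subject; either drop the reflow-only hunks or put them in a separate commit so the diff shows just the documentation change it describes.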
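Review bot: in the ROUTE_FILTER hunk, "you must set ROUTE_FILTER=No then set routefilter=1 or routefilter=2 on those interfaces where you want route filtering" has two "then"s; suggest "set ROUTE_FILTER=No and then set routefilter=1 or routefilter=2 on the interfaces where you do want route filtering". The paragraph also reads as if ROUTE_FILTER=No were sufficient, while the shorewall-interfaces.xml hunk in this same patch says a distribution's net.ipv4.conf.all.rp_filter setting overrides routefilter=0 because the kernel uses the maximum of the all and per-interface values; state that caveat here too (or say explicitly that ROUTE_FILTER=No resets the all/rp_filter value, if that is what the generated script does) rather than relying on the cross-reference alone.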
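Review bot: the last hunk rewraps the chain-name paragraph but keeps "the physical name of the interface will be used the base of the chain name", which is missing "as"; since these lines are being touched anyway, make it "will be used as the base of the chain name". Otherwise this hunk is whitespace-only, like the CHAIN_SCRIPTS and optimize-level hunks.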