From d0cda6b6ea4c5fcd48810aa8d36ea7f52cdb9154 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Tue, 20 Oct 2009 13:24:17 -0700 Subject: [PATCH] Add TRACK_PROVIDERS option --- Samples/one-interface/shorewall.conf | 2 ++ Samples/three-interfaces/shorewall.conf | 2 ++ Samples/two-interfaces/shorewall.conf | 2 ++ Samples6/one-interface/shorewall6.conf | 2 ++ Samples6/three-interfaces/shorewall6.conf | 2 ++ Samples6/two-interfaces/shorewall6.conf | 2 ++ Shorewall/Perl/Shorewall/Config.pm | 3 +++ Shorewall/Perl/Shorewall/Providers.pm | 3 ++- Shorewall/changelog.txt | 2 ++ Shorewall/configfiles/shorewall.conf | 2 ++ Shorewall/releasenotes.txt | 6 ++--- Shorewall6/shorewall6.conf | 2 ++ docs/LennyToSqueeze.xml | 9 -------- docs/MultiISP.xml | 27 ++++++++++++----------- manpages/shorewall-providers.xml | 9 +++++++- manpages6/shorewall6-providers.xml | 10 +++++---- 16 files changed, 54 insertions(+), 31 deletions(-) diff --git a/Samples/one-interface/shorewall.conf b/Samples/one-interface/shorewall.conf index 7c92395ca..4c0d234ab 100644 --- a/Samples/one-interface/shorewall.conf +++ b/Samples/one-interface/shorewall.conf @@ -191,6 +191,8 @@ AUTOMAKE=No WIDE_TC_MARKS=Yes +TRACK_PROVIDERS=Yes + ############################################################################### # P A C K E T D I S P O S I T I O N ############################################################################### diff --git a/Samples/three-interfaces/shorewall.conf b/Samples/three-interfaces/shorewall.conf index 2f22a0e60..3d2256bea 100644 --- a/Samples/three-interfaces/shorewall.conf +++ b/Samples/three-interfaces/shorewall.conf @@ -191,6 +191,8 @@ AUTOMAKE=No WIDE_TC_MARKS=Yes +TRACK_PROVIDERS=Yes + ############################################################################### # P A C K E T D I S P O S I T I O N ############################################################################### 
diff --git a/Samples/two-interfaces/shorewall.conf b/Samples/two-interfaces/shorewall.conf index 1df60024a..3bfb589be 100644 --- a/Samples/two-interfaces/shorewall.conf +++ b/Samples/two-interfaces/shorewall.conf @@ -198,6 +198,8 @@ AUTOMAKE=No WIDE_TC_MARKS=Yes +TRACK_PROVIDERS=Yes + ############################################################################### # P A C K E T D I S P O S I T I O N ############################################################################### diff --git a/Samples6/one-interface/shorewall6.conf b/Samples6/one-interface/shorewall6.conf index 239c0ec7f..eafb77a0a 100644 --- a/Samples6/one-interface/shorewall6.conf +++ b/Samples6/one-interface/shorewall6.conf @@ -139,6 +139,8 @@ AUTOMAKE=No WIDE_TC_MARKS=Yes +TRACK_PROVIDERS=Yes + ############################################################################### # P A C K E T D I S P O S I T I O N ############################################################################### diff --git a/Samples6/three-interfaces/shorewall6.conf b/Samples6/three-interfaces/shorewall6.conf index 3f49c09d9..a1576f5c9 100644 --- a/Samples6/three-interfaces/shorewall6.conf +++ b/Samples6/three-interfaces/shorewall6.conf @@ -139,6 +139,8 @@ AUTOMAKE=No WIDE_TC_MARKS=Yes +TRACK_PROVIDERS=Yes + ############################################################################### # P A C K E T D I S P O S I T I O N ############################################################################### diff --git a/Samples6/two-interfaces/shorewall6.conf b/Samples6/two-interfaces/shorewall6.conf index 0d6f7c65a..6d369784f 100644 --- a/Samples6/two-interfaces/shorewall6.conf +++ b/Samples6/two-interfaces/shorewall6.conf @@ -139,6 +139,8 @@ AUTOMAKE=No WIDE_TC_MARKS=Yes +TRACK_PROVIDERS=Yes + ############################################################################### # P A C K E T D I S P O S I T I O N ############################################################################### 
diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm index 5a62a797a..e1f335b8c 100644 --- a/Shorewall/Perl/Shorewall/Config.pm +++ b/Shorewall/Perl/Shorewall/Config.pm @@ -439,6 +439,7 @@ sub initialize( $ ) { FAST_STOP => undef , AUTOMAKE => undef , WIDE_TC_MARKS => undef, + TRACK_PROVIDERS => undef, # # Packet Disposition # @@ -545,6 +546,7 @@ sub initialize( $ ) { MANGLE_ENABLED => undef , AUTOMAKE => undef , WIDE_TC_MARKS => undef, + TRACK_PROVIDERS => undef, # # Packet Disposition # @@ -2404,6 +2406,7 @@ sub get_configuration( $ ) { default_yes_no 'RESTORE_DEFAULT_ROUTE' , 'Yes'; default_yes_no 'AUTOMAKE' , ''; default_yes_no 'WIDE_TC_MARKS' , ''; + default_yes_no 'TRACK_PROVIDERS' , ''; $capabilities{XCONNMARK} = '' unless $capabilities{XCONNMARK_MATCH} and $capabilities{XMARK}; diff --git a/Shorewall/Perl/Shorewall/Providers.pm b/Shorewall/Perl/Shorewall/Providers.pm index 353422460..493064392 100644 --- a/Shorewall/Perl/Shorewall/Providers.pm +++ b/Shorewall/Perl/Shorewall/Providers.pm @@ -316,7 +316,8 @@ sub add_a_provider( ) { } - my ( $loose, $track, $balance , $default, $default_balance, $optional, $mtu ) = (0,1,0,0,$config{USE_DEFAULT_RT} ? 1 : 0,interface_is_optional( $interface ), '' ); + my ( $loose, $track, $balance , $default, $default_balance, $optional, $mtu ) = + (0, $config{TRACK_PROVIDERS}, 0 , 0, $config{USE_DEFAULT_RT} ? 1 : 0, interface_is_optional( $interface ), '' ); unless ( $options eq '-' ) { for my $option ( split_list $options, 'option' ) { diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt index 55a3c1352..913d17a30 100644 --- a/Shorewall/changelog.txt +++ b/Shorewall/changelog.txt @@ -18,6 +18,8 @@ Changes in Shorewall 4.4.3 9) Make 'track' the default. +10) Add TRACK_PROVIDERS option. + Changes in Shorewall 4.4.2 1) BUGFIX: Correct detection of Persistent SNAT support 
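Review bot: The new default in get_configuration, `default_yes_no 'TRACK_PROVIDERS' , '';`, makes provider tracking opt-in for any shorewall.conf that predates this option, while changelog item 9 in this same patch still reads "Make 'track' the default"; nothing at that line explains the choice. A short comment would stop the next reader from "correcting" it, e.g. `# Default No: a conf without TRACK_PROVIDERS leaves providers untracked unless 'track' is given per provider` — hedged, since the per-provider handling lives in Providers.pm outside this hunk. The same key is also added to two separate hash initializers in initialize (the first two hunks), so a future option added to only one of them would likely be missed; a comment next to each `TRACK_PROVIDERS => undef,` pointing at the twin table would help. initialize and get_configuration both start and end outside these hunks.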
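Review bot: In the add_a_provider initializer, `$track` now takes `$config{TRACK_PROVIDERS}` raw while the neighbouring `$default_balance` normalizes `$config{USE_DEFAULT_RT} ? 1 : 0`; the old value was the literal `1`, and after `default_yes_no` the config value is whatever string form that helper stores ('' or a yes-value), so `$track` is no longer guaranteed to be 0/1. If anything later in add_a_provider compares it numerically or emits it into generated script text, that is a behaviour change, but that code is not visible in the hunk. Normalizing the same way as its neighbour preserves the old type: `(0, $config{TRACK_PROVIDERS} ? 1 : 0, 0 , 0, $config{USE_DEFAULT_RT} ? 1 : 0, interface_is_optional( $interface ), '' );`. add_a_provider starts before and continues after this hunk.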
diff --git a/Shorewall/configfiles/shorewall.conf b/Shorewall/configfiles/shorewall.conf index 1106ae6f4..952f83a19 100644 --- a/Shorewall/configfiles/shorewall.conf +++ b/Shorewall/configfiles/shorewall.conf @@ -189,6 +189,8 @@ AUTOMAKE=No WIDE_TC_MARKS=No +TRACK_PROVIDERS=No + ############################################################################### # P A C K E T D I S P O S I T I O N ############################################################################### diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index 4583441a5..614e839c9 100644 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt @@ -222,9 +222,9 @@ None. On non-Debian systems, new installs will now log all Shorewall commands to /var/log/shorewall-init.log. -2) Because the 'track' provider option is so useful, it is now the - default. If, for some reason, you don't want 'track' then specify - 'notrack' for the provider. +2) A new TRACK_PROVIDERS option has been added in shorewall.conf. + The value of this option becomes the default for the 'track' + provider option in /etc/shorewall/providers. ---------------------------------------------------------------------------- N E W F E A T U R E S I N 4 . 4 . 0 diff --git a/Shorewall6/shorewall6.conf b/Shorewall6/shorewall6.conf index 19b00b3b3..b58a1a254 100644 --- a/Shorewall6/shorewall6.conf +++ b/Shorewall6/shorewall6.conf @@ -145,6 +145,8 @@ AUTOMAKE=No WIDE_TC_MARKS=No +TRACK_PROVIDERS=No + ############################################################################### # P A C K E T D I S P O S I T I O N ############################################################################### diff --git a/docs/LennyToSqueeze.xml b/docs/LennyToSqueeze.xml index ffb5a30e2..9793e7727 100644 --- a/docs/LennyToSqueeze.xml +++ b/docs/LennyToSqueeze.xml @@ -700,15 +700,6 @@ NONAT loc - tcp 80 earlier. -
- /etc/shorewall/providers - - Beginnins with Shorewall 4.4.3, the option - is now the default. If, for some reason, you don't want the - option then specify - . -
-
Extension Scripts diff --git a/docs/MultiISP.xml b/docs/MultiISP.xml index 9449fadb8..f706438a2 100644 --- a/docs/MultiISP.xml +++ b/docs/MultiISP.xml @@ -143,12 +143,11 @@ Shorewall can set up the correct marking rules for you. When you use the track option in - /etc/shorewall/providers (which is the default, - beginning with Shorewall 4.4.3), connections from the Internet are - automatically routed back out of the correct interface and through the - correct ISP gateway. This works whether the connection is handled by the - firewall itself or if it is routed or port-forwarded to a system behind - the firewall. + /etc/shorewall/providers, connections from the + Internet are automatically routed back out of the correct interface and + through the correct ISP gateway. This works whether the connection is + handled by the firewall itself or if it is routed or port-forwarded to a + system behind the firewall. Shorewall will set up the routing and will update the /etc/iproute2/rt_tables to include the table names @@ -164,8 +163,7 @@ Packet marking for traffic control purposes may not be done in the PREROUTING table for connections involving providers with - 'track' specified (see below -- note that 'track' defaults to on - beginning with Shorewall 4.4.3). + 'track' specified (see below). @@ -333,9 +331,13 @@ Beginning with Shorwall 4.3.3, track is the default. To disable - this option, you must specify notrack (see below). + role="bold">track defaults to the setting of + the option in shorewall.conf + (5). To disable this option when you have + specified TRACK_PROVIDERS=Yes, you must specify + notrack (see + below). If specified, connections FROM this interface are to be tracked so that responses may be routed back out this same interface. @@ -454,8 +456,7 @@ Added in Shorewall 4.4.3. This option turns off the - track option which is now - the default. + track option. 
diff --git a/manpages/shorewall-providers.xml b/manpages/shorewall-providers.xml index 39422b1b3..eb53d3cbd 100644 --- a/manpages/shorewall-providers.xml +++ b/manpages/shorewall-providers.xml @@ -168,6 +168,13 @@ is the default. If, for some reason, you don't want then specify (see below). + + Beginning with Shorewall 4.4.3, + defaults to the setting of the TRACK_PROVIDERS option in + shorewall.conf (5). + If you set TRACK_PROVIDERS=Yes and want to override that + setting for an individual provider, then specify + (see below). @@ -204,7 +211,7 @@ Added in Shorewall 4.4.3. When specified, turns off - which is now the default. + . diff --git a/manpages6/shorewall6-providers.xml b/manpages6/shorewall6-providers.xml index bd137bc93..62e25680f 100644 --- a/manpages6/shorewall6-providers.xml +++ b/manpages6/shorewall6-providers.xml @@ -154,9 +154,11 @@ provider. Beginning with Shorewall 4.4.3, - is the default. If, for some reason, you don't want - then specify - (see below). + defaults to the setting of the TRACK_PROVIDERS option in + shorewall6.conf + (5). If you set TRACK_PROVIDERS=Yes and want to override that + setting for an individual provider, then specify + (see below). @@ -177,7 +179,7 @@ Added in Shorewall 4.4.3. When specified, turns off - which is now the default. + .