Enable multi-ISP in Shorewall6
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9009 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
3e328daf0a
commit
ed244ba0b9
@ -125,7 +125,7 @@ EXPORTPARAMS=No
|
||||
|
||||
EXPAND_POLICIES=No
|
||||
|
||||
KEEP_RT_TABLES=No
|
||||
KEEP_RT_TABLES=Yes
|
||||
|
||||
DELETE_THEN_ADD=Yes
|
||||
|
||||
|
@ -125,7 +125,7 @@ EXPORTPARAMS=No
|
||||
|
||||
EXPAND_POLICIES=No
|
||||
|
||||
KEEP_RT_TABLES=No
|
||||
KEEP_RT_TABLES=Yes
|
||||
|
||||
DELETE_THEN_ADD=Yes
|
||||
|
||||
|
@ -4,6 +4,8 @@ Changes in Shorewall 4.3.2
|
||||
|
||||
2) Add 'allowBcast' and 'dropBcast' builtin actions to Shorewall6.
|
||||
|
||||
3) Enable multi-ISP in Shorewall6.
|
||||
|
||||
Changes in Shorewall 4.3.1
|
||||
|
||||
1) Allow addresses in rules to be enclosed in square brackets.
|
||||
|
@ -22,6 +22,8 @@ Other changes in 4.3.2
|
||||
/etc/shorewall8/interfaces. The option drops incoming packets whose
|
||||
source address is an anycast or multicast addreess.
|
||||
|
||||
4) Multi-ISP is now enabled in Shorewall8.
|
||||
|
||||
Migration Issues.
|
||||
|
||||
None.
|
||||
@ -73,15 +75,16 @@ New Features in Shorewall 4.3
|
||||
routeback
|
||||
tcpflags
|
||||
|
||||
e) Traffic Shaping and Multi-ISP support are currently disabled. Packet
|
||||
marking and connection marking are available to feed your current
|
||||
traffic shaping defined in Shorewall.
|
||||
e) Traffic Shaping is currently disabled. Packet marking and
|
||||
connection marking are available to feed your current traffic
|
||||
shaping defined in Shorewall.
|
||||
|
||||
f) When both an interface and an address or address list need to
|
||||
be specified in a rule, the address or list must be enclosed in
|
||||
square brackets. Example:
|
||||
|
||||
ACCEPT net:eth0:[2001:19f0:feee::dead:beef:cafe] dmz
|
||||
#ACTION SOURCE DEST
|
||||
ACCEPT net:eth0:[2001:19f0:feee::dead:beef:cafe] dmz
|
||||
|
||||
Note that this includes MAC addresses as well as IPv6 addresses.
|
||||
|
||||
|
@ -865,7 +865,7 @@ sub process_actions3 () {
|
||||
add_rule $chainref, '-j ACCEPT';
|
||||
}
|
||||
|
||||
my %builtinops = ( 'dropBcast' => \&dropBcast,
|
||||
my %builtinops = ( 'dropBcast' => \&dropBcast,
|
||||
'allowBcast' => \&allowBcast,
|
||||
'dropNotSyn' => \&dropNotSyn,
|
||||
'rejNotSyn' => \&rejNotSyn,
|
||||
|
@ -129,9 +129,9 @@ sub copy_table( $$$ ) {
|
||||
my ( $duplicate, $number, $realm ) = @_;
|
||||
|
||||
if ( $realm ) {
|
||||
emit ( "ip -4 route show table $duplicate | sed -r 's/ realm [[:alnum:]_]+//' | while read net route; do" )
|
||||
emit ( "ip -$family route show table $duplicate | sed -r 's/ realm [[:alnum:]_]+//' | while read net route; do" )
|
||||
} else {
|
||||
emit ( "ip -4 route show table $duplicate | while read net route; do" )
|
||||
emit ( "ip -$family route show table $duplicate | while read net route; do" )
|
||||
}
|
||||
|
||||
emit ( ' case $net in',
|
||||
@ -149,9 +149,9 @@ sub copy_and_edit_table( $$$$ ) {
|
||||
my ( $duplicate, $number, $copy, $realm) = @_;
|
||||
|
||||
if ( $realm ) {
|
||||
emit ( "ip route show table $duplicate | sed -r 's/ realm [[:alnum:]_]+//' | while read net route; do" )
|
||||
emit ( "ip -$family route show table $duplicate | sed -r 's/ realm [[:alnum:]_]+//' | while read net route; do" )
|
||||
} else {
|
||||
emit ( "ip route show table $duplicate | while read net route; do" )
|
||||
emit ( "ip -$family route show table $duplicate | while read net route; do" )
|
||||
}
|
||||
|
||||
emit ( ' case $net in',
|
||||
@ -228,8 +228,8 @@ sub add_a_provider( $$$$$$$$ ) {
|
||||
emit "if interface_is_usable $interface; then";
|
||||
push_indent;
|
||||
|
||||
emit "qt ip route flush table $number";
|
||||
emit "echo \"qt ip route flush table $number\" >> \${VARDIR}/undo_routing";
|
||||
emit "qt ip -$family route flush table $number";
|
||||
emit "echo \"qt ip -$family route flush table $number\" >> \${VARDIR}/undo_routing";
|
||||
|
||||
if ( $gateway eq 'detect' ) {
|
||||
fatal_error "'detect' is not allowed with USE_DEFAULT_RT=Yes" if $config{USE_DEFAULT_RT};
|
||||
@ -265,10 +265,10 @@ sub add_a_provider( $$$$$$$$ ) {
|
||||
|
||||
my $pref = 10000 + $number - 1;
|
||||
|
||||
emit ( "qt ip rule del fwmark $mark" ) if $config{DELETE_THEN_ADD};
|
||||
emit ( "qt ip -$family rule del fwmark $mark" ) if $config{DELETE_THEN_ADD};
|
||||
|
||||
emit ( "run_ip rule add fwmark $mark pref $pref table $number",
|
||||
"echo \"qt ip rule del fwmark $mark\" >> \${VARDIR}/undo_routing"
|
||||
"echo \"qt ip -$family rule del fwmark $mark\" >> \${VARDIR}/undo_routing"
|
||||
);
|
||||
}
|
||||
|
||||
@ -360,23 +360,23 @@ sub add_a_provider( $$$$$$$$ ) {
|
||||
if ( $loose ) {
|
||||
if ( $config{DELETE_THEN_ADD} ) {
|
||||
emit ( "\nfind_interface_addresses $interface | while read address; do",
|
||||
' qt ip rule del from $address',
|
||||
" qt ip $family rule del from $address",
|
||||
'done'
|
||||
);
|
||||
}
|
||||
} elsif ( $shared ) {
|
||||
emit "qt ip rule del from $address" if $config{DELETE_THEN_ADD};
|
||||
emit( "run_ip rule add from $address pref 20000 table $number" ,
|
||||
"echo \"qt ip rule del from $address\" >> \${VARDIR}/undo_routing" );
|
||||
emit "qt ip -$family rule del from $address" if $config{DELETE_THEN_ADD};
|
||||
emit( "run_ip -$family rule add from $address pref 20000 table $number" ,
|
||||
"echo \"qt ip -$family rule del from $address\" >> \${VARDIR}/undo_routing" );
|
||||
} else {
|
||||
my $rulebase = 20000 + ( 256 * ( $number - 1 ) );
|
||||
|
||||
emit "\nrulenum=0\n";
|
||||
|
||||
emit ( "find_interface_addresses $interface | while read address; do" );
|
||||
emit ( ' qt ip rule del from $address' ) if $config{DELETE_THEN_ADD};
|
||||
emit ( " qt ip $family rule del from $address" ) if $config{DELETE_THEN_ADD};
|
||||
emit ( " run_ip rule add from \$address pref \$(( $rulebase + \$rulenum )) table $number",
|
||||
" echo \"qt ip rule del from \$address\" >> \${VARDIR}/undo_routing",
|
||||
" echo \"qt ip -$family rule del from \$address\" >> \${VARDIR}/undo_routing",
|
||||
' rulenum=$(($rulenum + 1))',
|
||||
'done'
|
||||
);
|
||||
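Review bot: The two `qt ip $family rule del from $address` lines in this hunk (one in the `$loose` branch, one in the final `else` branch) differ from every other converted command in two ways: the family flag lost its dash, so the generated script runs `ip 6 rule del ...`, and the string is now double-quoted, so Perl interpolates its own `$address` (the provider's configured address, as used in the `$shared` branch) instead of leaving the shell's `$address` from the enclosing `find_interface_addresses ... | while read address` loop — compare the escaped `\$address` on the neighbouring `run_ip` and `echo` lines. Because both commands are wrapped in `qt`, the failure is silent and the old rule survives, so DELETE_THEN_ADD does not do what it claims; they should read `" qt ip -$family rule del from \$address"`. The `run_ip rule add from \$address` line in the same `else` branch, and the `run_ip rule add fwmark`, `run_ip rule add from all table` and `run_ip route replace default` lines in the surrounding hunks, still carry no `-$family` while their `del`/undo counterparts were converted; unless run_ip supplies the family itself (the commit's own `run_ip -$family` rewrites in the `$shared` branch and in add_an_rtrule suggest it does not), those rules land in the IPv4 set for an IPv6 provider. In the setup_providers hunk, `fatal_error "Multi-ISP support is not yet available in Shorewall6"` appears without its `if $family == F_IPV6` guard on what reads as the new side; if that rendering is right, every non-empty providers file now aborts, contradicting the commit title, and the line should be deleted rather than made unconditional. add_a_provider begins and ends outside this hunk.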
@ -447,7 +447,7 @@ sub add_an_rtrule( $$$$ ) {
|
||||
|
||||
$priority = "priority $priority";
|
||||
|
||||
emit ( "qt ip rule del $source $dest $priority" ) if $config{DELETE_THEN_ADD};
|
||||
emit ( "qt ip -$family rule del $source $dest $priority" ) if $config{DELETE_THEN_ADD};
|
||||
|
||||
my ( $optional, $number ) = ( $providers{$provider}{optional} , $providers{$provider}{number} );
|
||||
|
||||
@ -457,8 +457,8 @@ sub add_an_rtrule( $$$$ ) {
|
||||
push_indent;
|
||||
}
|
||||
|
||||
emit ( "run_ip rule add $source $dest $priority table $number",
|
||||
"echo \"qt ip rule del $source $dest $priority\" >> \${VARDIR}/undo_routing" );
|
||||
emit ( "run_ip -$family rule add $source $dest $priority table $number",
|
||||
"echo \"qt ip -$family rule del $source $dest $priority\" >> \${VARDIR}/undo_routing" );
|
||||
|
||||
pop_indent, emit ( "fi\n" ) if $optional;
|
||||
|
||||
@ -473,7 +473,7 @@ sub setup_null_routing() {
|
||||
save_progress_message "Null Routing the RFC 1918 subnets";
|
||||
for ( rfc1918_networks ) {
|
||||
emit( "run_ip route replace unreachable $_" );
|
||||
emit( "echo \"qt ip route del unreachable $_\" >> \${VARDIR}/undo_routing" );
|
||||
emit( "echo \"qt ip -$family route del unreachable $_\" >> \${VARDIR}/undo_routing" );
|
||||
}
|
||||
}
|
||||
|
||||
@ -485,7 +485,7 @@ sub setup_providers() {
|
||||
while ( read_a_line ) {
|
||||
unless ( $providers ) {
|
||||
progress_message2 "$doing $fn ...";
|
||||
fatal_error "Multi-ISP support is not yet available in Shorewall6" if $family == F_IPV6;
|
||||
fatal_error "Multi-ISP support is not yet available in Shorewall6";
|
||||
|
||||
require_capability( 'MANGLE_ENABLED' , 'a non-empty providers file' , 's' );
|
||||
|
||||
@ -512,7 +512,7 @@ sub setup_providers() {
|
||||
emit ( '#',
|
||||
'# Capture the default route(s) if we don\'t have it (them) already.',
|
||||
'#',
|
||||
'[ -f ${VARDIR}/default_route ] || ip route list | grep -E \'^\s*(default |nexthop )\' > ${VARDIR}/default_route',
|
||||
'[ -f ${VARDIR}/default_route ] || ip -' . $family . ' route list | grep -E \'^\s*(default |nexthop )\' > ${VARDIR}/default_route',
|
||||
'#',
|
||||
'# Initialize the file that holds \'undo\' commands',
|
||||
'#',
|
||||
@ -541,16 +541,16 @@ sub setup_providers() {
|
||||
|
||||
if ( $config{USE_DEFAULT_RT} ) {
|
||||
emit ( 'run_ip rule add from all table ' . MAIN_TABLE . ' pref 999',
|
||||
'ip rule del from all table ' . MAIN_TABLE . ' pref 32766',
|
||||
'echo "qt ip rule add from all table ' . MAIN_TABLE . ' pref 32766" >> ${VARDIR}/undo_routing',
|
||||
'echo "qt ip rule del from all table ' . MAIN_TABLE . ' pref 999" >> ${VARDIR}/undo_routing',
|
||||
"ip -$family rule del from all table " . MAIN_TABLE . ' pref 32766',
|
||||
qq(echo "qt ip -$family rule add from all table ) . MAIN_TABLE . ' pref 32766" >> ${VARDIR}/undo_routing',
|
||||
qq(echo "qt ip -$family rule del from all table ) . MAIN_TABLE . ' pref 999" >> ${VARDIR}/undo_routing',
|
||||
'' );
|
||||
$table = DEFAULT_TABLE;
|
||||
}
|
||||
|
||||
emit ( 'if [ -n "$DEFAULT_ROUTE" ]; then' );
|
||||
emit ( " run_ip route replace default scope global table $table \$DEFAULT_ROUTE" );
|
||||
emit ( ' qt ip route del default table ' . MAIN_TABLE ) if $config{USE_DEFAULT_RT};
|
||||
emit ( " qt ip -$family route del default table " . MAIN_TABLE ) if $config{USE_DEFAULT_RT};
|
||||
emit ( " progress_message \"Default route '\$(echo \$DEFAULT_ROUTE | sed 's/\$\\s*//')' Added\"",
|
||||
'else',
|
||||
' error_message "WARNING: No Default route added (all \'balance\' providers are down)"',
|
||||
|
@ -125,7 +125,7 @@ EXPORTPARAMS=Yes
|
||||
|
||||
EXPAND_POLICIES=Yes
|
||||
|
||||
KEEP_RT_TABLES=No
|
||||
KEEP_RT_TABLES=Yes
|
||||
|
||||
DELETE_THEN_ADD=Yes
|
||||
|
||||
|