diff --git a/Samples6/three-interfaces/shorewall6.conf b/Samples6/three-interfaces/shorewall6.conf
index 6997903a0..3f938315d 100644
--- a/Samples6/three-interfaces/shorewall6.conf
+++ b/Samples6/three-interfaces/shorewall6.conf
@@ -125,7 +125,7 @@ EXPORTPARAMS=No
 EXPAND_POLICIES=No
-KEEP_RT_TABLES=No
+KEEP_RT_TABLES=Yes
 DELETE_THEN_ADD=Yes
diff --git a/Samples6/two-interfaces/shorewall6.conf b/Samples6/two-interfaces/shorewall6.conf
index 6997903a0..3f938315d 100644
--- a/Samples6/two-interfaces/shorewall6.conf
+++ b/Samples6/two-interfaces/shorewall6.conf
@@ -125,7 +125,7 @@ EXPORTPARAMS=No
 EXPAND_POLICIES=No
-KEEP_RT_TABLES=No
+KEEP_RT_TABLES=Yes
 DELETE_THEN_ADD=Yes
diff --git a/Shorewall-common/changelog.txt b/Shorewall-common/changelog.txt
index 7af3e0568..88c9596c7 100644
--- a/Shorewall-common/changelog.txt
+++ b/Shorewall-common/changelog.txt
@@ -4,6 +4,8 @@ Changes in Shorewall 4.3.2
 2) Add 'allowBcast' and 'dropBcast' builtin actions to Shorewall6.
+3) Enable multi-ISP in Shorewall6.
+
 Changes in Shorewall 4.3.1
 1) Allow addresses in rules to be enclosed in square brackets.
diff --git a/Shorewall-common/releasenotes.txt b/Shorewall-common/releasenotes.txt
index 807b55b6b..b4a6bce84 100644
--- a/Shorewall-common/releasenotes.txt
+++ b/Shorewall-common/releasenotes.txt
@@ -22,6 +22,8 @@ Other changes in 4.3.2
 /etc/shorewall8/interfaces. The option drops incoming packets whose source address is an anycast or multicast addreess.
+4) Multi-ISP is now enabled in Shorewall8.
+
 Migration Issues.
 None.
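Review bot: KEEP_RT_TABLES flips from No to Yes here, in Samples6/two-interfaces/shorewall6.conf and in Shorewall6/shorewall6.conf, but neither the changelog.txt nor the releasenotes.txt hunk of this commit mentions it, so anyone carrying an existing shorewall6.conf forward will not learn that the shipped default changed. Presumably the motive is that Shorewall and Shorewall6 on the same host share /etc/iproute2/rt_tables and Shorewall6 should stop rewriting it now that providers are enabled; if so, a release-note line such as `KEEP_RT_TABLES now defaults to Yes in shorewall6.conf; the rt_tables file is shared with Shorewall` would record both the change and the reason.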
@@ -73,15 +75,16 @@ New Features in Shorewall 4.3
 routeback
 tcpflags
- e) Traffic Shaping and Multi-ISP support are currently disabled. Packet
- marking and connection marking are available to feed your current
- traffic shaping defined in Shorewall.
+ e) Traffic Shaping is currently disabled. Packet marking and
+ connection marking are available to feed your current traffic
+ shaping defined in Shorewall.
 f) When both an interface and an address or address list need to be specified in a rule, the address or list must be enclosed in square brackets. Example:
- ACCEPT net:eth0:[2001:19f0:feee::dead:beef:cafe] dmz
+ #ACTION SOURCE DEST
+ ACCEPT net:eth0:[2001:19f0:feee::dead:beef:cafe] dmz
 Note that this includes MAC addresses as well as IPv6 addresses.
diff --git a/Shorewall-perl/Shorewall/Actions.pm b/Shorewall-perl/Shorewall/Actions.pm
index c4214bae9..ed614ed8d 100644
--- a/Shorewall-perl/Shorewall/Actions.pm
+++ b/Shorewall-perl/Shorewall/Actions.pm
@@ -865,7 +865,7 @@ sub process_actions3 () {
 add_rule $chainref, '-j ACCEPT';
 }
- my %builtinops = ( 'dropBcast' => \&dropBcast,
+ my %builtinops = ( 'dropBcast' => \&dropBcast,
 'allowBcast' => \&allowBcast,
 'dropNotSyn' => \&dropNotSyn,
 'rejNotSyn' => \&rejNotSyn,
diff --git a/Shorewall-perl/Shorewall/Providers.pm b/Shorewall-perl/Shorewall/Providers.pm
index 816d2cff0..750f25dde 100644
--- a/Shorewall-perl/Shorewall/Providers.pm
+++ b/Shorewall-perl/Shorewall/Providers.pm
@@ -129,9 +129,9 @@ sub copy_table( $$$ ) {
 my ( $duplicate, $number, $realm ) = @_;
 if ( $realm ) {
-emit ( "ip -4 route show table $duplicate | sed -r 's/ realm [[:alnum:]_]+//' | while read net route; do" )
+emit ( "ip -$family route show table $duplicate | sed -r 's/ realm [[:alnum:]_]+//' | while read net route; do" )
 } else {
-emit ( "ip -4 route show table $duplicate | while read net route; do" )
+emit ( "ip -$family route show table $duplicate | while read net route; do" )
 }
 emit ( ' case $net in',
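Review bot: The `ip -$family route show table $duplicate | ... | while read net route; do` pipeline is now spelled out four times, twice in this copy_table hunk and twice in copy_and_edit_table in the next one, with the `sed -r 's/ realm ...//'` filter the only difference between the two variants. A small private helper taking the table name and the realm flag and returning that string would keep the family switch in one place the next time the command line has to change, and would let the two callers share one comment explaining why the realm is stripped. copy_table's body continues past the end of this hunk.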
@@ -149,9 +149,9 @@ sub copy_and_edit_table( $$$$ ) {
 my ( $duplicate, $number, $copy, $realm) = @_;
 if ( $realm ) {
-emit ( "ip route show table $duplicate | sed -r 's/ realm [[:alnum:]_]+//' | while read net route; do" )
+emit ( "ip -$family route show table $duplicate | sed -r 's/ realm [[:alnum:]_]+//' | while read net route; do" )
 } else {
-emit ( "ip route show table $duplicate | while read net route; do" )
+emit ( "ip -$family route show table $duplicate | while read net route; do" )
 }
 emit ( ' case $net in',
@@ -228,8 +228,8 @@ sub add_a_provider( $$$$$$$$ ) {
 emit "if interface_is_usable $interface; then";
 push_indent;
-emit "qt ip route flush table $number";
-emit "echo \"qt ip route flush table $number\" >> \${VARDIR}/undo_routing";
+emit "qt ip -$family route flush table $number";
+emit "echo \"qt ip -$family route flush table $number\" >> \${VARDIR}/undo_routing";
 if ( $gateway eq 'detect' ) {
 fatal_error "'detect' is not allowed with USE_DEFAULT_RT=Yes" if $config{USE_DEFAULT_RT};
@@ -265,10 +265,10 @@ sub add_a_provider( $$$$$$$$ ) {
 my $pref = 10000 + $number - 1;
-emit ( "qt ip rule del fwmark $mark" ) if $config{DELETE_THEN_ADD};
+emit ( "qt ip -$family rule del fwmark $mark" ) if $config{DELETE_THEN_ADD};
 emit ( "run_ip rule add fwmark $mark pref $pref table $number",
-"echo \"qt ip rule del fwmark $mark\" >> \${VARDIR}/undo_routing"
+"echo \"qt ip -$family rule del fwmark $mark\" >> \${VARDIR}/undo_routing"
 );
 }
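Review bot: In the fwmark hunk `run_ip rule add fwmark $mark pref $pref table $number` is left without `-$family`, while the `qt ip -$family rule del fwmark $mark` line just above it and the undo line now carry it; the else branch of the hunk at 360 (`run_ip rule add from \$address ...`), setup_null_routing at 473 (`run_ip route replace unreachable $_`) and the USE_DEFAULT_RT block at 541 (`run_ip rule add from all table ...` and `run_ip route replace default ...`) have the same gap, whereas the shared branch at 360 and add_an_rtrule at 457 were converted to `run_ip -$family rule add`. run_ip's definition is not in this diff; if it passes its arguments to ip unchanged, every unconverted add still lands in the IPv4 tables under Shorewall6 while its undo line deletes from the IPv6 ones, leaving stale IPv4 rules behind on restart. Either all adds should take `-$family` or run_ip should inject the family itself, and a one-line comment at the first run_ip call should say which. add_a_provider starts before and continues after this hunk.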
@@ -360,23 +360,23 @@ sub add_a_provider( $$$$$$$$ ) {
 if ( $loose ) {
 if ( $config{DELETE_THEN_ADD} ) {
 emit ( "\nfind_interface_addresses $interface | while read address; do",
- ' qt ip rule del from $address',
+ " qt ip $family rule del from $address",
 'done' );
 }
 } elsif ( $shared ) {
-emit "qt ip rule del from $address" if $config{DELETE_THEN_ADD};
-emit( "run_ip rule add from $address pref 20000 table $number" ,
-"echo \"qt ip rule del from $address\" >> \${VARDIR}/undo_routing" );
+emit "qt ip -$family rule del from $address" if $config{DELETE_THEN_ADD};
+emit( "run_ip -$family rule add from $address pref 20000 table $number" ,
+"echo \"qt ip -$family rule del from $address\" >> \${VARDIR}/undo_routing" );
 } else {
 my $rulebase = 20000 + ( 256 * ( $number - 1 ) );
 emit "\nrulenum=0\n";
 emit ( "find_interface_addresses $interface | while read address; do" );
-emit ( ' qt ip rule del from $address' ) if $config{DELETE_THEN_ADD};
+emit ( " qt ip $family rule del from $address" ) if $config{DELETE_THEN_ADD};
 emit ( " run_ip rule add from \$address pref \$(( $rulebase + \$rulenum )) table $number",
- " echo \"qt ip rule del from \$address\" >> \${VARDIR}/undo_routing",
+ " echo \"qt ip -$family rule del from \$address\" >> \${VARDIR}/undo_routing",
 ' rulenum=$(($rulenum + 1))',
 'done' );
@@ -447,7 +447,7 @@ sub add_an_rtrule( $$$$ ) {
 $priority = "priority $priority";
-emit ( "qt ip rule del $source $dest $priority" ) if $config{DELETE_THEN_ADD};
+emit ( "qt ip -$family rule del $source $dest $priority" ) if $config{DELETE_THEN_ADD};
 my ( $optional, $number ) = ( $providers{$provider}{optional} , $providers{$provider}{number} );
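Review bot: The two DELETE_THEN_ADD lines emitted inside the `find_interface_addresses $interface | while read address; do` loops, `" qt ip $family rule del from $address"` in the $loose branch and again in the else branch, have lost the `-` before `$family`, so the generated script runs `ip 6 rule del ...` (or `ip 4 ...`), which ip rejects as an unknown object; since qt hides the failure, the old per-address rules silently survive the restart. The same edit turned the single-quoted string into a double-quoted one, so `$address` is now interpolated by Perl from add_a_provider's own variable instead of being left for the shell loop variable, unlike the neighbouring `" run_ip rule add from \$address ..."` and `" echo \"qt ip -$family rule del from \$address\" ..."` lines, which still escape it. Both occurrences should read `" qt ip -$family rule del from \$address"`. add_a_provider begins and ends outside this hunk.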
@@ -457,8 +457,8 @@ sub add_an_rtrule( $$$$ ) {
 push_indent;
 }
-emit ( "run_ip rule add $source $dest $priority table $number",
-"echo \"qt ip rule del $source $dest $priority\" >> \${VARDIR}/undo_routing" );
+emit ( "run_ip -$family rule add $source $dest $priority table $number",
+"echo \"qt ip -$family rule del $source $dest $priority\" >> \${VARDIR}/undo_routing" );
 pop_indent, emit ( "fi\n" ) if $optional;
@@ -473,7 +473,7 @@ sub setup_null_routing() {
 save_progress_message "Null Routing the RFC 1918 subnets";
 for ( rfc1918_networks ) {
 emit( "run_ip route replace unreachable $_" );
-emit( "echo \"qt ip route del unreachable $_\" >> \${VARDIR}/undo_routing" );
+emit( "echo \"qt ip -$family route del unreachable $_\" >> \${VARDIR}/undo_routing" );
 }
 }
@@ -485,7 +485,7 @@ sub setup_providers() {
 while ( read_a_line ) {
 unless ( $providers ) {
 progress_message2 "$doing $fn ...";
-fatal_error "Multi-ISP support is not yet available in Shorewall6" if $family == F_IPV6;
+fatal_error "Multi-ISP support is not yet available in Shorewall6";
 require_capability( 'MANGLE_ENABLED' , 'a non-empty providers file' , 's' );
@@ -512,7 +512,7 @@ sub setup_providers() {
 emit ( '#',
 '# Capture the default route(s) if we don\'t have it (them) already.',
 '#',
-'[ -f ${VARDIR}/default_route ] || ip route list | grep -E \'^\s*(default |nexthop )\' > ${VARDIR}/default_route',
+'[ -f ${VARDIR}/default_route ] || ip -' . $family . ' route list | grep -E \'^\s*(default |nexthop )\' > ${VARDIR}/default_route',
 '#',
 '# Initialize the file that holds \'undo\' commands',
 '#',
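Review bot: In setup_null_routing the undo line now says `qt ip -$family route del unreachable $_` while the `run_ip route replace unreachable $_` it is meant to reverse is unchanged, and rfc1918_networks by its name yields IPv4 prefixes. Whether this function can run with $family == F_IPV6 is not visible in the diff; if it can, the IPv6 undo commands name routes that were never added there, and the IPv4 unreachable routes are left in place. A guard such as `return if $family == F_IPV6;` at the top of the loop, with a comment that RFC 1918 null routing is IPv4-only, or the same check at the call site, would make the intent explicit.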
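Review bot: The rewritten line `fatal_error "Multi-ISP support is not yet available in Shorewall6";` drops the `if $family == F_IPV6` guard rather than the whole statement, so as this hunk reads every non-empty providers file now aborts compilation for IPv4 and IPv6 alike — the opposite of the changelog entry "Enable multi-ISP in Shorewall6". Unless the diff rendering lost the tail of the line, the statement should simply be deleted; if IPv6 providers are meant to stay blocked behind some capability, keep the guarded form instead. setup_providers continues beyond this hunk.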
@@ -541,16 +541,16 @@ sub setup_providers() {
 if ( $config{USE_DEFAULT_RT} ) {
 emit ( 'run_ip rule add from all table ' . MAIN_TABLE . ' pref 999',
-'ip rule del from all table ' . MAIN_TABLE . ' pref 32766',
-'echo "qt ip rule add from all table ' . MAIN_TABLE . ' pref 32766" >> ${VARDIR}/undo_routing',
-'echo "qt ip rule del from all table ' . MAIN_TABLE . ' pref 999" >> ${VARDIR}/undo_routing',
+"ip -$family rule del from all table " . MAIN_TABLE . ' pref 32766',
+qq(echo "qt ip -$family rule add from all table ) . MAIN_TABLE . ' pref 32766" >> ${VARDIR}/undo_routing',
+qq(echo "qt ip -$family rule del from all table ) . MAIN_TABLE . ' pref 999" >> ${VARDIR}/undo_routing',
 '' );
 $table = DEFAULT_TABLE;
 }
 emit ( 'if [ -n "$DEFAULT_ROUTE" ]; then' );
 emit ( " run_ip route replace default scope global table $table \$DEFAULT_ROUTE" );
-emit ( ' qt ip route del default table ' . MAIN_TABLE ) if $config{USE_DEFAULT_RT};
+emit ( " qt ip -$family route del default table " . MAIN_TABLE ) if $config{USE_DEFAULT_RT};
 emit ( " progress_message \"Default route '\$(echo \$DEFAULT_ROUTE | sed 's/\$\\s*//')' Added\"",
 'else',
 ' error_message "WARNING: No Default route added (all \'balance\' providers are down)"',
diff --git a/Shorewall6/shorewall6.conf b/Shorewall6/shorewall6.conf
index c0ec64144..b89d1eea1 100644
--- a/Shorewall6/shorewall6.conf
+++ b/Shorewall6/shorewall6.conf
@@ -125,7 +125,7 @@ EXPORTPARAMS=Yes
 EXPAND_POLICIES=Yes
-KEEP_RT_TABLES=No
+KEEP_RT_TABLES=Yes
 DELETE_THEN_ADD=Yes