Enable multi-ISP in Shorewall6

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9009 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2008-12-12 23:20:47 +00:00
parent 3e328daf0a
commit ed244ba0b9
7 changed files with 37 additions and 32 deletions


@ -125,7 +125,7 @@ EXPORTPARAMS=No
EXPAND_POLICIES=No EXPAND_POLICIES=No
KEEP_RT_TABLES=No KEEP_RT_TABLES=Yes
DELETE_THEN_ADD=Yes DELETE_THEN_ADD=Yes


@ -125,7 +125,7 @@ EXPORTPARAMS=No
EXPAND_POLICIES=No EXPAND_POLICIES=No
KEEP_RT_TABLES=No KEEP_RT_TABLES=Yes
DELETE_THEN_ADD=Yes DELETE_THEN_ADD=Yes


@ -4,6 +4,8 @@ Changes in Shorewall 4.3.2
2) Add 'allowBcast' and 'dropBcast' builtin actions to Shorewall6. 2) Add 'allowBcast' and 'dropBcast' builtin actions to Shorewall6.
3) Enable multi-ISP in Shorewall6.
Changes in Shorewall 4.3.1 Changes in Shorewall 4.3.1
1) Allow addresses in rules to be enclosed in square brackets. 1) Allow addresses in rules to be enclosed in square brackets.


@ -22,6 +22,8 @@ Other changes in 4.3.2
/etc/shorewall8/interfaces. The option drops incoming packets whose /etc/shorewall8/interfaces. The option drops incoming packets whose
source address is an anycast or multicast addreess. source address is an anycast or multicast addreess.
4) Multi-ISP is now enabled in Shorewall8.
Migration Issues. Migration Issues.
None. None.
@ -73,15 +75,16 @@ New Features in Shorewall 4.3
routeback routeback
tcpflags tcpflags
e) Traffic Shaping and Multi-ISP support are currently disabled. Packet e) Traffic Shaping is currently disabled. Packet marking and
marking and connection marking are available to feed your current connection marking are available to feed your current traffic
traffic shaping defined in Shorewall. shaping defined in Shorewall.
f) When both an interface and an address or address list need to f) When both an interface and an address or address list need to
be specified in a rule, the address or list must be enclosed in be specified in a rule, the address or list must be enclosed in
square brackets. Example: square brackets. Example:
ACCEPT net:eth0:[2001:19f0:feee::dead:beef:cafe] dmz #ACTION SOURCE DEST
ACCEPT net:eth0:[2001:19f0:feee::dead:beef:cafe] dmz
Note that this includes MAC addresses as well as IPv6 addresses. Note that this includes MAC addresses as well as IPv6 addresses.


@ -129,9 +129,9 @@ sub copy_table( $$$ ) {
my ( $duplicate, $number, $realm ) = @_; my ( $duplicate, $number, $realm ) = @_;
if ( $realm ) { if ( $realm ) {
emit ( "ip -4 route show table $duplicate | sed -r 's/ realm [[:alnum:]_]+//' | while read net route; do" ) emit ( "ip -$family route show table $duplicate | sed -r 's/ realm [[:alnum:]_]+//' | while read net route; do" )
} else { } else {
emit ( "ip -4 route show table $duplicate | while read net route; do" ) emit ( "ip -$family route show table $duplicate | while read net route; do" )
} }
emit ( ' case $net in', emit ( ' case $net in',
@ -149,9 +149,9 @@ sub copy_and_edit_table( $$$$ ) {
my ( $duplicate, $number, $copy, $realm) = @_; my ( $duplicate, $number, $copy, $realm) = @_;
if ( $realm ) { if ( $realm ) {
emit ( "ip route show table $duplicate | sed -r 's/ realm [[:alnum:]_]+//' | while read net route; do" ) emit ( "ip -$family route show table $duplicate | sed -r 's/ realm [[:alnum:]_]+//' | while read net route; do" )
} else { } else {
emit ( "ip route show table $duplicate | while read net route; do" ) emit ( "ip -$family route show table $duplicate | while read net route; do" )
} }
emit ( ' case $net in', emit ( ' case $net in',
@ -228,8 +228,8 @@ sub add_a_provider( $$$$$$$$ ) {
emit "if interface_is_usable $interface; then"; emit "if interface_is_usable $interface; then";
push_indent; push_indent;
emit "qt ip route flush table $number"; emit "qt ip -$family route flush table $number";
emit "echo \"qt ip route flush table $number\" >> \${VARDIR}/undo_routing"; emit "echo \"qt ip -$family route flush table $number\" >> \${VARDIR}/undo_routing";
if ( $gateway eq 'detect' ) { if ( $gateway eq 'detect' ) {
fatal_error "'detect' is not allowed with USE_DEFAULT_RT=Yes" if $config{USE_DEFAULT_RT}; fatal_error "'detect' is not allowed with USE_DEFAULT_RT=Yes" if $config{USE_DEFAULT_RT};
@ -265,10 +265,10 @@ sub add_a_provider( $$$$$$$$ ) {
my $pref = 10000 + $number - 1; my $pref = 10000 + $number - 1;
emit ( "qt ip rule del fwmark $mark" ) if $config{DELETE_THEN_ADD}; emit ( "qt ip -$family rule del fwmark $mark" ) if $config{DELETE_THEN_ADD};
emit ( "run_ip rule add fwmark $mark pref $pref table $number", emit ( "run_ip rule add fwmark $mark pref $pref table $number",
"echo \"qt ip rule del fwmark $mark\" >> \${VARDIR}/undo_routing" "echo \"qt ip -$family rule del fwmark $mark\" >> \${VARDIR}/undo_routing"
); );
} }
@ -360,23 +360,23 @@ sub add_a_provider( $$$$$$$$ ) {
if ( $loose ) { if ( $loose ) {
if ( $config{DELETE_THEN_ADD} ) { if ( $config{DELETE_THEN_ADD} ) {
emit ( "\nfind_interface_addresses $interface | while read address; do", emit ( "\nfind_interface_addresses $interface | while read address; do",
' qt ip rule del from $address', " qt ip $family rule del from $address",
'done' 'done'
); );
} }
} elsif ( $shared ) { } elsif ( $shared ) {
emit "qt ip rule del from $address" if $config{DELETE_THEN_ADD}; emit "qt ip -$family rule del from $address" if $config{DELETE_THEN_ADD};
emit( "run_ip rule add from $address pref 20000 table $number" , emit( "run_ip -$family rule add from $address pref 20000 table $number" ,
"echo \"qt ip rule del from $address\" >> \${VARDIR}/undo_routing" ); "echo \"qt ip -$family rule del from $address\" >> \${VARDIR}/undo_routing" );
} else { } else {
my $rulebase = 20000 + ( 256 * ( $number - 1 ) ); my $rulebase = 20000 + ( 256 * ( $number - 1 ) );
emit "\nrulenum=0\n"; emit "\nrulenum=0\n";
emit ( "find_interface_addresses $interface | while read address; do" ); emit ( "find_interface_addresses $interface | while read address; do" );
emit ( ' qt ip rule del from $address' ) if $config{DELETE_THEN_ADD}; emit ( " qt ip $family rule del from $address" ) if $config{DELETE_THEN_ADD};
emit ( " run_ip rule add from \$address pref \$(( $rulebase + \$rulenum )) table $number", emit ( " run_ip rule add from \$address pref \$(( $rulebase + \$rulenum )) table $number",
" echo \"qt ip rule del from \$address\" >> \${VARDIR}/undo_routing", " echo \"qt ip -$family rule del from \$address\" >> \${VARDIR}/undo_routing",
' rulenum=$(($rulenum + 1))', ' rulenum=$(($rulenum + 1))',
'done' 'done'
); );
@ -447,7 +447,7 @@ sub add_an_rtrule( $$$$ ) {
$priority = "priority $priority"; $priority = "priority $priority";
emit ( "qt ip rule del $source $dest $priority" ) if $config{DELETE_THEN_ADD}; emit ( "qt ip -$family rule del $source $dest $priority" ) if $config{DELETE_THEN_ADD};
my ( $optional, $number ) = ( $providers{$provider}{optional} , $providers{$provider}{number} ); my ( $optional, $number ) = ( $providers{$provider}{optional} , $providers{$provider}{number} );
@ -457,8 +457,8 @@ sub add_an_rtrule( $$$$ ) {
push_indent; push_indent;
} }
emit ( "run_ip rule add $source $dest $priority table $number", emit ( "run_ip -$family rule add $source $dest $priority table $number",
"echo \"qt ip rule del $source $dest $priority\" >> \${VARDIR}/undo_routing" ); "echo \"qt ip -$family rule del $source $dest $priority\" >> \${VARDIR}/undo_routing" );
pop_indent, emit ( "fi\n" ) if $optional; pop_indent, emit ( "fi\n" ) if $optional;
@ -473,7 +473,7 @@ sub setup_null_routing() {
save_progress_message "Null Routing the RFC 1918 subnets"; save_progress_message "Null Routing the RFC 1918 subnets";
for ( rfc1918_networks ) { for ( rfc1918_networks ) {
emit( "run_ip route replace unreachable $_" ); emit( "run_ip route replace unreachable $_" );
emit( "echo \"qt ip route del unreachable $_\" >> \${VARDIR}/undo_routing" ); emit( "echo \"qt ip -$family route del unreachable $_\" >> \${VARDIR}/undo_routing" );
} }
} }
@ -485,7 +485,7 @@ sub setup_providers() {
while ( read_a_line ) { while ( read_a_line ) {
unless ( $providers ) { unless ( $providers ) {
progress_message2 "$doing $fn ..."; progress_message2 "$doing $fn ...";
fatal_error "Multi-ISP support is not yet available in Shorewall6" if $family == F_IPV6; fatal_error "Multi-ISP support is not yet available in Shorewall6";
require_capability( 'MANGLE_ENABLED' , 'a non-empty providers file' , 's' ); require_capability( 'MANGLE_ENABLED' , 'a non-empty providers file' , 's' );
@ -512,7 +512,7 @@ sub setup_providers() {
emit ( '#', emit ( '#',
'# Capture the default route(s) if we don\'t have it (them) already.', '# Capture the default route(s) if we don\'t have it (them) already.',
'#', '#',
'[ -f ${VARDIR}/default_route ] || ip route list | grep -E \'^\s*(default |nexthop )\' > ${VARDIR}/default_route', '[ -f ${VARDIR}/default_route ] || ip -' . $family . ' route list | grep -E \'^\s*(default |nexthop )\' > ${VARDIR}/default_route',
'#', '#',
'# Initialize the file that holds \'undo\' commands', '# Initialize the file that holds \'undo\' commands',
'#', '#',
@ -541,16 +541,16 @@ sub setup_providers() {
if ( $config{USE_DEFAULT_RT} ) { if ( $config{USE_DEFAULT_RT} ) {
emit ( 'run_ip rule add from all table ' . MAIN_TABLE . ' pref 999', emit ( 'run_ip rule add from all table ' . MAIN_TABLE . ' pref 999',
'ip rule del from all table ' . MAIN_TABLE . ' pref 32766', "ip -$family rule del from all table " . MAIN_TABLE . ' pref 32766',
'echo "qt ip rule add from all table ' . MAIN_TABLE . ' pref 32766" >> ${VARDIR}/undo_routing', qq(echo "qt ip -$family rule add from all table ) . MAIN_TABLE . ' pref 32766" >> ${VARDIR}/undo_routing',
'echo "qt ip rule del from all table ' . MAIN_TABLE . ' pref 999" >> ${VARDIR}/undo_routing', qq(echo "qt ip -$family rule del from all table ) . MAIN_TABLE . ' pref 999" >> ${VARDIR}/undo_routing',
'' ); '' );
$table = DEFAULT_TABLE; $table = DEFAULT_TABLE;
} }
emit ( 'if [ -n "$DEFAULT_ROUTE" ]; then' ); emit ( 'if [ -n "$DEFAULT_ROUTE" ]; then' );
emit ( " run_ip route replace default scope global table $table \$DEFAULT_ROUTE" ); emit ( " run_ip route replace default scope global table $table \$DEFAULT_ROUTE" );
emit ( ' qt ip route del default table ' . MAIN_TABLE ) if $config{USE_DEFAULT_RT}; emit ( " qt ip -$family route del default table " . MAIN_TABLE ) if $config{USE_DEFAULT_RT};
emit ( " progress_message \"Default route '\$(echo \$DEFAULT_ROUTE | sed 's/\$\\s*//')' Added\"", emit ( " progress_message \"Default route '\$(echo \$DEFAULT_ROUTE | sed 's/\$\\s*//')' Added\"",
'else', 'else',
' error_message "WARNING: No Default route added (all \'balance\' providers are down)"', ' error_message "WARNING: No Default route added (all \'balance\' providers are down)"',
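Review bot: In the -360 hunk the two DELETE_THEN_ADD lines inside the `find_interface_addresses ... | while read address` loops now emit `qt ip $family rule del from $address` — the `-` before `$family` is missing, unlike the sibling `-$family` lines, and because the string switched from single to double quotes Perl interpolates its own `$address` (the variable the `} elsif ( $shared )` branch uses) instead of emitting the shell variable that `read address` sets, so the generated script deletes the wrong rule or none. Both lines should read `" qt ip -$family rule del from \$address"`, matching the `\$address` escaping already used on the `run_ip rule add from \$address` line just below. Separately, the `run_ip rule add` / `run_ip route replace` calls in this section are inconsistent about passing `-$family` (added in the -360 and -457 hunks, absent in -265, -473 and -541); if `run_ip` does not supply the family itself, the IPv6 build will install IPv4 rules and routes there. In the -485 hunk the new `fatal_error` line appears to have lost only its `if $family == F_IPV6` guard; if it is really unconditional now, every non-empty providers file aborts, so confirm the whole statement was meant to go. add_a_provider, add_an_rtrule and setup_providers all begin and end outside their hunks.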


@ -125,7 +125,7 @@ EXPORTPARAMS=Yes
EXPAND_POLICIES=Yes EXPAND_POLICIES=Yes
KEEP_RT_TABLES=No KEEP_RT_TABLES=Yes
DELETE_THEN_ADD=Yes DELETE_THEN_ADD=Yes