From ee6cdfe00154fab5363047d88c3e9d05c44530ba Mon Sep 17 00:00:00 2001
From: teastep
Date: Tue, 6 Jan 2009 18:33:19 +0000
Subject: [PATCH] Add 'default_rt' option

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9249 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Shorewall-perl/Shorewall/Chains.pm | 52 ++++++++++++++++++------------
 Shorewall-perl/Shorewall/Config.pm |  4 +--
 docs/MultiISP.xml                  | 49 ++++++++++++++++++++++++----
 manpages/shorewall-providers.xml   | 26 ++++++++++++---
 web/Documentation.html             | 12 +++----
 5 files changed, 102 insertions(+), 41 deletions(-)

diff --git a/Shorewall-perl/Shorewall/Chains.pm b/Shorewall-perl/Shorewall/Chains.pm
index 3c440f289..e542cb139 100644
--- a/Shorewall-perl/Shorewall/Chains.pm
+++ b/Shorewall-perl/Shorewall/Chains.pm
@@ -253,6 +253,21 @@ our $mode;
 our $family;
 
 
+#
+# These are the zone-oriented builtin targets
+#
+our %builtin_target = ( ACCEPT => 1,
+                        REJECT => 1,
+                        DROP => 1,
+                        RETURN => 1,
+                        DNAT => 1,
+                        SAME => 1,
+                        LOG => 1,
+                        NFLOG => 1,
+                        QUEUE => 1,
+                        NFQUEUE => 1,
+                        REDIRECT => 1 );
+
 #
 # Initialize globals -- we take this novel approach to globals initialization to allow
 # the compiler to run multiple times in the same process. The
@@ -471,7 +486,7 @@ sub add_rule($$;$)
         push_rule ( $chainref, $rule );
     }
 }
-
+
 #
 # Add a jump from the chain represented by the reference in the first argument to
 # the target in the second argument. The optional third argument specifies any
@@ -494,7 +509,7 @@ sub add_jump( $$$;$ ) {
     #
     # Ensure that we have the chain unless it is a builtin like 'ACCEPT'
     #
-    $toref = ensure_chain( $fromref->{table} , $to ) unless ( $targets{$to} || 0 ) & STANDARD;
+    $toref = ensure_chain( $fromref->{table} , $to ) unless $builtin_target{ $to };
     }
 
     #
@@ -525,7 +540,6 @@ sub insert_rule($$$)
     $iprangematch = 0;
 
     $chainref->{referenced} = 1;
-
 }
 
 #
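Review bot: `%builtin_target` is now the only thing standing between `add_jump` (the `@@ -494` hunk) and `ensure_chain` for a builtin: the replaced test `( $targets{$to} || 0 ) & STANDARD` consulted `%targets`, so any netfilter target that `%targets` marks STANDARD but that is absent from this eleven-entry list will now be handed to `ensure_chain`, which presumably creates a user chain of that name instead of jumping to the builtin. Which target names actually reach `add_jump` is not visible in this diff, so I cannot say whether one is missing today, but the two lists will drift unless the dependency is written down next to the hash. I would extend the header comment to `# These are the zone-oriented builtin targets. add_jump() will not ensure_chain() a target named here, and new_chain() refuses to create a chain by any of these names; keep this list in step with the STANDARD entries of %targets.`.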
@@ -769,7 +783,7 @@ sub new_chain($$)
 {
     my ($table, $chain) = @_;
 
-    fatal_error "Internal error in new_chain()" if $chain_table{$table}{$chain};
+    fatal_error "Internal error in new_chain()" if $chain_table{$table}{$chain} || $builtin_target{ $chain };
 
     $chain_table{$table}{$chain} = { name => $chain,
                                      rules => [],
@@ -1136,33 +1150,29 @@ sub newexclusionchain() {
 # one for destination exclusion.
 #
 sub source_exclusion( $$ ) {
-    my ( $exclusions, $targetref ) = @_;
-
-    return $targetref unless @$exclusions;
-
-    $targetref = ensure_filter_chain( $targetref, 0 ) unless reftype $targetref;
-
-    my $chainref = new_chain( $targetref->{table}, newexclusionchain );
+    my ( $exclusions, $target ) = @_;
+    return $target unless @$exclusions;
+
+    my $chainref = new_chain( reftype $target ? $target->{table} : 'filter' , newexclusionchain );
+
     add_rule( $chainref, match_source_net( $_ ) . '-j RETURN' ) for @$exclusions;
 
-    add_jump( $chainref, $targetref, 1 );
+    add_jump( $chainref, $target, 1 );
 
-    reftype $_[1] ? $chainref : $chainref->{name};
+    reftype $target ? $chainref : $chainref->{name};
 }
 
 sub dest_exclusion( $$ ) {
-    my ( $exclusions, $targetref ) = @_;
+    my ( $exclusions, $target ) = @_;
 
-    return $targetref unless @$exclusions;
-
-    $targetref = ensure_filter_chain( $targetref, 0 ) unless reftype $targetref;
-
-    my $chainref = new_chain( $targetref->{table}, newexclusionchain );
+    return $target unless @$exclusions;
+    my $chainref = new_chain( reftype $target ? $target->{table} : 'filter' , newexclusionchain );
+
     add_rule( $chainref, match_dest_net( $_ ) . '-j RETURN' ) for @$exclusions;
 
-    add_jump( $chainref, $targetref, 1 );
+    add_jump( $chainref, $target, 1 );
 
-    reftype $_[1] ? $targetref : $targetref->{name};
+    reftype $target ? $chainref : $chainref->{name};
 }
 
 sub clearrule() {
diff --git a/Shorewall-perl/Shorewall/Config.pm b/Shorewall-perl/Shorewall/Config.pm
index 6dad88427..5305a5ce6 100644
--- a/Shorewall-perl/Shorewall/Config.pm
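Review bot: The extended guard in `new_chain` reports a builtin-name collision as `Internal error in new_chain()`, which hides the cause whenever `$chain` originates from configuration (a chain, action or macro named after a builtin) rather than from a compiler bug; whether such a caller exists is not visible in this hunk. I would test the two conditions separately so the message names the reserved word: `fatal_error "$chain is a reserved target name and may not be used as a chain name" if $builtin_target{ $chain };` placed before the existing `Internal error` check, which then keeps its original meaning. The body of `new_chain` continues outside the hunk.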
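Review bot: After this change `source_exclusion` and `dest_exclusion` are identical apart from the `match_source_net`/`match_dest_net` call, and the two copies already drifted once (the old `dest_exclusion` returned `$targetref` where `source_exclusion` returned `$chainref`, which this commit corrects), so a shared private helper taking the matcher as a code ref would stop that recurring. The blank-line layout of the two new bodies also differs (`return` directly under `my` in one, separated by a blank line in the other). Neither sub documents that a plain-string `$target` is assumed to live in the `filter` table, which the helper's header comment below records.

```perl
#
# Common body of source_exclusion() and dest_exclusion(). A plain-string
# $target is assumed to name a chain in the filter table; when it is a chain
# reference, its own table is used. Returns $target unchanged when there is
# nothing to exclude.
#
sub _exclusion_chain( $$$ ) {
    my ( $exclusions, $target, $matcher ) = @_;

    return $target unless @$exclusions;

    my $chainref = new_chain( reftype $target ? $target->{table} : 'filter' , newexclusionchain );

    add_rule( $chainref, $matcher->( $_ ) . '-j RETURN' ) for @$exclusions;

    add_jump( $chainref, $target, 1 );

    return reftype $target ? $chainref : $chainref->{name};
}

sub source_exclusion( $$ ) {
    my ( $exclusions, $target ) = @_;
    return _exclusion_chain( $exclusions, $target, \&match_source_net );
}

sub dest_exclusion( $$ ) {
    my ( $exclusions, $target ) = @_;
    return _exclusion_chain( $exclusions, $target, \&match_dest_net );
}
```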
+++ b/Shorewall-perl/Shorewall/Config.pm @@ -299,7 +299,7 @@ sub initialize( $ ) { LOGPARMS => '', TC_SCRIPT => '', EXPORT => 0, - VERSION => "4.2.4-RC3", + VERSION => "4.2.4", CAPVERSION => 40203 , ); # @@ -995,7 +995,7 @@ sub create_temp_object( $ ) { fatal_error "A compiled script may not be named 'shorewall'" if "$file" eq 'shorewall' && $suffix eq ''; eval { - $dir = abs_path $dir; + $dir = abs_path $dir unless $dir =~ m|^/|; # Work around http://rt.cpan.org/Public/Bug/Display.html?id=1385 ( $object, $tempfile ) = tempfile ( 'tempfileXXXX' , DIR => $dir ); }; diff --git a/docs/MultiISP.xml b/docs/MultiISP.xml index ec6c87125..49613d307 100644 --- a/docs/MultiISP.xml +++ b/docs/MultiISP.xml @@ -462,6 +462,20 @@ the INTERFACE column is assumed. + + + default_rt (Added in Shorewall-perl 4.2.5) + + + Indicates that a default route through the provider + should be added to the default routing table (table 253). + The route is added with a metric equal to the provider + NUMBER so multiple providers can have this option. The + option is ignored with a warning message if + USE_DEFAULT_RT=Yes in + shorewall.conf. + + For those of you who are terminally confused @@ -1256,7 +1270,7 @@ wlan0 192.168.0.0/24 -
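Review bot: The changed line in `create_temp_object` skips `abs_path` for any `$dir` that already begins with `/`, but the trailing `# Work around http://rt.cpan.org/...` comment names only the ticket, not the failure being avoided, so a later reader cannot tell when the workaround may be dropped or that an absolute `$dir` now reaches `tempfile` exactly as given (no symlink or `..` resolution). I would state the symptom in the comment, e.g. `# abs_path is skipped for absolute paths: <describe the failure seen> (rt.cpan.org #1385); such a $dir is passed to tempfile unresolved`, with the placeholder filled in from the ticket. The test itself reads more clearly with the string anchor, `$dir =~ m{\A/}`, which is equivalent here since no `/m` is in effect. The enclosing `eval` block and the rest of `create_temp_object`, including whatever inspects `$@` afterwards, continue outside the hunk.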
+
A Complete Working Example This section describes the network at shorewall.net early in 2009. @@ -1298,9 +1312,30 @@ wlan0 192.168.0.0/24 Because of the speed of the cable provider, all traffic uses that provider unless there is a specific need for the traffic to use the DSL - line. As a consequence, I have disabled all route filtering on the + line. + + + + Responses to connections from the Internet to one of the DSL IP + addresses -- the track option takes + care of that. + + + + Connections initiated by the server and connection requested by + clients on the firewall that have bound their local socket to one of + the DSL IP addresses. Two entries in + /etc/shorewall/route_rules take care of that + traffic. + + + + As a consequence, I have disabled all route filtering on the firewall and do not use the balance - option in /etc/shorewall/providers. + option in /etc/shorewall/providers. The default route + in the main table is established by DHCP. By specifying the + default_rt option on Avvanta, I ensure that there is + a default route when Comcast is down. /etc/sysctl.conf: @@ -1308,9 +1343,9 @@ wlan0 192.168.0.0/24 /etc/shorewall/providers: - #NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY -Avvanta 1 0x100 main eth0 206.124.146.254 track,loose eth2,eth4,tun* -Comcast 2 0x200 main eth3 detect track eth2,eth4,tun* + #NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY +Avvanta 1 0x100 main eth0 206.124.146.254 track,loose,default_rt eth2,eth4,tun* +Comcast 2 0x200 main eth3 detect track eth2,eth4,tun* #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE The loose option on Avvanta results @@ -1370,6 +1405,8 @@ default via 71.227.156.1 dev eth3 src 71.227.156.229 Table default: +default via 206.124.146.254 dev eth0 metric 1 + Table local: broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1 diff --git a/manpages/shorewall-providers.xml b/manpages/shorewall-providers.xml index 4c23394f1..ae5609051 100644 
--- a/manpages/shorewall-providers.xml +++ b/manpages/shorewall-providers.xml @@ -1,4 +1,6 @@ + shorewall-providers @@ -97,7 +99,7 @@ previously listed provider. You may select only certain entries from the table to copy by using the COPY column below. This column should contain a dash ("-') when USE_DEFAULT_RT=Yes in shorewall.conf(5). + url="shorewall.conf.html">shorewall.conf(5). @@ -199,7 +201,8 @@ - src=source-address + src=source-address Added in Shorewall-perl 4.1.5. Specifies the source @@ -213,7 +216,8 @@ - mtu=number + mtu=number Added in Shorewall-perl 4.1.5. Specifies the MTU when @@ -221,6 +225,20 @@ interface named in the INTERFACE column is assumed. + + + default_rt + + + Added in Shorewall-perl 4.2.5. Indicates that a default + route through the provider should be added to the default + routing table (table 253). The route is added with a metric + equal to the provider NUMBER so multiple providers can have + this option. The option is ignored with a warning message if + USE_DEFAULT_RT=Yes in + shorewall.conf. + + @@ -301,4 +319,4 @@ shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5) - \ No newline at end of file + diff --git a/web/Documentation.html b/web/Documentation.html index 03124bee4..1af207669 100644 --- a/web/Documentation.html +++ b/web/Documentation.html @@ -8,7 +8,7 @@

Shorewall Documentation

Tom Eastep
-Copyright © 2005-2007 Thomas M. Eastep
+Copyright © 2005-2009 Thomas M. Eastep

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or
@@ -21,7 +21,7 @@ license is included in the section entitled “GNU Free Documentation License”.

-

2008-10-05
+

2009-01-02


- -