Add 'default_rt' option

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9249 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2009-01-06 18:33:19 +00:00
parent d4d8d79dc2
commit ee6cdfe001
5 changed files with 102 additions and 41 deletions

View File

@ -253,6 +253,21 @@ our $mode;
our $family;
#
# These are the zone-oriented builtin targets
#
our %builtin_target = ( ACCEPT => 1,
REJECT => 1,
DROP => 1,
RETURN => 1,
DNAT => 1,
SAME => 1,
LOG => 1,
NFLOG => 1,
QUEUE => 1,
NFQUEUE => 1,
REDIRECT => 1 );
#
# Initialize globals -- we take this novel approach to globals initialization to allow
# the compiler to run multiple times in the same process. The
@ -494,7 +509,7 @@ sub add_jump( $$$;$ ) {
#
# Ensure that we have the chain unless it is a builtin like 'ACCEPT'
#
$toref = ensure_chain( $fromref->{table} , $to ) unless ( $targets{$to} || 0 ) & STANDARD;
$toref = ensure_chain( $fromref->{table} , $to ) unless $builtin_target{ $to };
}
#
@ -525,7 +540,6 @@ sub insert_rule($$$)
$iprangematch = 0;
$chainref->{referenced} = 1;
}
#
@ -769,7 +783,7 @@ sub new_chain($$)
{
my ($table, $chain) = @_;
fatal_error "Internal error in new_chain()" if $chain_table{$table}{$chain};
fatal_error "Internal error in new_chain()" if $chain_table{$table}{$chain} || $builtin_target{ $chain };
$chain_table{$table}{$chain} = { name => $chain,
rules => [],
@ -1136,33 +1150,29 @@ sub newexclusionchain() {
# one for destination exclusion.
#
sub source_exclusion( $$ ) {
my ( $exclusions, $targetref ) = @_;
my ( $exclusions, $target ) = @_;
return $targetref unless @$exclusions;
return $target unless @$exclusions;
$targetref = ensure_filter_chain( $targetref, 0 ) unless reftype $targetref;
my $chainref = new_chain( $targetref->{table}, newexclusionchain );
my $chainref = new_chain( reftype $target ? $target->{table} : 'filter' , newexclusionchain );
add_rule( $chainref, match_source_net( $_ ) . '-j RETURN' ) for @$exclusions;
add_jump( $chainref, $targetref, 1 );
add_jump( $chainref, $target, 1 );
reftype $_[1] ? $chainref : $chainref->{name};
reftype $target ? $chainref : $chainref->{name};
}
sub dest_exclusion( $$ ) {
my ( $exclusions, $targetref ) = @_;
my ( $exclusions, $target ) = @_;
return $targetref unless @$exclusions;
return $target unless @$exclusions;
$targetref = ensure_filter_chain( $targetref, 0 ) unless reftype $targetref;
my $chainref = new_chain( $targetref->{table}, newexclusionchain );
my $chainref = new_chain( reftype $target ? $target->{table} : 'filter' , newexclusionchain );
add_rule( $chainref, match_dest_net( $_ ) . '-j RETURN' ) for @$exclusions;
add_jump( $chainref, $targetref, 1 );
add_jump( $chainref, $target, 1 );
reftype $_[1] ? $targetref : $targetref->{name};
reftype $target ? $chainref : $chainref->{name};
}
sub clearrule() {

View File

@ -299,7 +299,7 @@ sub initialize( $ ) {
LOGPARMS => '',
TC_SCRIPT => '',
EXPORT => 0,
VERSION => "4.2.4-RC3",
VERSION => "4.2.4",
CAPVERSION => 40203 ,
);
#
@ -995,7 +995,7 @@ sub create_temp_object( $ ) {
fatal_error "A compiled script may not be named 'shorewall'" if "$file" eq 'shorewall' && $suffix eq '';
eval {
$dir = abs_path $dir;
$dir = abs_path $dir unless $dir =~ m|^/|; # Work around http://rt.cpan.org/Public/Bug/Display.html?id=1385
( $object, $tempfile ) = tempfile ( 'tempfileXXXX' , DIR => $dir );
};

View File

@ -462,6 +462,20 @@
the INTERFACE column is assumed.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>default_rt (Added in Shorewall-perl 4.2.5)</term>
<listitem>
<para>Indicates that a default route through the provider
should be added to the default routing table (table 253).
The route is added with a metric equal to the provider
NUMBER so multiple providers can have this option. The
option is ignored with a warning message if
USE_DEFAULT_RT=Yes in
<filename>shorewall.conf</filename>.</para>
</listitem>
</varlistentry>
</variablelist>
<para>For those of you who are terminally confused
@ -1256,7 +1270,7 @@ wlan0 192.168.0.0/24</programlisting><note>
</section>
</section>
<section>
<section id="Complete">
<title>A Complete Working Example</title>
<para>This section describes the network at shorewall.net early in 2009.
@ -1298,9 +1312,30 @@ wlan0 192.168.0.0/24</programlisting><note>
<para>Because of the speed of the cable provider, all traffic uses that
provider unless there is a specific need for the traffic to use the DSL
line. As a consequence, I have disabled all route filtering on the
line.</para>
<itemizedlist>
<listitem>
<para>Responses to connections from the Internet to one of the DSL IP
addresses -- the <emphasis role="bold">track</emphasis> option takes
care of that.</para>
</listitem>
<listitem>
<para>Connections initiated by the server and connection requested by
clients on the firewall that have bound their local socket to one of
the DSL IP addresses. Two entries in
<filename>/etc/shorewall/route_rules</filename> take care of that
traffic.</para>
</listitem>
</itemizedlist>
<para>As a consequence, I have disabled all route filtering on the
firewall and do not use the <emphasis role="bold">balance</emphasis>
option in <filename>/etc/shorewall/providers</filename>.</para>
option in <filename>/etc/shorewall/providers</filename>. The default route
in the main table is established by DHCP. By specifying the
<emphasis>default_rt</emphasis> option on Avvanta, I ensure that there is
a default route when Comcast is down.</para>
<para><filename>/etc/sysctl.conf</filename>:</para>
@ -1309,7 +1344,7 @@ wlan0 192.168.0.0/24</programlisting><note>
<para><filename>/etc/shorewall/providers</filename>:</para>
<programlisting>#NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
Avvanta 1 0x100 main eth0 206.124.146.254 track,loose eth2,eth4,tun*
Avvanta 1 0x100 main eth0 206.124.146.254 track,loose,default_rt eth2,eth4,tun*
Comcast 2 0x200 main eth3 detect track eth2,eth4,tun*
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
@ -1370,6 +1405,8 @@ default via 71.227.156.1 dev eth3 src 71.227.156.229
Table default:
default via 206.124.146.254 dev eth0 metric 1
Table local:
broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1

View File

@ -1,4 +1,6 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry>
<refmeta>
<refentrytitle>shorewall-providers</refentrytitle>
@ -97,7 +99,7 @@
previously listed provider. You may select only certain entries from
the table to copy by using the COPY column below. This column should
contain a dash ("-') when USE_DEFAULT_RT=Yes in <ulink
url="shorewall.conf.html">shorewall.conf(5)</ulink>. </para>
url="shorewall.conf.html">shorewall.conf(5)</ulink>.</para>
</listitem>
</varlistentry>
@ -199,7 +201,8 @@
</varlistentry>
<varlistentry>
<term>src=<replaceable>source-address</replaceable></term>
<term><emphasis
role="bold">src=</emphasis><replaceable>source-address</replaceable></term>
<listitem>
<para>Added in Shorewall-perl 4.1.5. Specifies the source
@ -213,7 +216,8 @@
</varlistentry>
<varlistentry>
<term>mtu=<replaceable>number</replaceable></term>
<term><emphasis
role="bold">mtu=</emphasis><replaceable>number</replaceable></term>
<listitem>
<para>Added in Shorewall-perl 4.1.5. Specifies the MTU when
@ -221,6 +225,20 @@
interface named in the INTERFACE column is assumed.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">default_rt</emphasis></term>
<listitem>
<para>Added in Shorewall-perl 4.2.5. Indicates that a default
route through the provider should be added to the default
routing table (table 253). The route is added with a metric
equal to the provider NUMBER so multiple providers can have
this option. The option is ignored with a warning message if
USE_DEFAULT_RT=Yes in
<filename>shorewall.conf</filename>.</para>
</listitem>
</varlistentry>
</variablelist>
</listitem>
</varlistentry>

View File

@ -8,7 +8,7 @@
<h1 style="text-align: left;">Shorewall Documentation</h1>
<span style="font-weight: bold;">Tom Eastep</span><br>
<span style="font-weight: bold;">
</span>Copyright © 2005-2007 Thomas M. Eastep<br>
</span>Copyright © 2005-2009 Thomas M. Eastep<br>
<p>Permission is granted to copy, distribute and/or modify this
document
under the terms of the GNU Free Documentation License, Version 1.2 or
@ -21,7 +21,7 @@ license is included in the section entitled “<span class="quote"><a
href="GnuCopyright.htm" target="_self">GNU Free Documentation
License</a></span>”.<br>
</p>
<p>2008-10-05<br>
<p>2009-01-02<br>
</p>
<hr style="width: 100%; height: 2px;"> <strong></strong>
<ul>
@ -53,7 +53,7 @@ released with Shorewall 3.4.0 and later <br>
<a href="/3.0/manpages/Manpages.html">Shorewall 3.x</a><br>
<a href="/4.0/Manpages.html">Shorewall 4.0</a><br>
<a href="Manpages.html">Shorewall 4.2</a><br>
<a href="Manpages6.html">Shorewall6 4.x (IPv6 Support)</a><br>
<a href="Manpages6.html">Shorewall6 4.2 (IPv6 Support)</a><br>
<br>
</li>
<li><a href="shorewall_features.htm">Shorewall <span
@ -70,11 +70,7 @@ Guide</a> -- Look here when "it doesn't work"<br>
<li><strong>PPPPPPPS</strong> ( or, Paul's Principles for Practical
Provision of Packet Processing with Shorewall ) <a
href="http://linuxman.wikispaces.com/PPPPPPS">http://linuxman.wikispaces.com/PPPPPPS</a>
-- Some very useful tips for dealing with Shorewall from Paul Gear<br>
</li>
-- Some very useful tips for dealing with Shorewall from Paul Gear</li>
</ul>
<div style="margin-left: 40px;">
<a href="2.0/">Shorewall 2.x Documentation</a> </div>
<br>
</body>
</html>