#!/bin/sh # # Shorewall 3.3 -- /usr/share/shorewall/lib.providers # # This program is under GPL [http://www.gnu.org/copyleft/gpl.htm] # # (c) 1999,2000,2001,2002,2003,2004,2005,2006 - Tom Eastep (teastep@shorewall.net) # # Complete documentation is available at http://shorewall.net # # This program is free software; you can redistribute it and/or modify # it under the terms of Version 2 of the GNU General Public License # as published by the Free Software Foundation. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA # # This library is loaded by /usr/share/shorewall/compiler when the providers file is # non-empty. # # # Process the providers file # setup_providers() { local table number mark duplicate interface gateway options provider address copy route loose addresses rulenum rulebase echobin=$(mywhich echo) balance save_indent="$INDENT" mask= first=Yes save_indent1= copy_table() { indent >&3 << __EOF__ ip route show table $duplicate | while read net route; do case \$net in default|nexthop) ;; *) run_ip route add table $number \$net \$route ;; esac done __EOF__ } copy_and_edit_table() { indent >&3 << __EOF__ ip route show table $duplicate | while read net route; do case \$net in default|nexthop) ;; *) case \$(find_device \$route) in `echo $copy\) | sed 's/ /|/g'` run_ip route add table $number \$net \$route ;; esac ;; esac done __EOF__ } balance_default_route() # $1 = weight { balance=yes save_command if [ -n "$first" ]; then if [ -n "$gateway" ] ; then save_command "DEFAULT_ROUTE=\"nexthop via $gateway dev $interface weight $1\"" else save_command "DEFAULT_ROUTE=\"nexthop dev $interface weight $1\"" fi first= else if [ -n "$gateway" ] ; then save_command "DEFAULT_ROUTE=\"\$DEFAULT_ROUTE nexthop via $gateway dev $interface weight $1\"" else save_command "DEFAULT_ROUTE=\"\$DEFAULT_ROUTE nexthop dev $interface weight $1\"" fi fi } add_a_provider() { local t n iface option optional= [ -n "$MANGLE_ENABLED" ] || fatal_error "Providers require mangle support in your kernel and iptables" for t in $PROVIDERS local main default unspec; do if [ "$t" = "$table" ]; then fatal_error "Duplicate Provider: $table, provider: \"$provider\"" fi eval n=\$${t}_number # # The following is because the %$#@ shell doesn't accept hex numbers in '-eq' tests # if [ $(($n)) -eq $(($number)) ]; then fatal_error "Duplicate Provider number: $number, provider: \"$provider\"" fi done eval ${table}_number=$number indent >&3 << __EOF__ # # Add Provider $table ($number) # __EOF__ save_command "if interface_is_up $interface && [ \"\$(find_first_interface_address_if_any $interface)\" != 0.0.0.0 ]; then" save_indent1="$INDENT" INDENT="$INDENT " iface=$(chain_base $interface) save_command "${iface}_up=Yes" save_command "qt ip route flush table $number" if [ "x${duplicate:=-}" != x- ]; then if [ "x${copy:=-}" != "x-" ]; then if [ "x${copy}" = xnone ]; then copy=$interface else copy="$interface $(separate_list $copy)" fi copy_and_edit_table else copy_table fi fi if [ "x$gateway" = xdetect ] ; then gateway='$gateway' indent >&3 << __EOF__ gateway=\$(detect_gateway $interface) if [ -n "\$gateway" ]; then run_ip route replace \$gateway src \$(find_first_interface_address $interface) dev $interface table $number run_ip route add default via \$gateway dev $interface table $number else fatal_error "Unable to detect the gateway through interface $interface" fi __EOF__ elif [ "x$gateway" != "x-" -a -n "$gateway" ]; then indent >&3 << __EOF__ run_ip route replace $gateway src \$(find_first_interface_address $interface) dev $interface table $number run_ip route add default via $gateway dev $interface table $number __EOF__ else gateway= save_command "run_ip route add default dev $interface table $number" fi if [ x${mark} != x- ]; then verify_mark $mark if [ $(($mark)) -lt 256 ]; then if [ -n "$HIGH_ROUTE_MARKS" ]; then fatal_error "Invalid Mark Value ($mark) with HIGH_ROUTE_MARKS=Yes" fi elif [ -z "$HIGH_ROUTE_MARKS" ]; then fatal_error "Invalid Mark Value ($mark) with HIGH_ROUTE_MARKS=No" fi eval ${table}_mark=$mark save_command "qt ip rule del fwmark $mark" save_command "run_ip rule add fwmark $mark pref $((10000 + $mark)) table $number" fi loose= for option in $(separate_list $options); do case $option in -) ;; track) list_search $interface $ROUTEMARK_INTERFACES && \ fatal_error "Interface $interface is tracked through an earlier provider" [ x${mark} = x- ] && fatal_error "The 'track' option requires a numeric value in the MARK column - Provider \"$provider\"" eval ${iface}_routemark=$mark ROUTEMARK_INTERFACES="$ROUTEMARK_INTERFACES $interface" ;; balance=*) balance_default_route ${option#*=} ;; balance) balance_default_route 1 ;; loose) loose=Yes ;; optional) optional=Yes ;; *) error_message "WARNING: Invalid option ($option) ignored in provider \"$provider\"" ;; esac done rulenum=0 if [ -z "$loose" ]; then rulebase=$(( 20000 + ( 256 * ($number-1) ) )) indent >&3 << __EOF__ rulenum=0 find_interface_addresses $interface | while read address; do qt ip rule del from \$address run_ip rule add from \$address pref \$(( $rulebase + \$rulenum )) table $number rulenum=\$((\$rulenum + 1)) done __EOF__ else indent >&3 << __EOF__ find_interface_addresses $interface | while read address; do qt ip rule del from \$address done __EOF__ fi indent >&3 << __EOF__ progress_message " Provider $table ($number) Added" __EOF__ INDENT="$save_indent1" save_command else if [ -n "$optional" ]; then save_command " error_message \"WARNING: Interface $interface is not configured -- Provider $table ($number) not Added\"" save_command " ${iface}_up=" else save_command " fatal_error \"ERROR: Interface $interface is not configured -- Provider $table ($number) Cannot be Added\"" fi save_command fi save_command } verify_provider() { local p n for p in $PROVIDERS main; do [ "$p" = "$1" ] && return 0 eval n=\$${p}_number} [ "$n" = "$1" ] && return 0 done fatal_error "Unknown provider $1 in route rule \"$rule\"" } add_an_rtrule() { verify_provider $provider [ "x$source" = x- ] && source= [ "x$dest" = x- ] && dest= || dest="to $dest" [ -n "${source}${dest}" ] || fatal_error "You must specify either the source or destination in an rt rule: \"$rule\"" [ -n "$source" ] && case $source in *:*) source="iif ${source%:*} from ${source#*:}" ;; *.*.*) source="from $source" ;; *) source="iif $source" ;; esac case "$priority" in [0-9][0-9][0-9][0-9]|[0-9][0-9][0-9][0-9][0-9]) ;; *) fatal_error "Invalid priority ($priority) in rule \"$rule\"" ;; esac priority="priority $priority" save_command "qt ip rule del $source $dest $priority" save_command "run_ip rule add $source $dest $priority table $provider" progress_message "Routing rule \"$rule\" $DONE" } local_number=255 main_number=254 default_number=253 unspec_number=0 balance= progress_message2 "$DOING $1..." save_command save_command "if [ -z \"\$NOROUTES\" ]; then" INDENT="$INDENT " save_progress_message "Adding Providers..." save_command "DEFAULT_ROUTE=" while read table number mark duplicate interface gateway options copy; do expandv table number mark duplicate interface gateway options copy provider="$table $number $mark $duplicate $interface $gateway $options $copy" add_a_provider PROVIDERS="$PROVIDERS $table" progress_message "Provider $provider $DONE" done < $TMP_DIR/providers if [ -n "$PROVIDERS" ]; then if [ -n "$balance" ]; then save_command "if [ -n \"\$DEFAULT_ROUTE\" ]; then" save_command " run_ip route replace default scope global \$DEFAULT_ROUTE" save_command " progress_message \"Default route '\$(echo \$DEFAULT_ROUTE | sed 's/\$\\s*//')' Added\"" save_command "else" save_command " error_message \"WARNING: No Default route added (all 'balance' providers are down)\"" save_command "fi" save_command fi cat >&3 << __EOF__ ${INDENT}cat > /etc/iproute2/rt_tables <&3 << __EOF__ \${echobin:-echo} -e "$number\t$table" >> /etc/iproute2/rt_tables __EOF__ done f=$(find_file route_rules) if [ -f $f ]; then strip_file route_rules $f if [ -s $TMP_DIR/route_rules ]; then progress_message2 "$DOING $f..." save_command while read source dest provider priority; do expandv source dest provider priority rule="$source $dest $priority $provider" add_an_rtrule done < $TMP_DIR/route_rules fi fi fi save_command "run_ip route flush cache" INDENT="$save_indent" save_command "fi" save_command } # # Set up Routing # setup_routes() { local mask=0xFF mark_op="--set-mark" save_indent="$INDENT" [ -n "$HIGH_ROUTE_MARKS" ] && mask=0xFF00 && mark_op="--or-mark" run_iptables -t mangle -A PREROUTING -m connmark ! --mark 0/$mask -j CONNMARK --restore-mark --mask $mask run_iptables -t mangle -A OUTPUT -m connmark ! --mark 0/$mask -j CONNMARK --restore-mark --mask $mask createmanglechain routemark if [ -n "$ROUTEMARK_INTERFACES" ]; then for interface in $ROUTEMARK_INTERFACES ; do iface=$(chain_base $interface) eval mark_value=\$${iface}_routemark save_command save_command "if [ -n \"\$${iface}_up\" ]; then" INDENT="$INDENT " run_iptables -t mangle -A PREROUTING -i $interface -m mark --mark 0/$mask -j routemark run_iptables -t mangle -A routemark -i $interface -j MARK $mark_op $mark_value INDENT="$save_indent" save_command "fi" done save_command fi run_iptables -t mangle -A routemark -m mark ! --mark 0/$mask -j CONNMARK --save-mark --mask $mask }