Add logical->physical mapping to Shorewall::Providers

This commit is contained in:
Tom Eastep 2009-11-08 07:00:43 -08:00
parent ca1dd1416d
commit 09f1b6501c
3 changed files with 48 additions and 35 deletions


@ -108,12 +108,13 @@ sub setup_route_marking() {
for my $providerref ( @routemarked_providers ) { for my $providerref ( @routemarked_providers ) {
my $interface = $providerref->{interface}; my $interface = $providerref->{interface};
my $physical = $providerref->{physical};
my $mark = $providerref->{mark}; my $mark = $providerref->{mark};
my $base = uc chain_base $interface; my $base = uc chain_base $physical;
if ( $providerref->{optional} ) { if ( $providerref->{optional} ) {
if ( $providerref->{shared} ) { if ( $providerref->{shared} ) {
add_commands( $chainref, qq(if [ interface_is_usable $interface -a -n "$providerref->{mac}" ]; then) ); add_commands( $chainref, qq(if [ interface_is_usable $physical -a -n "$providerref->{mac}" ]; then) );
} else { } else {
add_commands( $chainref, qq(if [ -n "\$${base}_IS_USABLE" ]; then) ); add_commands( $chainref, qq(if [ -n "\$${base}_IS_USABLE" ]; then) );
} }
@ -122,16 +123,16 @@ sub setup_route_marking() {
} }
unless ( $marked_interfaces{$interface} ) { unless ( $marked_interfaces{$interface} ) {
add_rule $mangle_table->{PREROUTING} , "-i $interface -m mark --mark 0/$mask -j routemark"; add_rule $mangle_table->{PREROUTING} , "-i $physical -m mark --mark 0/$mask -j routemark";
add_jump $mangle_table->{PREROUTING} , $chainref1, 0, "! -i $interface -m mark --mark $mark/$mask "; add_jump $mangle_table->{PREROUTING} , $chainref1, 0, "! -i $physical -m mark --mark $mark/$mask ";
add_jump $mangle_table->{OUTPUT} , $chainref2, 0, "-m mark --mark $mark/$mask "; add_jump $mangle_table->{OUTPUT} , $chainref2, 0, "-m mark --mark $mark/$mask ";
$marked_interfaces{$interface} = 1; $marked_interfaces{$interface} = 1;
} }
if ( $providerref->{shared} ) { if ( $providerref->{shared} ) {
add_rule $chainref, " -i $interface -m mac --mac-source $providerref->{mac} -j MARK --set-mark $providerref->{mark}"; add_rule $chainref, match_source_dev( $interface ) . "-m mac --mac-source $providerref->{mac} -j MARK --set-mark $providerref->{mark}";
} else { } else {
add_rule $chainref, " -i $interface -j MARK --set-mark $providerref->{mark}"; add_rule $chainref, match_source_dev( $interface ) . "-j MARK --set-mark $providerref->{mark}";
} }
decr_cmd_level( $chainref), add_commands( $chainref, "fi" ) if $providerref->{optional}; decr_cmd_level( $chainref), add_commands( $chainref, "fi" ) if $providerref->{optional};
@ -170,6 +171,10 @@ sub copy_and_edit_table( $$$$ ) {
# Hack to work around problem in iproute # Hack to work around problem in iproute
# #
my $filter = $family == F_IPV6 ? q(sed 's/ via :: / /' | ) : ''; my $filter = $family == F_IPV6 ? q(sed 's/ via :: / /' | ) : '';
#
# Map physical names to logical names in $copy
#
$copy = join( '|' , map( physical_name($_) , split( ',' , $copy ) ) );
if ( $realm ) { if ( $realm ) {
emit ( "\$IP -$family route show table $duplicate | sed -r 's/ realm [[:alnum:]_]+//' | while read net route; do" ) emit ( "\$IP -$family route show table $duplicate | sed -r 's/ realm [[:alnum:]_]+//' | while read net route; do" )
@ -280,7 +285,8 @@ sub add_a_provider( ) {
fatal_error "Unknown Interface ($interface)" unless known_interface $interface; fatal_error "Unknown Interface ($interface)" unless known_interface $interface;
fatal_error "A bridge port ($interface) may not be configured as a provider interface" if port_to_bridge $interface; fatal_error "A bridge port ($interface) may not be configured as a provider interface" if port_to_bridge $interface;
my $base = uc chain_base $interface; my $physical = get_physical $interface;
my $base = uc chain_base $physical;
my $gatewaycase = ''; my $gatewaycase = '';
if ( $gateway eq 'detect' ) { if ( $gateway eq 'detect' ) {
@ -383,6 +389,7 @@ sub add_a_provider( ) {
number => $number , number => $number ,
mark => $val ? in_hex($val) : $val , mark => $val ? in_hex($val) : $val ,
interface => $interface , interface => $interface ,
physical => $physical ,
optional => $optional , optional => $optional ,
gateway => $gateway , gateway => $gateway ,
gatewaycase => $gatewaycase , gatewaycase => $gatewaycase ,
@ -410,19 +417,19 @@ sub add_a_provider( ) {
if ( $shared ) { if ( $shared ) {
my $variable = $providers{$table}{mac} = get_interface_mac( $gateway, $interface , $table ); my $variable = $providers{$table}{mac} = get_interface_mac( $gateway, $interface , $table );
$realm = "realm $number"; $realm = "realm $number";
start_provider( $table, $number, qq(if interface_is_usable $interface && [ -n "$variable" ]; then) ); start_provider( $table, $number, qq(if interface_is_usable $physical && [ -n "$variable" ]; then) );
} else { } else {
if ( $optional ) { if ( $optional ) {
start_provider( $table, $number, qq(if [ -n "\$${base}_IS_USABLE" ]; then) ); start_provider( $table, $number, qq(if [ -n "\$${base}_IS_USABLE" ]; then) );
} elsif ( $gatewaycase eq 'detect' ) { } elsif ( $gatewaycase eq 'detect' ) {
start_provider( $table, $number, qq(if interface_is_usable $interface && [ -n "$gateway" ]; then) ); start_provider( $table, $number, qq(if interface_is_usable $physical && [ -n "$gateway" ]; then) );
} else { } else {
start_provider( $table, $number, "if interface_is_usable $interface; then" ); start_provider( $table, $number, "if interface_is_usable $physical; then" );
} }
$provider_interfaces{$interface} = $table; $provider_interfaces{$interface} = $table;
emit "run_ip route add default dev $interface table $number" if $gatewaycase eq 'none'; emit "run_ip route add default dev $physical table $number" if $gatewaycase eq 'none';
} }
if ( $mark ne '-' ) { if ( $mark ne '-' ) {
@ -441,8 +448,7 @@ sub add_a_provider( ) {
if ( $copy eq 'none' ) { if ( $copy eq 'none' ) {
$copy = $interface; $copy = $interface;
} else { } else {
$copy =~ tr/,/|/; $copy = "$interface,$copy";
$copy = "$interface|$copy";
} }
copy_and_edit_table( $duplicate, $number ,$copy , $realm); copy_and_edit_table( $duplicate, $number ,$copy , $realm);
@ -454,28 +460,28 @@ sub add_a_provider( ) {
if ( $gateway ) { if ( $gateway ) {
$address = get_interface_address $interface unless $address; $address = get_interface_address $interface unless $address;
emit "run_ip route replace $gateway src $address dev $interface ${mtu}table $number $realm"; emit "run_ip route replace $gateway src $address dev $physical ${mtu}table $number $realm";
emit "run_ip route add default via $gateway src $address dev $interface ${mtu}table $number $realm"; emit "run_ip route add default via $gateway src $address dev $physical ${mtu}table $number $realm";
} }
balance_default_route $balance , $gateway, $interface, $realm if $balance; balance_default_route $balance , $gateway, $physical, $realm if $balance;
if ( $default > 0 ) { if ( $default > 0 ) {
balance_fallback_route $default , $gateway, $interface, $realm; balance_fallback_route $default , $gateway, $physical, $realm;
} elsif ( $default ) { } elsif ( $default ) {
emit ''; emit '';
if ( $gateway ) { if ( $gateway ) {
emit qq(run_ip route replace default via $gateway src $address dev $interface table ) . DEFAULT_TABLE . qq( dev $interface metric $number); emit qq(run_ip route replace default via $gateway src $address dev $physical table ) . DEFAULT_TABLE . qq( metric $number);
emit qq(echo "qt \$IP -$family route del default via $gateway table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_routing); emit qq(echo "qt \$IP -$family route del default via $gateway table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_routing);
} else { } else {
emit qq(run_ip route add default table ) . DEFAULT_TABLE . qq( dev $interface metric $number); emit qq(run_ip route add default table ) . DEFAULT_TABLE . qq( dev $physical metric $number);
emit qq(echo "qt \$IP -$family route del default dev $interface table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_routing); emit qq(echo "qt \$IP -$family route del default dev $physical table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_routing);
} }
} }
if ( $loose ) { if ( $loose ) {
if ( $config{DELETE_THEN_ADD} ) { if ( $config{DELETE_THEN_ADD} ) {
emit ( "\nfind_interface_addresses $interface | while read address; do", emit ( "\nfind_interface_addresses $physical | while read address; do",
" qt \$IP -$family rule del from \$address", " qt \$IP -$family rule del from \$address",
'done' 'done'
); );
@ -489,7 +495,7 @@ sub add_a_provider( ) {
emit "\nrulenum=0\n"; emit "\nrulenum=0\n";
emit ( "find_interface_addresses $interface | while read address; do" ); emit ( "find_interface_addresses $physical | while read address; do" );
emit ( " qt \$IP -$family rule del from \$address" ) if $config{DELETE_THEN_ADD}; emit ( " qt \$IP -$family rule del from \$address" ) if $config{DELETE_THEN_ADD};
emit ( " run_ip rule add from \$address pref \$(( $rulebase + \$rulenum )) table $number", emit ( " run_ip rule add from \$address pref \$(( $rulebase + \$rulenum )) table $number",
" echo \"qt \$IP -$family rule del from \$address\" >> \${VARDIR}/undo_routing", " echo \"qt \$IP -$family rule del from \$address\" >> \${VARDIR}/undo_routing",
@ -561,6 +567,7 @@ sub add_an_rtrule( ) {
( my $interface, $source , my $remainder ) = split( /:/, $source, 3 ); ( my $interface, $source , my $remainder ) = split( /:/, $source, 3 );
fatal_error "Invalid SOURCE" if defined $remainder; fatal_error "Invalid SOURCE" if defined $remainder;
validate_net ( $source, 0 ); validate_net ( $source, 0 );
$interface = physical_name $interface;
$source = "iif $interface from $source"; $source = "iif $interface from $source";
} elsif ( $source =~ /\..*\..*/ ) { } elsif ( $source =~ /\..*\..*/ ) {
validate_net ( $source, 0 ); validate_net ( $source, 0 );
@ -571,6 +578,7 @@ sub add_an_rtrule( ) {
} elsif ( $source =~ /^(.+?):<(.+)>\s*$/ ) { } elsif ( $source =~ /^(.+?):<(.+)>\s*$/ ) {
my ($interface, $source ) = ($1, $2); my ($interface, $source ) = ($1, $2);
validate_net ($source, 0); validate_net ($source, 0);
$interface = physical_name $interface;
$source = "iif $interface from $source"; $source = "iif $interface from $source";
} elsif ( $source =~ /:.*:/ || $source =~ /\..*\..*/ ) { } elsif ( $source =~ /:.*:/ || $source =~ /\..*\..*/ ) {
validate_net ( $source, 0 ); validate_net ( $source, 0 );
@ -588,7 +596,7 @@ sub add_an_rtrule( ) {
my ( $optional, $number ) = ( $providers{$provider}{optional} , $providers{$provider}{number} ); my ( $optional, $number ) = ( $providers{$provider}{optional} , $providers{$provider}{number} );
if ( $optional ) { if ( $optional ) {
my $base = uc chain_base( $providers{$provider}{interface} ); my $base = uc chain_base( $providers{$provider}{physical} );
emit ( '', "if [ -n \$${base}_IS_USABLE ]; then" ); emit ( '', "if [ -n \$${base}_IS_USABLE ]; then" );
push_indent; push_indent;
} }
@ -804,8 +812,9 @@ sub handle_optional_interfaces() {
if ( @$interfaces ) { if ( @$interfaces ) {
for my $interface ( @$interfaces ) { for my $interface ( @$interfaces ) {
my $base = uc chain_base( $interface );
my $provider = $provider_interfaces{$interface}; my $provider = $provider_interfaces{$interface};
my $physical = physical_name $interface;
my $base = uc chain_base( $physical );
emit ''; emit '';
@ -816,15 +825,15 @@ sub handle_optional_interfaces() {
my $providerref = $providers{$provider}; my $providerref = $providers{$provider};
if ( $providerref->{gatewaycase} eq 'detect' ) { if ( $providerref->{gatewaycase} eq 'detect' ) {
emit qq(if interface_is_usable $interface && [ -n "$providerref->{gateway}" ]; then); emit qq(if interface_is_usable $physical && [ -n "$providerref->{gateway}" ]; then);
} else { } else {
emit qq(if interface_is_usable $interface; then); emit qq(if interface_is_usable $physical; then);
} }
} else { } else {
# #
# Not a provider interface # Not a provider interface
# #
emit qq(if interface_is_usable $interface; then); emit qq(if interface_is_usable $physical; then);
} }
emit( " ${base}_IS_USABLE=Yes" , emit( " ${base}_IS_USABLE=Yes" ,
@ -856,7 +865,7 @@ sub handle_stickiness( $ ) {
for my $providerref ( @routemarked_providers ) { for my $providerref ( @routemarked_providers ) {
my $interface = $providerref->{interface}; my $interface = $providerref->{physical};
my $base = uc chain_base $interface; my $base = uc chain_base $interface;
my $mark = $providerref->{mark}; my $mark = $providerref->{mark};
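Review bot: The usability test emitted in the add_an_rtrule hunk, `emit ( '', "if [ -n \$${base}_IS_USABLE ]; then" );`, leaves the shell variable unquoted, so when the optional provider's interface is not usable the generated script runs `[ -n ]`, which POSIX test treats as a single non-null argument and evaluates true — the routing rule is installed anyway. The same variable is quoted everywhere else on this page (`[ -n "\$${base}_IS_USABLE" ]` in setup_route_marking and add_a_provider), so this line should match: `emit ( '', qq(if [ -n "\$${base}_IS_USABLE" ]; then) );`. The line is context here — the commit only changes how $base is derived on the line above it — so the defect predates this change, but it is worth fixing while the block is being touched. add_an_rtrule starts and ends outside the hunk.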


@ -227,13 +227,6 @@ sub initialize( $ ) {
$sticky = 0; $sticky = 0;
} }
sub physical_name( $ ) {
my $device = shift;
my $devref = known_interface $device;
$devref ? $devref->{physical} : $device;
}
sub process_tc_rule( ) { sub process_tc_rule( ) {
my ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper ) = split_line1 2, 12, 'tcrules file'; my ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper ) = split_line1 2, 12, 'tcrules file';


@ -61,6 +61,7 @@ our @EXPORT = qw( NOTHING
find_interface find_interface
known_interface known_interface
get_physical get_physical
physical_name
have_bridges have_bridges
port_to_bridge port_to_bridge
source_port_to_bridge source_port_to_bridge
@ -1066,6 +1067,16 @@ sub get_physical( $ ) {
known_interface( $_[0] )->{physical}; known_interface( $_[0] )->{physical};
} }
#
# This one doesn't insist that the passed name be the name of a configured interface
#
sub physical_name( $ ) {
my $device = shift;
my $devref = known_interface $device;
$devref ? $devref->{physical} : $device;
}
# #
# Returns true if there are bridge port zones defined in the config # Returns true if there are bridge port zones defined in the config
# #
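Review bot: The comment above physical_name should spell out the contract, because the pass-through is the security-relevant part: when known_interface rejects the name the sub returns the caller's string unchanged, and the callers added in Providers.pm on this page interpolate that result straight into emitted `ip rule`/`ip route` commands, so a mistyped logical name silently becomes a literal device name instead of a compile-time error. I would replace the one-line comment with something like: `# Map a logical interface name to its physical name. Unlike get_physical(), this does NOT require the name to be a configured interface: an unknown name is returned unchanged, so callers that need a hard error on typos must call known_interface() themselves.` It may also be worth noting, next to get_physical, that it dies (presumably with Perl's undefined-hash-reference error) rather than returning undef for an unknown name, so the two helpers fail in different ways.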