Ensure that provider is not named main, default, local or unspec

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3892 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2006-05-07 15:04:29 +00:00
parent 17eff43202
commit 0e62b7338f
3 changed files with 30 additions and 12 deletions

View File

@ -1161,7 +1161,7 @@ __EOF__
[ -n "$MANGLE_ENABLED" ] || fatal_error "Providers require mangle support in your kernel and iptables" [ -n "$MANGLE_ENABLED" ] || fatal_error "Providers require mangle support in your kernel and iptables"
for t in $PROVIDERS; do for t in $PROVIDERS local main default unspec; do
if [ "$t" = "$table" ]; then if [ "$t" = "$table" ]; then
fatal_error "Duplicate Provider: $table, provider: \"$provider\"" fatal_error "Duplicate Provider: $table, provider: \"$provider\""
fi fi
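Review bot: with `local main default unspec` appended to the loop list, a user who names a provider `main` gets the message "Duplicate Provider: main, provider: ..." although no second entry exists; the failure is a reserved name, not a duplicate. Suggest testing the four reserved names separately before the `$PROVIDERS` loop and reporting them as such, e.g. `fatal_error "Reserved provider name: $table, provider: \"$provider\""`, so the message matches the new wording in the providers file header.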
@ -1344,6 +1344,11 @@ __EOF__
progress_message "Routing rule \"$rule\" $DONE" progress_message "Routing rule \"$rule\" $DONE"
} }
local_number=255
main_number=254
default_number=253
unspec_number=0
strip_file providers $1 strip_file providers $1
if [ -s $TMP_DIR/providers ]; then if [ -s $TMP_DIR/providers ]; then
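Review bot: the four `*_number` assignments (`local_number=255`, `main_number=254`, `default_number=253`, `unspec_number=0`) define numbers for all four reserved tables, but the accompanying changelog text only documents `main` as usable in route_rules and the providers file documents NUMBER as 1 to 15. A short comment here stating why all four are set (name-to-number lookup for reserved tables) and whether `local`, `default` and `unspec` are meant to be accepted in route_rules would prevent the next reader from treating `unspec_number=0` as a stray value.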
@ -1397,8 +1402,6 @@ __EOF__
if [ -f $f ]; then if [ -f $f ]; then
strip_file route_rules $f strip_file route_rules $f
main_number=254
if [ -s $TMP_DIR/route_rules ]; then if [ -s $TMP_DIR/route_rules ]; then
progress_message2 "$DOING $f..." progress_message2 "$DOING $f..."
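Review bot: dropping `main_number=254` from this block makes the route_rules processing depend on the assignment moved to the providers section above (the hunk at line 1344). Please verify that this block cannot run on a path where that earlier assignment was skipped; if it can, `main` given by name in route_rules would resolve to an empty table number.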

View File

@ -16,7 +16,9 @@
# #
# Columns are: # Columns are:
# #
# NAME The provider name. # NAME The provider name. Must be a valid shell variable name.
# The names 'local', 'main', 'default' and 'unspec' are
# reserved and may not be used as provider names.
# #
# NUMBER The provider number -- a number between 1 and 15 # NUMBER The provider number -- a number between 1 and 15
# #
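Review bot: the new sentence reserves 'local', 'main', 'default' and 'unspec' but gives no reason, while the NUMBER description just below still says "a number between 1 and 15". One added clause, that these names are the kernel's predefined routing tables (255, 254, 253 and 0), would explain both the reservation and why the 1 to 15 range does not collide with them.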

View File

@ -418,8 +418,9 @@ New Features:
Subzones are defined by following their name with ":" and a list of parent Subzones are defined by following their name with ":" and a list of parent
zones (in /etc/shorewall/zones). Normally, you want to have a set of zones (in /etc/shorewall/zones). Normally, you want to have a set of
special rules for the subzone and if a connection doesn't match any of special rules for the subzone and if a connection doesn't match any of
those subzone-specific rules then you want the parent zone rules to be those subzone-specific rules then you want the parent zone rules and
applied. With IMPLICIT_CONTINUE=Yes, that happens automatically. policies to be applied. With IMPLICIT_CONTINUE=Yes, that happens
automatically.
If IMPLICIT_CONTINUE=No or if IMPLICIT_CONTINUE is not set, then If IMPLICIT_CONTINUE=No or if IMPLICIT_CONTINUE is not set, then
subzones are not subject to this special treatment. subzones are not subject to this special treatment.
@ -432,13 +433,13 @@ New Features:
/etc/shorewall/zones: /etc/shorewall/zones:
par ipv4 prnt ipv4
chld:par ipv4 chld:prnt ipv4
Traffic to/from the 'chld' zone will first pass through the applicable Traffic to/from the 'chld' zone will first pass through the applicable
'chld' rules and if none of those rules match then it will be passed through 'chld' rules and if none of those rules match then it will be passed through
the appropriate 'par' rules. If the connection request does not match the appropriate 'prnt' rules. If the connection request does not match
any of the 'par' rules then the relevant 'par' policy is applied. any of the 'prnt' rules then the relevant 'prnt' policy is applied.
If you want the fw->chld policy to be ACCEPT, simply add this entry to If you want the fw->chld policy to be ACCEPT, simply add this entry to
/etc/shorewall/policy: /etc/shorewall/policy:
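Review bot: the rename of the example zone from 'par' to 'prnt' (and the "rules and policies" wording in the previous hunk) is unrelated to the reserved-provider-name change described in the commit message; either mention it in the message or split it into its own commit so the changelog edit can be reviewed on its own.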
@ -472,7 +473,9 @@ New Features:
PROVIDER The provider to route the traffic through. PROVIDER The provider to route the traffic through.
May be expressed either as the provider name May be expressed either as the provider name
or the provider number. or the provider number. You may also specify
the 'main' routing table here, either by
name or by number (254).
PRIORITY PRIORITY
The rule's priority which determines the order The rule's priority which determines the order
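Review bot: the added text says the 'main' table may be specified by name or by number (254), but the code in this commit also defines numbers for 'local', 'default' and 'unspec'. State explicitly whether only 'main' is accepted in the PROVIDER column or whether all four reserved tables are, so the documentation and the lookup code agree.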
@ -491,12 +494,22 @@ New Features:
Rules with equal priority are applied in Rules with equal priority are applied in
the order in which they appear in the file. the order in which they appear in the file.
Example: You want all traffic coming in on eth1 to be routed to the ISP1 Example 1: You want all traffic coming in on eth1 to be routed to the ISP1
provider: provider:
#PROVIDER PRIORITY SOURCE DEST #PROVIDER PRIORITY SOURCE DEST
ISP1 1000 eth1 ISP1 1000 eth1
Example 2: You use OpenVPN (routed setup /tunX) in combination with multiple
providers. In this case you have to set up a rule to ensure that
the OpenVPN traffic is routed back through the tunX interface(s)
rather than through any of the providers. 10.8.0.0/24 is the
subnet choosen in your OpenVPN configuration (server 10.8.0.0
255.255.255.0)
#SOURCE DEST PROVIDER PRIORITY
- 10.8.0.0/24 main 1000
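Review bot: the Example 2 column header `#SOURCE DEST PROVIDER PRIORITY` does not match the column order used by Example 1 directly above it (`#PROVIDER PRIORITY SOURCE DEST`), which is the order the column descriptions in this section follow; the example line should be rewritten in that order as `main 1000 - 10.8.0.0/24` under the same header as Example 1. Also, "choosen" in the explanatory text should be "chosen".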
11) Prior to now, it has not been possible to use connection marking in 11) Prior to now, it has not been possible to use connection marking in
/etc/shorewall/tcrules if you have a multi-ISP configuration that uses the /etc/shorewall/tcrules if you have a multi-ISP configuration that uses the
'track' option. 'track' option.