forked from extern/shorewall_code
Implement USE_DEFAULT_RT=Exact
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep
parent
b36b07b567
commit
2ca1ae734a
@ -6282,11 +6282,20 @@ sub get_configuration( $$$$ ) {
|
||||
require_capability 'COMMENTS', 'TRACK_RULES=Yes', 's' if $config{TRACK_RULES};
|
||||
|
||||
default_yes_no 'MANGLE_ENABLED' , have_capability( 'MANGLE_ENABLED' ) ? 'Yes' : '';
|
||||
default_yes_no 'USE_DEFAULT_RT' , '';
|
||||
default_yes_no 'RESTORE_DEFAULT_ROUTE' , 'Yes';
|
||||
default_yes_no 'AUTOMAKE' , '';
|
||||
default_yes_no 'TRACK_PROVIDERS' , '';
|
||||
|
||||
if ( supplied( $val = $config{USE_DEFAULT_RT} ) ) {
|
||||
if ( lc( $val ) eq 'exact' ) {
|
||||
$config{USE_DEFAULT_RT} = 'exact';
|
||||
} else {
|
||||
default_yes_no 'USE_DEFAULT_RT' , '';
|
||||
}
|
||||
} else {
|
||||
default_yes_no 'USE_DEFAULT_RT' , '';
|
||||
}
|
||||
|
||||
unless ( ( $config{NULL_ROUTE_RFC1918} || '' ) =~ /^(?:blackhole|unreachable|prohibit)$/ ) {
|
||||
default_yes_no( 'NULL_ROUTE_RFC1918', '' );
|
||||
$config{NULL_ROUTE_RFC1918} = 'blackhole' if $config{NULL_ROUTE_RFC1918};
|
||||
|
||||
@ -519,11 +519,11 @@ sub process_a_provider( $ ) {
|
||||
my ( $loose, $track, $balance, $default, $default_balance, $optional, $mtu, $tproxy, $local, $load, $what, $hostroute, $persistent );
|
||||
|
||||
if ( $pseudo ) {
|
||||
( $loose, $track, $balance , $default, $default_balance, $optional, $mtu, $tproxy , $local, $load, $what , $hostroute, $persistent ) =
|
||||
( 0, 0 , 0 , 0, 0, 1 , '' , 0 , 0, 0, 'interface', 0, 0);
|
||||
( $loose, $track, $balance , $default, $default_balance, $optional, $mtu, $tproxy , $local, $load, $what , $hostroute, $persistent ) =
|
||||
( 0, 0 , 0 , 0, 0, 1 , '' , 0 , 0, 0, 'interface', 0, 0);
|
||||
} else {
|
||||
( $loose, $track, $balance , $default, $default_balance, $optional, $mtu, $tproxy , $local, $load, $what , $hostroute, $persistent )=
|
||||
( 0, $config{TRACK_PROVIDERS}, 0 , 0, $config{USE_DEFAULT_RT} ? 1 : 0, interface_is_optional( $interface ), '' , 0 , 0, 0, 'provider', 1, 0);
|
||||
( $loose, $track, $balance , $default, $default_balance, $optional, $mtu, $tproxy , $local, $load, $what , $hostroute, $persistent )=
|
||||
( 0, $config{TRACK_PROVIDERS}, 0 , 0, $config{USE_DEFAULT_RT} eq 'Yes' ? 1 : 0, interface_is_optional( $interface ), '' , 0 , 0, 0, 'provider', 1, 0);
|
||||
}
|
||||
|
||||
unless ( $options eq '-' ) {
|
||||
|
||||
@ -240,7 +240,7 @@ TRACK_PROVIDERS=Yes
|
||||
|
||||
TRACK_RULES=No
|
||||
|
||||
USE_DEFAULT_RT=Yes
|
||||
USE_DEFAULT_RT=Exact
|
||||
|
||||
USE_PHYSICAL_NAMES=No
|
||||
|
||||
|
||||
@ -251,7 +251,7 @@ TRACK_PROVIDERS=Yes
|
||||
|
||||
TRACK_RULES=No
|
||||
|
||||
USE_DEFAULT_RT=Yes
|
||||
USE_DEFAULT_RT=Exact
|
||||
|
||||
USE_PHYSICAL_NAMES=No
|
||||
|
||||
|
||||
@ -248,7 +248,7 @@ TRACK_PROVIDERS=Yes
|
||||
|
||||
TRACK_RULES=No
|
||||
|
||||
USE_DEFAULT_RT=Yes
|
||||
USE_DEFAULT_RT=Exact
|
||||
|
||||
USE_PHYSICAL_NAMES=No
|
||||
|
||||
|
||||
@ -251,7 +251,7 @@ TRACK_PROVIDERS=Yes
|
||||
|
||||
TRACK_RULES=No
|
||||
|
||||
USE_DEFAULT_RT=Yes
|
||||
USE_DEFAULT_RT=Exact
|
||||
|
||||
USE_PHYSICAL_NAMES=No
|
||||
|
||||
|
||||
@ -240,7 +240,7 @@ TRACK_PROVIDERS=No
|
||||
|
||||
TRACK_RULES=No
|
||||
|
||||
USE_DEFAULT_RT=Yes
|
||||
USE_DEFAULT_RT=Exact
|
||||
|
||||
USE_PHYSICAL_NAMES=No
|
||||
|
||||
|
||||
@ -208,6 +208,14 @@
|
||||
<option>balance=</option><replaceable>weight</replaceable>
|
||||
where <replaceable>weight</replaceable> is the weight of the
|
||||
route out of this interface.</para>
|
||||
|
||||
<para>The setting <option>balance=1</option> is the default
|
||||
when USE_DEFAULT_RT=Yes in and neither
|
||||
<option>balance</option>[=], <option>primary</option>,
|
||||
<option>fallback</option>, <option>loose</option> nor
|
||||
<option>tproxy</option> is specified. To suppress this
|
||||
behavior, set USE_DEFAULT_RT=Strict (Shorewall 5.1.1 or
|
||||
later).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
||||
@ -2307,9 +2307,10 @@ INLINE - - - ;; -j REJECT
|
||||
|
||||
<para>RESTORE_DEFAULT_ROUTE=No is appropriate when you don't want a
|
||||
default route in the main table (USE_DEFAULT_RT=No) or in the
|
||||
default table (USE_DEFAULT_RT=Yes) when there are no balance
|
||||
providers available. In that case, RESTORE_DEFAULT_ROUTE=No will
|
||||
cause any default route in the relevant table to be deleted.</para>
|
||||
default table (USE_DEFAULT_RT=Yes or USE_DEFAULT_RT=Exact) when
|
||||
there are no balance providers available. In that case,
|
||||
RESTORE_DEFAULT_ROUTE=No will cause any default route in the
|
||||
relevant table to be deleted.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -2805,7 +2806,8 @@ INLINE - - - ;; -j REJECT
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">USE_DEFAULT_RT=</emphasis>[<emphasis
|
||||
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
|
||||
role="bold">Yes</emphasis>|<emphasis
|
||||
role="bold">No|Exact</emphasis>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>When set to 'Yes', this option causes the Shorewall multi-ISP
|
||||
@ -2816,7 +2818,8 @@ INLINE - - - ;; -j REJECT
|
||||
the Shorewall-generated routing rules. So changes to the main table
|
||||
will affect the routing of packets by default.</para>
|
||||
|
||||
<para>When USE_DEFAULT_RT=Yes:</para>
|
||||
<para>When USE_DEFAULT_RT=Yes or USE_DEFAULT_RT=Exact (Shorewall
|
||||
5.1.1 or later):</para>
|
||||
|
||||
<orderedlist>
|
||||
<listitem>
|
||||
@ -2831,8 +2834,11 @@ INLINE - - - ;; -j REJECT
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><emphasis role="bold">balance</emphasis> is assumed unless
|
||||
<emphasis role="bold">loose</emphasis> is specified.</para>
|
||||
<para>The <emphasis role="bold">balance</emphasis> provider
|
||||
option is assumed unless <emphasis role="bold">loose</emphasis>,
|
||||
<option>fallback</option>,<option> load=</option> or
|
||||
<option>tproxy</option> is specified for the provider or unless
|
||||
USE_DEFAULT_RT=Exact.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
|
||||
@ -211,7 +211,7 @@ TRACK_PROVIDERS=Yes
|
||||
|
||||
TRACK_RULES=No
|
||||
|
||||
USE_DEFAULT_RT=Yes
|
||||
USE_DEFAULT_RT=Exact
|
||||
|
||||
USE_PHYSICAL_NAMES=No
|
||||
|
||||
|
||||
@ -212,7 +212,7 @@ TRACK_PROVIDERS=Yes
|
||||
|
||||
TRACK_RULES=No
|
||||
|
||||
USE_DEFAULT_RT=Yes
|
||||
USE_DEFAULT_RT=Exact
|
||||
|
||||
USE_PHYSICAL_NAMES=No
|
||||
|
||||
|
||||
@ -211,7 +211,7 @@ TRACK_PROVIDERS=Yes
|
||||
|
||||
TRACK_RULES=No
|
||||
|
||||
USE_DEFAULT_RT=Yes
|
||||
USE_DEFAULT_RT=Exact
|
||||
|
||||
USE_PHYSICAL_NAMES=No
|
||||
|
||||
|
||||
@ -211,7 +211,7 @@ TRACK_PROVIDERS=Yes
|
||||
|
||||
TRACK_RULES=No
|
||||
|
||||
USE_DEFAULT_RT=Yes
|
||||
USE_DEFAULT_RT=Exact
|
||||
|
||||
USE_PHYSICAL_NAMES=No
|
||||
|
||||
|
||||
@ -173,6 +173,14 @@
|
||||
where <replaceable>weight</replaceable> is the weight of the
|
||||
route out of this interface. Prior to Shorewall 5.0.13, only
|
||||
one provider can specify this option.</para>
|
||||
|
||||
<para>The setting <option>balance=1</option> is the default
|
||||
when USE_DEFAULT_RT=Yes in and neither
|
||||
<option>balance</option>[=], <option>primary</option>,
|
||||
<option>fallback</option>[=], <option>loose</option> nor
|
||||
<option>tproxy</option> is specified. To suppress this
|
||||
behavior, set USE_DEFAULT_RT=Strict (Shorewall 5.1.1 or
|
||||
later).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
||||
@ -2448,7 +2448,8 @@ INLINE - - - ;; -j REJECT
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">USE_DEFAULT_RT=</emphasis>[<emphasis
|
||||
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
|
||||
role="bold">Yes</emphasis>|<emphasis
|
||||
role="bold">No</emphasis>|Exact]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall6 4.4.25. When set to 'Yes', this option
|
||||
@ -2460,7 +2461,8 @@ INLINE - - - ;; -j REJECT
|
||||
changes to the main table will affect the routing of packets by
|
||||
default.</para>
|
||||
|
||||
<para>When USE_DEFAULT_RT=Yes:</para>
|
||||
<para>When USE_DEFAULT_RT=Yes or USE_DEFAULT_RT=Exact (Shorewall
|
||||
5.1.1 or later):</para>
|
||||
|
||||
<orderedlist>
|
||||
<listitem>
|
||||
@ -2475,8 +2477,11 @@ INLINE - - - ;; -j REJECT
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><emphasis role="bold">balance</emphasis> is assumed unless
|
||||
<emphasis role="bold">loose</emphasis> is specified.</para>
|
||||
<para>The <emphasis role="bold">balance</emphasis> provider
|
||||
option is assumed unless <emphasis role="bold">loose</emphasis>,
|
||||
<option>fallback</option>,<option> load=</option> or
|
||||
<option>tproxy</option> is specified for the provider or unless
|
||||
USE_DEFAULT_RT=Exact.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
|
||||
@ -219,14 +219,16 @@
|
||||
<para>The behavior and configuration of Multiple ISP support is
|
||||
dependent on the setting of USE_DEFAULT_RT in shorewall[6].conf.</para>
|
||||
|
||||
<para>When USE_DEFAULT_RT=Yes, packets are first routed through the main
|
||||
routing table <emphasis>which does not contain a default
|
||||
route</emphasis>. Packets which fail to be routed by an entry in the
|
||||
main table are then passed to shorewall-defined routing tables based on
|
||||
your Multi-ISP configuration. The advantage of this approach is that
|
||||
dynamic changes to the ip configuration, such as VPNs going up and down,
|
||||
do not require notificaiton of Shorewall. USE_DEFAULT_RT is now the
|
||||
default and use of USE_DEFAULT_RT=No is deprecated.</para>
|
||||
<para>When USE_DEFAULT_RT=Yes or USE_DEFAULT_RT=Exact (Shorewall 5.1.1
|
||||
and later), packets are first routed through the main routing table
|
||||
<emphasis>which does not contain a default route</emphasis>. Packets
|
||||
which fail to be routed by an entry in the main table are then passed to
|
||||
shorewall-defined routing tables based on your Multi-ISP configuration.
|
||||
The advantage of this approach is that dynamic changes to the ip
|
||||
configuration, such as VPNs going up and down, do not require
|
||||
notificaiton of Shorewall. USE_DEFAULT_RT=No (USE_DEFAULT_RT=Exact in
|
||||
Shorewall 5.1.1 and later) is now the default and use of
|
||||
USE_DEFAULT_RT=No is deprecated.</para>
|
||||
|
||||
<para>When USE_DEFAULT_RT=No, packets are routed via Shorewall-generated
|
||||
routing tables. As a consequence, the main routing table must be copied
|
||||
@ -319,9 +321,10 @@
|
||||
<para>Gives the name or number of a routing table to duplicate.
|
||||
May be 'main' or the name or number of a previously declared
|
||||
provider. This field should be be specified as '-' when
|
||||
USE_DEFAULT_RT=Yes in <filename>shorewall.conf. When
|
||||
USE_DEFAULT_RT=No (not recommended), this column is normally
|
||||
specified as <option>main</option>.</filename></para>
|
||||
USE_DEFAULT_RT=Yes or USE_DEFAULT_RT=Exact in
|
||||
<filename>shorewall.conf. When USE_DEFAULT_RT=No (not
|
||||
recommended), this column is normally specified as
|
||||
<option>main</option>.</filename></para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -695,7 +698,8 @@ fi</programlisting>
|
||||
interfaces should be routed through the main table using entries in
|
||||
<filename>/etc/shorewall/rtrules</filename> (see Example 2 <link
|
||||
linkend="Examples">below</link>) or by using <link
|
||||
linkend="USE_DEFAULT_RT">USE_DEFAULT_RT=Yes</link> (recommended)</para>
|
||||
linkend="USE_DEFAULT_RT">USE_DEFAULT_RT=Yes or
|
||||
USE_DEFAULT_RT=Exact</link> (recommended)</para>
|
||||
|
||||
<para>In addition:</para>
|
||||
|
||||
@ -907,8 +911,8 @@ DROP:info net:192.168.1.0/24 all</programlisting>
|
||||
<title id="Example">Legacy Example</title>
|
||||
|
||||
<para>This section describes the legacy method of configuring multiple
|
||||
uplinks. It is deprecated in favor of the USE_DEFAULT_RT=Yes
|
||||
configuration described <link
|
||||
uplinks. It is deprecated in favor of the USE_DEFAULT_RT=Yes or
|
||||
USE_DEFAULT_RT=Exact configuration described <link
|
||||
linkend="USE_DEFAULT_RT">below</link>.</para>
|
||||
|
||||
<para>The configuration in the figure at the top of this section would
|
||||
@ -940,7 +944,8 @@ eth1 0.0.0.0/0 130.252.99.27</programlisting>
|
||||
</section>
|
||||
|
||||
<section id="Example2">
|
||||
<title id="Example99">Example using USE_DEFAULT_RT=Yes</title>
|
||||
<title id="Example99">Example using USE_DEFAULT_RT=Yes or
|
||||
USE_DEFAULT_RT=Exact</title>
|
||||
|
||||
<para>This section shows the differences in configuring the above
|
||||
example with USE_DEFAULT_RT=Yes. The changes are confined to the
|
||||
@ -1214,12 +1219,12 @@ gateway:~ #</programlisting>
|
||||
VPN clients (including but not limited to OpenVPN in routed mode and
|
||||
PPTP), the VPN software adds a host route to the <emphasis
|
||||
role="bold">main</emphasis> table for each VPN client. The best
|
||||
approach is to use USE_DEFAULT_RT=Yes as described <link
|
||||
linkend="USE_DEFAULT_RT">below</link>. If that isn't possible, you
|
||||
must add a routing rule in the 1000-1999 range to specify the
|
||||
<emphasis role="bold">main</emphasis> table for traffic addressed to
|
||||
those clients. See<link linkend="Openvpn"> Example 2</link>
|
||||
below.</para>
|
||||
approach is to use USE_DEFAULT_RT=Yes or USE_DEFAULT_RT=Exact as
|
||||
described <link linkend="USE_DEFAULT_RT">below</link>. If that isn't
|
||||
possible, you must add a routing rule in the 1000-1999 range to
|
||||
specify the <emphasis role="bold">main</emphasis> table for traffic
|
||||
addressed to those clients. See<link linkend="Openvpn"> Example
|
||||
2</link> below.</para>
|
||||
|
||||
<para>If you have an IPSEC gateway on your firewall, be sure to
|
||||
arrange for ESP packets to be routed out of the same interface that
|
||||
@ -1789,9 +1794,9 @@ lillycat: #</programlisting>
|
||||
route rules such as described in <link linkend="Openvpn">one of the
|
||||
examples above</link> necessary.</para>
|
||||
|
||||
<para>USE_DEFAULT_RT=Yes works around that problem by passing packets
|
||||
through the main table first rather than last. This has a number of
|
||||
implications:</para>
|
||||
<para>USE_DEFAULT_RT=Yes and USE_DEFAULT_RT=Exact work around that
|
||||
problem by passing packets through the main table first rather than
|
||||
last. This has a number of implications:</para>
|
||||
|
||||
<orderedlist>
|
||||
<listitem>
|
||||
@ -1802,9 +1807,12 @@ lillycat: #</programlisting>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>The <emphasis role="bold">balance</emphasis> option is assumed
|
||||
for all interfaces that do not have the <emphasis
|
||||
role="bold">loose</emphasis> option. When you want both <emphasis
|
||||
<para>When USE_DEFAULT_RT=Yes, the <emphasis
|
||||
role="bold">balance</emphasis> option is assumed for all interfaces
|
||||
that do not have the <emphasis role="bold">loose</emphasis>,
|
||||
<emphasis role="bold">primary</emphasis>, <emphasis
|
||||
role="bold">fallback</emphasis> or <emphasis
|
||||
role="bold">tproxy</emphasis> option. When you want both <emphasis
|
||||
role="bold">balance</emphasis> and <emphasis
|
||||
role="bold">loose</emphasis>, both must be specified.</para>
|
||||
</listitem>
|
||||
@ -1898,8 +1906,9 @@ shorewall 2 2 - eth0 192.168.1.254 track,balance=2,optional<
|
||||
<section>
|
||||
<title>DHCP with USE_DEFAULT_RT</title>
|
||||
|
||||
<para>When USE_DEFAULT_RT=Yes, you don't want your DHCP client
|
||||
inserting a default route into the main routing table.</para>
|
||||
<para>When USE_DEFAULT_RT=Yes or USE_DEFAULT_RT=Exact, you don't want
|
||||
your DHCP client inserting a default route into the main routing
|
||||
table.</para>
|
||||
|
||||
<section>
|
||||
<title>Debian</title>
|
||||
|
||||
Loading…
Reference in New Issue
Block a user