From 2d16fac9ed86dc8dcbfc9c09cbad14fdd110f503 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Tue, 17 Jan 2017 08:25:33 -0800
Subject: [PATCH] Revert "Implement USE_DEFAULT_RT=Exact"
This reverts commit 2ca1ae734a300d7a147d40d58f7c46177196b9a9.
---
 Shorewall/Perl/Shorewall/Config.pm | 11 +--
 Shorewall/Perl/Shorewall/Providers.pm | 8 +--
 Shorewall/Samples/Universal/shorewall.conf | 2 +-
 .../Samples/one-interface/shorewall.conf | 2 +-
 .../Samples/three-interfaces/shorewall.conf | 2 +-
 .../Samples/two-interfaces/shorewall.conf | 2 +-
 Shorewall/configfiles/shorewall.conf | 2 +-
 Shorewall/manpages/shorewall-providers.xml | 8 ---
 Shorewall/manpages/shorewall.conf.xml | 20 ++----
 Shorewall6/Samples6/Universal/shorewall6.conf | 2 +-
 .../Samples6/one-interface/shorewall6.conf | 2 +-
 .../Samples6/three-interfaces/shorewall6.conf | 2 +-
 .../Samples6/two-interfaces/shorewall6.conf | 2 +-
 Shorewall6/manpages/shorewall6-providers.xml | 8 ---
 Shorewall6/manpages/shorewall6.conf.xml | 13 ++--
 docs/MultiISP.xml | 67 ++++++++-----------
 16 files changed, 54 insertions(+), 99 deletions(-)
diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
index 909dac1c1..de9ed994c 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -6282,20 +6282,11 @@ sub get_configuration( $$$$ ) {
 require_capability 'COMMENTS', 'TRACK_RULES=Yes', 's' if $config{TRACK_RULES};
 default_yes_no 'MANGLE_ENABLED' , have_capability( 'MANGLE_ENABLED' ) ? 'Yes' : '';
+ default_yes_no 'USE_DEFAULT_RT' , '';
 default_yes_no 'RESTORE_DEFAULT_ROUTE' , 'Yes';
 default_yes_no 'AUTOMAKE' , '';
 default_yes_no 'TRACK_PROVIDERS' , '';
- if ( supplied( $val = $config{USE_DEFAULT_RT} ) ) {
- if ( lc( $val ) eq 'exact' ) {
- $config{USE_DEFAULT_RT} = 'exact';
- } else {
- default_yes_no 'USE_DEFAULT_RT' , '';
- }
- } else {
- default_yes_no 'USE_DEFAULT_RT' , '';
- }
-
 unless ( ( $config{NULL_ROUTE_RFC1918} || '' ) =~ /^(?:blackhole|unreachable|prohibit)$/ ) {
 default_yes_no( 'NULL_ROUTE_RFC1918', '' );
 $config{NULL_ROUTE_RFC1918} = 'blackhole' if $config{NULL_ROUTE_RFC1918};
diff --git a/Shorewall/Perl/Shorewall/Providers.pm b/Shorewall/Perl/Shorewall/Providers.pm
index d06f4c256..c284e0f42 100644
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
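Review bot: With the `lc( $val ) eq 'exact'` branch gone, a shorewall.conf that still says `USE_DEFAULT_RT=Exact` — the value this same patch removes from every shipped sample and from configfiles/shorewall.conf — now goes straight into `default_yes_no 'USE_DEFAULT_RT' , ''`, and both the removed code and the NULL_ROUTE_RFC1918 handling just below route non-Yes/No values around that helper, which suggests it will reject the setting rather than fall back. Failing closed is the right outcome for a routing knob: silently mapping Exact to Yes would re-enable the implicit balance default that Exact existed to suppress and change which provider table default-routed traffic takes. What is missing is telling the operator: the commit message should state that Exact must be changed to Yes or No, and if the helper's error text is generic, a targeted check before the call, `fatal_error "USE_DEFAULT_RT=Exact is no longer supported; use Yes or No" if supplied( $val = $config{USE_DEFAULT_RT} ) && lc( $val ) eq 'exact';`, would name the replacement at compile time (I cannot see the project's error helper from here, so substitute whatever Config.pm uses). get_configuration begins and ends outside this hunk.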
@@ -519,11 +519,11 @@ sub process_a_provider( $ ) {
 my ( $loose, $track, $balance, $default, $default_balance, $optional, $mtu, $tproxy, $local, $load, $what, $hostroute, $persistent );
 if ( $pseudo ) {
- ( $loose, $track, $balance , $default, $default_balance, $optional, $mtu, $tproxy , $local, $load, $what , $hostroute, $persistent ) =
- ( 0, 0 , 0 , 0, 0, 1 , '' , 0 , 0, 0, 'interface', 0, 0);
+ ( $loose, $track, $balance , $default, $default_balance, $optional, $mtu, $tproxy , $local, $load, $what , $hostroute, $persistent ) =
+ ( 0, 0 , 0 , 0, 0, 1 , '' , 0 , 0, 0, 'interface', 0, 0);
 } else {
- ( $loose, $track, $balance , $default, $default_balance, $optional, $mtu, $tproxy , $local, $load, $what , $hostroute, $persistent )=
- ( 0, $config{TRACK_PROVIDERS}, 0 , 0, $config{USE_DEFAULT_RT} eq 'Yes' ? 1 : 0, interface_is_optional( $interface ), '' , 0 , 0, 0, 'provider', 1, 0);
+ ( $loose, $track, $balance , $default, $default_balance, $optional, $mtu, $tproxy , $local, $load, $what , $hostroute, $persistent )=
+ ( 0, $config{TRACK_PROVIDERS}, 0 , 0, $config{USE_DEFAULT_RT} ? 1 : 0, interface_is_optional( $interface ), '' , 0 , 0, 0, 'provider', 1, 0);
 }
 unless ( $options eq '-' ) {
diff --git a/Shorewall/Samples/Universal/shorewall.conf b/Shorewall/Samples/Universal/shorewall.conf
index f580ae935..ed9a3c0c5 100644
--- a/Shorewall/Samples/Universal/shorewall.conf
+++ b/Shorewall/Samples/Universal/shorewall.conf
@@ -240,7 +240,7 @@ TRACK_PROVIDERS=Yes
 TRACK_RULES=No
-USE_DEFAULT_RT=Exact
+USE_DEFAULT_RT=Yes
 USE_PHYSICAL_NAMES=No
diff --git a/Shorewall/Samples/one-interface/shorewall.conf b/Shorewall/Samples/one-interface/shorewall.conf
index 28f6f937e..5aaf63567 100644
--- a/Shorewall/Samples/one-interface/shorewall.conf
+++ b/Shorewall/Samples/one-interface/shorewall.conf
@@ -251,7 +251,7 @@ TRACK_PROVIDERS=Yes
 TRACK_RULES=No
-USE_DEFAULT_RT=Exact
+USE_DEFAULT_RT=Yes
 USE_PHYSICAL_NAMES=No
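Review bot: The added line in the else branch replaces `$config{USE_DEFAULT_RT} eq 'Yes' ? 1 : 0` with a bare truthiness test, so `$default_balance` — the flag that pulls a provider into the default table's balanced route and therefore decides which uplink default-routed traffic leaves on — becomes 1 for any non-empty string. That is only correct if Config.pm has already normalised USE_DEFAULT_RT to 'Yes' or '' (the Config.pm hunk in this patch suggests it does, but that invariant lives outside this file); a raw 'No' reaching this point would be truthy and silently turn balancing on for every provider. Keeping `$config{USE_DEFAULT_RT} eq 'Yes' ? 1 : 0` costs nothing and does not depend on that invariant, even though the rest of the revert restores the older form. The pseudo-provider `-`/`+` pair above it differs only in whitespace and is noise in the revert. process_a_provider begins and ends outside this hunk.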
diff --git a/Shorewall/Samples/three-interfaces/shorewall.conf b/Shorewall/Samples/three-interfaces/shorewall.conf
index 06c140161..a6320090b 100644
--- a/Shorewall/Samples/three-interfaces/shorewall.conf
+++ b/Shorewall/Samples/three-interfaces/shorewall.conf
@@ -248,7 +248,7 @@ TRACK_PROVIDERS=Yes
 TRACK_RULES=No
-USE_DEFAULT_RT=Exact
+USE_DEFAULT_RT=Yes
 USE_PHYSICAL_NAMES=No
diff --git a/Shorewall/Samples/two-interfaces/shorewall.conf b/Shorewall/Samples/two-interfaces/shorewall.conf
index fc54d3bb8..6f8ba4cd5 100644
--- a/Shorewall/Samples/two-interfaces/shorewall.conf
+++ b/Shorewall/Samples/two-interfaces/shorewall.conf
@@ -251,7 +251,7 @@ TRACK_PROVIDERS=Yes
 TRACK_RULES=No
-USE_DEFAULT_RT=Exact
+USE_DEFAULT_RT=Yes
 USE_PHYSICAL_NAMES=No
diff --git a/Shorewall/configfiles/shorewall.conf b/Shorewall/configfiles/shorewall.conf
index b56ea679f..b124e251f 100644
--- a/Shorewall/configfiles/shorewall.conf
+++ b/Shorewall/configfiles/shorewall.conf
@@ -240,7 +240,7 @@ TRACK_PROVIDERS=No
 TRACK_RULES=No
-USE_DEFAULT_RT=Exact
+USE_DEFAULT_RT=Yes
 USE_PHYSICAL_NAMES=No
diff --git a/Shorewall/manpages/shorewall-providers.xml b/Shorewall/manpages/shorewall-providers.xml
index 0a7649959..75359ad3e 100644
--- a/Shorewall/manpages/shorewall-providers.xml
+++ b/Shorewall/manpages/shorewall-providers.xml
@@ -208,14 +208,6 @@ weight where weight is the weight of the route out of this interface. - - The setting is the default when USE_DEFAULT_RT=Yes in and neither [=], , , nor is specified. To suppress this behavior, set USE_DEFAULT_RT=Strict (Shorewall 5.1.1 or later).
diff --git a/Shorewall/manpages/shorewall.conf.xml b/Shorewall/manpages/shorewall.conf.xml
index f8e54ee9e..6faa5a992 100644
--- a/Shorewall/manpages/shorewall.conf.xml
+++ b/Shorewall/manpages/shorewall.conf.xml
@@ -2307,10 +2307,9 @@ INLINE - - - ;; -j REJECT RESTORE_DEFAULT_ROUTE=No is appropriate when you don't want a default route in the main table (USE_DEFAULT_RT=No) or in the - default table (USE_DEFAULT_RT=Yes or USE_DEFAULT_RT=Exact) when - there are no balance providers available. In that case, - RESTORE_DEFAULT_ROUTE=No will cause any default route in the - relevant table to be deleted. + default table (USE_DEFAULT_RT=Yes) when there are no balance + providers available. In that case, RESTORE_DEFAULT_ROUTE=No will + cause any default route in the relevant table to be deleted.
@@ -2806,8 +2805,7 @@ INLINE - - - ;; -j REJECT USE_DEFAULT_RT=[Yes|No|Exact] + role="bold">Yes|No] When set to 'Yes', this option causes the Shorewall multi-ISP
@@ -2818,8 +2816,7 @@ INLINE - - - ;; -j REJECT the Shorewall-generated routing rules. So changes to the main table will affect the routing of packets by default. - When USE_DEFAULT_RT=Yes or USE_DEFAULT_RT=Exact (Shorewall - 5.1.1 or later): + When USE_DEFAULT_RT=Yes:
@@ -2834,11 +2831,8 @@ INLINE - - - ;; -j REJECT - The balance provider - option is assumed unless loose, - , or - is specified for the provider or unless - USE_DEFAULT_RT=Exact. + balance is assumed unless + loose is specified.
diff --git a/Shorewall6/Samples6/Universal/shorewall6.conf b/Shorewall6/Samples6/Universal/shorewall6.conf
index 967dc17e6..f04b486b2 100644
--- a/Shorewall6/Samples6/Universal/shorewall6.conf
+++ b/Shorewall6/Samples6/Universal/shorewall6.conf
@@ -211,7 +211,7 @@ TRACK_PROVIDERS=Yes
 TRACK_RULES=No
-USE_DEFAULT_RT=Exact
+USE_DEFAULT_RT=Yes
 USE_PHYSICAL_NAMES=No
diff --git a/Shorewall6/Samples6/one-interface/shorewall6.conf b/Shorewall6/Samples6/one-interface/shorewall6.conf
index f34b2325b..45fbbda26 100644
--- a/Shorewall6/Samples6/one-interface/shorewall6.conf
+++ b/Shorewall6/Samples6/one-interface/shorewall6.conf
@@ -212,7 +212,7 @@ TRACK_PROVIDERS=Yes
 TRACK_RULES=No
-USE_DEFAULT_RT=Exact
+USE_DEFAULT_RT=Yes
 USE_PHYSICAL_NAMES=No
diff --git a/Shorewall6/Samples6/three-interfaces/shorewall6.conf b/Shorewall6/Samples6/three-interfaces/shorewall6.conf
index 2fd07b362..57231364e 100644
--- a/Shorewall6/Samples6/three-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/three-interfaces/shorewall6.conf
@@ -211,7 +211,7 @@ TRACK_PROVIDERS=Yes
 TRACK_RULES=No
-USE_DEFAULT_RT=Exact
+USE_DEFAULT_RT=Yes
 USE_PHYSICAL_NAMES=No
diff --git a/Shorewall6/Samples6/two-interfaces/shorewall6.conf b/Shorewall6/Samples6/two-interfaces/shorewall6.conf
index 5a10840bc..92b0744e7 100644
--- a/Shorewall6/Samples6/two-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/two-interfaces/shorewall6.conf
@@ -211,7 +211,7 @@ TRACK_PROVIDERS=Yes
 TRACK_RULES=No
-USE_DEFAULT_RT=Exact
+USE_DEFAULT_RT=Yes
 USE_PHYSICAL_NAMES=No
diff --git a/Shorewall6/manpages/shorewall6-providers.xml b/Shorewall6/manpages/shorewall6-providers.xml
index 8be74575f..63b799b4c 100644
--- a/Shorewall6/manpages/shorewall6-providers.xml
+++ b/Shorewall6/manpages/shorewall6-providers.xml
@@ -173,14 +173,6 @@ where weight is the weight of the route out of this interface. Prior to Shorewall 5.0.13, only one provider can specify this option. - - The setting is the default when USE_DEFAULT_RT=Yes in and neither [=], , [=], nor is specified. To suppress this behavior, set USE_DEFAULT_RT=Strict (Shorewall 5.1.1 or later).
diff --git a/Shorewall6/manpages/shorewall6.conf.xml b/Shorewall6/manpages/shorewall6.conf.xml
index bb6030b52..ebee8e8c5 100644
--- a/Shorewall6/manpages/shorewall6.conf.xml
+++ b/Shorewall6/manpages/shorewall6.conf.xml
@@ -2448,8 +2448,7 @@ INLINE - - - ;; -j REJECT USE_DEFAULT_RT=[Yes|No|Exact] + role="bold">Yes|No] Added in Shorewall6 4.4.25. When set to 'Yes', this option
@@ -2461,8 +2460,7 @@ INLINE - - - ;; -j REJECT changes to the main table will affect the routing of packets by default. - When USE_DEFAULT_RT=Yes or USE_DEFAULT_RT=Exact (Shorewall - 5.1.1 or later): + When USE_DEFAULT_RT=Yes:
@@ -2477,11 +2475,8 @@ INLINE - - - ;; -j REJECT - The balance provider - option is assumed unless loose, - , or - is specified for the provider or unless - USE_DEFAULT_RT=Exact. + balance is assumed unless + loose is specified. diff --git a/docs/MultiISP.xml b/docs/MultiISP.xml index b984a64bf..940e24e68 100644 --- a/docs/MultiISP.xml +++ b/docs/MultiISP.xml @@ -219,16 +219,14 @@ The behavior and configuration of Multiple ISP support is dependent on the setting of USE_DEFAULT_RT in shorewall[6].conf. - When USE_DEFAULT_RT=Yes or USE_DEFAULT_RT=Exact (Shorewall 5.1.1 - and later), packets are first routed through the main routing table - which does not contain a default route. Packets - which fail to be routed by an entry in the main table are then passed to - shorewall-defined routing tables based on your Multi-ISP configuration. - The advantage of this approach is that dynamic changes to the ip - configuration, such as VPNs going up and down, do not require - notificaiton of Shorewall. USE_DEFAULT_RT=No (USE_DEFAULT_RT=Exact in - Shorewall 5.1.1 and later) is now the default and use of - USE_DEFAULT_RT=No is deprecated. + When USE_DEFAULT_RT=Yes, packets are first routed through the main + routing table which does not contain a default + route. Packets which fail to be routed by an entry in the + main table are then passed to shorewall-defined routing tables based on + your Multi-ISP configuration. The advantage of this approach is that + dynamic changes to the ip configuration, such as VPNs going up and down, + do not require notificaiton of Shorewall. USE_DEFAULT_RT is now the + default and use of USE_DEFAULT_RT=No is deprecated. When USE_DEFAULT_RT=No, packets are routed via Shorewall-generated routing tables. As a consequence, the main routing table must be copied 
@@ -321,10 +319,9 @@ Gives the name or number of a routing table to duplicate. May be 'main' or the name or number of a previously declared provider. This field should be be specified as '-' when - USE_DEFAULT_RT=Yes or USE_DEFAULT_RT=Exact in - shorewall.conf. When USE_DEFAULT_RT=No (not - recommended), this column is normally specified as - . + USE_DEFAULT_RT=Yes in shorewall.conf. When + USE_DEFAULT_RT=No (not recommended), this column is normally + specified as . @@ -698,8 +695,7 @@ fi interfaces should be routed through the main table using entries in /etc/shorewall/rtrules (see Example 2 below) or by using USE_DEFAULT_RT=Yes or - USE_DEFAULT_RT=Exact (recommended) + linkend="USE_DEFAULT_RT">USE_DEFAULT_RT=Yes (recommended) In addition: @@ -911,8 +907,8 @@ DROP:info net:192.168.1.0/24 all Legacy Example This section describes the legacy method of configuring multiple - uplinks. It is deprecated in favor of the USE_DEFAULT_RT=Yes or - USE_DEFAULT_RT=Exact configuration described below. The configuration in the figure at the top of this section would @@ -944,8 +940,7 @@ eth1 0.0.0.0/0 130.252.99.27
- Example using USE_DEFAULT_RT=Yes or - USE_DEFAULT_RT=Exact + Example using USE_DEFAULT_RT=Yes This section shows the differences in configuring the above example with USE_DEFAULT_RT=Yes. The changes are confined to the @@ -1219,12 +1214,12 @@ gateway:~ # VPN clients (including but not limited to OpenVPN in routed mode and PPTP), the VPN software adds a host route to the main table for each VPN client. The best - approach is to use USE_DEFAULT_RT=Yes or USE_DEFAULT_RT=Exact as - described below. If that isn't - possible, you must add a routing rule in the 1000-1999 range to - specify the main table for traffic - addressed to those clients. See Example - 2 below. + approach is to use USE_DEFAULT_RT=Yes as described below. If that isn't possible, you + must add a routing rule in the 1000-1999 range to specify the + main table for traffic addressed to + those clients. See Example 2 + below. If you have an IPSEC gateway on your firewall, be sure to arrange for ESP packets to be routed out of the same interface that @@ -1794,9 +1789,9 @@ lillycat: # route rules such as described in one of the examples above necessary. - USE_DEFAULT_RT=Yes and USE_DEFAULT_RT=Exact work around that - problem by passing packets through the main table first rather than - last. This has a number of implications: + USE_DEFAULT_RT=Yes works around that problem by passing packets + through the main table first rather than last. This has a number of + implications: @@ -1807,12 +1802,9 @@ lillycat: # - When USE_DEFAULT_RT=Yes, the balance option is assumed for all interfaces - that do not have the loose, - primary, fallback or tproxy option. When you want both The balance option is assumed + for all interfaces that do not have the loose option. When you want both balance and loose, both must be specified. @@ -1906,9 +1898,8 @@ shorewall 2 2 - eth0 192.168.1.254 track,balance=2,optional<
DHCP with USE_DEFAULT_RT - When USE_DEFAULT_RT=Yes or USE_DEFAULT_RT=Exact, you don't want - your DHCP client inserting a default route into the main routing - table. + When USE_DEFAULT_RT=Yes, you don't want your DHCP client + inserting a default route into the main routing table.
Debian