From 3aac25264529a697b520e9c6b67dc3c9b04d3cb8 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Wed, 26 Oct 2011 05:59:27 -0700
Subject: [PATCH] Cleanup of IPv6 config files and manpages
- Add BLACKLIST section to IPv6 rules files.
- Add USE_DEFAULT_RT to the shorewall6.conf files and to the manpage.
---
Samples6/Universal/rules | 1 +
Samples6/Universal/shorewall6.conf | 2 +
Samples6/one-interface/rules | 1 +
Samples6/one-interface/shorewall6.conf | 2 +
Samples6/three-interfaces/rules | 1 +
Samples6/three-interfaces/shorewall6.conf | 2 +
Samples6/two-interfaces/rules | 1 +
Samples6/two-interfaces/shorewall6.conf | 2 +
Shorewall6/configfiles/rules | 1 +
Shorewall6/configfiles/shorewall6.conf | 2 +
manpages6/shorewall6.conf.xml | 61 +++++++++++++++++++++++
11 files changed, 76 insertions(+)
diff --git a/Samples6/Universal/rules b/Samples6/Universal/rules
index 5ae7cfbad..2967c1dcf 100644
--- a/Samples6/Universal/rules
+++ b/Samples6/Universal/rules
@@ -9,6 +9,7 @@
 ###########################################################################################################################################################################
 #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH
 # PORT PORT(S) DEST LIMIT GROUP
+#SECTION BLACKLIST
 #SECTION ALL
 #SECTION ESTABLISHED
 #SECTION RELATED
diff --git a/Samples6/Universal/shorewall6.conf b/Samples6/Universal/shorewall6.conf
index d3cc9be11..a56f46e06 100644
--- a/Samples6/Universal/shorewall6.conf
+++ b/Samples6/Universal/shorewall6.conf
@@ -163,6 +163,8 @@ TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
 
 TRACK_PROVIDERS=Yes
 
+USE_DEFAULT_RT=No
+
 WIDE_TC_MARKS=Yes
 
 ZONE2ZONE=2
diff --git a/Samples6/one-interface/rules b/Samples6/one-interface/rules
index e051f8e01..0a391516b 100644
--- a/Samples6/one-interface/rules
+++ b/Samples6/one-interface/rules
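Review bot: The new `#SECTION BLACKLIST` template line in Samples6/Universal/rules has no matching documentation change in this commit: the diffstat touches only manpages6/shorewall6.conf.xml, so a user copying the sample has nowhere here to learn what the BLACKLIST section is for or that it is placed ahead of ALL. If shorewall6-rules(5) does not already describe the section and its required position, updating it would complete the "manpages" part of the subject line. The marker is commented out, so the shipped sample's behaviour is unchanged; putting it before `#SECTION ALL` presumably mirrors the section order the compiler enforces — worth confirming. The same line is added to Samples6/one-interface/rules, Samples6/three-interfaces/rules, Samples6/two-interfaces/rules and Shorewall6/configfiles/rules.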
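Review bot: `USE_DEFAULT_RT=No` is added to Samples6/Universal/shorewall6.conf, but nothing in this commit shows the Shorewall6 compiler accepting that option name; the subject says only that it is being added to the conf files and manpage, so the compiler support is presumably already present and shared with Shorewall — confirm by running `shorewall6 check` against one of the Samples6 configurations before merging, since an unrecognised setting in the template would surface for every new install. The explicit No is behaviour-neutral given the manpage hunk's statement that an unset or empty value is treated as No, and it matches the uncommented style of the neighbouring TRACK_PROVIDERS and WIDE_TC_MARKS lines. The same two lines are added in Samples6/one-interface/shorewall6.conf, Samples6/three-interfaces/shorewall6.conf, Samples6/two-interfaces/shorewall6.conf and Shorewall6/configfiles/shorewall6.conf.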
@@ -13,6 +13,7 @@
 ###########################################################################################################################################################################
 #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH
 # PORT PORT(S) DEST LIMIT GROUP
+#SECTION BLACKLIST
 #SECTION ALL
 #SECTION ESTABLISHED
 #SECTION RELATED
diff --git a/Samples6/one-interface/shorewall6.conf b/Samples6/one-interface/shorewall6.conf
index 54bd5a489..23b4577e3 100644
--- a/Samples6/one-interface/shorewall6.conf
+++ b/Samples6/one-interface/shorewall6.conf
@@ -163,6 +163,8 @@ TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
 
 TRACK_PROVIDERS=Yes
 
+USE_DEFAULT_RT=No
+
 WIDE_TC_MARKS=Yes
 
 ZONE2ZONE=2
diff --git a/Samples6/three-interfaces/rules b/Samples6/three-interfaces/rules
index a8a8d2979..9f8c2772f 100644
--- a/Samples6/three-interfaces/rules
+++ b/Samples6/three-interfaces/rules
@@ -13,6 +13,7 @@
 ###########################################################################################################################################################################
 #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH
 # PORT PORT(S) DEST LIMIT GROUP
+#SECTION BLACKLIST
 #SECTION ALL
 #SECTION ESTABLISHED
 #SECTION RELATED
diff --git a/Samples6/three-interfaces/shorewall6.conf b/Samples6/three-interfaces/shorewall6.conf
index 03ef6f7df..3b038757f 100644
--- a/Samples6/three-interfaces/shorewall6.conf
+++ b/Samples6/three-interfaces/shorewall6.conf
@@ -163,6 +163,8 @@ TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
 
 TRACK_PROVIDERS=Yes
 
+USE_DEFAULT_RT=No
+
 WIDE_TC_MARKS=Yes
 
 ZONE2ZONE=2
diff --git a/Samples6/two-interfaces/rules b/Samples6/two-interfaces/rules
index 2e95245eb..0a13822da 100644
--- a/Samples6/two-interfaces/rules
+++ b/Samples6/two-interfaces/rules
@@ -13,6 +13,7 @@
 ###########################################################################################################################################################################
 #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH
 # PORT PORT(S) DEST LIMIT GROUP
+#SECTION BLACKLIST
 #SECTION ALL
 #SECTION ESTABLISHED
 #SECTION RELATED
diff --git a/Samples6/two-interfaces/shorewall6.conf b/Samples6/two-interfaces/shorewall6.conf
index f2bbbfbdb..f51ec661d 100644
--- a/Samples6/two-interfaces/shorewall6.conf
+++ b/Samples6/two-interfaces/shorewall6.conf
@@ -163,6 +163,8 @@ TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
 
 TRACK_PROVIDERS=Yes
 
+USE_DEFAULT_RT=No
+
 WIDE_TC_MARKS=Yes
 
 ZONE2ZONE=2
diff --git a/Shorewall6/configfiles/rules b/Shorewall6/configfiles/rules
index cdbb68620..e97af997e 100644
--- a/Shorewall6/configfiles/rules
+++ b/Shorewall6/configfiles/rules
@@ -9,6 +9,7 @@
 ###########################################################################################################################################################################
 #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH
 # PORT PORT(S) DEST LIMIT GROUP
+#SECTION BLACKLIST
 #SECTION ALL
 #SECTION ESTABLISHED
 #SECTION RELATED
diff --git a/Shorewall6/configfiles/shorewall6.conf b/Shorewall6/configfiles/shorewall6.conf
index b8c3c1249..3b7314959 100644
--- a/Shorewall6/configfiles/shorewall6.conf
+++ b/Shorewall6/configfiles/shorewall6.conf
@@ -163,6 +163,8 @@ TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
 
 TRACK_PROVIDERS=No
 
+USE_DEFAULT_RT=No
+
 WIDE_TC_MARKS=No
 
 ZONE2ZONE=2
diff --git a/manpages6/shorewall6.conf.xml b/manpages6/shorewall6.conf.xml
index cc5bba148..df6cbae97 100644
--- a/manpages6/shorewall6.conf.xml
+++ b/manpages6/shorewall6.conf.xml
@@ -1637,6 +1637,67 @@ net all DROP infothen the chain name is 'net2all' + + USE_DEFAULT_RT=[Yes|No] + + + Added in Shorewall6 4.4.25. When set to 'Yes', this option + causes the Shorewall6 multi-ISP feature to create a different set of + routing rules which are resilient to changes in the main routing + table. Such changes can occur for a number of reasons, VPNs going up + and down being an example. The idea is to send packets through the + main table prior to applying any of the Shorewall6-generated routing + rules. So changes to the main table will affect the routing of + packets by default. + + When USE_DEFAULT_RT=Yes: + + + + Both the DUPLICATE and the COPY columns in shorewall6-providers(5) + file must remain empty (or contain "-"). + + + + The default route is added to the the 'default' table + rather than to the main table. + + + + balance is assumed unless + loose is specified. + + + + Packets are sent through the main routing table by a rule + with priority 999. In shorewall6-routing_rules(5), + the range 1-998 may be used for inserting rules that bypass the + main table. + + + + All provider gateways must be specified explicitly in the + GATEWAY column. detect may not + be specified. + + + + You should disable all default route management outside of + Shorewall6. If a default route is added to the main table while + Shorewall is started, then all policy routing will stop working + (except for those routing rules in the priority range + 1-998). + + + + If USE_DEFAULT_RT is not set or if it is set to the empty + string then USE_DEFAULT_RT=No is assumed. + + + VERBOSITY=[number]