Default gateway detection in /etc/shorewall/init

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8342 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2008-03-23 16:08:34 +00:00 · 2008-03-23 16:08:34 +00:00 · 5986d4db32
commit 5986d4db32
parent 680788433d
4 changed files with 196 additions and 199 deletions
--- a/Shorewall-common/changelog.txt
+++ b/Shorewall-common/changelog.txt
@ -1,3 +1,11 @@
 Changes in 4.1.7
 1)  Fix port verification.
 2)  Fix number of columns calculation.
 3)  Allow user exits to detect gateway.
 Changes in 4.1.6
 1)  Deprecate IMPLICIT_CONTINUE=Yes
--- a/Shorewall-common/releasenotes.txt
+++ b/Shorewall-common/releasenotes.txt
@ -1,4 +1,4 @@
-Shorewall 4.1 Patch Release 6.
+Shorewall 4.1 Patch Release 7.
 ----------------------------------------------------------------------------
               R E L E A S E  4 . 1  H I G H L I G H T S
@ -71,208 +71,40 @@ Migration Issues.
 5)  The value of IMPLICIT_CONTINUE in shorewall.conf (and samples) has
    been changed from Yes to No.
-Problems corrected in Shorewall-perl 4.1.6.
+Problems corrected in Shorewall-perl 4.1.7.
-1)  A problem introduced in 4.1.5 would result in the following error
+1)  Perl run-time errors occurred if an unknown service was named in
-    message.
+    the /etc/shorewall/tcfilters file.
-	ERROR: Internal error in create_netfilter_load()	
+2)  Trailing columns containing '-' would outwit Shorewall-perl's
    detection of 'too few columns' errors.
-2)  Under Shorewall-perl, if an empty action was invoked or was named
+New Features in 4.1.7.
    in one of the DEFAULT_xxx options in shorewall.conf, an
    iptables-restore error occured.
-3)  If $ADMIN was empty, then the rule:
+1)  If an interface fails when using balanced multi-ISP routing, the
    default route is lost. If there are remaining working interfaces
    with dynamic gateway addresses, Shorewall will be unable to
    determine those gateways.
-       ACCEPT loc:$ADMIN all
+    Beginning with Shorewall (Shorewall-lite) 4.1.7, the 'init' script
    may participate in gateway detection by setting variables with
    pre-determined names as follows:
-    became
+         <gw>_GATEWAY
-       ACCEPT loc   net
+    where <gw> is the interface name:
-    It is now flagged as an error.
+    	  - in upper case
 	  - with any characters not allowed in shell variable names
 	    replaced by '_'.
-Problems corrected in Shorewall-shell 4.1.6.
+    Example (from OpenWRT): 
-1)  Specifying a value for ACCEPT_DEFAULT or QUEUE_DEFAULT resulted in
+    	  Interface:           eth0.1
-    a fatal error at compile time. 
+	  Variable:            ETH0_1_GATEWAY
          /etc/shorewall/init: 
-New Features in 4.1.6.
+	      ETH0_1_GATEWAY=$(uci get /var/state/network.wan0.gateway)
 1)  The default value for the IMPLICIT_CONTINUE option has been changed
    to 'No'.
 2)  A REDIRECTED INTERFACES option has been added to the tcdevices file
    to support using an IFB (Intermediate Functional Block) device.
    IFBs can be used to shape incoming traffic by redirecting that
    traffic through the IFB.
    To use this feature:
       a) Specify the name of your IFB in the INTERFACE column.
       b) List the redirected device names (comma-separated) in the
          REDIRECTED INTERFACES column.
    Packets that are input from the redirected interface(s) will appear
    as output packets on the IFB.
    This support should be considered EXPERIMENTAL.
 3)  Shorewall-perl now supports an 'l2tp' tunnel type. It opens UDP
    port 1701 in both directions and assumes that the source port will
    also be 1701. Some implementations (particularly OS X) use a
    different source port. In that case, you should use
    'generic:udp:1701' rather than 'l2tp'.
 4)  The /etc/shorewall/tcdevices and /etc/shorewall/tcclasses files
    have undergone some changes, especially when the 'classify' option
    has been specified.
    Normally Shorewall assigns interface numbers sequentially to
    devices listed in /etc/shorewall/tcdevices. Beginning with
    Shorewall 4.1.6, you can explicitly specify inteface numbers by
    prefixing the interface name with the interface number and a colon:
    Example:
     #INTERFACE	IN-BANDWITH	OUT-BANDWIDTH	OPTIONS
     1:eth0	1300kbit	384kbit		classify
     2:eth1	5600kbit	1000kbit	
     In /etc/shorewall/tcclasses:
     a) You can specify the INTERFACE using either the interface name
        or interface number.
     b) classes associated with devices which have the 'classify'
        option _must_ specify a class number by following the interface
        name/number with a colon (":") and the class number. The same
        class number may be used for classes defined on different
        interfaces but a class number may not be the same as any
        interface number.
    A class number may be specified when 'classify' has not been
    specified for the associated device. When a class number has not
    been given, the default class number remains the mark value
    prefixed by "1".
 5)  Shorewall now supports Intermediate Functional Block (IFB) devices.
    These devices allow shaping of incoming traffic.
    The 'ifb' module is available in the kernels included with today's
    distributions. You must load the module manually:
    If your distribution has modprobe:
       modprobe ifb [ numifbs=<number> ]
    Otherwise:
       insmod <path to net driver modules>/ifb.ko [ numifbs=<number> ]
    By default, the module automatically creates two IFB devices (ifb0
    and ifb1). To create only one, specify 'numifbs=1'.
    Example:
 	ursa:~ # modprobe ifb numifbs=1
 	ursa:~ # ip link ls
 	1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue 
    	    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
 	2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    	    link/ether cc:2b:cb:24:1b:00 brd ff:ff:ff:ff:ff:ff
 	3: wlan0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    	    link/ether 00:1a:73:db:8c:35 brd ff:ff:ff:ff:ff:ff
        4: ifb0: <BROADCAST,NOARP> mtu 1500 qdisc noop qlen 32
   	    link/ether 26:99:d8:7d:32:26 brd ff:ff:ff:ff:ff:ff
 	ursa:~ # 
    After you have created the IFB(s), you must bring it(them) up:
    	ip link set dev ifb0 up
    You can place all of this in /etc/shorewall/init as follows:
    	modprobe ifb numifbs=1
 	ip link set dev ifb0 up
    The /etc/shorewall/tcdevices file has been extended to include an
    additional REDIRECTED DEVICES column. To convert your configuration
    to use an IFB:
    a) Look at your current /etc/shorewall/tcdevices file. Suppose you
       have:
 	#INTERFACE	IN-BANDWIDTH	OUT-BANDWIDTH	OPTIONS
 	eth0		1300kbit        384kbit		-
        Change it as follows:
 	#INTERFACE  IN-BANDWIDTH  OUT-BANDWIDTH	OPTIONS  REDIRECTED
 	#                                                DEVICES
 	eth0	    -	          384kkbit	-
 	ifb0	    -		  1300kbit	-	 eth0
       Note that the old IN-BANDWIDTH for eth0 has become the
       OUT-BANDWIDTH for ifb0 and that neither device has an
       IN-BANDWIDTH in the new configuration.
       Finally note that eth0 has been specified as a REDIRECTED device
       for the IFB.
    b) There are no Netfilter hooks between the real device (eth0) and
       the IFB (ifb0). So tcrules cannot be used to specify shaping of
       traffic leaving the IFB. To allow that traffic to be classified,
       a new /etc/shorewall/tcfilters file has been added.
       /etc/shorewall/tcfilters can be used for classifying traffic on
       any interface. When using entries in that file, it is important
       to realize that those entries act on packets as they appear 'on
       the wire'. That means that on output, SNAT/MASQUERADE has been
       applied and on input (output to an IFB), DNAT has not yet been
       applied.
       Columns in the file are:
       INTERFACE:CLASS
 		The interface name or number followed by a colon (":")
 		and the class number.
       SOURCE
                Source IP address. May be a host or network address.
 		Specify "-" if any SOURCE address should match.
       DEST
 		Destination IP address. May be a host or network
 		address. Specify "-" if any DEST address should match.
       PROTO
 		Protocol Name/Number. Specify "-" if any PROTO should
 		match.
       DEST PORT(S)
 	        A comma-separated list of destination ports. May only
 	        be given if the PROTO is tcp, udp, icmp or
 	        sctp. Port ranges may be used, except when the PROTO is
 	        icmp. Specify "-" if any PORT should match.
       SOURCE PORT(S)
 	        A comma-separated list of source port. May only be
 	        given if the PROTO is tcp, udp or sctp. Port ranges
 	        may be used unless the protocol is icmp. Specify "-" if
 	        any PORT should match.
    Entries in /etc/shorewall/tcfilters generate U32 tc filters which
    may be displayed using the "shorewall show filters" ("shorewall-lite
    show filters") command. Note: The 'show filters' command is an
    alias for the existing 'show classifiers' command.
    Note that /etc/shorewall/tcfilters provides a usable alternative to
    HIGH_ROUTE_MARKS=Yes. You can use marks to select between providers
    and use entries in /etc/shorewall/tcfilters (or CLASSIFY tcrules)
    for traffic shaping.
 New Features in Shorewall 4.1.
@ -699,3 +531,160 @@ New Features in Shorewall 4.1.
    available under Shorewall-perl The option is ignored by
    Shorewall-shell.
 24) The default value for the IMPLICIT_CONTINUE option has been changed
    to 'No'.
 25) Shorewall-perl now supports an 'l2tp' tunnel type. It opens UDP
    port 1701 in both directions and assumes that the source port will
    also be 1701. Some implementations (particularly OS X) use a
    different source port. In that case, you should use
    'generic:udp:1701' rather than 'l2tp'.
 26) The /etc/shorewall/tcdevices and /etc/shorewall/tcclasses files
    have undergone some changes, especially when the 'classify' option
    has been specified.
    Normally Shorewall assigns interface numbers sequentially to
    devices listed in /etc/shorewall/tcdevices. Beginning with
    Shorewall 4.1.6, you can explicitly specify inteface numbers by
    prefixing the interface name with the interface number and a colon:
    Example:
     #INTERFACE	IN-BANDWITH	OUT-BANDWIDTH	OPTIONS
     1:eth0	1300kbit	384kbit		classify
     2:eth1	5600kbit	1000kbit	
     In /etc/shorewall/tcclasses:
     a) You can specify the INTERFACE using either the interface name
        or interface number.
     b) classes associated with devices which have the 'classify'
        option _must_ specify a class number by following the interface
        name/number with a colon (":") and the class number. The same
        class number may be used for classes defined on different
        interfaces but a class number may not be the same as any
        interface number.
    A class number may be specified when 'classify' has not been
    specified for the associated device. When a class number has not
    been given, the default class number remains the mark value
    prefixed by "1".
 27) Shorewall now supports Intermediate Functional Block (IFB) devices.
    These devices allow shaping of incoming traffic.
    The 'ifb' module is available in the kernels included with today's
    distributions. You must load the module manually:
    If your distribution has modprobe:
       modprobe ifb [ numifbs=<number> ]
    Otherwise:
       insmod <path to net driver modules>/ifb.ko [ numifbs=<number> ]
    By default, the module automatically creates two IFB devices (ifb0
    and ifb1). To create only one, specify 'numifbs=1'.
    Example:
 	ursa:~ # modprobe ifb numifbs=1
 	ursa:~ # ip link ls
 	1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue 
    	    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
 	2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    	    link/ether cc:2b:cb:24:1b:00 brd ff:ff:ff:ff:ff:ff
 	3: wlan0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    	    link/ether 00:1a:73:db:8c:35 brd ff:ff:ff:ff:ff:ff
        4: ifb0: <BROADCAST,NOARP> mtu 1500 qdisc noop qlen 32
   	    link/ether 26:99:d8:7d:32:26 brd ff:ff:ff:ff:ff:ff
 	ursa:~ # 
    After you have created the IFB(s), you must bring it(them) up:
    	ip link set dev ifb0 up
    You can place all of this in /etc/shorewall/init as follows:
    	modprobe ifb numifbs=1
 	ip link set dev ifb0 up
    The /etc/shorewall/tcdevices file has been extended to include an
    additional REDIRECTED DEVICES column. To convert your configuration
    to use an IFB:
    a) Look at your current /etc/shorewall/tcdevices file. Suppose you
       have:
 	#INTERFACE	IN-BANDWIDTH	OUT-BANDWIDTH	OPTIONS
 	eth0		1300kbit        384kbit		-
        Change it as follows:
 	#INTERFACE  IN-BANDWIDTH  OUT-BANDWIDTH	OPTIONS  REDIRECTED
 	#                                                DEVICES
 	eth0	    -	          384kkbit	-
 	ifb0	    -		  1300kbit	-	 eth0
       Note that the old IN-BANDWIDTH for eth0 has become the
       OUT-BANDWIDTH for ifb0 and that neither device has an
       IN-BANDWIDTH in the new configuration.
       Finally note that eth0 has been specified as a REDIRECTED device
       for the IFB.
    b) There are no Netfilter hooks between the real device (eth0) and
       the IFB (ifb0). So tcrules cannot be used to specify shaping of
       traffic leaving the IFB. To allow that traffic to be classified,
       a new /etc/shorewall/tcfilters file has been added.
       /etc/shorewall/tcfilters can be used for classifying traffic on
       any interface. When using entries in that file, it is important
       to realize that those entries act on packets as they appear 'on
       the wire'. That means that on output, SNAT/MASQUERADE has been
       applied and on input (output to an IFB), DNAT has not yet been
       applied.
       Columns in the file are:
       INTERFACE:CLASS
 		The interface name or number followed by a colon (":")
 		and the class number.
       SOURCE
                Source IP address. May be a host or network address.
 		Specify "-" if any SOURCE address should match.
       DEST
 		Destination IP address. May be a host or network
 		address. Specify "-" if any DEST address should match.
       PROTO
 		Protocol Name/Number. Specify "-" if any PROTO should
 		match.
       DEST PORT(S)
 	        A comma-separated list of destination ports. May only
 	        be given if the PROTO is tcp, udp, icmp or
 	        sctp. Port ranges may be used, except when the PROTO is
 	        icmp. Specify "-" if any PORT should match.
       SOURCE PORT(S)
 	        A comma-separated list of source port. May only be
 	        given if the PROTO is tcp, udp or sctp. Port ranges
 	        may be used unless the protocol is icmp. Specify "-" if
 	        any PORT should match.
    Entries in /etc/shorewall/tcfilters generate U32 tc filters which
    may be displayed using the "shorewall show filters" ("shorewall-lite
    show filters") command. Note: The 'show filters' command is an
    alias for the existing 'show classifiers' command.
    Note that /etc/shorewall/tcfilters provides a usable alternative to
    HIGH_ROUTE_MARKS=Yes. You can use marks to select between providers
    and use entries in /etc/shorewall/tcfilters (or CLASSIFY tcrules)
    for traffic shaping.
--- a/Shorewall-perl/Shorewall/Chains.pm
+++ b/Shorewall-perl/Shorewall/Chains.pm
@ -1574,9 +1574,9 @@ sub get_interface_gateway ( $ ) {
    my $variable = interface_gateway( $interface );
    if ( interface_is_optional $interface ) {
-	$interfacegateways{$interface} = qq($variable=\$(detect_gateway $interface)\n);
+	$interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$(detect_gateway $interface)\n);
    } else {
-	$interfacegateways{$interface} = qq($variable=\$(detect_gateway $interface)
+	$interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$(detect_gateway $interface)
 [ -n "\$$variable" ] || fatal_error "Unable to detect the gateway through interface $interface"
 );
    }
--- a/web/shorewall_index.htm
+++ b/web/shorewall_index.htm
@ -22,7 +22,7 @@ the
 license is included in the section entitled <span
 style="text-decoration: underline;">"</span><a href="GnuCopyright.htm"
 target="_self">GNU Free Documentation License</a>".</p>
-<p>2008-02-23</p>
+<p>2008-03-21</p>
 <hr style="width: 100%; height: 2px;">
 <h2>Table of Contents</h2>
 <p style="margin-bottom: 0in; margin-left: 0.42in;"><a href="#Intro">Introduction
@ -150,15 +150,15 @@ problems</a> and <a
 </ul>
 The <span style="font-weight: bold;">current Development Release</span>
 is
-4.1.5.
+4.1.6.
 <ul>
  <li>Here are the <a
- href="http://www1.shorewall.net/pub/shorewall/development/4.1/shorewall-4.1.5/releasenotes.txt">release
+ href="http://www1.shorewall.net/pub/shorewall/development/4.1/shorewall-4.1.6/releasenotes.txt">release
 notes</a> </li>
  <li>Here are the <a
- href="http://www1.shorewall.net/pub/shorewall/development/4.1/shorewall-4.1.5/known_problems.txt">known
+ href="http://www1.shorewall.net/pub/shorewall/development/4.1/shorewall-4.1.6/known_problems.txt">known
 problems</a> and <a
- href="http://www1.shorewall.net/pub/shorewall/development/4.1/shorewall-4.1.5/errata/">updates</a>.</li>
+ href="http://www1.shorewall.net/pub/shorewall/development/4.1/shorewall-4.1.6/errata/">updates</a>.</li>
 </ul>
 </div>
 <div style="margin-left: 40px;">