From 687704eff241eedaf4dcc25cae96b54220d1ecc0 Mon Sep 17 00:00:00 2001 From: teastep Date: Mon, 18 Jul 2005 22:40:26 +0000 Subject: [PATCH] Add 'loose' provider option; add COPY column to providers file git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2370 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall/firewall | 66 ++++++++++++++++++++++++++++++++------------- Shorewall/providers | 16 ++++++++--- 2 files changed, 60 insertions(+), 22 deletions(-) diff --git a/Shorewall/firewall b/Shorewall/firewall index d682cb9a2..30630ce3b 100755 --- a/Shorewall/firewall +++ b/Shorewall/firewall @@ -1052,7 +1052,34 @@ verify_mark() # $1 = value to test # setup_providers() { - local table number mark duplicate interface gateway options provider address + local table number mark duplicate interface gateway options provider address copy route loose addresses + + copy_table() { + run_ip route show table $duplicate | while read net route; do + case $net in + default|nexthop) + ;; + *) + ensure_and_save_command ip route add table $number $net $route + ;; + esac + done + } + + copy_and_edit_table() { + + run_ip route show table $duplicate | while read net route; do + case $net in + default|nexthop) + ;; + *) + if list_search $(find_device $route) $copy; then + ensure_and_save_command ip route add table $number $net $route + fi + ;; + esac + done + } add_a_provider() { local t n iface option @@ -1073,16 +1100,13 @@ setup_providers() run_and_save_command qt ip route flush table $number - if [ "x$duplicate" != x- ]; then - run_ip route show table $duplicate | while read net route; do - case $net in - default|nexthop) - ;; - *) - ensure_and_save_command ip route add table $number $net $route - ;; - esac - done + if [ "x${duplicate:=-}" != x- ]; then + if [ "x${copy:=-}" != "x-" ]; then + copy="$interface $(separate_list $copy)" + copy_and_edit_table + else + copy_table + fi fi if [ "x$gateway" = xdetect ] ; then 
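Review bot: In copy_and_edit_table the device is passed unquoted, `list_search $(find_device $route) $copy`, so for a route on which find_device prints nothing (if, as the name suggests, it extracts the `dev` word from the route text, a route without one yields an empty result) the first name in $copy becomes the search key and the match is decided against the remaining names; `if list_search "$(find_device $route)" $copy; then` keeps an empty device as an explicit, non-matching argument instead. The two nested helpers carry no comment; a one-liner above each, `# copy every route except default/nexthop entries from table $duplicate into table $number` and `# as copy_table, but only routes whose device is $interface or listed in COPY`, would document the contract. `addresses` is added to the `local` list but is not used in any hunk of this patch. setup_providers continues past the end of the hunk.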
@@ -1104,6 +1128,7 @@ setup_providers() [ -n "$gateway" ] || fatal_error "Unable to detect the gateway through interface $interface" fi + ensure_and_save_command ip route replace $gateway dev $interface table $number ensure_and_save_command ip route add default via $gateway dev $interface table $number verify_mark $mark @@ -1114,10 +1139,7 @@ setup_providers() ensure_and_save_command ip rule add fwmark $mark table $number - for address in $(find_interface_addresses $interface); do - run_and_save_command qt ip rule del from $address - ensure_and_save_command ip rule add from $address table $number - done + loose= for option in $(separate_list $options); do case $option in @@ -1136,13 +1158,19 @@ setup_providers() balance) DEFAULT_ROUTE="$DEFAULT_ROUTE nexthop via $gateway dev $interface weight 1" ;; + loose) + loose=Yes + ;; *) error_message " Warning: Invalid option ($option) ignored in provider \"$provider\"" ;; esac done - + find_interface_addresses $interface | while read address; do + run_and_save_command qt ip rule del from $address + [ -n "$loose" ] || ensure_and_save_command ip rule add from $address table $number + done } strip_file providers $1 @@ -1152,9 +1180,9 @@ setup_providers() save_progress_message "Restoring Providers..." - while read table number mark duplicate interface gateway options; do - expandv table number mark duplicate interface gateway options - provider="$table $number $mark $duplicate $interface $gateway $options" + while read table number mark duplicate interface gateway options copy; do + expandv table number mark duplicate interface gateway options copy + provider="$table $number $mark $duplicate $interface $gateway $options $copy" add_a_provider PROVIDERS="$PROVIDERS $table" progress_message " Provider $provider Added" diff --git a/Shorewall/providers b/Shorewall/providers index c408d740f..da19c2839 100755 --- a/Shorewall/providers +++ b/Shorewall/providers 
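Review bot: The new `ensure_and_save_command ip route replace $gateway dev $interface table $number` has no comment saying why a host route to the gateway is installed immediately before the default route; presumably it makes the following `ip route add default via $gateway` succeed even when the table was built with COPY and therefore lacks the link route covering the gateway, but a reader cannot infer that from the line. A comment such as `# make $gateway reachable in this table before routing default traffic through it; a COPY-limited table may not hold the link route` would settle it. The enclosing setup_providers body starts and ends outside the hunk.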
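Review bot: Turning the `for address in $(find_interface_addresses $interface)` loop into `find_interface_addresses $interface | while read address` moves the loop body into a pipeline subshell, so if ensure_and_save_command aborts the script on a failed `ip rule add` (as its name and the previous code's reliance on it suggest), only the subshell exits and setup_providers carries on with the source rule for that address missing. The `for` form ran in the current shell and propagated the abort. Keeping the loop header as `for address in $(find_interface_addresses $interface); do` with the new two-line body preserves the loose handling without that change. The `ip rule del from $address` still runs when loose is set, which looks deliberate (clearing a rule left by an earlier run) but deserves a comment such as `# always drop a stale rule from a previous run; only re-add it unless 'loose' was given`.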
@@ -52,6 +52,16 @@
 # where is the weight of the route out of
 # this interface.
 #
+# loose Normally, Shorewall adds routing rules to prohibit
+# firewall marks from working with traffic generated
+# on the firewall itself. By setting the 'loose'
+# option, generation of these rules is avoided.
+#
+# COPY A comma-separated lists of other interfaces on your
+# firewall. Only makes sense when DUPLICATE is 'main'.
+# Only copy routes through INTERFACE and through
+# interfaces listed here.
+#
 # Example: You run squid in your DMZ on IP address 192.168.2.99. Your DMZ
 # interface is eth2
 #
@@ -66,11 +76,11 @@
 # eth1 connects to ISP 2. The IP address of eth1 is 130.252.99.27 and the
 # ISP's gateway router has IP address 130.252.99.254.
 #
-# #NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS
+# #NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
 # ISP1 1 1 main eth0 206.124.146.254 track,balance
 # ISP2 2 2 main eth1 130.252.99.254 track,balance
 #
 # For additional information, see http://shorewall.net/Shorewall_and_Routing.html
-##############################################################################
-#NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS
+##############################################################################################
+#NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE