Add 'loose' provider option; add COPY column to providers file
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2370 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
a6e682a872
commit
687704eff2
@ -1052,7 +1052,34 @@ verify_mark() # $1 = value to test
|
|||||||
#
|
#
|
||||||
setup_providers()
|
setup_providers()
|
||||||
{
|
{
|
||||||
local table number mark duplicate interface gateway options provider address
|
local table number mark duplicate interface gateway options provider address copy route loose addresses
|
||||||
|
|
||||||
|
copy_table() {
|
||||||
|
run_ip route show table $duplicate | while read net route; do
|
||||||
|
case $net in
|
||||||
|
default|nexthop)
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
ensure_and_save_command ip route add table $number $net $route
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
done
|
||||||
|
}
|
||||||
|
|
||||||
|
copy_and_edit_table() {
|
||||||
|
|
||||||
|
run_ip route show table $duplicate | while read net route; do
|
||||||
|
case $net in
|
||||||
|
default|nexthop)
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
if list_search $(find_device $route) $copy; then
|
||||||
|
ensure_and_save_command ip route add table $number $net $route
|
||||||
|
fi
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
done
|
||||||
|
}
|
||||||
|
|
||||||
add_a_provider() {
|
add_a_provider() {
|
||||||
local t n iface option
|
local t n iface option
|
||||||
@ -1073,16 +1100,13 @@ setup_providers()
|
|||||||
|
|
||||||
run_and_save_command qt ip route flush table $number
|
run_and_save_command qt ip route flush table $number
|
||||||
|
|
||||||
if [ "x$duplicate" != x- ]; then
|
if [ "x${duplicate:=-}" != x- ]; then
|
||||||
run_ip route show table $duplicate | while read net route; do
|
if [ "x${copy:=-}" != "x-" ]; then
|
||||||
case $net in
|
copy="$interface $(separate_list $copy)"
|
||||||
default|nexthop)
|
copy_and_edit_table
|
||||||
;;
|
else
|
||||||
*)
|
copy_table
|
||||||
ensure_and_save_command ip route add table $number $net $route
|
fi
|
||||||
;;
|
|
||||||
esac
|
|
||||||
done
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ "x$gateway" = xdetect ] ; then
|
if [ "x$gateway" = xdetect ] ; then
|
||||||
@ -1104,6 +1128,7 @@ setup_providers()
|
|||||||
[ -n "$gateway" ] || fatal_error "Unable to detect the gateway through interface $interface"
|
[ -n "$gateway" ] || fatal_error "Unable to detect the gateway through interface $interface"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
ensure_and_save_command ip route replace $gateway dev $interface table $number
|
||||||
ensure_and_save_command ip route add default via $gateway dev $interface table $number
|
ensure_and_save_command ip route add default via $gateway dev $interface table $number
|
||||||
|
|
||||||
verify_mark $mark
|
verify_mark $mark
|
||||||
@ -1114,10 +1139,7 @@ setup_providers()
|
|||||||
|
|
||||||
ensure_and_save_command ip rule add fwmark $mark table $number
|
ensure_and_save_command ip rule add fwmark $mark table $number
|
||||||
|
|
||||||
for address in $(find_interface_addresses $interface); do
|
loose=
|
||||||
run_and_save_command qt ip rule del from $address
|
|
||||||
ensure_and_save_command ip rule add from $address table $number
|
|
||||||
done
|
|
||||||
|
|
||||||
for option in $(separate_list $options); do
|
for option in $(separate_list $options); do
|
||||||
case $option in
|
case $option in
|
||||||
@ -1136,13 +1158,19 @@ setup_providers()
|
|||||||
balance)
|
balance)
|
||||||
DEFAULT_ROUTE="$DEFAULT_ROUTE nexthop via $gateway dev $interface weight 1"
|
DEFAULT_ROUTE="$DEFAULT_ROUTE nexthop via $gateway dev $interface weight 1"
|
||||||
;;
|
;;
|
||||||
|
loose)
|
||||||
|
loose=Yes
|
||||||
|
;;
|
||||||
*)
|
*)
|
||||||
error_message " Warning: Invalid option ($option) ignored in provider \"$provider\""
|
error_message " Warning: Invalid option ($option) ignored in provider \"$provider\""
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
done
|
done
|
||||||
|
|
||||||
|
find_interface_addresses $interface | while read address; do
|
||||||
|
run_and_save_command qt ip rule del from $address
|
||||||
|
[ -n "$loose" ] || ensure_and_save_command ip rule add from $address table $number
|
||||||
|
done
|
||||||
}
|
}
|
||||||
|
|
||||||
strip_file providers $1
|
strip_file providers $1
|
||||||
@ -1152,9 +1180,9 @@ setup_providers()
|
|||||||
|
|
||||||
save_progress_message "Restoring Providers..."
|
save_progress_message "Restoring Providers..."
|
||||||
|
|
||||||
while read table number mark duplicate interface gateway options; do
|
while read table number mark duplicate interface gateway options copy; do
|
||||||
expandv table number mark duplicate interface gateway options
|
expandv table number mark duplicate interface gateway options copy
|
||||||
provider="$table $number $mark $duplicate $interface $gateway $options"
|
provider="$table $number $mark $duplicate $interface $gateway $options $copy"
|
||||||
add_a_provider
|
add_a_provider
|
||||||
PROVIDERS="$PROVIDERS $table"
|
PROVIDERS="$PROVIDERS $table"
|
||||||
progress_message " Provider $provider Added"
|
progress_message " Provider $provider Added"
|
||||||
|
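Review bot: The address loop in the last hunk, `find_interface_addresses $interface | while read address; do … done`, runs its body in a subshell, so if `ensure_and_save_command` stops the script through `fatal_error`/`exit` (the way the gateway check `[ -n "$gateway" ] || fatal_error …` in this same function does), only the subshell ends and `add_a_provider` carries on after a failed `ip rule add`; the `for address in $(find_interface_addresses $interface)` loop it replaces had no such gap. The new `copy_table` and `copy_and_edit_table` helpers in the first hunk have the same pipeline shape, inherited from the loop they replace. I cannot see `ensure_and_save_command`, so this is inferred; if it does exit on failure, either keep the `for` form for the address loop or append `|| fatal_error "Unable to add routing rules for provider $provider"` after `done` so the subshell's non-zero status still aborts the run. The enclosing `setup_providers` starts before the first hunk and ends after the last.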
@ -52,6 +52,16 @@
|
|||||||
# where <weight> is the weight of the route out of
|
# where <weight> is the weight of the route out of
|
||||||
# this interface.
|
# this interface.
|
||||||
#
|
#
|
||||||
|
# loose Normally, Shorewall adds routing rules to prohibit
|
||||||
|
# firewall marks from working with traffic generated
|
||||||
|
# on the firewall itself. By setting the 'loose'
|
||||||
|
# option, generation of these rules is avoided.
|
||||||
|
#
|
||||||
|
# COPY A comma-separated lists of other interfaces on your
|
||||||
|
# firewall. Only makes sense when DUPLICATE is 'main'.
|
||||||
|
# Only copy routes through INTERFACE and through
|
||||||
|
# interfaces listed here.
|
||||||
|
#
|
||||||
# Example: You run squid in your DMZ on IP address 192.168.2.99. Your DMZ
|
# Example: You run squid in your DMZ on IP address 192.168.2.99. Your DMZ
|
||||||
# interface is eth2
|
# interface is eth2
|
||||||
#
|
#
|
||||||
@ -66,11 +76,11 @@
|
|||||||
# eth1 connects to ISP 2. The IP address of eth1 is 130.252.99.27 and the
|
# eth1 connects to ISP 2. The IP address of eth1 is 130.252.99.27 and the
|
||||||
# ISP's gateway router has IP address 130.252.99.254.
|
# ISP's gateway router has IP address 130.252.99.254.
|
||||||
#
|
#
|
||||||
# #NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS
|
# #NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
|
||||||
# ISP1 1 1 main eth0 206.124.146.254 track,balance
|
# ISP1 1 1 main eth0 206.124.146.254 track,balance
|
||||||
# ISP2 2 2 main eth1 130.252.99.254 track,balance
|
# ISP2 2 2 main eth1 130.252.99.254 track,balance
|
||||||
#
|
#
|
||||||
# For additional information, see http://shorewall.net/Shorewall_and_Routing.html
|
# For additional information, see http://shorewall.net/Shorewall_and_Routing.html
|
||||||
##############################################################################
|
##############################################################################################
|
||||||
#NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS
|
#NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
|
||||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
|
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
|
||||||
|