Tweak 'tracked' interface handling
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@7831 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
d946e11fc4
commit
6bb6ff5e14
@ -14,6 +14,8 @@ Changes in 4.1.2
|
|||||||
|
|
||||||
7) Tighten up HIGH_ROUTE_MARKS in the OUTPUT chain.
|
7) Tighten up HIGH_ROUTE_MARKS in the OUTPUT chain.
|
||||||
|
|
||||||
|
8) Tweak 'track'.
|
||||||
|
|
||||||
Changes in 4.1.1
|
Changes in 4.1.1
|
||||||
|
|
||||||
1) Fix ULOG/NFLOG output.
|
1) Fix ULOG/NFLOG output.
|
||||||
|
@ -131,6 +131,22 @@ Other changes in Shorewall 4.1.2.
|
|||||||
there. Packet marking rules for traffic shaping of packets
|
there. Packet marking rules for traffic shaping of packets
|
||||||
originating on the firewall must be coded in the POSTROUTING table.
|
originating on the firewall must be coded in the POSTROUTING table.
|
||||||
|
|
||||||
|
3) The behavior of the 'track' provider has been changed subtly when
|
||||||
|
TC_EXPERT=No.
|
||||||
|
|
||||||
|
Previously, traffic entering from a tracked interface was subjected
|
||||||
|
to PREROUTING marking. This was to allow the PREROUTING rules to
|
||||||
|
clear the packet mark, thus causing the packet to be routed using
|
||||||
|
the 'main' table (table 254).
|
||||||
|
|
||||||
|
Beginning with Shorewall 4.1.2, when a packet enters on a tracked
|
||||||
|
interface, the packet mark will be cleared unconditionally and the
|
||||||
|
packet will be routed based on the main table.
|
||||||
|
|
||||||
|
This change should be transparent to most users. Users who use
|
||||||
|
PREROUTING marks to route between two tracked interface are advised
|
||||||
|
to switch to TC_EXPORT=Yes.
|
||||||
|
|
||||||
Migration Issues.
|
Migration Issues.
|
||||||
|
|
||||||
1) Previously, when HIGH_ROUTE_MARKS=Yes, Shorewall allowed non-zero
|
1) Previously, when HIGH_ROUTE_MARKS=Yes, Shorewall allowed non-zero
|
||||||
@ -139,6 +155,22 @@ Migration Issues.
|
|||||||
there. Packet marking rules for traffic shaping of packets
|
there. Packet marking rules for traffic shaping of packets
|
||||||
originating on the firewall must be coded in the POSTROUTING table.
|
originating on the firewall must be coded in the POSTROUTING table.
|
||||||
|
|
||||||
|
2) The behavior of the 'track' provider has been changed subtly when
|
||||||
|
TC_EXPERT=No.
|
||||||
|
|
||||||
|
Previously, traffic entering from a tracked interface was subjected
|
||||||
|
to PREROUTING marking. This was to allow the PREROUTING rules to
|
||||||
|
clear the packet mark, thus causing the packet to be routed using
|
||||||
|
the 'main' table (table 254).
|
||||||
|
|
||||||
|
Beginning with Shorewall 4.1.2, when a packet enters on a tracked
|
||||||
|
interface, the packet mark will be cleared unconditionally and the
|
||||||
|
packet will be routed based on the main table.
|
||||||
|
|
||||||
|
This change should be transparent to most users. Users who use
|
||||||
|
PREROUTING marks to route between two tracked interface are advised
|
||||||
|
to switch to TC_EXPORT=Yes.
|
||||||
|
|
||||||
New Features in Shorewall 4.1.
|
New Features in Shorewall 4.1.
|
||||||
|
|
||||||
1) Shorewall 4.1 contains experimental support for multiple Internet
|
1) Shorewall 4.1 contains experimental support for multiple Internet
|
||||||
|
@ -233,7 +233,7 @@ get_config() {
|
|||||||
[ -n "$STARTUP_LOG" ] || $LOG_VERBOSITY=-1;
|
[ -n "$STARTUP_LOG" ] || $LOG_VERBOSITY=-1;
|
||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
echo " ERROR: INvalid LOG_VERBOSITY ($LOG_VERBOSITY)" >&2
|
echo " ERROR: Invalid LOG_VERBOSITY ($LOG_VERBOSITY)" >&2
|
||||||
exit 2;
|
exit 2;
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
@ -256,10 +256,27 @@ get_config() {
|
|||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
[ -n "${VERBOSITY:=2}" ]
|
case $VERBOSITY in
|
||||||
|
-1|0|1|2)
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
if [ -n "$VERBOSITY" ]; then
|
||||||
|
echo " ERROR: Invalid VERBOSITY setting ($VERBOSITY)" >&2
|
||||||
|
exit 2
|
||||||
|
else
|
||||||
|
VERBOSITY=2
|
||||||
|
fi
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
|
||||||
[ -n "$USE_VERBOSITY" ] && VERBOSE=$USE_VERBOSITY || VERBOSE=$(($VERBOSE_OFFSET + $VERBOSITY))
|
[ -n "$USE_VERBOSITY" ] && VERBOSE=$USE_VERBOSITY || VERBOSE=$(($VERBOSE_OFFSET + $VERBOSITY))
|
||||||
|
|
||||||
|
if [ $VERBOSE -lt -1 ]; then
|
||||||
|
VERBOSE=-1
|
||||||
|
elif [ $VERBOSE -gt 2 ]; then
|
||||||
|
VERBOSE=2
|
||||||
|
fi
|
||||||
|
|
||||||
export VERBOSE
|
export VERBOSE
|
||||||
|
|
||||||
[ -n "${HOSTNAME:=$(hostname)}" ]
|
[ -n "${HOSTNAME:=$(hostname)}" ]
|
||||||
|
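Review bot: USE_VERBOSITY is still accepted unvalidated on the `[ -n "$USE_VERBOSITY" ] && VERBOSE=$USE_VERBOSITY` line, so the new `case $VERBOSITY in` check can be sidestepped by whatever sets it (presumably a command-line verbosity option, which is outside this hunk); a non-numeric value makes the unquoted `[ $VERBOSE -lt -1 ]` / `[ $VERBOSE -gt 2 ]` tests fail with an error and the function carries on with a garbage VERBOSE. I would add the same check before the assignment, e.g. `case $USE_VERBOSITY in ""|-1|0|1|2) ;; *) echo " ERROR: Invalid verbosity ($USE_VERBOSITY)" >&2; exit 2;; esac`, and quote `"$VERBOSE"` in the clamp. The `*)` branch's fallback to 2 when VERBOSITY is empty is fine but non-obvious; a one-liner such as `# unset/empty VERBOSITY defaults to 2, anything else is rejected` would help the next reader. The unchanged context line `[ -n "$STARTUP_LOG" ] || $LOG_VERBOSITY=-1;` in the first hunk also looks like a latent bug, since the leading `$` expands the variable instead of assigning it. get_config() starts before this hunk.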
@ -552,10 +552,10 @@ sub setup_tc() {
|
|||||||
my $mark_part = '';
|
my $mark_part = '';
|
||||||
|
|
||||||
if ( @routemarked_interfaces && ! $config{TC_EXPERT} ) {
|
if ( @routemarked_interfaces && ! $config{TC_EXPERT} ) {
|
||||||
$mark_part = $config{HIGH_ROUTE_MARKS} ? '-m mark --mark 0/0xFF00' : '-m mark --mark 0/0xFF';
|
$mark_part = $config{HIGH_ROUTE_MARKS} ? '-m connmark --mark 0/0xFF00' : '-m connmark --mark 0/0xFF';
|
||||||
|
|
||||||
for my $interface ( @routemarked_interfaces ) {
|
for my $interface ( @routemarked_interfaces ) {
|
||||||
add_rule $mangle_table->{PREROUTING} , "-i $interface -j tcpre";
|
add_rule $mangle_table->{PREROUTING} , "-i $interface -j MARK --set-mark 0";
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
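Review bot: The new `-j MARK --set-mark 0` rule zeroes the entire packet mark, not only the routing-mark bits that the `0/0xFF` and `0/0xFF00` masks on the line above treat as significant, so any mark bits set by an earlier PREROUTING rule for the same interface are lost as well; if that is intended it deserves a why-comment, e.g. `# Packets entering on a tracked interface are routed via the main table: clear the mark unconditionally (4.1.2 behaviour change)`, and if not, the masked form of the MARK target would need checking against the iptables versions Shorewall supports. The switch of `$mark_part` from `-m mark` to `-m connmark` is a second, undocumented behaviour change, since it alters which packets the rule that consumes `$mark_part` (outside this hunk) applies to, and the release notes in this commit describe only the mark clearing. Those release notes also advise users to switch to `TC_EXPORT=Yes`, which reads as a typo for `TC_EXPERT=Yes` and would send them to a non-existent option. setup_tc() starts and ends outside this hunk.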