diff --git a/Shorewall/firewall b/Shorewall/firewall
index d2a713141..0f23018ff 100755
--- a/Shorewall/firewall
+++ b/Shorewall/firewall
@@ -150,7 +150,9 @@ append_file() # $1 = File Name
 # Run iptables and if an error occurs, stop the firewall and quit
 #
 run_iptables() {
-
+ #
+ # Purge the temporary files that we use to prevent duplicate '-m' specifications
+ #
 [ -n "$BRIDGING" ] && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev
 [ -n "$IPRANGE_MATCH" ] && [ -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange
 
@@ -183,7 +185,9 @@ run_iptables2() {
 # Quietly run iptables
 #
 qt_iptables() {
-
+ #
+ # Purge the temporary files that we use to prevent duplicate '-m' specifications
+ #
 [ -n "$BRIDGING" ] && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev
 [ -n "$IPRANGE_MATCH" ] && [ -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange
 
@@ -1304,13 +1308,15 @@ setup_providers()
 ensure_and_save_command "[ -n \"\$NOROUTES\" ] || ip route add default via $gateway dev $interface table $number"
 fi
 
- verify_mark $mark
+ if [ x${mark} != x- ]; then
+ verify_mark $mark
 
- eval ${table}_mark=$mark
+ eval ${table}_mark=$mark
 
- if [ $COMMAND != check ]; then
- run_and_save_command "[ -n \"\$NOROUTES\" ] || qt ip rule del fwmark $mark"
- ensure_and_save_command "[ -n \"\$NOROUTES\" ] || ip rule add fwmark $mark pref $((10000 + $mark)) table $number"
+ if [ $COMMAND != check ]; then
+ run_and_save_command "[ -n \"\$NOROUTES\" ] || qt ip rule del fwmark $mark"
+ ensure_and_save_command "[ -n \"\$NOROUTES\" ] || ip rule add fwmark $mark pref $((10000 + $mark)) table $number"
+ fi
 fi
 
 loose=
@@ -1323,6 +1329,7 @@ setup_providers()
 list_search $interface $ROUTEMARK_INTERFACES && \
 fatal_error "Interface $interface is tracked through an earlier provider"
 iface=$(chain_base $interface)
+ [ x${mark} = x- ] && fatal_error "The 'track' option requires a numeric value in the MARK column - Provider \"$provider\""
 eval ${iface}_routemark=$mark
 ROUTEMARK_INTERFACES="$ROUTEMARK_INTERFACES $interface"
 ;;
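Review bot: The three-line comment added at the top of run_iptables is duplicated verbatim in the qt_iptables hunk (@@ -183), on top of the two purge lines that were already duplicated between the two functions, so there are now two copies of both the comment and the code to keep in sync. A small helper, say `purge_match_files`, holding the two existing test-and-rm lines (with the comment on it, and `"$TMP_DIR/physdev"` / `"$TMP_DIR/iprange"` quoted), called as the first statement of both functions, would remove the duplication and close the word-splitting gap the unquoted `$TMP_DIR` leaves if that path ever contains whitespace. The new comment says why the files are removed but not who creates them; presumably the rule builders touch them when they emit a `-m physdev` or `-m iprange` match, but that is not visible in this hunk, so a pointer to the creating code would help the next reader. Both function bodies continue past the end of their hunks.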
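Review bot: With the new `if [ x${mark} != x- ]` guard in the @@ -1304 hunk, `${table}_mark` is never assigned for a provider whose MARK column is `-`, and there is no `else` branch; any later `eval` that reads `${table}_mark` (not visible here) now has to tolerate an empty expansion, and a previous value would survive if the same table name could be processed twice. An explicit `else eval ${table}_mark=` would make that contract visible at the point of change. The same `x-` sentinel test is repeated in the @@ -1323 hunk for the `track` option, and it only fires after `list_search` and `chain_base` have already run; moving it to the top of that case arm, or setting a single `have_mark` flag here and testing that, avoids inspecting the raw string twice. setup_providers extends beyond both hunks.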
@@ -1347,7 +1354,7 @@ setup_providers()
 find_interface_addresses $interface | while read address; do
 run_and_save_command "[ -n \"\$NOROUTES\" ] || qt ip rule del from $address"
 if [ -z "$loose" ]; then
- pref=$((20000 + $rulenum * 1000 + $mark ))
+ pref=$((20000 + $rulenum * 1000 + $number ))
 rulenum=$(($rulenum + 1))
 ensure_and_save_command "[ -n \"\$NOROUTES\" ] || ip rule add from $address pref $pref table $number"
 fi
@@ -5981,7 +5988,7 @@ process_rules()
 for yservers in $xservers; do
 ysourcezone=${yclients%%:*}
 ydestzone=${yservers%%:*}
- if [ "$2" = Yes -o "${ysourcezone}" != "${ydestzone}" ] ; then
+ if [ "${ysourcezone}" != "${ydestzone}" -o "$2" = Yes ] ; then
 eval ypolicy=\$${ysourcezone}2${ydestzone}_policy
 if [ "$ypolicy" != NONE ] ; then
 if [ "$1" = Yes ]; then
diff --git a/Shorewall/providers b/Shorewall/providers
index b223793c8..4a6ce4e3b 100755
--- a/Shorewall/providers
+++ b/Shorewall/providers
@@ -75,9 +75,11 @@
 # eth1 connects to ISP 2. The IP address of eth1 is 130.252.99.27 and the
 # ISP's gateway router has IP address 130.252.99.254.
 #
-# #NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
-# ISP1 1 1 main eth0 206.124.146.254 track,balance
-# ISP2 2 2 main eth1 130.252.99.254 track,balance
+# eth2 connects to a local network.
+#
+# #NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
+# ISP1 1 1 main eth0 206.124.146.254 track,balance eth2
+# ISP2 2 2 main eth1 130.252.99.254 track,balance eth2
 #
 # For additional information, see
 # http://shorewall.net/Shorewall_and_Routing.html
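Review bot: The new `pref=$((20000 + $rulenum * 1000 + $number ))` packs the provider NUMBER into the low three digits of the rule preference, but nothing in the hunk bounds `$number` below 1000, so a provider numbered 1000 or more would spill into the band reserved for the next `rulenum` and the ordering the formula is meant to establish would no longer hold; unless NUMBER is range-checked elsewhere in setup_providers, a `[ $number -lt 1000 ] || fatal_error "..."` where the column is parsed would close that. The move from `$mark` to `$number` is presumably what lets MARK be `-` now, and a one-line comment saying so, `# MARK may be '-', so key the pref on the provider NUMBER instead`, would keep a later reader from reverting it. The enclosing `while read address` loop and setup_providers continue outside the hunk.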
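Review bot: The rewritten condition in the @@ -5981 hunk still uses `-o` inside `[ ]`, which POSIX marks obsolescent and which `[` evaluates as a whole expression rather than left-to-right, so swapping the operands changes nothing about what gets evaluated; `if [ "${ysourcezone}" != "${ydestzone}" ] || [ "$2" = Yes ] ; then` expresses the same test unambiguously and makes the operand order actually meaningful. If the reorder was intended as a readability change only, saying so in a comment or the commit message would save the next reader from hunting for a semantic difference. process_rules continues outside the hunk on both sides.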