diff --git a/Shorewall2/firewall b/Shorewall2/firewall index 42df90405..1f6dde019 100755 --- a/Shorewall2/firewall +++ b/Shorewall2/firewall @@ -1060,11 +1060,23 @@ verify_mark() # $1 = value to test # setup_providers() { + local table number mark duplicate interface gateway options provider + add_a_provider() { - if list_search $table $PROVIDERS; then - fatal_error "Duplicate Provider: $table, provider: \"$provider\"" - fi - + local t n iface option + + for t in $PROVIDERS; do + if [ "$t" = "$table" ]; then + fatal_error "Duplicate Provider: $table, provider: \"$provider\"" + fi + + eval n=\$${t}_number + + if [ $n -eq $number ]; then + fatal_error "Duplicate Provider number: $number, provider: \"$provider\"" + fi + done + eval ${table}_number=$number run_and_save_command qt ip route flush table $number @@ -1076,14 +1088,21 @@ setup_providers() fi ensure_and_save_command ip route add default via $gateway dev $interface table $number - - iface=$(chain_base $interface) + verify_mark $mark + + eval ${table}_mark=$mark + + run_and_save_command qt ip rule del fwmark $mark + + ensure_and_save_command ip rule add fwmark $mark table $number + for option in $(separate_list $options); do case $option in -) ;; track) + iface=$(chain_base $interface) eval ${iface}_routemark=$mark ROUTEMARK_INTERFACES="$ROUTEMARK_INTERFACES $interface" ;; @@ -1096,13 +1115,6 @@ setup_providers() esac done - verify_mark $mark - - eval ${table}_mark=$mark - - run_and_save_command qt ip rule del fwmark $mark - - ensure_and_save_command ip rule add fwmark $mark table $number } @@ -6446,12 +6458,6 @@ initialize_netfilter () { run_iptables -A INPUT -i lo -j ACCEPT run_iptables -A OUTPUT -o lo -j ACCEPT - # - # [re]-Establish routing - # - - setup_providers $(find_file providers) - setup_routes $(find_file routes) # # Allow DNS lookups during startup for FQDNs 
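Review bot: The new duplicate-number check `if [ $n -eq $number ]; then` in add_a_provider compares unquoted values with `-eq`; if `number` (read from the providers file) is empty or non-numeric, `[` prints an error and returns false, so the duplicate check is silently skipped rather than failing. Unless `number` is already validated in the caller (the read loop is outside this hunk), guard it before the loop: `case $number in ''|*[!0-9]*) fatal_error "Invalid provider number: $number, provider: \"$provider\"" ;; esac`. The value fetched by `eval n=\$${t}_number` is trusted as an integer on the same basis. The new `local` line in setup_providers also declares `duplicate`, which nothing in this hunk uses — presumably it is read by the caller, otherwise it should be dropped.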
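Review bot: `ensure_and_save_command ip rule add fwmark $mark table $number` now runs before the option loop, so an unrecognised option that aborts via `fatal_error` (the `*)` arm and the end of add_a_provider are outside this hunk) leaves the fwmark rule and `${table}_mark` already installed, whereas previously the rule was added only after every option had been parsed. If `fatal_error` does not roll back routing state, consider moving only `verify_mark $mark` and `eval ${table}_mark=$mark` ahead of the loop, which is what the `track)` arm needs, and keeping the `ip rule del`/`ip rule add` pair after it. Moving `iface=$(chain_base $interface)` into the `track)` arm is fine as far as the visible lines go, provided no other arm reads `iface`.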
@@ -6504,7 +6510,6 @@ initialize_netfilter () { run_iptables -A newnotsyn -j DROP fi - createchain icmpdef no createchain reject no createchain dynamic no createchain smurfs no @@ -7391,7 +7396,14 @@ define_firewall() # $1 = Command (Start or Restart) save_load_kernel_modules echo "Initializing..."; initialize_netfilter + echo "Configuring Proxy ARP"; setup_proxy_arp + # + # [re]-Establish routing + # + setup_providers $(find_file providers) + setup_routes $(find_file routes) + echo "Setting up NAT..."; setup_nat echo "Setting up NETMAP..."; setup_netmap echo "Adding Common Rules"; add_common_rules diff --git a/Shorewall2/releasenotes.txt b/Shorewall2/releasenotes.txt index 6c743e113..7dde50ed3 100755 --- a/Shorewall2/releasenotes.txt +++ b/Shorewall2/releasenotes.txt @@ -1,13 +1,16 @@ -Shorewall 2.3.2 +Shorewall 2.4.0-RC1 ----------------------------------------------------------------------- -Problems corrected in version 2.3.2 +Upgrade Issues when moving to 2.4.0 -None. +1) Shorewall now enforces the restriction that mark values used in + /etc/shorewall/tcrules are less than 256. If you are using mark + values >= 256, you must change your configuration before you + upgrade. ----------------------------------------------------------------------- -New Features in version 2.3.2 +New Features in version 2.4.0 -1) Shorewall 2.3.2 includes support for multiple internet interfaces to +1) Shorewall 2.4.0 includes support for multiple internet interfaces to different ISPs. The file /etc/shorewall/providers may be used to define the 
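Review bot: The routing step inserted between `setup_proxy_arp` and `setup_nat` in define_firewall is the only step in that sequence without a progress message; for consistency with its neighbours write `echo "Setting up Routing..."; setup_providers $(find_file providers)` in place of the bare call. `$(find_file providers)` and `$(find_file routes)` are unquoted, as they were at the old call site in initialize_netfilter, so a configuration path containing whitespace would be word-split; this is only harmless if find_file can never return such a path. I cannot see from the diff whether setup_proxy_arp was already invoked elsewhere in define_firewall; if it was, the new `echo "Configuring Proxy ARP"; setup_proxy_arp` line makes it run twice.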
@@ -63,109 +66,16 @@ New Features in version 2.3.2 Squid 1 1 - eth2 192.168.2.99 - Use of this feature requires that your kernel and iptables - support CONNTRACK target and conntrack match as well as extended + support CONNMARK target and conntrack match as well as extended MARK support. It does NOT require the ROUTE target extension. -2) Shorewall 2.3.2 can now configure routing if your kernel and - iptables support the ROUTE target extension. This extension is - available in Patch-O-Matic-ng. This feature is *EXPERIMENTAL* since - the Netfilter team have no intention of ever releasing the ROUTE - target extension to kernel.org. + WARNING: The current version of iptables (1.3.1) is broken with + respect to CONNMARK and iptables-save/iptables-restore. This means + that if you configure multiple ISPs, "shorewall restore" will + fail. You must patch your iptables using the patch at + http://shorewall.net/pub/shorewall/contrib/iptables/CONNMARK.diff. - Routing is configured using the /etc/shorewall/routes file. Columns - in the file are as follows: - - SOURCE Source of the packet. May be any of the - following: - - - - A host or network address - - A network interface name. - - The name of an ipset prefaced with "+" - - $FW (for packets originating on the firewall) - - A MAC address in Shorewall format - - A range of IP addresses (assuming that your - kernel and iptables support range match) - - A network interface name followed by ":" - and an address or address range. - - DEST Destination of the packet. May be any of the - following: - - - A host or network address - - A network interface name (determined from - routing table(s)) - - The name of an ipset prefaced with "+" - - A network interface name followed by ":" - and an address or address range. - - PROTO Protocol - Must be "tcp", "udp", "icmp", - "ipp2p", a number, or "all". "ipp2p" requires - ipp2p match support in your kernel and - iptables. - - PORT(S) Destination Ports. 
A comma-separated list of - Port names (from /etc/services), port numbers - or port ranges; if the protocol is "icmp", this - column is interpreted as the destination - icmp-type(s). - - If the protocol is ipp2p, this column is - interpreted as an ipp2p option without the - leading "--" (example "bit" for bit-torrent). - If no PORT is given, "ipp2p" is assumed. - - This column is ignored if PROTOCOL = all but - must be entered if any of the following field - is supplied. In that case, it is suggested that - this field contain "-" - - SOURCE PORT(S) (Optional) Source port(s). If omitted, - any source port is acceptable. Specified as a - comma-separated list of port names, port - numbers or port ranges. - - TEST Defines a test on the existing packet or - connection mark. - - The rule will match only if the test returns - true. Tests have the format - [!][/][:C] - - Where: - - ! Inverts the test (not equal) - Value of the packet or - connection mark. - - A mask to be applied to the - mark before testing - :C Designates a connection - mark. If omitted, the packet - mark's value is tested. - - INTERFACE The interface that the packet is to be routed - out of. If you do not specify this field then - you must place "-" in this column and enter an - IP address in the GATEWAY column. - - GATEWAY The gateway that the packet is to be forewarded - through. - ------------------------------------------------------------------------ -Problems corrected in version 2.3.1 - -1) A typo in the 'tunnel' script has been corrected (thanks to Patrik - Varmecký). - -2) Previously, if "shorewall save" was done with SAVE_IPSETS=Yes then - Shorewall would fail fast start on reboot because the ipset modules - were not loaded. - ------------------------------------------------------------------------ -New Features in version 2.3.0 - -1) Shorewall 2.3.0 supports the 'cmd-owner' option of the owner match +2) Shorewall 2.3.0 supports the 'cmd-owner' option of the owner match facility in Netfilter. 
Like all owner match options, 'cmd-owner' may only be applied to traffic that originates on the firewall. @@ -193,7 +103,7 @@ New Features in version 2.3.0 symbolic links, it's easy to alias command names to be anything you want. -2) Support has been added for ipsets +3) Support has been added for ipsets (see http://people.netfilter.org/kadlec/ipset/). In most places where a host or network address may be used, you may 
@@ -308,3 +218,90 @@ New Features in version 2.3.0 ipset -B Blacklist 206.124.146.177 -b SMTP Now only port 25 will be blocked from 206.124.146.177. + +4) Shorewall 2.4.0 can now configure routing if your kernel and + iptables support the ROUTE target extension. This extension is + available in Patch-O-Matic-ng. This feature is *EXPERIMENTAL* since + the Netfilter team have no intention of ever releasing the ROUTE + target extension to kernel.org. + + Routing is configured using the /etc/shorewall/routes file. Columns + in the file are as follows: + + SOURCE Source of the packet. May be any of the + following: + + + - A host or network address + - A network interface name. + - The name of an ipset prefaced with "+" + - $FW (for packets originating on the firewall) + - A MAC address in Shorewall format + - A range of IP addresses (assuming that your + kernel and iptables support range match) + - A network interface name followed by ":" + and an address or address range. + + DEST Destination of the packet. May be any of the + following: + + - A host or network address + - A network interface name (determined from + routing table(s)) + - The name of an ipset prefaced with "+" + - A network interface name followed by ":" + and an address or address range. + + PROTO Protocol - Must be "tcp", "udp", "icmp", + "ipp2p", a number, or "all". "ipp2p" requires + ipp2p match support in your kernel and + iptables. + + PORT(S) Destination Ports. A comma-separated list of + Port names (from /etc/services), port numbers + or port ranges; if the protocol is "icmp", this + column is interpreted as the destination + icmp-type(s). + + If the protocol is ipp2p, this column is + interpreted as an ipp2p option without the + leading "--" (example "bit" for bit-torrent). + If no PORT is given, "ipp2p" is assumed. + + This column is ignored if PROTOCOL = all but + must be entered if any of the following field + is supplied. 
In that case, it is suggested that + this field contain "-" + + SOURCE PORT(S) (Optional) Source port(s). If omitted, + any source port is acceptable. Specified as a + comma-separated list of port names, port + numbers or port ranges. + + TEST Defines a test on the existing packet or + connection mark. + + The rule will match only if the test returns + true. Tests have the format + [!][/][:C] + + Where: + + ! Inverts the test (not equal) + Value of the packet or + connection mark. + + A mask to be applied to the + mark before testing + :C Designates a connection + mark. If omitted, the packet + mark's value is tested. + + INTERFACE The interface that the packet is to be routed + out of. If you do not specify this field then + you must place "-" in this column and enter an + IP address in the GATEWAY column. + + GATEWAY The gateway that the packet is to be forewarded + through. +