A couple of bug fixes in the Provider feature

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2140 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2005-05-19 18:06:09 +00:00
parent 6eb4740995
commit 80430c3d81
2 changed files with 135 additions and 126 deletions


@ -1060,10 +1060,22 @@ verify_mark() # $1 = value to test
# #
setup_providers() setup_providers()
{ {
local table number mark duplicate interface gateway options provider
add_a_provider() { add_a_provider() {
if list_search $table $PROVIDERS; then local t n iface option
fatal_error "Duplicate Provider: $table, provider: \"$provider\""
fi for t in $PROVIDERS; do
if [ "$t" = "$table" ]; then
fatal_error "Duplicate Provider: $table, provider: \"$provider\""
fi
eval n=\$${t}_number
if [ $n -eq $number ]; then
fatal_error "Duplicate Provider number: $number, provider: \"$provider\""
fi
done
eval ${table}_number=$number eval ${table}_number=$number
@ -1077,13 +1089,20 @@ setup_providers()
ensure_and_save_command ip route add default via $gateway dev $interface table $number ensure_and_save_command ip route add default via $gateway dev $interface table $number
iface=$(chain_base $interface) verify_mark $mark
eval ${table}_mark=$mark
run_and_save_command qt ip rule del fwmark $mark
ensure_and_save_command ip rule add fwmark $mark table $number
for option in $(separate_list $options); do for option in $(separate_list $options); do
case $option in case $option in
-) -)
;; ;;
track) track)
iface=$(chain_base $interface)
eval ${iface}_routemark=$mark eval ${iface}_routemark=$mark
ROUTEMARK_INTERFACES="$ROUTEMARK_INTERFACES $interface" ROUTEMARK_INTERFACES="$ROUTEMARK_INTERFACES $interface"
;; ;;
@ -1096,13 +1115,6 @@ setup_providers()
esac esac
done done
verify_mark $mark
eval ${table}_mark=$mark
run_and_save_command qt ip rule del fwmark $mark
ensure_and_save_command ip rule add fwmark $mark table $number
} }
@ -6446,12 +6458,6 @@ initialize_netfilter () {
run_iptables -A INPUT -i lo -j ACCEPT run_iptables -A INPUT -i lo -j ACCEPT
run_iptables -A OUTPUT -o lo -j ACCEPT run_iptables -A OUTPUT -o lo -j ACCEPT
#
# [re]-Establish routing
#
setup_providers $(find_file providers)
setup_routes $(find_file routes)
# #
# Allow DNS lookups during startup for FQDNs # Allow DNS lookups during startup for FQDNs
@ -6504,7 +6510,6 @@ initialize_netfilter () {
run_iptables -A newnotsyn -j DROP run_iptables -A newnotsyn -j DROP
fi fi
createchain icmpdef no
createchain reject no createchain reject no
createchain dynamic no createchain dynamic no
createchain smurfs no createchain smurfs no
@ -7391,7 +7396,14 @@ define_firewall() # $1 = Command (Start or Restart)
save_load_kernel_modules save_load_kernel_modules
echo "Initializing..."; initialize_netfilter echo "Initializing..."; initialize_netfilter
echo "Configuring Proxy ARP"; setup_proxy_arp echo "Configuring Proxy ARP"; setup_proxy_arp
#
# [re]-Establish routing
#
setup_providers $(find_file providers)
setup_routes $(find_file routes)
echo "Setting up NAT..."; setup_nat echo "Setting up NAT..."; setup_nat
echo "Setting up NETMAP..."; setup_netmap echo "Setting up NETMAP..."; setup_netmap
echo "Adding Common Rules"; add_common_rules echo "Adding Common Rules"; add_common_rules
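Review bot: The new duplicate-number check `if [ $n -eq $number ]` in add_a_provider (first hunk) only works when both operands are integers; if the NUMBER column holds a non-numeric value, `[` emits an "integer expression expected" diagnostic and the comparison is simply false, so a malformed entry passes this check and is only caught later when `ip route add ... table $number` fails. Unless NUMBER is already validated before add_a_provider runs (that code is outside the hunk), a guard placed before the `for t in $PROVIDERS` loop, such as `case $number in *[!0-9]*|'') fatal_error "Invalid Provider number: $number, provider: \"$provider\"";; esac`, would make the failure explicit with the same message style as the neighbouring fatal_error calls. Quoting the expansions, `if [ "$n" -eq "$number" ]`, also keeps `[` from seeing a missing operand should either value be empty. add_a_provider continues past the end of the first hunk, so any earlier validation it performs is not visible here.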


@ -1,13 +1,16 @@
Shorewall 2.3.2 Shorewall 2.4.0-RC1
----------------------------------------------------------------------- -----------------------------------------------------------------------
Problems corrected in version 2.3.2 Upgrade Issues when moving to 2.4.0
None. 1) Shorewall now enforces the restriction that mark values used in
/etc/shorewall/tcrules are less than 256. If you are using mark
values >= 256, you must change your configuration before you
upgrade.
----------------------------------------------------------------------- -----------------------------------------------------------------------
New Features in version 2.3.2 New Features in version 2.4.0
1) Shorewall 2.3.2 includes support for multiple internet interfaces to 1) Shorewall 2.4.0 includes support for multiple internet interfaces to
different ISPs. different ISPs.
The file /etc/shorewall/providers may be used to define the The file /etc/shorewall/providers may be used to define the
@ -63,109 +66,16 @@ New Features in version 2.3.2
Squid 1 1 - eth2 192.168.2.99 - Squid 1 1 - eth2 192.168.2.99 -
Use of this feature requires that your kernel and iptables Use of this feature requires that your kernel and iptables
support CONNTRACK target and conntrack match as well as extended support CONNMARK target and conntrack match as well as extended
MARK support. It does NOT require the ROUTE target extension. MARK support. It does NOT require the ROUTE target extension.
2) Shorewall 2.3.2 can now configure routing if your kernel and WARNING: The current version of iptables (1.3.1) is broken with
iptables support the ROUTE target extension. This extension is respect to CONNMARK and iptables-save/iptables-restore. This means
available in Patch-O-Matic-ng. This feature is *EXPERIMENTAL* since that if you configure multiple ISPs, "shorewall restore" will
the Netfilter team have no intention of ever releasing the ROUTE fail. You must patch your iptables using the patch at
target extension to kernel.org. http://shorewall.net/pub/shorewall/contrib/iptables/CONNMARK.diff.
Routing is configured using the /etc/shorewall/routes file. Columns 2) Shorewall 2.3.0 supports the 'cmd-owner' option of the owner match
in the file are as follows:
SOURCE Source of the packet. May be any of the
following:
- A host or network address
- A network interface name.
- The name of an ipset prefaced with "+"
- $FW (for packets originating on the firewall)
- A MAC address in Shorewall format
- A range of IP addresses (assuming that your
kernel and iptables support range match)
- A network interface name followed by ":"
and an address or address range.
DEST Destination of the packet. May be any of the
following:
- A host or network address
- A network interface name (determined from
routing table(s))
- The name of an ipset prefaced with "+"
- A network interface name followed by ":"
and an address or address range.
PROTO Protocol - Must be "tcp", "udp", "icmp",
"ipp2p", a number, or "all". "ipp2p" requires
ipp2p match support in your kernel and
iptables.
PORT(S) Destination Ports. A comma-separated list of
Port names (from /etc/services), port numbers
or port ranges; if the protocol is "icmp", this
column is interpreted as the destination
icmp-type(s).
If the protocol is ipp2p, this column is
interpreted as an ipp2p option without the
leading "--" (example "bit" for bit-torrent).
If no PORT is given, "ipp2p" is assumed.
This column is ignored if PROTOCOL = all but
must be entered if any of the following field
is supplied. In that case, it is suggested that
this field contain "-"
SOURCE PORT(S) (Optional) Source port(s). If omitted,
any source port is acceptable. Specified as a
comma-separated list of port names, port
numbers or port ranges.
TEST Defines a test on the existing packet or
connection mark.
The rule will match only if the test returns
true. Tests have the format
[!]<value>[/<mask>][:C]
Where:
! Inverts the test (not equal)
<value> Value of the packet or
connection mark.
<mask> A mask to be applied to the
mark before testing
:C Designates a connection
mark. If omitted, the packet
mark's value is tested.
INTERFACE The interface that the packet is to be routed
out of. If you do not specify this field then
you must place "-" in this column and enter an
IP address in the GATEWAY column.
GATEWAY The gateway that the packet is to be forewarded
through.
-----------------------------------------------------------------------
Problems corrected in version 2.3.1
1) A typo in the 'tunnel' script has been corrected (thanks to Patrik
Varmecký).
2) Previously, if "shorewall save" was done with SAVE_IPSETS=Yes then
Shorewall would fail fast start on reboot because the ipset modules
were not loaded.
-----------------------------------------------------------------------
New Features in version 2.3.0
1) Shorewall 2.3.0 supports the 'cmd-owner' option of the owner match
facility in Netfilter. Like all owner match options, 'cmd-owner' may facility in Netfilter. Like all owner match options, 'cmd-owner' may
only be applied to traffic that originates on the firewall. only be applied to traffic that originates on the firewall.
@ -193,7 +103,7 @@ New Features in version 2.3.0
symbolic links, it's easy to alias command names to be anything you symbolic links, it's easy to alias command names to be anything you
want. want.
2) Support has been added for ipsets 3) Support has been added for ipsets
(see http://people.netfilter.org/kadlec/ipset/). (see http://people.netfilter.org/kadlec/ipset/).
In most places where a host or network address may be used, you may In most places where a host or network address may be used, you may
@ -308,3 +218,90 @@ New Features in version 2.3.0
ipset -B Blacklist 206.124.146.177 -b SMTP ipset -B Blacklist 206.124.146.177 -b SMTP
Now only port 25 will be blocked from 206.124.146.177. Now only port 25 will be blocked from 206.124.146.177.
4) Shorewall 2.4.0 can now configure routing if your kernel and
iptables support the ROUTE target extension. This extension is
available in Patch-O-Matic-ng. This feature is *EXPERIMENTAL* since
the Netfilter team have no intention of ever releasing the ROUTE
target extension to kernel.org.
Routing is configured using the /etc/shorewall/routes file. Columns
in the file are as follows:
SOURCE Source of the packet. May be any of the
following:
- A host or network address
- A network interface name.
- The name of an ipset prefaced with "+"
- $FW (for packets originating on the firewall)
- A MAC address in Shorewall format
- A range of IP addresses (assuming that your
kernel and iptables support range match)
- A network interface name followed by ":"
and an address or address range.
DEST Destination of the packet. May be any of the
following:
- A host or network address
- A network interface name (determined from
routing table(s))
- The name of an ipset prefaced with "+"
- A network interface name followed by ":"
and an address or address range.
PROTO Protocol - Must be "tcp", "udp", "icmp",
"ipp2p", a number, or "all". "ipp2p" requires
ipp2p match support in your kernel and
iptables.
PORT(S) Destination Ports. A comma-separated list of
Port names (from /etc/services), port numbers
or port ranges; if the protocol is "icmp", this
column is interpreted as the destination
icmp-type(s).
If the protocol is ipp2p, this column is
interpreted as an ipp2p option without the
leading "--" (example "bit" for bit-torrent).
If no PORT is given, "ipp2p" is assumed.
This column is ignored if PROTOCOL = all but
must be entered if any of the following field
is supplied. In that case, it is suggested that
this field contain "-"
SOURCE PORT(S) (Optional) Source port(s). If omitted,
any source port is acceptable. Specified as a
comma-separated list of port names, port
numbers or port ranges.
TEST Defines a test on the existing packet or
connection mark.
The rule will match only if the test returns
true. Tests have the format
[!]<value>[/<mask>][:C]
Where:
! Inverts the test (not equal)
<value> Value of the packet or
connection mark.
<mask> A mask to be applied to the
mark before testing
:C Designates a connection
mark. If omitted, the packet
mark's value is tested.
INTERFACE The interface that the packet is to be routed
out of. If you do not specify this field then
you must place "-" in this column and enter an
IP address in the GATEWAY column.
GATEWAY The gateway that the packet is to be forewarded
through.