Couple of bug fixes in Provider feature
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2140 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
6eb4740995
commit
80430c3d81
@ -1060,11 +1060,23 @@ verify_mark() # $1 = value to test
|
|||||||
#
|
#
|
||||||
setup_providers()
|
setup_providers()
|
||||||
{
|
{
|
||||||
|
local table number mark duplicate interface gateway options provider
|
||||||
|
|
||||||
add_a_provider() {
|
add_a_provider() {
|
||||||
if list_search $table $PROVIDERS; then
|
local t n iface option
|
||||||
fatal_error "Duplicate Provider: $table, provider: \"$provider\""
|
|
||||||
fi
|
for t in $PROVIDERS; do
|
||||||
|
if [ "$t" = "$table" ]; then
|
||||||
|
fatal_error "Duplicate Provider: $table, provider: \"$provider\""
|
||||||
|
fi
|
||||||
|
|
||||||
|
eval n=\$${t}_number
|
||||||
|
|
||||||
|
if [ $n -eq $number ]; then
|
||||||
|
fatal_error "Duplicate Provider number: $number, provider: \"$provider\""
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
|
||||||
eval ${table}_number=$number
|
eval ${table}_number=$number
|
||||||
|
|
||||||
run_and_save_command qt ip route flush table $number
|
run_and_save_command qt ip route flush table $number
|
||||||
@ -1076,14 +1088,21 @@ setup_providers()
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
ensure_and_save_command ip route add default via $gateway dev $interface table $number
|
ensure_and_save_command ip route add default via $gateway dev $interface table $number
|
||||||
|
|
||||||
iface=$(chain_base $interface)
|
|
||||||
|
|
||||||
|
verify_mark $mark
|
||||||
|
|
||||||
|
eval ${table}_mark=$mark
|
||||||
|
|
||||||
|
run_and_save_command qt ip rule del fwmark $mark
|
||||||
|
|
||||||
|
ensure_and_save_command ip rule add fwmark $mark table $number
|
||||||
|
|
||||||
for option in $(separate_list $options); do
|
for option in $(separate_list $options); do
|
||||||
case $option in
|
case $option in
|
||||||
-)
|
-)
|
||||||
;;
|
;;
|
||||||
track)
|
track)
|
||||||
|
iface=$(chain_base $interface)
|
||||||
eval ${iface}_routemark=$mark
|
eval ${iface}_routemark=$mark
|
||||||
ROUTEMARK_INTERFACES="$ROUTEMARK_INTERFACES $interface"
|
ROUTEMARK_INTERFACES="$ROUTEMARK_INTERFACES $interface"
|
||||||
;;
|
;;
|
||||||
@ -1096,13 +1115,6 @@ setup_providers()
|
|||||||
esac
|
esac
|
||||||
done
|
done
|
||||||
|
|
||||||
verify_mark $mark
|
|
||||||
|
|
||||||
eval ${table}_mark=$mark
|
|
||||||
|
|
||||||
run_and_save_command qt ip rule del fwmark $mark
|
|
||||||
|
|
||||||
ensure_and_save_command ip rule add fwmark $mark table $number
|
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -6446,12 +6458,6 @@ initialize_netfilter () {
|
|||||||
run_iptables -A INPUT -i lo -j ACCEPT
|
run_iptables -A INPUT -i lo -j ACCEPT
|
||||||
run_iptables -A OUTPUT -o lo -j ACCEPT
|
run_iptables -A OUTPUT -o lo -j ACCEPT
|
||||||
|
|
||||||
#
|
|
||||||
# [re]-Establish routing
|
|
||||||
#
|
|
||||||
|
|
||||||
setup_providers $(find_file providers)
|
|
||||||
setup_routes $(find_file routes)
|
|
||||||
|
|
||||||
#
|
#
|
||||||
# Allow DNS lookups during startup for FQDNs
|
# Allow DNS lookups during startup for FQDNs
|
||||||
@ -6504,7 +6510,6 @@ initialize_netfilter () {
|
|||||||
run_iptables -A newnotsyn -j DROP
|
run_iptables -A newnotsyn -j DROP
|
||||||
fi
|
fi
|
||||||
|
|
||||||
createchain icmpdef no
|
|
||||||
createchain reject no
|
createchain reject no
|
||||||
createchain dynamic no
|
createchain dynamic no
|
||||||
createchain smurfs no
|
createchain smurfs no
|
||||||
@ -7391,7 +7396,14 @@ define_firewall() # $1 = Command (Start or Restart)
|
|||||||
save_load_kernel_modules
|
save_load_kernel_modules
|
||||||
|
|
||||||
echo "Initializing..."; initialize_netfilter
|
echo "Initializing..."; initialize_netfilter
|
||||||
|
|
||||||
echo "Configuring Proxy ARP"; setup_proxy_arp
|
echo "Configuring Proxy ARP"; setup_proxy_arp
|
||||||
|
#
|
||||||
|
# [re]-Establish routing
|
||||||
|
#
|
||||||
|
setup_providers $(find_file providers)
|
||||||
|
setup_routes $(find_file routes)
|
||||||
|
|
||||||
echo "Setting up NAT..."; setup_nat
|
echo "Setting up NAT..."; setup_nat
|
||||||
echo "Setting up NETMAP..."; setup_netmap
|
echo "Setting up NETMAP..."; setup_netmap
|
||||||
echo "Adding Common Rules"; add_common_rules
|
echo "Adding Common Rules"; add_common_rules
|
||||||
|
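Review bot: In the first hunk, `add_a_provider` runs `eval ${table}_number=$number`, `eval n=\$${t}_number` and `eval ${table}_mark=$mark` on values read from the providers file without first checking that `$table` is a valid shell identifier, so a provider name containing `-`, `.` or other metacharacters is spliced into the evaluated statement (producing an eval syntax error or an unintended assignment) rather than being rejected with a clear message. The new duplicate-name loop is the natural place for that check; before it I would add `case $table in *[!a-zA-Z0-9_]*|[0-9]*) fatal_error "Invalid provider name: \"$table\"" ;; esac`, and the same consideration applies to `$iface` in the `track)` arm unless `chain_base` already normalises the name (not visible here). The compare `[ $n -eq $number ]` likewise assumes `$number` was validated as an integer earlier; if that happens before this hunk it is fine, otherwise a non-numeric NUMBER column surfaces as a `test` error instead of a `fatal_error`. `add_a_provider` closes in the third hunk of this section and `setup_providers` itself continues outside the lines shown.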
@ -1,13 +1,16 @@
|
|||||||
Shorewall 2.3.2
|
Shorewall 2.4.0-RC1
|
||||||
|
|
||||||
-----------------------------------------------------------------------
|
-----------------------------------------------------------------------
|
||||||
Problems corrected in version 2.3.2
|
Upgrade Issues when moving to 2.4.0
|
||||||
|
|
||||||
None.
|
1) Shorewall now enforces the restriction that mark values used in
|
||||||
|
/etc/shorewall/tcrules are less than 256. If you are using mark
|
||||||
|
values >= 256, you must change your configuration before you
|
||||||
|
upgrade.
|
||||||
-----------------------------------------------------------------------
|
-----------------------------------------------------------------------
|
||||||
New Features in version 2.3.2
|
New Features in version 2.4.0
|
||||||
|
|
||||||
1) Shorewall 2.3.2 includes support for multiple internet interfaces to
|
1) Shorewall 2.4.0 includes support for multiple internet interfaces to
|
||||||
different ISPs.
|
different ISPs.
|
||||||
|
|
||||||
The file /etc/shorewall/providers may be used to define the
|
The file /etc/shorewall/providers may be used to define the
|
||||||
@ -63,109 +66,16 @@ New Features in version 2.3.2
|
|||||||
Squid 1 1 - eth2 192.168.2.99 -
|
Squid 1 1 - eth2 192.168.2.99 -
|
||||||
|
|
||||||
Use of this feature requires that your kernel and iptables
|
Use of this feature requires that your kernel and iptables
|
||||||
support CONNTRACK target and conntrack match as well as extended
|
support CONNMARK target and conntrack match as well as extended
|
||||||
MARK support. It does NOT require the ROUTE target extension.
|
MARK support. It does NOT require the ROUTE target extension.
|
||||||
|
|
||||||
2) Shorewall 2.3.2 can now configure routing if your kernel and
|
WARNING: The current version of iptables (1.3.1) is broken with
|
||||||
iptables support the ROUTE target extension. This extension is
|
respect to CONNMARK and iptables-save/iptables-restore. This means
|
||||||
available in Patch-O-Matic-ng. This feature is *EXPERIMENTAL* since
|
that if you configure multiple ISPs, "shorewall restore" will
|
||||||
the Netfilter team have no intention of ever releasing the ROUTE
|
fail. You must patch your iptables using the patch at
|
||||||
target extension to kernel.org.
|
http://shorewall.net/pub/shorewall/contrib/iptables/CONNMARK.diff.
|
||||||
|
|
||||||
Routing is configured using the /etc/shorewall/routes file. Columns
|
2) Shorewall 2.3.0 supports the 'cmd-owner' option of the owner match
|
||||||
in the file are as follows:
|
|
||||||
|
|
||||||
SOURCE Source of the packet. May be any of the
|
|
||||||
following:
|
|
||||||
|
|
||||||
|
|
||||||
- A host or network address
|
|
||||||
- A network interface name.
|
|
||||||
- The name of an ipset prefaced with "+"
|
|
||||||
- $FW (for packets originating on the firewall)
|
|
||||||
- A MAC address in Shorewall format
|
|
||||||
- A range of IP addresses (assuming that your
|
|
||||||
kernel and iptables support range match)
|
|
||||||
- A network interface name followed by ":"
|
|
||||||
and an address or address range.
|
|
||||||
|
|
||||||
DEST Destination of the packet. May be any of the
|
|
||||||
following:
|
|
||||||
|
|
||||||
- A host or network address
|
|
||||||
- A network interface name (determined from
|
|
||||||
routing table(s))
|
|
||||||
- The name of an ipset prefaced with "+"
|
|
||||||
- A network interface name followed by ":"
|
|
||||||
and an address or address range.
|
|
||||||
|
|
||||||
PROTO Protocol - Must be "tcp", "udp", "icmp",
|
|
||||||
"ipp2p", a number, or "all". "ipp2p" requires
|
|
||||||
ipp2p match support in your kernel and
|
|
||||||
iptables.
|
|
||||||
|
|
||||||
PORT(S) Destination Ports. A comma-separated list of
|
|
||||||
Port names (from /etc/services), port numbers
|
|
||||||
or port ranges; if the protocol is "icmp", this
|
|
||||||
column is interpreted as the destination
|
|
||||||
icmp-type(s).
|
|
||||||
|
|
||||||
If the protocol is ipp2p, this column is
|
|
||||||
interpreted as an ipp2p option without the
|
|
||||||
leading "--" (example "bit" for bit-torrent).
|
|
||||||
If no PORT is given, "ipp2p" is assumed.
|
|
||||||
|
|
||||||
This column is ignored if PROTOCOL = all but
|
|
||||||
must be entered if any of the following field
|
|
||||||
is supplied. In that case, it is suggested that
|
|
||||||
this field contain "-"
|
|
||||||
|
|
||||||
SOURCE PORT(S) (Optional) Source port(s). If omitted,
|
|
||||||
any source port is acceptable. Specified as a
|
|
||||||
comma-separated list of port names, port
|
|
||||||
numbers or port ranges.
|
|
||||||
|
|
||||||
TEST Defines a test on the existing packet or
|
|
||||||
connection mark.
|
|
||||||
|
|
||||||
The rule will match only if the test returns
|
|
||||||
true. Tests have the format
|
|
||||||
[!]<value>[/<mask>][:C]
|
|
||||||
|
|
||||||
Where:
|
|
||||||
|
|
||||||
! Inverts the test (not equal)
|
|
||||||
<value> Value of the packet or
|
|
||||||
connection mark.
|
|
||||||
|
|
||||||
<mask> A mask to be applied to the
|
|
||||||
mark before testing
|
|
||||||
:C Designates a connection
|
|
||||||
mark. If omitted, the packet
|
|
||||||
mark's value is tested.
|
|
||||||
|
|
||||||
INTERFACE The interface that the packet is to be routed
|
|
||||||
out of. If you do not specify this field then
|
|
||||||
you must place "-" in this column and enter an
|
|
||||||
IP address in the GATEWAY column.
|
|
||||||
|
|
||||||
GATEWAY The gateway that the packet is to be forewarded
|
|
||||||
through.
|
|
||||||
|
|
||||||
-----------------------------------------------------------------------
|
|
||||||
Problems corrected in version 2.3.1
|
|
||||||
|
|
||||||
1) A typo in the 'tunnel' script has been corrected (thanks to Patrik
|
|
||||||
Varmecký).
|
|
||||||
|
|
||||||
2) Previously, if "shorewall save" was done with SAVE_IPSETS=Yes then
|
|
||||||
Shorewall would fail fast start on reboot because the ipset modules
|
|
||||||
were not loaded.
|
|
||||||
|
|
||||||
-----------------------------------------------------------------------
|
|
||||||
New Features in version 2.3.0
|
|
||||||
|
|
||||||
1) Shorewall 2.3.0 supports the 'cmd-owner' option of the owner match
|
|
||||||
facility in Netfilter. Like all owner match options, 'cmd-owner' may
|
facility in Netfilter. Like all owner match options, 'cmd-owner' may
|
||||||
only be applied to traffic that originates on the firewall.
|
only be applied to traffic that originates on the firewall.
|
||||||
|
|
||||||
@ -193,7 +103,7 @@ New Features in version 2.3.0
|
|||||||
symbolic links, it's easy to alias command names to be anything you
|
symbolic links, it's easy to alias command names to be anything you
|
||||||
want.
|
want.
|
||||||
|
|
||||||
2) Support has been added for ipsets
|
3) Support has been added for ipsets
|
||||||
(see http://people.netfilter.org/kadlec/ipset/).
|
(see http://people.netfilter.org/kadlec/ipset/).
|
||||||
|
|
||||||
In most places where a host or network address may be used, you may
|
In most places where a host or network address may be used, you may
|
||||||
@ -308,3 +218,90 @@ New Features in version 2.3.0
|
|||||||
ipset -B Blacklist 206.124.146.177 -b SMTP
|
ipset -B Blacklist 206.124.146.177 -b SMTP
|
||||||
|
|
||||||
Now only port 25 will be blocked from 206.124.146.177.
|
Now only port 25 will be blocked from 206.124.146.177.
|
||||||
|
|
||||||
|
4) Shorewall 2.4.0 can now configure routing if your kernel and
|
||||||
|
iptables support the ROUTE target extension. This extension is
|
||||||
|
available in Patch-O-Matic-ng. This feature is *EXPERIMENTAL* since
|
||||||
|
the Netfilter team have no intention of ever releasing the ROUTE
|
||||||
|
target extension to kernel.org.
|
||||||
|
|
||||||
|
Routing is configured using the /etc/shorewall/routes file. Columns
|
||||||
|
in the file are as follows:
|
||||||
|
|
||||||
|
SOURCE Source of the packet. May be any of the
|
||||||
|
following:
|
||||||
|
|
||||||
|
|
||||||
|
- A host or network address
|
||||||
|
- A network interface name.
|
||||||
|
- The name of an ipset prefaced with "+"
|
||||||
|
- $FW (for packets originating on the firewall)
|
||||||
|
- A MAC address in Shorewall format
|
||||||
|
- A range of IP addresses (assuming that your
|
||||||
|
kernel and iptables support range match)
|
||||||
|
- A network interface name followed by ":"
|
||||||
|
and an address or address range.
|
||||||
|
|
||||||
|
DEST Destination of the packet. May be any of the
|
||||||
|
following:
|
||||||
|
|
||||||
|
- A host or network address
|
||||||
|
- A network interface name (determined from
|
||||||
|
routing table(s))
|
||||||
|
- The name of an ipset prefaced with "+"
|
||||||
|
- A network interface name followed by ":"
|
||||||
|
and an address or address range.
|
||||||
|
|
||||||
|
PROTO Protocol - Must be "tcp", "udp", "icmp",
|
||||||
|
"ipp2p", a number, or "all". "ipp2p" requires
|
||||||
|
ipp2p match support in your kernel and
|
||||||
|
iptables.
|
||||||
|
|
||||||
|
PORT(S) Destination Ports. A comma-separated list of
|
||||||
|
Port names (from /etc/services), port numbers
|
||||||
|
or port ranges; if the protocol is "icmp", this
|
||||||
|
column is interpreted as the destination
|
||||||
|
icmp-type(s).
|
||||||
|
|
||||||
|
If the protocol is ipp2p, this column is
|
||||||
|
interpreted as an ipp2p option without the
|
||||||
|
leading "--" (example "bit" for bit-torrent).
|
||||||
|
If no PORT is given, "ipp2p" is assumed.
|
||||||
|
|
||||||
|
This column is ignored if PROTOCOL = all but
|
||||||
|
must be entered if any of the following field
|
||||||
|
is supplied. In that case, it is suggested that
|
||||||
|
this field contain "-"
|
||||||
|
|
||||||
|
SOURCE PORT(S) (Optional) Source port(s). If omitted,
|
||||||
|
any source port is acceptable. Specified as a
|
||||||
|
comma-separated list of port names, port
|
||||||
|
numbers or port ranges.
|
||||||
|
|
||||||
|
TEST Defines a test on the existing packet or
|
||||||
|
connection mark.
|
||||||
|
|
||||||
|
The rule will match only if the test returns
|
||||||
|
true. Tests have the format
|
||||||
|
[!]<value>[/<mask>][:C]
|
||||||
|
|
||||||
|
Where:
|
||||||
|
|
||||||
|
! Inverts the test (not equal)
|
||||||
|
<value> Value of the packet or
|
||||||
|
connection mark.
|
||||||
|
|
||||||
|
<mask> A mask to be applied to the
|
||||||
|
mark before testing
|
||||||
|
:C Designates a connection
|
||||||
|
mark. If omitted, the packet
|
||||||
|
mark's value is tested.
|
||||||
|
|
||||||
|
INTERFACE The interface that the packet is to be routed
|
||||||
|
out of. If you do not specify this field then
|
||||||
|
you must place "-" in this column and enter an
|
||||||
|
IP address in the GATEWAY column.
|
||||||
|
|
||||||
|
GATEWAY The gateway that the packet is to be forewarded
|
||||||
|
through.
|
||||||
|
|
||||||
|