forked from extern/shorewall_code
Allow routing tables with no default route
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep
parent
21d9d56af0
commit
94cfe54f92
@ -492,6 +492,10 @@ sub process_a_provider( $ ) {
|
|||||||
fatal_error "Configuring multiple providers through one interface requires an explicit gateway" if $shared;
|
fatal_error "Configuring multiple providers through one interface requires an explicit gateway" if $shared;
|
||||||
$gateway = get_interface_gateway $interface;
|
$gateway = get_interface_gateway $interface;
|
||||||
$gatewaycase = 'detect';
|
$gatewaycase = 'detect';
|
||||||
|
} elsif ( $gateway eq 'none' ) {
|
||||||
|
fatal_error "Configuring multiple providers through one interface requires a gateway" if $shared;
|
||||||
|
$gatewaycase = 'none';
|
||||||
|
$gateway = '';
|
||||||
} elsif ( $gateway && $gateway ne '-' ) {
|
} elsif ( $gateway && $gateway ne '-' ) {
|
||||||
( $gateway, $mac ) = split_host_list( $gateway, 0 );
|
( $gateway, $mac ) = split_host_list( $gateway, 0 );
|
||||||
validate_address $gateway, 0;
|
validate_address $gateway, 0;
|
||||||
@ -506,7 +510,7 @@ sub process_a_provider( $ ) {
|
|||||||
|
|
||||||
$gatewaycase = 'specified';
|
$gatewaycase = 'specified';
|
||||||
} else {
|
} else {
|
||||||
$gatewaycase = 'none';
|
$gatewaycase = 'omitted';
|
||||||
fatal_error "Configuring multiple providers through one interface requires a gateway" if $shared;
|
fatal_error "Configuring multiple providers through one interface requires a gateway" if $shared;
|
||||||
$gateway = '';
|
$gateway = '';
|
||||||
}
|
}
|
||||||
@ -529,10 +533,12 @@ sub process_a_provider( $ ) {
|
|||||||
} elsif ( $option eq 'notrack' ) {
|
} elsif ( $option eq 'notrack' ) {
|
||||||
$track = 0;
|
$track = 0;
|
||||||
} elsif ( $option =~ /^balance=(\d+)$/ ) {
|
} elsif ( $option =~ /^balance=(\d+)$/ ) {
|
||||||
|
fatal_error q('balance' may not be spacified when GATEWAY is 'none') if $gatewaycase eq 'none';
|
||||||
fatal_error q('balance=<weight>' is not available in IPv6) if $family == F_IPV6;
|
fatal_error q('balance=<weight>' is not available in IPv6) if $family == F_IPV6;
|
||||||
fatal_error 'The balance setting must be non-zero' unless $1;
|
fatal_error 'The balance setting must be non-zero' unless $1;
|
||||||
$balance = $1;
|
$balance = $1;
|
||||||
} elsif ( $option eq 'balance' || $option eq 'primary') {
|
} elsif ( $option eq 'balance' || $option eq 'primary') {
|
||||||
|
fatal_error qq('$option' may not be spacified when GATEWAY is 'none') if $gatewaycase eq 'none';
|
||||||
$balance = 1;
|
$balance = 1;
|
||||||
} elsif ( $option eq 'loose' ) {
|
} elsif ( $option eq 'loose' ) {
|
||||||
$loose = 1;
|
$loose = 1;
|
||||||
@ -550,11 +556,13 @@ sub process_a_provider( $ ) {
|
|||||||
} elsif ( $option =~ /^mtu=(\d+)$/ ) {
|
} elsif ( $option =~ /^mtu=(\d+)$/ ) {
|
||||||
$mtu = "mtu $1 ";
|
$mtu = "mtu $1 ";
|
||||||
} elsif ( $option =~ /^fallback=(\d+)$/ ) {
|
} elsif ( $option =~ /^fallback=(\d+)$/ ) {
|
||||||
|
fatal_error q('fallback' may not be spacified when GATEWAY is 'none') if $gatewaycase eq 'none';
|
||||||
fatal_error q('fallback=<weight>' is not available in IPv6) if $family == F_IPV6;
|
fatal_error q('fallback=<weight>' is not available in IPv6) if $family == F_IPV6;
|
||||||
$default = $1;
|
$default = $1;
|
||||||
$default_balance = 0;
|
$default_balance = 0;
|
||||||
fatal_error 'fallback must be non-zero' unless $default;
|
fatal_error 'fallback must be non-zero' unless $default;
|
||||||
} elsif ( $option eq 'fallback' ) {
|
} elsif ( $option eq 'fallback' ) {
|
||||||
|
fatal_error q('fallback' may not be spacified when GATEWAY is 'none') if $gatewaycase eq 'none';
|
||||||
$default = -1;
|
$default = -1;
|
||||||
$default_balance = 0;
|
$default_balance = 0;
|
||||||
} elsif ( $option eq 'local' ) {
|
} elsif ( $option eq 'local' ) {
|
||||||
@ -567,6 +575,7 @@ sub process_a_provider( $ ) {
|
|||||||
$track = 0 if $config{TRACK_PROVIDERS};
|
$track = 0 if $config{TRACK_PROVIDERS};
|
||||||
$default_balance = 0 if $config{USE_DEFAULT_RT};
|
$default_balance = 0 if $config{USE_DEFAULT_RT};
|
||||||
} elsif ( $option =~ /^load=(0?\.\d{1,8})/ ) {
|
} elsif ( $option =~ /^load=(0?\.\d{1,8})/ ) {
|
||||||
|
fatal_error q('fallback' may not be spacified when GATEWAY is 'none') if $gatewaycase eq 'none';
|
||||||
$load = sprintf "%1.8f", $1;
|
$load = sprintf "%1.8f", $1;
|
||||||
require_capability 'STATISTIC_MATCH', "load=$1", 's';
|
require_capability 'STATISTIC_MATCH', "load=$1", 's';
|
||||||
} elsif ( $option eq 'autosrc' ) {
|
} elsif ( $option eq 'autosrc' ) {
|
||||||
@ -596,13 +605,13 @@ sub process_a_provider( $ ) {
|
|||||||
fatal_error "A provider interface must have at least one associated zone" unless $tproxy || %{interface_zones($interface)};
|
fatal_error "A provider interface must have at least one associated zone" unless $tproxy || %{interface_zones($interface)};
|
||||||
|
|
||||||
if ( $local ) {
|
if ( $local ) {
|
||||||
fatal_error "GATEWAY not valid with 'local' provider" unless $gatewaycase eq 'none';
|
fatal_error "GATEWAY not valid with 'local' provider" unless $gatewaycase eq 'omitted';
|
||||||
fatal_error "'track' not valid with 'local'" if $track;
|
fatal_error "'track' not valid with 'local'" if $track;
|
||||||
fatal_error "DUPLICATE not valid with 'local'" if $duplicate ne '-';
|
fatal_error "DUPLICATE not valid with 'local'" if $duplicate ne '-';
|
||||||
fatal_error "'persistent' is not valid with 'local" if $persistent;
|
fatal_error "'persistent' is not valid with 'local" if $persistent;
|
||||||
} elsif ( $tproxy ) {
|
} elsif ( $tproxy ) {
|
||||||
fatal_error "Only one 'tproxy' provider is allowed" if $tproxies++;
|
fatal_error "Only one 'tproxy' provider is allowed" if $tproxies++;
|
||||||
fatal_error "GATEWAY not valid with 'tproxy' provider" unless $gatewaycase eq 'none';
|
fatal_error "GATEWAY not valid with 'tproxy' provider" unless $gatewaycase eq 'omitted';
|
||||||
fatal_error "'track' not valid with 'tproxy'" if $track;
|
fatal_error "'track' not valid with 'tproxy'" if $track;
|
||||||
fatal_error "DUPLICATE not valid with 'tproxy'" if $duplicate ne '-';
|
fatal_error "DUPLICATE not valid with 'tproxy'" if $duplicate ne '-';
|
||||||
fatal_error "MARK not allowed with 'tproxy'" if $mark ne '-';
|
fatal_error "MARK not allowed with 'tproxy'" if $mark ne '-';
|
||||||
@ -649,7 +658,7 @@ sub process_a_provider( $ ) {
|
|||||||
warning_message q(The 'proxyndp' option is dangerous when specified on a Provider interface) if get_interface_option( $interface, 'proxyndp' );
|
warning_message q(The 'proxyndp' option is dangerous when specified on a Provider interface) if get_interface_option( $interface, 'proxyndp' );
|
||||||
}
|
}
|
||||||
|
|
||||||
$balance = $default_balance unless $balance;
|
$balance = $default_balance unless $balance || $gatewaycase eq 'none';
|
||||||
|
|
||||||
fatal_error "Interface $interface is already associated with non-shared provider $provider_interfaces{$interface}" if $provider_interfaces{$interface};
|
fatal_error "Interface $interface is already associated with non-shared provider $provider_interfaces{$interface}" if $provider_interfaces{$interface};
|
||||||
|
|
||||||
@ -789,7 +798,7 @@ sub add_a_provider( $$ ) {
|
|||||||
|
|
||||||
push_indent;
|
push_indent;
|
||||||
|
|
||||||
if ( $gatewaycase eq 'none' ) {
|
if ( $gatewaycase eq 'omitted' ) {
|
||||||
if ( $tproxy ) {
|
if ( $tproxy ) {
|
||||||
emit 'run_ip route add local ' . ALLIP . " dev $physical table $id";
|
emit 'run_ip route add local ' . ALLIP . " dev $physical table $id";
|
||||||
} else {
|
} else {
|
||||||
@ -867,7 +876,7 @@ sub add_a_provider( $$ ) {
|
|||||||
}
|
}
|
||||||
$provider_interfaces{$interface} = $table;
|
$provider_interfaces{$interface} = $table;
|
||||||
|
|
||||||
if ( $gatewaycase eq 'none' ) {
|
if ( $gatewaycase eq 'omitted' ) {
|
||||||
if ( $tproxy ) {
|
if ( $tproxy ) {
|
||||||
emit 'run_ip route add local ' . ALLIP . " dev $physical table $id";
|
emit 'run_ip route add local ' . ALLIP . " dev $physical table $id";
|
||||||
} else {
|
} else {
|
||||||
@ -907,7 +916,7 @@ CEOF
|
|||||||
|
|
||||||
emit ( "run_ip rule add fwmark ${hexmark}${mask} pref $pref table $id",
|
emit ( "run_ip rule add fwmark ${hexmark}${mask} pref $pref table $id",
|
||||||
"echo \"\$IP -$family rule del fwmark ${hexmark}${mask} > /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing"
|
"echo \"\$IP -$family rule del fwmark ${hexmark}${mask} > /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing"
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( $duplicate ne '-' ) {
|
if ( $duplicate ne '-' ) {
|
||||||
|
|||||||
@ -130,7 +130,7 @@
|
|||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis role="bold">GATEWAY</emphasis> - {<emphasis
|
<term><emphasis role="bold">GATEWAY</emphasis> - {<emphasis
|
||||||
role="bold">-</emphasis>|<emphasis>address</emphasis>[,<emphasis>mac</emphasis>]|<emphasis
|
role="bold">-</emphasis>|<emphasis>address</emphasis>[,<emphasis>mac</emphasis>]|<emphasis
|
||||||
role="bold">detect</emphasis>}</term>
|
role="bold">detect|none</emphasis>}</term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>The IP address of the provider's gateway router. Beginning
|
<para>The IP address of the provider's gateway router. Beginning
|
||||||
@ -139,8 +139,12 @@
|
|||||||
interface. When the MAC is not specified, Shorewall will detect the
|
interface. When the MAC is not specified, Shorewall will detect the
|
||||||
MAC during firewall start or restart.</para>
|
MAC during firewall start or restart.</para>
|
||||||
|
|
||||||
<para>You can enter "detect" here and Shorewall will attempt to
|
<para>You can enter <emphasis role="bold">detect</emphasis> here and
|
||||||
detect the gateway automatically.</para>
|
Shorewall will attempt to detect the gateway automatically.</para>
|
||||||
|
|
||||||
|
<para>Beginning with Shorewall 5.0.6, you may also enter <emphasis
|
||||||
|
role="bold">none</emphasis>. This causes creation of a routing table
|
||||||
|
with no default route in it.</para>
|
||||||
|
|
||||||
<para>For PPP devices, you may omit this column.</para>
|
<para>For PPP devices, you may omit this column.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|||||||
@ -119,13 +119,17 @@
|
|||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis role="bold">GATEWAY</emphasis> - {<emphasis
|
<term><emphasis role="bold">GATEWAY</emphasis> - {<emphasis
|
||||||
role="bold">-</emphasis>|<emphasis>address</emphasis>|<emphasis
|
role="bold">-</emphasis>|<emphasis>address</emphasis>|<emphasis
|
||||||
role="bold">detect</emphasis>}</term>
|
role="bold">detect|none</emphasis>}</term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>The IP address of the provider's gateway router.</para>
|
<para>The IP address of the provider's gateway router.</para>
|
||||||
|
|
||||||
<para>You can enter "detect" here and Shorewall6 will attempt to
|
<para>You can enter <emphasis role="bold">detect</emphasis> here and
|
||||||
detect the gateway automatically.</para>
|
Shorewall6 will attempt to detect the gateway automatically.</para>
|
||||||
|
|
||||||
|
<para>Beginning with Shorewall 5.0.6, you may also enter <emphasis
|
||||||
|
role="bold">none</emphasis>. This causes creation of a routing table
|
||||||
|
with no default route in it.</para>
|
||||||
|
|
||||||
<para>For PPP devices, you may omit this column.</para>
|
<para>For PPP devices, you may omit this column.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user