Documentation and error message tweaks

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@7894 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall-common/releasenotes.txt

@@ -62,7 +62,7 @@ New Features in Shorewall 4.1.
 
     d) This feature requires Realm Match support in your kernel and
        iptables. If you use a capabilities file, you need to regenerate
-       the file with Shorewall 4.0.6 or Shorewall-lite 4.0.6.
+       the file with Shorewall 4.1 or Shorewall-lite 4.1.
  
     e) You must add route_rules entries for networks that are accessed
        through a particular provider.
@@ -71,6 +71,9 @@ New Features in Shorewall 4.1.
        you must add route_rules to direct traffic FROM each of those
        addresses through the appropriate provider.
 
+    g) You must add MARK rules for any traffic that you know originates
+       from a particular provider.
+
      Example:
 
      Providers Blarg (1) and Avvanta (2) are both connected to
@@ -100,6 +103,12 @@ New Features in Shorewall 4.1.
 	-		130.252.144.0/24	Avvanta		1000
 	206.124.146.177	-			Blarg		26000
 
+     /etc/shorewall/tcrules
+
+	#MARK/CLASSIFY  SOURCE	               DEST
+	1		eth0:206.124.146.0/24  0.0.0.0/0
+	2		eth0:130.242.144.0/24  0.0.0.0/0
+
 2)  You may now include the name of a table (nat, mangle or filter) in
     a 'shorewall refresh' command by following the table name with a
     colon (e.g., mangle:). This causes all non-builtin chains in the

Shorewall-perl/Shorewall/Chains.pm

@@ -1590,7 +1590,7 @@ sub interface_nets( $ ) {
 }
 
 #
-# Record that the ruleset requires the first IP address on the passed interface
+# Record that the ruleset requires the networks routed out of the passed interface
 #
 sub get_interface_nets ( $ ) {
     my ( $interface ) = $_[0];

Shorewall-perl/Shorewall/Providers.pm

@@ -299,7 +299,7 @@ sub add_a_provider( $$$$$$$$ ) {
 	
 	if ( $routemarked_interfaces{$interface} ) {
 	    fatal_error "Interface $interface is tracked through an earlier provider" if $routemarked_interfaces{$interface} > 1;
-	    fatal_error "Multiple providers through the same interface must have the 'share' option" unless $shared;
+	    fatal_error "Multiple providers through the same interface must their IP address specified in the INTERFACES" unless $shared;
 	} else {
 	    $routemarked_interfaces{$interface} = $shared ? 1 : 2;
 	    push @routemarked_interfaces, $interface;

docs/Actions.xml

@@ -148,12 +148,14 @@ ACCEPT   -              -               tcp     135,139,445
       </listitem>
     </orderedlist>
 
-    <para>Shorewall supports default actions for the ACCEPT, REJECT, DROP and
-    QUEUE policies. These default actions are specified in the
+    <para>Shorewall supports default actions for the ACCEPT, REJECT, DROP,
+    QUEUE and NFQUEUE policies. These default actions are specified in the
     /etc/shorewall/shorewall.conf file using the ACCEPT_DEFAULT,
-    REJECT_DEFAULT, DROP_DEFAULT and QUEUE_DEFAULT options respectively.
-    Policies whose default is set to a value of "none" have no default
-    action.</para>
+    REJECT_DEFAULT, DROP_DEFAULT, QUEUE_DEFAULT and NFQUEUE_DEFAULT options
+    respectively. Policies whose default is set to a value of "none" have no
+    default action.</para>
+
+    <para></para>
 
     <para>In addition, the default specified in /etc/shorewall/shorewall.conf
     may be overridden by specifying a different default in the POLICY column

docs/MultiISP.xml

@@ -251,15 +251,12 @@
           <term>INTERFACE</term>
 
           <listitem>
-            <para>The name of the interface to the provider.</para>
-
-            <caution>
-              <para>The Shorewall implementation of Multi-ISP support requires
-              that each provider has its own interface -- and remember that
-              "virtual interfaces" (e.g., eth0:0) are <ulink
-              url="Shorewall_and_Aliased_Interfaces.html">not
-              interfaces</ulink>.</para>
-            </caution>
+            <para>The name of the interface to the provider. Where multiple
+            providers share the same interface (which is not recommended), you
+            must follow the name of the interface by a colon (":") and the IP
+            address assigned by this provider (e.g., eth0:206.124.146.176).
+            See <link linkend="Shared">below</link> for additional
+            considerations.</para>
           </listitem>
         </varlistentry>
 
@@ -932,5 +929,83 @@ gateway:~ #</programlisting>Note that because we used a priority of 1000, the
 -                       10.8.0.0/24     main            1000</programlisting>
       </section>
     </section>
+
+    <section id="Shared">
+      <title>Two Providers Sharing an Interface</title>
+
+      <para>Shared interface support is available only in Shorewall-perl 4.1.2
+      and later.</para>
+
+      <orderedlist numeration="loweralpha">
+        <listitem>
+          <para>Only ethernet (or ethernet-like) interfaces can be used. For
+          inbound traffic, the MAC addresses of the gateway routers is used to
+          determine which provider a packet was received through. Note that
+          only routed traffic can be categorized using this technique.</para>
+        </listitem>
+
+        <listitem>
+          <para>You must specify the address on the interface that corresponds
+          to a particular provider in the INTERFACE column by following the
+          interface name with a colon (":") and the address.</para>
+        </listitem>
+
+        <listitem>
+          <para>Entries in <filename>/etc/shorewall/masq</filename> must be
+          qualified by the provider name (or number).</para>
+        </listitem>
+
+        <listitem>
+          <para>This feature requires Realm Match support in your kernel and
+          iptables.</para>
+        </listitem>
+
+        <listitem>
+          <para>You must add route_rules entries for networks that are
+          accessed through a particular provider.</para>
+        </listitem>
+
+        <listitem>
+          <para>If you have additional IP addresses through either provider,
+          you must add <filename>route_rules</filename> to direct traffic FROM
+          each of those addresses through the appropriate provider.</para>
+        </listitem>
+
+        <listitem>
+          <para>You must manually add MARK rules for traffic known to come
+          from each provider.</para>
+        </listitem>
+      </orderedlist>
+
+      <para>Example:</para>
+
+      <para>Providers <emphasis role="bold">Blarg</emphasis> (1) and <emphasis
+      role="bold">Avvanta</emphasis> (2) are both connected to eth0. The
+      firewall's IP address with <emphasis role="bold">Blarg</emphasis> is
+      206.124.146.176/24 (gateway 206.124.146.254) and the IP address from
+      <emphasis role="bold">Avvanta</emphasis> is 130.252.144.8/24 (gateway
+      130.252.144.254). We have a second IP address (206.124.146.177) from
+      <emphasis role="bold">Blarg</emphasis>.</para>
+
+      <para>/etc/shorewall/providers:<programlisting>#PROVIDER NUMBER MARK DUPLICATE INTERFACE            GATEWAY
+Blarg     1      1    main      eth0:206.124.146.176 206.124.146.254 ...
+Avvanta   2      2    main      eth0:130.252.144.8   130.252.144.254 ... </programlisting></para>
+
+      <para>/etc/shorewall/masq:<programlisting>#INTERFACE    SOURCE          ADDRESS
+eth0(Blarg)   130.252.144.8   206.124.146.176
+eth0(Avvanta) 206.124.146.176 130.252.144.8
+eth0(Blarg)   eth1            206.124.146.176
+eth0(Avvanta) eth1            130.252.144.8 </programlisting>
+      /etc/shorewall/route_rules:</para>
+
+      <programlisting>#SOURCE           DEST             PROVIDER PRIORITY
+-                 206.124.146.0/24 Blarg    1000
+-                 130.252.144.0/24 Avvanta  1000
+206.124.146.177   -                Blarg    26000</programlisting>
+
+      <para>/etc/shorewall/tcrules:<programlisting>#MARK/CLASSIFY    SOURCE                DEST          PROTO
+1:P               eth0:206.124.146.0/24 0.0.0.0/0
+2:P               eth0:130.252.144.8/24 0.0.0.0/0</programlisting></para>
+    </section>
   </section>
 </article>