diff --git a/Shorewall/Perl/Shorewall/Providers.pm b/Shorewall/Perl/Shorewall/Providers.pm
index 967326c0d..f5e1e5fbe 100644
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -828,12 +828,12 @@ sub add_a_provider( $$ ) {
if ( ! $noautosrc ) {
if ( $shared ) {
- emit "qt \$IP -$family rule del from $address" if $config{DELETE_THEN_ADD};
+ emit "qt \$IP -$family rule del from $address";
emit( "run_ip rule add from $address pref 20000 table $id" ,
"echo \"\$IP -$family rule del from $address pref 20000> /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing" );
} else {
emit ( "find_interface_addresses $physical | while read address; do" );
- emit ( " qt \$IP -$family rule del from \$address" ) if $config{DELETE_THEN_ADD};
+ emit ( " qt \$IP -$family rule del from \$address" );
emit ( " run_ip rule add from \$address pref 20000 table $id",
" echo \"\$IP -$family rule del from \$address pref 20000 > /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing",
' rulenum=$(($rulenum + 1))',
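Review bot: The now-unconditional delete at the top of the hunk, `qt $IP -$family rule del from $address`, selects only on the source address, so it removes the first rule for that address in any table and at any preference, whereas the add and the undo entry two lines below are pinned to `pref 20000 table $id`. A user rtrules entry or another provider's rule with the same source address could therefore be removed instead of the stale one this is meant to clear. Narrowing the selector to match the add, `emit "qt \$IP -$family rule del from $address pref 20000 table $id";`, keeps the delete idempotent without touching unrelated rules; the `find_interface_addresses` loop at the bottom of the hunk and the two equivalent deletes in the next hunk of this file have the same shape. add_a_provider continues outside the hunk.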
@@ -993,12 +993,19 @@ CEOF
}
} elsif ( ! $noautosrc ) {
if ( $shared ) {
- emit "qt \$IP -$family rule del from $address" if $config{DELETE_THEN_ADD};
- emit( "run_ip rule add from $address pref 20000 table $id" ,
- "echo \"\$IP -$family rule del from $address pref 20000> /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing" );
+ if ( $persistent ) {
+ emit( qq(if ! egrep -q "^2000:[[:space:]]+from $address lookup $id"; then),
+ qq( run_ip rule add from $address pref 20000 table $id),
+ qq( echo "\$IP -$family rule del from $address pref 20000> /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing ),
+ qq(fi) );
+ } else {
+ emit "qt \$IP -$family rule del from $address" if $config{DELETE_THEN_ADD};
+ emit( "run_ip rule add from $address pref 20000 table $id" ,
+ "echo \"\$IP -$family rule del from $address pref 20000> /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing" );
+ }
} elsif ( ! $pseudo ) {
emit ( "find_interface_addresses $physical | while read address; do" );
- emit ( " qt \$IP -$family rule del from \$address" ) if $config{DELETE_THEN_ADD};
+ emit ( " qt \$IP -$family rule del from \$address" ) if $persistent || $config{DELETE_THEN_ADD};
emit ( " run_ip rule add from \$address pref 20000 table $id",
" echo \"\$IP -$family rule del from \$address pref 20000 > /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing",
' rulenum=$(($rulenum + 1))',
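Review bot: The guard in the new persistent branch, `if ! egrep -q "^2000:[[:space:]]+from $address lookup $id"; then`, is given no input, so the generated script makes egrep read its own stdin rather than the rule list, and the anchor `^2000:` can never match a rule installed with `pref 20000` (that line starts `20000:`). Depending on what stdin holds, the `run_ip rule add` it protects is either skipped or added again on every reenable, which is the duplication the check exists to prevent. Feeding it the rule list and fixing the preference, `qq(if ! \$IP -$family rule ls | egrep -q "^20000:[[:space:]]+from $address lookup $id"; then),`, makes the check do what the surrounding lines intend; note that `ip rule ls` prints a table name instead of the number when the id has an rt_tables entry, so whether `lookup $id` matches Shorewall's tables should be confirmed. The enclosing function starts outside the hunk.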
@@ -1283,7 +1290,7 @@ sub add_an_rtrule1( $$$$$ ) {
push @{$providerref->{rules}}, "run_ip rule add $source ${dest}${mark} $priority table $id";
if ( $persistent ) {
- push @{$providerref->{persistent_rules}}, "qt \$IP -$family rule del $source ${dest}${mark} $priority" if $config{DELETE_THEN_ADD};
+ push @{$providerref->{persistent_rules}}, "qt \$IP -$family rule del $source ${dest}${mark} $priority";
push @{$providerref->{persistent_rules}}, "run_ip rule add $source ${dest}${mark} $priority table $id";
}
diff --git a/Shorewall/manpages/shorewall.conf.xml b/Shorewall/manpages/shorewall.conf.xml
index 31c318574..98115b55e 100644
--- a/Shorewall/manpages/shorewall.conf.xml
+++ b/Shorewall/manpages/shorewall.conf.xml
@@ -2765,6 +2765,12 @@ INLINE - - - ; -j REJECT
it was set to the empty string then USE_DEFAULT_RT=No was assumed.
Beginning with Shorewall 4.6.0, the default is USE_DEFAULT_RT=Yes
and use of USE_DEFAULT_RT=No is deprecated.
+
+
+ The enable, disable
+ and reenable commands do not work correctly
+ when USE_DEFAULT_RT=No.
+
diff --git a/Shorewall6/manpages/shorewall6.conf.xml b/Shorewall6/manpages/shorewall6.conf.xml
index 4236bb28f..82e7052ea 100644
--- a/Shorewall6/manpages/shorewall6.conf.xml
+++ b/Shorewall6/manpages/shorewall6.conf.xml
@@ -2419,6 +2419,12 @@ INLINE - - - ; -j REJECT
it was set to the empty string then USE_DEFAULT_RT=No was assumed.
Beginning with Shorewall 4.6.0, the default is USE_DEFAULT_RT=Yes
and use of USE_DEFAULT_RT=No is deprecated.
+
+
+ The enable, disable
+ and reenable commands do not work correctly
+ when USE_DEFAULT_RT=No.
+
diff --git a/docs/MultiISP.xml b/docs/MultiISP.xml
index e5839d5e2..33bfe7cf2 100644
--- a/docs/MultiISP.xml
+++ b/docs/MultiISP.xml
@@ -213,6 +213,29 @@
example.
+
+ USE_DEFAULT_RT
+
+ The behavior and configuration of Multiple ISP support is
+ dependent on the setting of USE_DEFAULT_RT in shorewall[6].conf.
+
+ When USE_DEFAULT_RT=Yes, packets are first routed through the main
+ routing table which does not contain a default
+ route. Packets which fail to be routed by an entry in the
+ main table are then passed to shorewall-defined routing tables based on
+ your Multi-ISP configuration. The advantage of this approach is that
+ dynamic changes to the ip configuration, such as VPNs going up and down,
+ do not require notificaiton of Shorewall. USE_DEFAULT_RT is now the
+ default and use of USE_DEFAULT_RT=No is deprecated.
+
+ When USE_DEFAULT_RT=No, packets are routed via Shorewall-generated
+ routing tables. As a consequence, the main routing table must be copied
+ into each of those tables and must be recopied when there is a change to
+ the main table. This can only be accomplished via a
+ shorewall[6] reload or restart
+ command.
+
+
/etc/shorewall/providers File
@@ -672,7 +695,7 @@ fi
interfaces should be routed through the main table using entries in
/etc/shorewall/rtrules (see Example 2 below) or by using USE_DEFAULT_RT=Yes.
+ linkend="USE_DEFAULT_RT">USE_DEFAULT_RT=Yes (recommended)
In addition:
@@ -902,6 +925,43 @@ eth0 0.0.0.0/0 206.124.146.176
eth1 0.0.0.0/0 130.252.99.27
+
+ Example using USE_DEFAULT_RT=Yes
+
+ This section shows the differences in configuring the above
+ example with USE_DEFAULT_RT=Yes. The changes are confined to the
+ DUPLICATE and COPY columns of the providers file.
+
+ The configuration in the figure at the top of this section would
+ be specified in /etc/shorewall/providers as
+ follows.
+
+ #NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
+ISP1 1 1 - eth0 206.124.146.254 track,balance -
+ISP2 2 2 - eth1 130.252.99.254 track,balance -
+
+ Other configuration files go something like this:
+
+ /etc/shorewall/interfaces:
+
+ #ZONE INTERFACE BROADCAST OPTIONS
+net eth0 detect …
+net eth1 detect …
+
+ /etc/shorewall/policy:
+
+ #SOURCE DESTINATION POLICY LOGLEVEL LIMIT
+net net DROP
+
+ /etc/shorewall/masq:
+
+ #INTERFACE SOURCE ADDRESS
+eth0 0.0.0.0/0 206.124.146.176
+eth1 0.0.0.0/0 130.252.99.27
+
+
Routing a Particular Application Through a Specific
Interface