From d4e2508a904a48d881b4ce236019be8b38d5eb61 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Fri, 4 Mar 2016 14:26:42 -0800 Subject: [PATCH 1/3] Clarify USE_DEFAULT_RT Signed-off-by: Tom Eastep --- Shorewall/manpages/shorewall.conf.xml | 6 +++ Shorewall6/manpages/shorewall6.conf.xml | 6 +++ docs/MultiISP.xml | 62 ++++++++++++++++++++++++- 3 files changed, 73 insertions(+), 1 deletion(-) diff --git a/Shorewall/manpages/shorewall.conf.xml b/Shorewall/manpages/shorewall.conf.xml index 31c318574..98115b55e 100644 --- a/Shorewall/manpages/shorewall.conf.xml +++ b/Shorewall/manpages/shorewall.conf.xml @@ -2765,6 +2765,12 @@ INLINE - - - ; -j REJECT it was set to the empty string then USE_DEFAULT_RT=No was assumed. Beginning with Shorewall 4.6.0, the default is USE_DEFAULT_RT=Yes and use of USE_DEFAULT_RT=No is deprecated. + + + The enable, disable + and reenable commands do not work correctly + when USE_DEFAULT_RT=No. + diff --git a/Shorewall6/manpages/shorewall6.conf.xml b/Shorewall6/manpages/shorewall6.conf.xml index 4236bb28f..82e7052ea 100644 --- a/Shorewall6/manpages/shorewall6.conf.xml +++ b/Shorewall6/manpages/shorewall6.conf.xml @@ -2419,6 +2419,12 @@ INLINE - - - ; -j REJECT it was set to the empty string then USE_DEFAULT_RT=No was assumed. Beginning with Shorewall 4.6.0, the default is USE_DEFAULT_RT=Yes and use of USE_DEFAULT_RT=No is deprecated. + + + The enable, disable + and reenable commands do not work correctly + when USE_DEFAULT_RT=No. + diff --git a/docs/MultiISP.xml b/docs/MultiISP.xml index e5839d5e2..33bfe7cf2 100644 --- a/docs/MultiISP.xml +++ b/docs/MultiISP.xml @@ -213,6 +213,29 @@ example. +
+ USE_DEFAULT_RT + + The behavior and configuration of Multiple ISP support is + dependent on the setting of USE_DEFAULT_RT in shorewall[6].conf. + + When USE_DEFAULT_RT=Yes, packets are first routed through the main + routing table which does not contain a default + route. Packets which fail to be routed by an entry in the + main table are then passed to shorewall-defined routing tables based on + your Multi-ISP configuration. The advantage of this approach is that + dynamic changes to the ip configuration, such as VPNs going up and down, + do not require notificaiton of Shorewall. USE_DEFAULT_RT is now the + default and use of USE_DEFAULT_RT=No is deprecated. + + When USE_DEFAULT_RT=No, packets are routed via Shorewall-generated + routing tables. As a consequence, the main routing table must be copied + into each of those tables and must be recopied when there is a change to + the main table. This can only be accomplished via a + shorewall[6] reload or restart + command. +
+
/etc/shorewall/providers File @@ -672,7 +695,7 @@ fi interfaces should be routed through the main table using entries in /etc/shorewall/rtrules (see Example 2 below) or by using USE_DEFAULT_RT=Yes. + linkend="USE_DEFAULT_RT">USE_DEFAULT_RT=Yes (recommended) In addition: @@ -902,6 +925,43 @@ eth0 0.0.0.0/0 206.124.146.176 eth1 0.0.0.0/0 130.252.99.27
+
+ Example using USE_DEFAULT_RT=Yes + + This section shows the differences in configuring the above + example with USE_DEFAULT_RT=Yes. The changes are confined to the + DUPLICATE and COPY columns of the providers file. + + The configuration in the figure at the top of this section would + be specified in /etc/shorewall/providers as + follows. + + #NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY +ISP1 1 1 - eth0 206.124.146.254 track,balance - +ISP2 2 2 - eth1 130.252.99.254 track,balance - + + Other configuration files go something like this: + + /etc/shorewall/interfaces: + + #ZONE INTERFACE BROADCAST OPTIONS +net eth0 detect … +net eth1 detect … + + /etc/shorewall/policy: + + #SOURCE DESTINATION POLICY LOGLEVEL LIMIT +net net DROP + + /etc/shorewall/masq: + + #INTERFACE SOURCE ADDRESS +eth0 0.0.0.0/0 206.124.146.176 +eth1 0.0.0.0/0 130.252.99.27 +
+
Routing a Particular Application Through a Specific Interface From c5bb04dcb228cc4412e5d06144ed174ac529e398 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sat, 5 Mar 2016 14:40:37 -0800 Subject: [PATCH 2/3] Add FAQ 1105 (Wifidog) Signed-off-by: Tom Eastep --- docs/FAQ.xml | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/docs/FAQ.xml b/docs/FAQ.xml index 449341a80..e17e4e959 100644 --- a/docs/FAQ.xml +++ b/docs/FAQ.xml @@ -2938,6 +2938,29 @@ else
+
+ Wifidog + +
+ (FAQ 105) Can Shorewall work with Wifidog? + + Answer: Yes, with a couple of + restrictions: + + + + Wifidog must be started after Shorewall. If Shorewall is + restarted/reloaded, then wifidog must be restarted. + + + + FORWARD_CLEAR_MARK must be set to in + shorewall.conf. + + +
+
+
Miscellaneous
From c37e41ee9cd5c52fd31468a9e1d88dc0857c78b2 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Sun, 6 Mar 2016 15:48:33 -0800
Subject: [PATCH 3/3] Avoid duplicate route rules from 'disable'
Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Providers.pm | 21 ++++++++++++++-------
 1 file changed, 14 insertions(+), 7 deletions(-)
diff --git a/Shorewall/Perl/Shorewall/Providers.pm b/Shorewall/Perl/Shorewall/Providers.pm
index 967326c0d..f5e1e5fbe 100644
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -828,12 +828,12 @@ sub add_a_provider( $$ ) {
 if ( ! $noautosrc ) {
 if ( $shared ) {
- emit "qt \$IP -$family rule del from $address" if $config{DELETE_THEN_ADD};
+ emit "qt \$IP -$family rule del from $address";
 emit( "run_ip rule add from $address pref 20000 table $id" ,
 "echo \"\$IP -$family rule del from $address pref 20000> /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing" );
 } else {
 emit ( "find_interface_addresses $physical | while read address; do" );
- emit ( " qt \$IP -$family rule del from \$address" ) if $config{DELETE_THEN_ADD};
+ emit ( " qt \$IP -$family rule del from \$address" );
 emit ( " run_ip rule add from \$address pref 20000 table $id",
 " echo \"\$IP -$family rule del from \$address pref 20000 > /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing",
 ' rulenum=$(($rulenum + 1))',
@@ -993,12 +993,19 @@ CEOF
 }
 } elsif ( ! $noautosrc ) {
 if ( $shared ) {
- emit "qt \$IP -$family rule del from $address" if $config{DELETE_THEN_ADD};
- emit( "run_ip rule add from $address pref 20000 table $id" ,
- "echo \"\$IP -$family rule del from $address pref 20000> /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing" );
+ if ( $persistent ) {
+ emit( qq(if ! egrep -q "^2000:[[:space:]]+from $address lookup $id"; then),
+ qq( run_ip rule add from $address pref 20000 table $id),
+ qq( echo "\$IP -$family rule del from $address pref 20000> /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing ),
+ qq(fi) );
+ } else {
+ emit "qt \$IP -$family rule del from $address" if $config{DELETE_THEN_ADD};
+ emit( "run_ip rule add from $address pref 20000 table $id" ,
+ "echo \"\$IP -$family rule del from $address pref 20000> /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing" );
+ }
 } elsif ( ! $pseudo ) {
 emit ( "find_interface_addresses $physical | while read address; do" );
- emit ( " qt \$IP -$family rule del from \$address" ) if $config{DELETE_THEN_ADD};
+ emit ( " qt \$IP -$family rule del from \$address" ) if $persistent || $config{DELETE_THEN_ADD};
 emit ( " run_ip rule add from \$address pref 20000 table $id",
 " echo \"\$IP -$family rule del from \$address pref 20000 > /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing",
 ' rulenum=$(($rulenum + 1))',
@@ -1283,7 +1290,7 @@ sub add_an_rtrule1( $$$$$ ) {
 push @{$providerref->{rules}}, "run_ip rule add $source ${dest}${mark} $priority table $id";
 if ( $persistent ) {
- push @{$providerref->{persistent_rules}}, "qt \$IP -$family rule del $source ${dest}${mark} $priority" if $config{DELETE_THEN_ADD};
+ push @{$providerref->{persistent_rules}}, "qt \$IP -$family rule del $source ${dest}${mark} $priority";
 push @{$providerref->{persistent_rules}}, "run_ip rule add $source ${dest}${mark} $priority table $id";
 }
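Review bot: The new `egrep` test in the `$persistent` branch of the -993 hunk is given no input, so in the generated script it reads stdin rather than the rule table, and its pattern `^2000:` can never match a rule that was added with `pref 20000` (ip rule prints the preference as `20000:`), so the duplicate rule this commit sets out to avoid is still added; the line should read `qq(if ! \$IP -$family rule ls | egrep -q "^20000:[[:space:]]+from $address lookup $id"; then),`. The dots in `$address` are also regex metacharacters in that pattern, and `ip rule` presumably prints a table name instead of `$id` when the table is listed in rt_tables, so the address may want `quotemeta` and the `lookup` text is worth confirming against real output. In the same hunk the non-persistent shared branch keeps `if $config{DELETE_THEN_ADD}` on its `rule del`, while the `! $pseudo` branch below deletes on `$persistent || DELETE_THEN_ADD` and the -828 hunk deletes unconditionally; if that asymmetry is deliberate, a one-line comment explaining why would save the next reader a trip through the generated script. The enclosing function starts before this hunk and continues past it.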