Merge branch '5.0.6'

Shorewall/Perl/Shorewall/Providers.pm

@@ -828,12 +828,12 @@ sub add_a_provider( $$ ) {
 
 	if ( ! $noautosrc ) {
 	    if ( $shared ) {
-		emit  "qt \$IP -$family rule del from $address" if $config{DELETE_THEN_ADD};
+		emit  "qt \$IP -$family rule del from $address";
 		emit( "run_ip rule add from $address pref 20000 table $id" ,
 		      "echo \"\$IP -$family rule del from $address pref 20000> /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing" );
 	    } else {
 		emit  ( "find_interface_addresses $physical | while read address; do" );
-		emit  ( "    qt \$IP -$family rule del from \$address" ) if $config{DELETE_THEN_ADD};
+		emit  ( "    qt \$IP -$family rule del from \$address" );
 		emit  ( "    run_ip rule add from \$address pref 20000 table $id",
 			"    echo \"\$IP -$family rule del from \$address pref 20000 > /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing",
 			'    rulenum=$(($rulenum + 1))',
@@ -993,12 +993,19 @@ CEOF
 	    }
 	} elsif ( ! $noautosrc ) {
 	    if ( $shared ) {
+		if ( $persistent ) {
+		    emit( qq(if ! egrep -q "^2000:[[:space:]]+from $address lookup $id"; then),
+			  qq(    run_ip rule add from $address pref 20000 table $id),
+			  qq(    echo "\$IP -$family rule del from $address pref 20000> /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing ),
+			  qq(fi) );
+		} else {
 		    emit  "qt \$IP -$family rule del from $address" if $config{DELETE_THEN_ADD};
 		    emit( "run_ip rule add from $address pref 20000 table $id" ,
 			  "echo \"\$IP -$family rule del from $address pref 20000> /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing" );
+		}
 	    } elsif ( ! $pseudo ) {
 		emit  ( "find_interface_addresses $physical | while read address; do" );
-		emit  ( "    qt \$IP -$family rule del from \$address" ) if $config{DELETE_THEN_ADD};
+		emit  ( "    qt \$IP -$family rule del from \$address" ) if $persistent || $config{DELETE_THEN_ADD};
 		emit  ( "    run_ip rule add from \$address pref 20000 table $id",
 			"    echo \"\$IP -$family rule del from \$address pref 20000 > /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing",
 			'    rulenum=$(($rulenum + 1))',
@@ -1283,7 +1290,7 @@ sub add_an_rtrule1( $$$$$ ) {
     push @{$providerref->{rules}}, "run_ip rule add $source ${dest}${mark} $priority table $id";
 
     if ( $persistent ) {
-	push @{$providerref->{persistent_rules}}, "qt \$IP -$family rule del $source ${dest}${mark} $priority" if $config{DELETE_THEN_ADD};
+	push @{$providerref->{persistent_rules}}, "qt \$IP -$family rule del $source ${dest}${mark} $priority";
 	push @{$providerref->{persistent_rules}}, "run_ip rule add $source ${dest}${mark} $priority table $id";
     }
 

Shorewall/manpages/shorewall.conf.xml

@@ -2765,6 +2765,12 @@ INLINE          -       -       -       ; -j REJECT
           it was set to the empty string then USE_DEFAULT_RT=No was assumed.
           Beginning with Shorewall 4.6.0, the default is USE_DEFAULT_RT=Yes
           and use of USE_DEFAULT_RT=No is deprecated.</para>
+
+          <warning>
+            <para>The <command>enable</command>, <command>disable</command>
+            and <command>reenable</command> commands do not work correctly
+            when USE_DEFAULT_RT=No.</para>
+          </warning>
         </listitem>
       </varlistentry>
 

Shorewall6/manpages/shorewall6.conf.xml

@@ -2419,6 +2419,12 @@ INLINE          -       -       -       ; -j REJECT
           it was set to the empty string then USE_DEFAULT_RT=No was assumed.
           Beginning with Shorewall 4.6.0, the default is USE_DEFAULT_RT=Yes
           and use of USE_DEFAULT_RT=No is deprecated.</para>
+
+          <warning>
+            <para>The <command>enable</command>, <command>disable</command>
+            and <command>reenable</command> commands do not work correctly
+            when USE_DEFAULT_RT=No.</para>
+          </warning>
         </listitem>
       </varlistentry>
 

docs/MultiISP.xml

@@ -213,6 +213,29 @@
       example.</para>
     </section>
 
+    <section>
+      <title>USE_DEFAULT_RT</title>
+
+      <para>The behavior and configuration of Multiple ISP support is
+      dependent on the setting of USE_DEFAULT_RT in shorewall[6].conf.</para>
+
+      <para>When USE_DEFAULT_RT=Yes, packets are first routed through the main
+      routing table <emphasis>which does not contain a default
+      route</emphasis>. Packets which fail to be routed by an entry in the
+      main table are then passed to shorewall-defined routing tables based on
+      your Multi-ISP configuration. The advantage of this approach is that
+      dynamic changes to the ip configuration, such as VPNs going up and down,
+      do not require notificaiton of Shorewall. USE_DEFAULT_RT is now the
+      default and use of USE_DEFAULT_RT=No is deprecated.</para>
+
+      <para>When USE_DEFAULT_RT=No, packets are routed via Shorewall-generated
+      routing tables. As a consequence, the main routing table must be copied
+      into each of those tables and must be recopied when there is a change to
+      the main table. This can only be accomplished via a
+      <command>shorewall[6] reload</command> or <command>restart</command>
+      command.</para>
+    </section>
+
     <section id="providers">
       <title>/etc/shorewall/providers File</title>
 
@@ -672,7 +695,7 @@ fi</programlisting>
       interfaces should be routed through the main table using entries in
       <filename>/etc/shorewall/rtrules</filename> (see Example 2 <link
       linkend="Examples">below</link>) or by using <link
-      linkend="USE_DEFAULT_RT">USE_DEFAULT_RT=Yes</link>.</para>
+      linkend="USE_DEFAULT_RT">USE_DEFAULT_RT=Yes</link> (recommended)</para>
 
       <para>In addition:</para>
 
@@ -902,6 +925,43 @@ eth0             0.0.0.0/0         206.124.146.176
 eth1             0.0.0.0/0         130.252.99.27</programlisting>
     </section>
 
+    <section id="Example2">
+      <title id="Example99"> Example using USE_DEFAULT_RT=Yes</title>
+
+      <para>This section shows the differences in configuring the above
+      example with USE_DEFAULT_RT=Yes. The changes are confined to the
+      DUPLICATE and COPY columns of the providers file.</para>
+
+      <para>The configuration in the figure at the top of this section would
+      be specified in <filename>/etc/shorewall/providers</filename> as
+      follows.</para>
+
+      <programlisting>#NAME   NUMBER  MARK    DUPLICATE       INTERFACE       GATEWAY         OPTIONS          COPY
+ISP1    1       1       <emphasis role="bold">- </emphasis>              eth0            206.124.146.254 track,balance    <emphasis
+          role="bold">-</emphasis>
+ISP2    2       2       <emphasis role="bold">-</emphasis>               eth1            130.252.99.254  track,balance    <emphasis
+          role="bold">-</emphasis></programlisting>
+
+      <para>Other configuration files go something like this:</para>
+
+      <para><filename>/etc/shorewall/interfaces</filename>:</para>
+
+      <programlisting>#ZONE    INTERFACE    BROADCAST       OPTIONS
+net      eth0         detect          …          
+net      eth1         detect          …</programlisting>
+
+      <para><filename>/etc/shorewall/policy</filename>:</para>
+
+      <programlisting>#SOURCE    DESTINATION    POLICY     LOGLEVEL     LIMIT
+net        net            DROP</programlisting>
+
+      <para><filename>/etc/shorewall/masq</filename>:</para>
+
+      <programlisting>#INTERFACE       SOURCE            ADDRESS
+eth0             0.0.0.0/0         206.124.146.176
+eth1             0.0.0.0/0         130.252.99.27</programlisting>
+    </section>
+
     <section id="Applications">
       <title>Routing a Particular Application Through a Specific
       Interface</title>