Add 'default_rt' option

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9249 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2009-01-06 18:33:19 +00:00 · 2009-01-06 18:33:19 +00:00 · ee6cdfe001
commit ee6cdfe001
parent d4d8d79dc2
5 changed files with 102 additions and 41 deletions
--- a/Shorewall-perl/Shorewall/Chains.pm
+++ b/Shorewall-perl/Shorewall/Chains.pm
@ -253,6 +253,21 @@ our $mode;

 our $family;

+#
+# These are the zone-oriented builtin targets
+#
+our %builtin_target = ( ACCEPT   => 1,
+			REJECT   => 1,
+			DROP     => 1,
+			RETURN   => 1,
+			DNAT     => 1,
+			SAME     => 1,
+			LOG      => 1,
+			NFLOG    => 1,
+			QUEUE    => 1,
+			NFQUEUE  => 1,
+			REDIRECT => 1 );
+
 #
 # Initialize globals -- we take this novel approach to globals initialization to allow
 #                       the compiler to run multiple times in the same process. The
@ -471,7 +486,7 @@ sub add_rule($$;$)
 	push_rule ( $chainref, $rule );
    }
 }
-
+		 
 #
 # Add a jump from the chain represented by the reference in the first argument to
 # the target in the second argument. The optional third argument specifies any
@ -494,7 +509,7 @@ sub add_jump( $$$;$ ) {
 	#
 	# Ensure that we have the chain unless it is a builtin like 'ACCEPT'
 	#
-	$toref = ensure_chain( $fromref->{table} , $to ) unless ( $targets{$to} || 0 ) & STANDARD;
+	$toref = ensure_chain( $fromref->{table} , $to ) unless $builtin_target{ $to };
    }
    
    #
@ -525,7 +540,6 @@ sub insert_rule($$$)
    $iprangematch = 0;

    $chainref->{referenced} = 1;
-
 }

 #
@ -769,7 +783,7 @@ sub new_chain($$)
 {
    my ($table, $chain) = @_;

-    fatal_error "Internal error in new_chain()" if $chain_table{$table}{$chain};
+    fatal_error "Internal error in new_chain()" if $chain_table{$table}{$chain} || $builtin_target{ $chain };

    $chain_table{$table}{$chain} = { name      => $chain,
 				     rules     => [],
@ -1136,33 +1150,29 @@ sub newexclusionchain() {
 # one for destination exclusion.
 #
 sub source_exclusion( $$ ) {
-    my ( $exclusions, $targetref ) = @_;
-    
-    return $targetref unless @$exclusions;
-    
-    $targetref = ensure_filter_chain( $targetref, 0 ) unless reftype $targetref;
-    
-    my $chainref = new_chain( $targetref->{table}, newexclusionchain );
+    my ( $exclusions, $target ) = @_;
    
+    return $target unless @$exclusions;
+
+    my $chainref = new_chain( reftype $target ? $target->{table} : 'filter' , newexclusionchain );
+
    add_rule( $chainref, match_source_net( $_ ) . '-j RETURN' ) for @$exclusions;
-    add_jump( $chainref, $targetref, 1 );
+    add_jump( $chainref, $target, 1 );
    
-    reftype $_[1] ? $chainref : $chainref->{name};
+    reftype $target ? $chainref : $chainref->{name};
 }

 sub dest_exclusion( $$ ) {
-    my ( $exclusions, $targetref ) = @_;
+    my ( $exclusions, $target ) = @_;
    
-    return $targetref unless @$exclusions;
-    
-    $targetref = ensure_filter_chain( $targetref, 0 ) unless reftype $targetref;
-    
-    my $chainref = new_chain( $targetref->{table}, newexclusionchain );
+    return $target unless @$exclusions;
    
+    my $chainref = new_chain( reftype $target ? $target->{table} : 'filter' , newexclusionchain );
+
    add_rule( $chainref, match_dest_net( $_ ) . '-j RETURN' ) for @$exclusions;
-    add_jump( $chainref, $targetref, 1 );
+    add_jump( $chainref, $target, 1 );
    
-    reftype $_[1] ? $targetref : $targetref->{name};
+    reftype $target ? $chainref : $chainref->{name};
 }

 sub clearrule() {
--- a/Shorewall-perl/Shorewall/Config.pm
+++ b/Shorewall-perl/Shorewall/Config.pm
@ -299,7 +299,7 @@ sub initialize( $ ) {
 		    LOGPARMS => '',
 		    TC_SCRIPT => '',
 		    EXPORT => 0,
-		    VERSION => "4.2.4-RC3",
+		    VERSION => "4.2.4",
 		    CAPVERSION => 40203 ,
 		  );
    #
@ -995,7 +995,7 @@ sub create_temp_object( $ ) {
    fatal_error "A compiled script may not be named 'shorewall'" if "$file" eq 'shorewall' && $suffix eq '';

    eval {
-	$dir = abs_path $dir;
+	$dir = abs_path $dir unless $dir =~ m|^/|; # Work around http://rt.cpan.org/Public/Bug/Display.html?id=1385
 	( $object, $tempfile ) = tempfile ( 'tempfileXXXX' , DIR => $dir );
    };

--- a/docs/MultiISP.xml
+++ b/docs/MultiISP.xml
@ -462,6 +462,20 @@
                  the INTERFACE column is assumed.</para>
                </listitem>
              </varlistentry>
+
+              <varlistentry>
+                <term>default_rt (Added in Shorewall-perl 4.2.5)</term>
+
+                <listitem>
+                  <para>Indicates that a default route through the provider
+                  should be added to the default routing table (table 253).
+                  The route is added with a metric equal to the provider
+                  NUMBER so multiple providers can have this option. The
+                  option is ignored with a warning message if
+                  USE_DEFAULT_RT=Yes in
+                  <filename>shorewall.conf</filename>.</para>
+                </listitem>
+              </varlistentry>
            </variablelist>

            <para>For those of you who are terminally confused
@ -1256,7 +1270,7 @@ wlan0                   192.168.0.0/24</programlisting><note>
    </section>
  </section>

-  <section>
+  <section id="Complete">
    <title>A Complete Working Example</title>

    <para>This section describes the network at shorewall.net early in 2009.
@ -1298,9 +1312,30 @@ wlan0                   192.168.0.0/24</programlisting><note>

    <para>Because of the speed of the cable provider, all traffic uses that
    provider unless there is a specific need for the traffic to use the DSL
-    line. As a consequence, I have disabled all route filtering on the
+    line.</para>
+
+    <itemizedlist>
+      <listitem>
+        <para>Responses to connections from the Internet to one of the DSL IP
+        addresses -- the <emphasis role="bold">track</emphasis> option takes
+        care of that.</para>
+      </listitem>
+
+      <listitem>
+        <para>Connections initiated by the server and connection requested by
+        clients on the firewall that have bound their local socket to one of
+        the DSL IP addresses. Two entries in
+        <filename>/etc/shorewall/route_rules</filename> take care of that
+        traffic.</para>
+      </listitem>
+    </itemizedlist>
+
+    <para>As a consequence, I have disabled all route filtering on the
    firewall and do not use the <emphasis role="bold">balance</emphasis>
-    option in <filename>/etc/shorewall/providers</filename>.</para>
+    option in <filename>/etc/shorewall/providers</filename>. The default route
+    in the main table is established by DHCP. By specifying the
+    <emphasis>default_rt</emphasis> option on Avvanta, I ensure that there is
+    a default route when Comcast is down.</para>

    <para><filename>/etc/sysctl.conf</filename>:</para>

@ -1308,9 +1343,9 @@ wlan0                   192.168.0.0/24</programlisting><note>

    <para><filename>/etc/shorewall/providers</filename>:</para>

-    <programlisting>#NAME  NUMBER MARK  DUPLICATE INTERFACE GATEWAY         OPTIONS      COPY
-Avvanta     1 0x100 main      eth0      206.124.146.254 track,loose  eth2,eth4,tun*
-Comcast     2 0x200 main      eth3      detect          track        eth2,eth4,tun*
+    <programlisting>#NAME  NUMBER MARK  DUPLICATE INTERFACE GATEWAY         OPTIONS                 COPY
+Avvanta     1 0x100 main      eth0      206.124.146.254 track,loose,default_rt  eth2,eth4,tun*
+Comcast     2 0x200 main      eth3      detect          track                   eth2,eth4,tun*
 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>

    <para>The <emphasis role="bold">loose</emphasis> option on Avvanta results
@ -1370,6 +1405,8 @@ default via 71.227.156.1 dev eth3  src 71.227.156.229

 Table default:

+default via 206.124.146.254 dev eth0 metric 1
+
 Table local:

 broadcast 127.255.255.255 dev lo  proto kernel  scope link  src 127.0.0.1 
--- a/manpages/shorewall-providers.xml
+++ b/manpages/shorewall-providers.xml
@ -1,4 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
 <refentry>
  <refmeta>
    <refentrytitle>shorewall-providers</refentrytitle>
@ -97,7 +99,7 @@
          previously listed provider. You may select only certain entries from
          the table to copy by using the COPY column below. This column should
          contain a dash ("-') when USE_DEFAULT_RT=Yes in <ulink
-          url="shorewall.conf.html">shorewall.conf(5)</ulink>. </para>
+          url="shorewall.conf.html">shorewall.conf(5)</ulink>.</para>
        </listitem>
      </varlistentry>

@ -199,7 +201,8 @@
            </varlistentry>

            <varlistentry>
-              <term>src=<replaceable>source-address</replaceable></term>
+              <term><emphasis
+              role="bold">src=</emphasis><replaceable>source-address</replaceable></term>

              <listitem>
                <para>Added in Shorewall-perl 4.1.5. Specifies the source
@ -213,7 +216,8 @@
            </varlistentry>

            <varlistentry>
-              <term>mtu=<replaceable>number</replaceable></term>
+              <term><emphasis
+              role="bold">mtu=</emphasis><replaceable>number</replaceable></term>

              <listitem>
                <para>Added in Shorewall-perl 4.1.5. Specifies the MTU when
@ -221,6 +225,20 @@
                interface named in the INTERFACE column is assumed.</para>
              </listitem>
            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">default_rt</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall-perl 4.2.5. Indicates that a default
+                route through the provider should be added to the default
+                routing table (table 253). The route is added with a metric
+                equal to the provider NUMBER so multiple providers can have
+                this option. The option is ignored with a warning message if
+                USE_DEFAULT_RT=Yes in
+                <filename>shorewall.conf</filename>.</para>
+              </listitem>
+            </varlistentry>
          </variablelist>
        </listitem>
      </varlistentry>
@ -301,4 +319,4 @@
    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
-</refentry>
+</refentry>
--- a/web/Documentation.html
+++ b/web/Documentation.html
@ -8,7 +8,7 @@
 <h1 style="text-align: left;">Shorewall Documentation</h1>
 <span style="font-weight: bold;">Tom Eastep</span><br>
 <span style="font-weight: bold;">
-</span>Copyright © 2005-2007 Thomas M. Eastep<br>
+</span>Copyright © 2005-2009 Thomas M. Eastep<br>
 <p>Permission is granted to copy, distribute and/or modify this
 document
 under the terms of the GNU Free Documentation License, Version 1.2 or
@ -21,7 +21,7 @@ license is included in the section entitled “<span class="quote"><a
 href="GnuCopyright.htm" target="_self">GNU Free Documentation
 License</a></span>”.<br>
 </p>
-<p>2008-10-05<br>
+<p>2009-01-02<br>
 </p>
 <hr style="width: 100%; height: 2px;"> <strong></strong>
 <ul>
@ -53,7 +53,7 @@ released with Shorewall 3.4.0 and later <br>
    <a href="/3.0/manpages/Manpages.html">Shorewall 3.x</a><br>
    <a href="/4.0/Manpages.html">Shorewall 4.0</a><br>
    <a href="Manpages.html">Shorewall 4.2</a><br>
-    <a href="Manpages6.html">Shorewall6 4.x (IPv6 Support)</a><br>
+    <a href="Manpages6.html">Shorewall6 4.2 (IPv6 Support)</a><br>
    <br>
  </li>
  <li><a href="shorewall_features.htm">Shorewall <span
@ -70,11 +70,7 @@ Guide</a> -- Look here when "it doesn't work"<br>
  <li><strong>PPPPPPPS</strong> ( or, Paul's Principles for Practical
 Provision of Packet Processing with Shorewall ) <a
 href="http://linuxman.wikispaces.com/PPPPPPS">http://linuxman.wikispaces.com/PPPPPPS</a>
-- Some very useful tips for dealing with Shorewall from Paul Gear<br>
-  </li>
+-- Some very useful tips for dealing with Shorewall from Paul Gear</li>
 </ul>
-<div style="margin-left: 40px;">
-<a href="2.0/">Shorewall 2.x Documentation</a> </div>
-<br>
 </body>
 </html>