Add 'default_rt' option

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9249 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2009-01-06 18:33:19 +00:00 · 2009-01-06 18:33:19 +00:00 · ee6cdfe001
commit ee6cdfe001
parent d4d8d79dc2
5 changed files with 102 additions and 41 deletions
--- a/Shorewall-perl/Shorewall/Chains.pm
+++ b/Shorewall-perl/Shorewall/Chains.pm
@ -253,6 +253,21 @@ our $mode;
 our $family;
 #
 # These are the zone-oriented builtin targets
 #
 our %builtin_target = ( ACCEPT   => 1,
 			REJECT   => 1,
 			DROP     => 1,
 			RETURN   => 1,
 			DNAT     => 1,
 			SAME     => 1,
 			LOG      => 1,
 			NFLOG    => 1,
 			QUEUE    => 1,
 			NFQUEUE  => 1,
 			REDIRECT => 1 );
 #
 # Initialize globals -- we take this novel approach to globals initialization to allow
 #                       the compiler to run multiple times in the same process. The
@ -471,7 +486,7 @@ sub add_rule($$;$)
 	push_rule ( $chainref, $rule );
    }
 }
-
+		 
 #
 # Add a jump from the chain represented by the reference in the first argument to
 # the target in the second argument. The optional third argument specifies any
@ -494,7 +509,7 @@ sub add_jump( $$$;$ ) {
 	#
 	# Ensure that we have the chain unless it is a builtin like 'ACCEPT'
 	#
-	$toref = ensure_chain( $fromref->{table} , $to ) unless ( $targets{$to} || 0 ) & STANDARD;
+	$toref = ensure_chain( $fromref->{table} , $to ) unless $builtin_target{ $to };
    }
    #
@ -525,7 +540,6 @@ sub insert_rule($$$)
    $iprangematch = 0;
    $chainref->{referenced} = 1;
 }
 #
@ -769,7 +783,7 @@ sub new_chain($$)
 {
    my ($table, $chain) = @_;
-    fatal_error "Internal error in new_chain()" if $chain_table{$table}{$chain};
+    fatal_error "Internal error in new_chain()" if $chain_table{$table}{$chain} || $builtin_target{ $chain };
    $chain_table{$table}{$chain} = { name      => $chain,
 				     rules     => [],
@ -1136,33 +1150,29 @@ sub newexclusionchain() {
 # one for destination exclusion.
 #
 sub source_exclusion( $$ ) {
-    my ( $exclusions, $targetref ) = @_;
+    my ( $exclusions, $target ) = @_;
    return $targetref unless @$exclusions;
    $targetref = ensure_filter_chain( $targetref, 0 ) unless reftype $targetref;
    my $chainref = new_chain( $targetref->{table}, newexclusionchain );
    return $target unless @$exclusions;
    my $chainref = new_chain( reftype $target ? $target->{table} : 'filter' , newexclusionchain );
    add_rule( $chainref, match_source_net( $_ ) . '-j RETURN' ) for @$exclusions;
-    add_jump( $chainref, $targetref, 1 );
+    add_jump( $chainref, $target, 1 );
-    reftype $_[1] ? $chainref : $chainref->{name};
+    reftype $target ? $chainref : $chainref->{name};
 }
 sub dest_exclusion( $$ ) {
-    my ( $exclusions, $targetref ) = @_;
+    my ( $exclusions, $target ) = @_;
-    return $targetref unless @$exclusions;
+    return $target unless @$exclusions;
    $targetref = ensure_filter_chain( $targetref, 0 ) unless reftype $targetref;
    my $chainref = new_chain( $targetref->{table}, newexclusionchain );
    my $chainref = new_chain( reftype $target ? $target->{table} : 'filter' , newexclusionchain );
    add_rule( $chainref, match_dest_net( $_ ) . '-j RETURN' ) for @$exclusions;
-    add_jump( $chainref, $targetref, 1 );
+    add_jump( $chainref, $target, 1 );
-    reftype $_[1] ? $targetref : $targetref->{name};
+    reftype $target ? $chainref : $chainref->{name};
 }
 sub clearrule() {
--- a/Shorewall-perl/Shorewall/Config.pm
+++ b/Shorewall-perl/Shorewall/Config.pm
@ -299,7 +299,7 @@ sub initialize( $ ) {
 		    LOGPARMS => '',
 		    TC_SCRIPT => '',
 		    EXPORT => 0,
-		    VERSION => "4.2.4-RC3",
+		    VERSION => "4.2.4",
 		    CAPVERSION => 40203 ,
 		  );
    #
@ -995,7 +995,7 @@ sub create_temp_object( $ ) {
    fatal_error "A compiled script may not be named 'shorewall'" if "$file" eq 'shorewall' && $suffix eq '';
    eval {
-	$dir = abs_path $dir;
+	$dir = abs_path $dir unless $dir =~ m|^/|; # Work around http://rt.cpan.org/Public/Bug/Display.html?id=1385
 	( $object, $tempfile ) = tempfile ( 'tempfileXXXX' , DIR => $dir );
    };
--- a/docs/MultiISP.xml
+++ b/docs/MultiISP.xml
@ -462,6 +462,20 @@
                  the INTERFACE column is assumed.</para>
                </listitem>
              </varlistentry>
              <varlistentry>
                <term>default_rt (Added in Shorewall-perl 4.2.5)</term>
                <listitem>
                  <para>Indicates that a default route through the provider
                  should be added to the default routing table (table 253).
                  The route is added with a metric equal to the provider
                  NUMBER so multiple providers can have this option. The
                  option is ignored with a warning message if
                  USE_DEFAULT_RT=Yes in
                  <filename>shorewall.conf</filename>.</para>
                </listitem>
              </varlistentry>
            </variablelist>
            <para>For those of you who are terminally confused
@ -1256,7 +1270,7 @@ wlan0                   192.168.0.0/24</programlisting><note>
    </section>
  </section>
-  <section>
+  <section id="Complete">
    <title>A Complete Working Example</title>
    <para>This section describes the network at shorewall.net early in 2009.
@ -1298,9 +1312,30 @@ wlan0                   192.168.0.0/24</programlisting><note>
    <para>Because of the speed of the cable provider, all traffic uses that
    provider unless there is a specific need for the traffic to use the DSL
-    line. As a consequence, I have disabled all route filtering on the
+    line.</para>
    <itemizedlist>
      <listitem>
        <para>Responses to connections from the Internet to one of the DSL IP
        addresses -- the <emphasis role="bold">track</emphasis> option takes
        care of that.</para>
      </listitem>
      <listitem>
        <para>Connections initiated by the server and connection requested by
        clients on the firewall that have bound their local socket to one of
        the DSL IP addresses. Two entries in
        <filename>/etc/shorewall/route_rules</filename> take care of that
        traffic.</para>
      </listitem>
    </itemizedlist>
    <para>As a consequence, I have disabled all route filtering on the
    firewall and do not use the <emphasis role="bold">balance</emphasis>
-    option in <filename>/etc/shorewall/providers</filename>.</para>
+    option in <filename>/etc/shorewall/providers</filename>. The default route
    in the main table is established by DHCP. By specifying the
    <emphasis>default_rt</emphasis> option on Avvanta, I ensure that there is
    a default route when Comcast is down.</para>
    <para><filename>/etc/sysctl.conf</filename>:</para>
@ -1308,9 +1343,9 @@ wlan0                   192.168.0.0/24</programlisting><note>
    <para><filename>/etc/shorewall/providers</filename>:</para>
-    <programlisting>#NAME  NUMBER MARK  DUPLICATE INTERFACE GATEWAY         OPTIONS      COPY
+    <programlisting>#NAME  NUMBER MARK  DUPLICATE INTERFACE GATEWAY         OPTIONS                 COPY
-Avvanta     1 0x100 main      eth0      206.124.146.254 track,loose  eth2,eth4,tun*
+Avvanta     1 0x100 main      eth0      206.124.146.254 track,loose,default_rt  eth2,eth4,tun*
-Comcast     2 0x200 main      eth3      detect          track        eth2,eth4,tun*
+Comcast     2 0x200 main      eth3      detect          track                   eth2,eth4,tun*
 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
    <para>The <emphasis role="bold">loose</emphasis> option on Avvanta results
@ -1370,6 +1405,8 @@ default via 71.227.156.1 dev eth3  src 71.227.156.229
 Table default:
 default via 206.124.146.254 dev eth0 metric 1
 Table local:
 broadcast 127.255.255.255 dev lo  proto kernel  scope link  src 127.0.0.1 
--- a/manpages/shorewall-providers.xml
+++ b/manpages/shorewall-providers.xml
@ -1,4 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
 "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
 <refentry>
  <refmeta>
    <refentrytitle>shorewall-providers</refentrytitle>
@ -97,7 +99,7 @@
          previously listed provider. You may select only certain entries from
          the table to copy by using the COPY column below. This column should
          contain a dash ("-') when USE_DEFAULT_RT=Yes in <ulink
-          url="shorewall.conf.html">shorewall.conf(5)</ulink>. </para>
+          url="shorewall.conf.html">shorewall.conf(5)</ulink>.</para>
        </listitem>
      </varlistentry>
@ -199,7 +201,8 @@
            </varlistentry>
            <varlistentry>
-              <term>src=<replaceable>source-address</replaceable></term>
+              <term><emphasis
              role="bold">src=</emphasis><replaceable>source-address</replaceable></term>
              <listitem>
                <para>Added in Shorewall-perl 4.1.5. Specifies the source
@ -213,7 +216,8 @@
            </varlistentry>
            <varlistentry>
-              <term>mtu=<replaceable>number</replaceable></term>
+              <term><emphasis
              role="bold">mtu=</emphasis><replaceable>number</replaceable></term>
              <listitem>
                <para>Added in Shorewall-perl 4.1.5. Specifies the MTU when
@ -221,6 +225,20 @@
                interface named in the INTERFACE column is assumed.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">default_rt</emphasis></term>
              <listitem>
                <para>Added in Shorewall-perl 4.2.5. Indicates that a default
                route through the provider should be added to the default
                routing table (table 253). The route is added with a metric
                equal to the provider NUMBER so multiple providers can have
                this option. The option is ignored with a warning message if
                USE_DEFAULT_RT=Yes in
                <filename>shorewall.conf</filename>.</para>
              </listitem>
            </varlistentry>
          </variablelist>
        </listitem>
      </varlistentry>
@ -301,4 +319,4 @@
    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
-</refentry>
+</refentry>
--- a/web/Documentation.html
+++ b/web/Documentation.html
@ -8,7 +8,7 @@
 <h1 style="text-align: left;">Shorewall Documentation</h1>
 <span style="font-weight: bold;">Tom Eastep</span><br>
 <span style="font-weight: bold;">
-</span>Copyright © 2005-2007 Thomas M. Eastep<br>
+</span>Copyright © 2005-2009 Thomas M. Eastep<br>
 <p>Permission is granted to copy, distribute and/or modify this
 document
 under the terms of the GNU Free Documentation License, Version 1.2 or
@ -21,7 +21,7 @@ license is included in the section entitled “<span class="quote"><a
 href="GnuCopyright.htm" target="_self">GNU Free Documentation
 License</a></span>”.<br>
 </p>
-<p>2008-10-05<br>
+<p>2009-01-02<br>
 </p>
 <hr style="width: 100%; height: 2px;"> <strong></strong>
 <ul>
@ -53,7 +53,7 @@ released with Shorewall 3.4.0 and later <br>
    <a href="/3.0/manpages/Manpages.html">Shorewall 3.x</a><br>
    <a href="/4.0/Manpages.html">Shorewall 4.0</a><br>
    <a href="Manpages.html">Shorewall 4.2</a><br>
-    <a href="Manpages6.html">Shorewall6 4.x (IPv6 Support)</a><br>
+    <a href="Manpages6.html">Shorewall6 4.2 (IPv6 Support)</a><br>
    <br>
  </li>
  <li><a href="shorewall_features.htm">Shorewall <span
@ -70,11 +70,7 @@ Guide</a> -- Look here when "it doesn't work"<br>
  <li><strong>PPPPPPPS</strong> ( or, Paul's Principles for Practical
 Provision of Packet Processing with Shorewall ) <a
 href="http://linuxman.wikispaces.com/PPPPPPS">http://linuxman.wikispaces.com/PPPPPPS</a>
-- Some very useful tips for dealing with Shorewall from Paul Gear<br>
+-- Some very useful tips for dealing with Shorewall from Paul Gear</li>
  </li>
 </ul>
 <div style="margin-left: 40px;">
 <a href="2.0/">Shorewall 2.x Documentation</a> </div>
 <br>
 </body>
 </html>