On 5/1/13 5:26 PM, Dash Four wrote:
>
>
> Tom Eastep wrote:
>> Regrettably, Shorewall 4.5.16 has a serious problem when used on systems
>> running a 3.x kernel that include CT Target support and that do not use
>> a capabilities file.
>>
> I am attaching 4 patches, implementing 3 new features and fixing one
> minor inconsistency in this version. These are:
>
> 1. Introduce DEST interface capabilities to "rtrules". I did report this
> as a "bug" previously, but, as it turned out, "source" and "destination"
> interfaces are not treated the same as source and destination ip
> addresses (I've had long-drawn arguments about this on the netfilter
> mailing list, so I won't go into anything like this on here). So, what
> this new feature does is to allow the output interface to be specified,
> along with the destination ip address, in the DEST column in "rtrules" and
> generate the necessary "ip rule" rules to make it happen.
>
> This patch comes with one caveat though - the "oif" ip rule capability
> in the iproute package was introduced fairly "recently", so if this
> feature is going to be made available "mainstream", I suspect a new
> capability needs to be added to shorewall (my perl skills aren't quite
> there yet, so I'll leave this up to you Tom, if you decide to
> incorporate this new feature into shorewall - "It works for me (tm)").
>

What are the semantics associated with oif? Given that ip rules are
applied before routing, the output interface has not yet been determined.

> 2. Allow "blackhole", "unreachable" and "prohibit" COPY options to be
> specified in "providers" (this is in addition to interfaces) so that
> these types of routes can also be transferred over to the new provider
> tables, as desired, and not, as was the case up until now, at the
> behest of shorewall.
>
> This also addresses a bug I reported recently where there was a possible
> clash during adding/creating/transferring blackhole-type routes in
> between 'main' and the provider's tables. Example of use:
>
> dmz7 2 - main eth0 10.1.7.1 - blackhole,eth0,prohibit
>
> The above statement copies all "blackhole" and "prohibit" routes from
> 'main' to the 'dmz7' provider table, in addition to all 'eth0' routes
> (it does *not* touch the "unreachable" routes in main, if they exist).
>
> 3. Introduce a new pair of OPTIONs in "providers" called "autosrc" and
> "noautosrc". Up until now, shorewall used to create an iproute rule in
> "firewall" for each provider, adding the provider's interface source IP
> address and placing that rule with priority 20000 automatically. The
> above pair of options allows for fine-tuning of this.
>
> Specifically, if "noautosrc" is specified, no such rule is created by
> default (useful if either no such rule is needed or that rule needs to
> be created with a different priority, other than the one "assumed" by
> shorewall). By default (and to keep backwards compatibility with
> previous releases), if nothing is specified, then "autosrc" is assumed
> (in other words, the "old" behaviour is in effect - the rule is
> created). Example of use:
>
> dmz7 2 - main eth0 10.1.7.1 noautosrc blackhole,eth0,prohibit
>
> With the above statement, the "ip rule del from <eth0_src>" and "ip rule
> add from <eth0_src> pref 20000" rules are *not* created, but can be
> added by the user, if needed (and with a different priority!), by adding
> the following statement in "rtrules":
>
> - eth0 dmz7 26001
>
> 4. A minor bugfix, which ensures consistency in creating ip rules,
> always using "pref" instead of "priority".
>

The last three look okay.

Thanks,
-Tom

-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
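The following is an added illustration of the providers COPY and autosrc/noautosrc semantics described in items 2 and 3 above; it is not Shorewall's own code or the attached patches. The providers column order follows the example lines in the mail, the `ip route show` sample is constructed, and the exact `ip route`/`ip rule` command forms (including `table <name>` on the source rule) are assumptions.

```python
# Constructed illustration, not Shorewall code: how one providers entry's
# COPY column and autosrc/noautosrc option translate to ip commands.
ROUTE_TYPES = {"blackhole", "unreachable", "prohibit"}

# Constructed sample of `ip route show table main` output (not a capture).
MAIN_TABLE = """\
10.1.7.0/24 dev eth0 proto kernel scope link src 10.1.7.5
192.168.3.0/24 dev eth1 proto kernel scope link src 192.168.3.1
blackhole 10.9.0.0/16
prohibit 172.16.5.0/24
unreachable 10.99.0.0/16
"""

def parse_provider(line):
    """Split one providers entry into its columns; '-' means 'unset'."""
    names = ["name", "number", "mark", "duplicate", "interface",
             "gateway", "options", "copy"]
    p = dict(zip(names, line.split()))
    for col in ("options", "copy"):
        value = p.get(col, "-")
        p[col] = set() if value == "-" else set(value.split(","))
    return p

def route_selected(route, copy):
    """Copy a route if its type (blackhole/prohibit/unreachable) or its
    output device is listed in the COPY column."""
    words = route.split()
    if words[0] in ROUTE_TYPES:
        return words[0] in copy
    if "dev" in words:
        return words[words.index("dev") + 1] in copy
    return False

def generate(provider_line, main_table, src_ip):
    """Return the ip commands implied by one providers entry (assumed forms)."""
    p = parse_provider(provider_line)
    cmds = [f"ip route add {route} table {p['name']}"
            for route in main_table.splitlines()
            if route_selected(route, p["copy"])]
    # autosrc is the default; noautosrc suppresses the pref 20000 rule so the
    # user can add it via rtrules with a different priority instead.
    if "noautosrc" not in p["options"]:
        cmds.append(f"ip rule del from {src_ip}")
        cmds.append(f"ip rule add from {src_ip} pref 20000 table {p['name']}")
    return cmds

if __name__ == "__main__":
    line = "dmz7 2 - main eth0 10.1.7.1 noautosrc blackhole,eth0,prohibit"
    print("\n".join(generate(line, MAIN_TABLE, "10.1.7.5")))
```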
_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
