Beta 3 is now available for testing.

Problems Corrected:

1)  The value '0' is once again accepted in the IN_BANDWIDTH columns of
    tcinterfaces and tcrules, and causes no ingress policing to be
    configured.

2)  MARK_IN_FORWARD_CHAIN=Yes no longer generates an error when 
    $FW:<address> is entered in the SOURCE column of the tcrules file.

New Features:

1)  The route_rules file has been renamed to 'rtrules'. The Shorewall
    and Shorewall6 installers will perform the rename on an existing
    file.

    If both files exist, route_rules will be processed and rtrules 
    will be ignored.

2)  Run-time address variables (e.g., &eth0) may now be used in the
    SOURCE column of the rtrules file.

3)  A 'PROBABILITY' column has been added to the tcrules files. It
    causes the rule to match randomly with the probability specified in
    the column. See shorewall-tcrules(5) and shorewall6-tcrules(5) for
    details.

    This column provides an alternative to the balance=<weight> option
    in the providers file.

    Example:

    /etc/shorewall/shorewall.conf

    MARK_IN_FORWARD_CHAIN=No
    ...
    USE_DEFAULT_RT=Yes
    ...
    TC_BITS=0
    PROVIDER_BITS=2
    PROVIDER_OFFSET=16
    MASK_BITS=8
    ZONE_BITS=4

    Note: PROVIDER_OFFSET=16 and ZONE_BITS=4 mean that the provider
          mask will be 0xf0000.
 
    /etc/shorewall/providers:

    #NAME    NUMBER MARK DUP  INTERFACE GATEWAY       OPTIONS
    ComcastB 1      -    -    eth1      70.90.191.126 loose,balance
    ComcastC 2      -    -    eth0      detect        loose,balance

    Note: The 'loose' option is specified so that the compiler will not
          generate any rules based on interface IP addresses. That way
          we have complete control over the priority of such rules
          through entries in the rtrules file.

    /etc/shorewall/rtrules

    #SOURCE             DEST  PROVIDER  PRIORITY
    70.90.191.120/29    -     ComcastB  1000
    &eth0               -     ComcastC  1000

    Note: eth0 has a dynamic address, so &eth0 is used in the SOURCE
          column.

    Note: Priority = 1000 means that these rules will come before rules
          that select a provider based on marks.

    /etc/shorewall/tcrules

    #MARK               SOURCE  DEST    PROTO   DEST
    #                                           PORT(S)
    CONTINUE            -       70.90.191.120/29
    CONTINUE            -       10.0.10.0/24

    # 70.90.191.120/29 is the local public subnet. 10.0.10.0/24 is a 
    # local network on eth1.

    0X10000/0xf0000     eth2    - ; probability=0.66666667
    0x20000/0xf0000     eth2    - ; test=0/0x30000

    #  The above two split traffic entering the firewall through eth2
    #  (local LAN) between the two providers with 2/3 of the traffic
    #  going to eth1 and 1/3 going to eth0.  

    CONTINUE    fw:70.90.191.120/29
    CONTINUE    fw              172.20.1.0/22
    CONTINUE    fw              70.90.191.120/29
    CONTINUE    fw              10.0.10.0/24
    
    # Similar to rules above

    0X10000/0xf0000     fw      - ; probability=0.66666667
    0x20000/0xf0000     fw      - ; test=0/0x30000

    # Again, split traffic from the firewall 2:1 in favor of eth1.

Thank you for testing,
-Tom

-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________


_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
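
The 2:1 split produced by the eth2 entries in the tcrules example above, modelled in Python as an added example (not part of the original announcement and not Shorewall's own code). It assumes that value/mask marking clears the masked bits and then ORs in the value, that test=0/0x30000 matches only when those bits are zero, and that CONTINUE stops rule processing with the mark untouched; the destination 198.51.100.7 is a constructed sample.

```python
import ipaddress
import random

PROVIDER_MASK = 0xF0000   # mask written in the MARK column of the example
COMCAST_B = 0x10000       # provider 1 (eth1)
COMCAST_C = 0x20000       # provider 2 (eth0)
# Destinations exempted by the CONTINUE rules that precede the split
LOCAL_DESTS = [ipaddress.ip_network(n)
               for n in ("70.90.191.120/29", "10.0.10.0/24")]


def set_mark(mark, value, mask):
    """Assumed value/mask semantics: clear the masked bits, OR in the value."""
    return (mark & ~mask) | value


def classify(dest, mark=0, rng=random.random):
    """Return the packet mark after the eth2 rules of the tcrules example."""
    addr = ipaddress.ip_address(dest)
    # CONTINUE: stop processing and leave the mark as it is
    if any(addr in net for net in LOCAL_DESTS):
        return mark
    # 0x10000/0xf0000  eth2  - ; probability=0.66666667
    if rng() < 0.66666667:
        mark = set_mark(mark, COMCAST_B, PROVIDER_MASK)
    # 0x20000/0xf0000  eth2  - ; test=0/0x30000
    # Matches only packets that still carry no provider mark, so it
    # picks up exactly the share the probability rule did not mark.
    if mark & 0x30000 == 0:
        mark = set_mark(mark, COMCAST_C, PROVIDER_MASK)
    return mark


def split_ratio(n=30000, seed=1):
    """Fraction of n simulated packets marked for each provider."""
    rng = random.Random(seed).random
    marks = [classify("198.51.100.7", rng=rng) for _ in range(n)]  # constructed dest
    return marks.count(COMCAST_B) / n, marks.count(COMCAST_C) / n


if __name__ == "__main__":
    b, c = split_ratio()
    print(f"ComcastB {b:.3f}  ComcastC {c:.3f}")
```

Without the test=0/0x30000 condition, the second rule would overwrite the first rule's mark and every packet would be routed through ComcastC.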
