On 03/06/2013 04:21 AM, Mr Dash Four wrote:
>
>> You need to re-apply the patches. Those went in after I had already
>> uploaded RC1.
>>
> The RC1 announcement wasn't posted on the list either.
> I don't know whether it is late in the cycle for this release or not, but the
> following problem, I think, merits some attention:
>
> 1. "providers" file and treatment of (custom-specified) blackhole rules:
>
> They are not captured either by the DUPLICATE or COPY columns, so they
> must always be copied (somehow manually?) regardless.
>
> Currently I can't see a way of adding blackhole routes (there isn't
> anything in either "rtrules" or "routes"), which means that if I have
> custom-set blackhole routes (via the Linux network scripts or via
> "start"/"started"), they will not be copied over to the providers
> table(s) and there is no way to add them in either of these two files.
I highly recommend USE_DEFAULT_RT=Yes. This causes the main routing
table to be traversed prior to the provider tables and avoids all of the
copying nonsense altogether. I really don't want to put any effort into
improving USE_DEFAULT_RT=No.
>
> Also worth reporting:
>
> 2. "firewall" script - ${VARDIR}/<iface>.status optimisation:
>
> providers
> ~~~~~~~~~
> internal 7 - - eth2 10.1.7.13
>
> produces:
>
> [...]
> find_interface_addresses eth2 | while read address; do
> qt $IP -4 rule del from $address
> run_ip rule add from $address pref 20000 table 7
> echo "qt $IP -4 rule del from $address" >> ${VARDIR}/undo_internal_routing
> rulenum=$(($rulenum + 1))
> done
>
> echo 0 > ${VARDIR}/eth2.status
> echo 0 > ${VARDIR}/eth2.status
> progress_message "Provider internal (2) Started"
> else
> echo 1 > ${VARDIR}/eth2.status
> fatal_error "Interface eth2 is not usable -- Provider internal (2) Cannot be Started"
> fi
> } # End of start_provider_internal();
> [...]
>
> Note the double "echo 0 > ..." statement above.
Patch attached.
>
> 3. The definition of DUPLICATE and COPY columns in "providers" is
> different in http://www.shorewall.net/MultiISP.html and
> http://www.shorewall.net/manpages/shorewall-providers.html. In
> MultiISP.html we have:
>
> "...When you specify an existing table in the DUPLICATE column,
> Shorewall copies all routes through the interface specified in the
> INTERFACE column plus the interfaces listed in this column. Normally,
> you will list all interfaces on your firewall in this column except
> those Internet interfaces specified in the INTERFACE column of entries
> in this file."
>
> So, according to this, if I have the above "providers" configuration
> (see 2 above), save for setting "main" in the DUPLICATE column, then
> only routes defined in the main table for "eth2" should be copied to the
> "internal" table. In reality, every subnet defined in the main table,
> regardless of which interface it is defined for, is copied. The
> providers man page describes the correct behaviour.
Thanks -- I'll update the web page.
>
> In addition, if I specify "eth2" in the COPY column (continue to have
> "main" in DUPLICATE), then the following code is produced:
>
> [...]
> case $(find_device $route) in
> eth2|eth2)
> case $net in
> 255.255.255.255*)
> [...]
> "eth2|eth2)" is the equivalent of "eth2)", so this should be optimised.
Patch attached.
>
> 4. Manpages -> rtrules is a dead link.
Corrected - thanks.
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
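Added here as an example, not part of the thread above or of the Shorewall project: a POSIX sh/awk check that can be run over a compiled Shorewall firewall script (the shell that "shorewall compile" writes out) to confirm that the two redundancies reported in points 2 and 3, the doubled "echo 0 > ${VARDIR}/eth2.status" and the "eth2|eth2)" case label, are gone once the patches are in. The function names, the single path argument and the built-in sample fragment are this example's own assumptions; the sample is constructed from the quoted report, not captured from a real compile.

```shell
#!/bin/sh
# Added example, not Shorewall code: two checks against a compiled
# Shorewall firewall script. Each prints its findings and returns
# non-zero when it found any, so the script can gate a release build.
#   check_status_writes  - the same "echo N > ${VARDIR}/<iface>.status"
#                          emitted twice in a row (report point 2)
#   check_case_labels    - a case label like "eth2|eth2)" that repeats
#                          one of its alternatives (report point 3)
# Usage (assumed by this example): check_firewall.sh /path/to/compiled/firewall

# Report consecutive, identical provider status-file writes.
check_status_writes() {
    awk '
        /^[[:space:]]*echo [01] > [$][{]VARDIR[}]\/[^ ]+[.]status$/ {
            line = $0
            sub(/^[[:space:]]+/, "", line)   # ignore indentation differences
            if (line == prev) dup[line]++
            prev = line
            next
        }
        { prev = "" }                        # only adjacent repeats count
        END {
            n = 0
            for (l in dup) { printf "duplicate status write: %s (x%d)\n", l, dup[l] + 1; n++ }
            exit n
        }
    ' "$1"
}

# Report case labels whose "|"-separated alternatives contain a repeat.
check_case_labels() {
    awk '
        /^[[:space:]]*[^[:space:]()|]+(\|[^[:space:]()|]+)+\)$/ {
            label = $0
            sub(/^[[:space:]]+/, "", label)
            sub(/\)$/, "", label)
            n = split(label, alt, "|")
            split("", seen)                  # portable way to clear the array
            for (i = 1; i <= n; i++) {
                if (alt[i] in seen) {
                    bad++
                    printf "redundant case label: %s)\n", label
                    break
                }
                seen[alt[i]] = 1
            }
        }
        END { exit bad + 0 }
    ' "$1"
}

if [ $# -gt 0 ]; then
    check_status_writes "$1"
    check_case_labels "$1"
else
    # No argument given: run against a sample constructed from the
    # fragments quoted in the report (both defects present).
    sample=$(mktemp)
    cat > "$sample" <<'EOF'
echo 0 > ${VARDIR}/eth2.status
echo 0 > ${VARDIR}/eth2.status
progress_message "Provider internal (2) Started"
case $(find_device $route) in
eth2|eth2)
EOF
    check_status_writes "$sample" || echo "status check: $? finding(s)"
    check_case_labels "$sample" || echo "case check: $? finding(s)"
    rm -f "$sample"
fi
```

Both checks deliberately look only at what the compiled script literally contains, so they report the symptom the reporter saw (two adjacent writes, a repeated alternative) rather than trying to reason about the Perl that generated it; run them on the output for a providers entry with and without the optional interface test before and after applying the patches below.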
diff --git a/Shorewall/Perl/Shorewall/Providers.pm b/Shorewall/Perl/Shorewall/Providers.pm
index 233cf42..41c6a5a 100644
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -867,7 +867,6 @@ CEOF
emit "fi\n";
} else {
- emit( qq(echo 0 > \${VARDIR}/${physical}.status) );
emit( qq(progress_message "Provider $table ($number) Started") );
}
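Review bot: the emit being deleted is the one in the Perl else branch, but the "echo 0 > ${VARDIR}/${physical}.status" that survives is emitted by code outside this hunk's context, so confirm that the preceding if branch (the one that closes with emit "fi\n") still writes the status file exactly once on its success path and that the else branch is still covered by that shared line. The reporter's generated script shows both "echo 0" lines directly before progress_message, which is consistent with dropping this one, but the hunk header claims seven context lines and only five are visible here, so regenerate the script for the reported "internal 7 - - eth2 10.1.7.13" entry, with and without the interface usability test, and diff the ".status" writes before this goes into RC2.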
diff --git a/Shorewall/Perl/Shorewall/Providers.pm b/Shorewall/Perl/Shorewall/Providers.pm
index 41c6a5a..c419fcf 100644
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -221,10 +221,21 @@ sub copy_and_edit_table( $$$$ ) {
my ( $duplicate, $number, $copy, $realm) = @_;
my $filter = $family == F_IPV6 ? q(fgrep -v ' cache ' | sed 's/ via :: / /' | ) : '';
+ my %copied;
+ my @copy;
+ #
+ # Remove duplicates
+ #
+ for ( split ',', $copy ) {
+ unless ( $copied{$_} ) {
+ push @copy, $_;
+ $copied{$_} = 1;
+ }
+ }
#
# Map physical names in $copy to logical names
#
- $copy = join( '|' , map( physical_name($_) , split( ',' , $copy ) ) );
+ $copy = join( '|' , map( physical_name($_) , @copy ) );
#
# Shell and iptables use a different wildcard character
#
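Review bot: the duplicate removal runs on the raw COPY names before physical_name() is applied, so two different logical names that resolve to the same physical device would still produce "eth2|eth2)"; deduplicating after the map covers both cases in one pass, e.g. `my %seen; $copy = join( '|', grep { !$seen{$_}++ } map( physical_name($_), split( ',', $copy ) ) );`, and drops the two new lexicals. Also, the comment "Map physical names in $copy to logical names" reads backwards relative to the physical_name() call beneath it; since that line is being touched anyway, flip it to "Map logical names in $copy to physical names".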
_______________________________________________ Shorewall-devel mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-devel
