On 03/06/2013 10:53 AM, Tom Eastep wrote:
> On 03/06/2013 09:13 AM, Mr Dash Four wrote:
>>
>>>> Currently I can't see a way of adding blackhole routes (there isn't 
>>>> anything in either "rtrules" or "routes"), which means that if I have a 
>>>> custom-set blackhole routes (via the Linux network scripts or via 
>>>> "start"/"started"), they will not be copied over to the providers 
>>>> table(s) and there is no way to add them in either of these two files.
>>>>     
>>>
>>> I highly recommend USE_DEFAULT_RT=Yes. This causes the main routing
>>> table to be traversed prior to the provider tables and avoids all of the
>>> copying nonsense altogether.
>> No, that is not an option for me and is precisely why I had to use 
>> "providers", though, unaware of the fact that blackhole routes can't 
>> be/won't be copied over.
>>
>> Besides, I have routes in my "providers" file, which "puncture" holes in 
>> the routes defined as blackhole, so even if I follow your advice above, 
>> that won't work - I need to copy the blackhole routes concerned, as well 
>> as those routes I am using in my "providers" file, together as a 
>> package, otherwise the whole thing won't work.
>>
>> Currently, with a bit of hacking and by defining things in "start", 
>> "started" and also using "postcompile" I can survive (for now!), but 
>> that isn't a solution.
>>
>>> I really don't want to put any effort into improving USE_DEFAULT_RT=No.
>>>   
>> At the end of the day, it is your call - I am just highlighting an 
>> issue. Whether you decide to address it or not is up to you, not me.
> 
> Please try the attached patch. I believe that it is creating the correct
> shell code but I don't have a convenient way to test it.

And here's one that allows adding blackhole routes via
/etc/shorewall/routes. Just specify 'blackhole' in the GATEWAY column
and leave the DEVICE column empty.

If the copy patch works okay, I'll include it in 4.5.14. The attached
one will not be released until 4.5.15 Beta 1.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
diff --git a/Shorewall/Perl/Shorewall/Providers.pm b/Shorewall/Perl/Shorewall/Providers.pm
index 3c59157..54788c2 100644
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -1104,7 +1104,11 @@ sub add_a_route( ) {
     fatal_error 'DEST must be specified' if $dest eq '-';
     $dest = validate_net ( $dest, 0 );
 
-    validate_address ( $gateway, 1 ) if $gateway ne '-';
+    if ( $gateway eq 'blackhole' ) {
+	fatal_error q('blackhole' routes may not specify a DEVICE) unless $device eq '-';
+    } else {
+	validate_address ( $gateway, 1 ) if $gateway ne '-';
+    }
 
     my $providerref = $providers{$provider};
     my $number = $providerref->{number};
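Review bot: the new 'blackhole' GATEWAY keyword is user-visible input accepted from /etc/shorewall/routes, yet the patch carries no documentation change; the routes file header comment and manpage should describe the keyword together with the rule enforced here that DEVICE must be empty. The comparison `$gateway eq 'blackhole'` is also case-sensitive, so an entry spelled 'Blackhole' falls through to `validate_address` and fails with a generic address error that does not point at the keyword; either compare case-insensitively or name the exact spelling in the error text.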
@@ -1117,6 +1121,9 @@ sub add_a_route( ) {
 	if ( $device ne '-' ) {
 	    push @$routes, qq(run_ip route add $dest via $gateway dev $physical table $number);
 	    emit qq(echo "qt \$IP -$family route del $dest via $gateway dev $physical table $number" >> \${VARDIR}/undo_${provider}_routing) if $number >= DEFAULT_TABLE;
+	} elsif ( $gateway eq 'blackhole' ) {
+	    push @$routes, qq(run_ip route add blackhole $dest table $number);
+	    emit qq(echo "\$IP -$family route del blackhole $dest table $number" >> \${VARDIR}/undo_${provider}_routing) if $number >= DEFAULT_TABLE;
 	} else {
 	    push @$routes, qq(run_ip route add $dest via $gateway table $number);
 	    emit qq(echo "\$IP -$family route del $dest via $gateway table $number" >> \${VARDIR}/undo_${provider}_routing) if $number >= DEFAULT_TABLE;
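Review bot: the undo command emitted in the new `elsif` branch (`\$IP -$family route del blackhole $dest table $number`) is not wrapped in `qt`, unlike the device branch above (`qt \$IP -$family route del $dest via $gateway dev $physical ...`), so if the blackhole route is already gone when the undo script runs, the deletion error is reported rather than silenced; it does match the plain-gateway `else` branch, so either both non-device branches should use `qt` or the difference should be confirmed as intentional. This branch is only correct because the first hunk rejects a DEVICE on blackhole entries; a short comment recording that dependency would stop a future reordering of the if/elsif chain from routing a blackhole entry through the device branch as `route add $dest via blackhole dev ...`.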


_______________________________________________
Shorewall-devel mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-devel