This will be the final 2.3 release. It makes available multiple-ISP
support. There is one external change to the version that has been in
CVS for the last couple of days -- the 'default' provider option has
been named 'balance' to better describe what the option does (load
balancing).

Please see http://shorewall.net/Shorewall_and_Routing.html for more
information on the features in this release.
New Features in version 2.3.2

1) Shorewall 2.3.2 includes support for multiple internet interfaces to
   different ISPs.

   The file /etc/shorewall/providers may be used to define the
   different providers. It can actually be used to define alternate
   routing tables so uses like transparent proxy can use the file as
   well.

   Columns are:

   NAME        The provider name.

   NUMBER      The provider number -- a number between 1 and 15.

   MARK        A FWMARK value used in your /etc/shorewall/tcrules file
               to direct packets to this provider.

   DUPLICATE   The name of an existing table to duplicate. May be
               'main' or the name of a previous provider.

   INTERFACE   The name of the network interface to the provider. Must
               be listed in /etc/shorewall/interfaces.

   GATEWAY     The IP address of the provider's gateway router.

   OPTIONS     A comma-separated list selected from the following:

               track    If specified, connections FROM this interface
                        are to be tracked so that responses may be
                        routed back out this same interface.

                        You want to specify 'track' if internet hosts
                        will be connecting to local servers through
                        this provider.

                        Because of limitations in the 'ip' utility and
                        policy routing, you may not use the SAVE or
                        RESTORE tcrules options or use connection
                        marking on any traffic to or from this
                        interface. For traffic control purposes, you
                        must mark packets in the FORWARD chain (or
                        better yet, use the CLASSIFY target).

               balance  The providers that have 'balance' specified
                        will get outbound traffic load-balanced among
                        them.

   Example: You run squid in your DMZ on IP address 192.168.2.99. Your
   DMZ interface is eth2.

   #NAME   NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY       OPTIONS
   Squid   1       1     -          eth2       192.168.2.99  -

   Use of this feature requires that your kernel and iptables support
   the CONNTRACK target and conntrack match as well as extended MARK
   support. It does NOT require the ROUTE target extension.
2) Shorewall 2.3.2 can now configure routing if your kernel and
   iptables support the ROUTE target extension. This extension is
   available in Patch-O-Matic-ng. This feature is *EXPERIMENTAL* since
   the Netfilter team have no intention of ever releasing the ROUTE
   target extension to kernel.org.

   Routing is configured using the /etc/shorewall/routes file. Columns
   in the file are as follows:

   SOURCE          Source of the packet. May be any of the following:

                   - A host or network address
                   - A network interface name
                   - The name of an ipset prefaced with "+"
                   - $FW (for packets originating on the firewall)
                   - A MAC address in Shorewall format
                   - A range of IP addresses (assuming that your
                     kernel and iptables support range match)
                   - A network interface name followed by ":" and an
                     address or address range

   DEST            Destination of the packet. May be any of the
                   following:

                   - A host or network address
                   - A network interface name (determined from
                     routing table(s))
                   - The name of an ipset prefaced with "+"
                   - A network interface name followed by ":" and an
                     address or address range

   PROTO           Protocol - Must be "tcp", "udp", "icmp", "ipp2p",
                   a number, or "all". "ipp2p" requires ipp2p match
                   support in your kernel and iptables.

   PORT(S)         Destination Ports. A comma-separated list of port
                   names (from /etc/services), port numbers or port
                   ranges; if the protocol is "icmp", this column is
                   interpreted as the destination icmp-type(s).

                   If the protocol is ipp2p, this column is
                   interpreted as an ipp2p option without the leading
                   "--" (example "bit" for bit-torrent). If no PORT is
                   given, "ipp2p" is assumed.

                   This column is ignored if PROTOCOL = all but must
                   be entered if any of the following fields is
                   supplied. In that case, it is suggested that this
                   field contain "-".

   SOURCE PORT(S)  (Optional) Source port(s). If omitted, any source
                   port is acceptable. Specified as a comma-separated
                   list of port names, port numbers or port ranges.

   TEST            Defines a test on the existing packet or connection
                   mark. The rule will match only if the test returns
                   true. Tests have the format

                       [!]<value>[/<mask>][:C]

                   where:

                   !        Inverts the test (not equal)
                   <value>  Value of the packet or connection mark.
                   <mask>   A mask to be applied to the mark before
                            testing.
                   :C       Designates a connection mark. If omitted,
                            the packet mark's value is tested.

   INTERFACE       The interface that the packet is to be routed out
                   of. If you do not specify this field then you must
                   place "-" in this column and enter an IP address in
                   the GATEWAY column.

   GATEWAY         The gateway that the packet is to be forwarded
                   through.
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
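The two column layouts in the announcement, as an added example that is not part of Tom's message or of Shorewall's own code: a small Python checker that parses a providers file the way the release note describes it (NUMBER between 1 and 15, DUPLICATE either 'main' or a previously defined provider, INTERFACE taken from the interfaces file, OPTIONS limited to track/balance) and evaluates the routes TEST expression [!]<value>[/<mask>][:C] against a packet or connection mark. The ISP1/ISP2 lines, the interface names and the 198.51.100.1 / 203.0.113.1 gateway addresses are constructed for the example; the Squid line is the one from the announcement, renumbered to sit beside the two ISPs. The assumption that provider names are unique is the example's own, not something the announcement states.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample (not a real site's configuration): two ISPs that share
# outbound load and track inbound connections, plus the transparent-proxy
# (squid) table from the release note, renumbered to 3.
SAMPLE_PROVIDERS = """\
#NAME   NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY        OPTIONS
ISP1    1       1     main       eth0       198.51.100.1   track,balance
ISP2    2       2     main       eth1       203.0.113.1    track,balance
Squid   3       3     -          eth2       192.168.2.99   -
"""

VALID_OPTIONS = {"track", "balance"}


@dataclass
class Provider:
    name: str
    number: int
    mark: int
    duplicate: str
    interface: str
    gateway: str
    options: frozenset


def parse_providers(text, known_interfaces):
    """Parse a providers file, enforcing the constraints the release note states.

    known_interfaces: the names listed in /etc/shorewall/interfaces; INTERFACE
    must be one of them. Raises ValueError naming the offending line.
    """
    providers, names = [], set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        cols = line.split()
        if len(cols) != 7:
            raise ValueError(f"line {lineno}: expected 7 columns, got {len(cols)}")
        name, number, mark, duplicate, interface, gateway, options = cols
        if name in names:  # assumption: names are unique, else DUPLICATE is ambiguous
            raise ValueError(f"line {lineno}: duplicate provider name {name}")
        number = int(number)
        if not 1 <= number <= 15:                      # NUMBER: "a number between 1 and 15"
            raise ValueError(f"line {lineno}: NUMBER {number} not in 1..15")
        mark = int(mark, 0)                            # FWMARK value, decimal or 0x hex
        if duplicate not in ("-", "main") and duplicate not in names:
            raise ValueError(f"line {lineno}: DUPLICATE must be 'main' or a previous provider")
        if interface not in known_interfaces:
            raise ValueError(f"line {lineno}: INTERFACE {interface} not in interfaces file")
        ipaddress.IPv4Address(gateway)                 # raises ValueError on a malformed address
        opts = frozenset() if options == "-" else frozenset(options.split(","))
        unknown = opts - VALID_OPTIONS
        if unknown:
            raise ValueError(f"line {lineno}: unknown OPTIONS {sorted(unknown)}")
        providers.append(Provider(name, number, mark, duplicate, interface, gateway, opts))
        names.add(name)
    return providers


def validation_error(text, known_interfaces):
    """Return the first validation message for text, or None if it parses cleanly."""
    try:
        parse_providers(text, known_interfaces)
    except ValueError as exc:
        return str(exc)
    return None


def balanced(providers):
    """Names of the providers that share outbound load (the 'balance' option)."""
    return [p.name for p in providers if "balance" in p.options]


# TEST column of /etc/shorewall/routes: [!]<value>[/<mask>][:C]
MARK_TEST_RE = re.compile(r"^(!?)(0x[0-9a-fA-F]+|\d+)(?:/(0x[0-9a-fA-F]+|\d+))?(:C)?$")


def parse_mark_test(test):
    """Split a TEST expression into (negate, value, mask or None, use_connmark)."""
    m = MARK_TEST_RE.match(test)
    if not m:
        raise ValueError(f"malformed TEST {test!r}")
    bang, value, mask, conn = m.groups()
    return bang == "!", int(value, 0), (int(mask, 0) if mask else None), conn is not None


def mark_test_matches(test, packet_mark, conn_mark):
    """Evaluate a TEST as the route rule would: pick the mark, mask it, compare."""
    negate, value, mask, use_conn = parse_mark_test(test)
    mark = conn_mark if use_conn else packet_mark
    if mask is not None:
        mark &= mask
    return (mark == value) != negate


if __name__ == "__main__":
    for p in parse_providers(SAMPLE_PROVIDERS, {"eth0", "eth1", "eth2"}):
        print(p)
    print("balanced:", balanced(parse_providers(SAMPLE_PROVIDERS, {"eth0", "eth1", "eth2"})))
```

The mask is applied before the comparison, so a TEST of "1/0xff" matches a packet whose mark is 0x101, and ":C" switches the comparison from the packet mark to the connection mark. The checker deliberately rejects the old 'default' option name, since this release renamed it to 'balance'.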

Tom,

As sorry as I am to see you leave, you are totally my hero for putting
this into a release before you leave! You, the man!

Brooke

Tom Eastep wrote:
> This will be the final 2.3 release. It makes available multiple-ISP
> support. There is one external change to the version that has been in
> CVS for the last couple of days -- the 'default' provider option has
> been named 'balance' to better describe what the option does (load
> balancing).
>
> Please see http://shorewall.net/Shorewall_and_Routing.html for more
> information on the features in this release.
> [...]