Feature #2740
Firewall: rules to divert traffic via specific provider
Status: | CLOSED | Start date: |
---|---|---|---
Priority: | Normal | Due date: |
Assignee: | - | % Done: | 100%
Category: | nethserver-firewall-base | |
Target version: | v6.5 | |
Resolution: | | NEEDINFO: | No
Description
In a multi-ISP scenario it is a common need to route certain traffic through a specific provider.
The firewall should be able to manage mangle rules. A rule inside the tc database can look like this:
1=rule Src=host;myhost Dst=0.0.0.0/0 Service=service;ssh Provider=provider;myadsl status=enabled Description=
Where:
- key: numeric id
- Src: can be a host, an IP or CIDR
- Dst: can be a host, an IP or CIDR
- Provider: provider name to use for this kind of traffic
- Service: (optional) can be a service object
- status: can be enabled or disabled. Default is enabled
- Description: (optional)
Related issues
Associated revisions
Firewall.pm, template: route traffic via specific provider. Refs #2740
tcrules: add zones support. Refs #2740
History
#1 Updated by Giacomo Sanchietti over 7 years ago
- Status changed from NEW to TRIAGED
- % Done changed from 0 to 20
#2 Updated by Giacomo Sanchietti over 7 years ago
- Status changed from TRIAGED to ON_DEV
- Assignee set to Giacomo Sanchietti
- % Done changed from 20 to 30
#3 Updated by Giacomo Sanchietti over 7 years ago
- Description updated (diff)
#4 Updated by Giacomo Sanchietti over 7 years ago
- Assignee deleted (Giacomo Sanchietti)
Template-only implementation on branch 2705.
#5 Updated by Giacomo Sanchietti about 7 years ago
- Status changed from ON_DEV to MODIFIED
- % Done changed from 30 to 60
#6 Updated by Giacomo Sanchietti about 7 years ago
- Status changed from MODIFIED to ON_QA
- % Done changed from 60 to 70
Packages in nethserver-testing:
- nethserver-firewall-base-1.1.0-66.0git67ac1559.ns6.noarch.rpm
- nethserver-lsm-0.0.3-7.0gitd4a46e58.ns6.noarch.rpm
- nethserver-squid-1.1.1-3.0git37fbdd7c.ns6.noarch.rpm (already in testing)
- nethserver-snort-0.0.1-5.0git32850266.ns6.noarch.rpm
- nethserver-base-2.2.1-57.0git27156ae2.ns6.noarch.rpm
- nethserver-nethgui-1.5.0-22.0git051080ae.ns6.noarch.rpm
#7 Updated by Giacomo Sanchietti about 7 years ago
- Related to Feature #2809: Firewall: web interface for policy routing added
#8 Updated by Giacomo Sanchietti about 7 years ago
Test case
- Configure two providers
- Create a rule to divert the traffic on a custom port to a specific provider
- Verify that a rule is created inside the /etc/shorewall/tcrules file
- Get the third field of /etc/shorewall/providers for the selected provider, then check that the value (something like 0x10000) matches the first field of the generated rules in /etc/shorewall/tcrules
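The last verification step above, scripted as a check that can be run against the two Shorewall files. This is an added example, not code from the issue or from nethserver-firewall-base; the providers and tcrules contents are constructed samples, the provider names and marks are assumptions, and `check_rule` is an assumed helper that relies on the rule Description being emitted as the ?COMMENT line in front of each generated rule.

```shell
#!/bin/sh
# Constructed sample of /etc/shorewall/providers; the third field is the provider MARK.
PROVIDERS_SAMPLE='#NAME   NUMBER MARK    DUPLICATE INTERFACE GATEWAY       OPTIONS
myadsl  1      0x10000 main      eth1      192.0.2.1     track,balance=1
fweb    2      0x20000 main      eth2      198.51.100.1  track,balance=1'

# Constructed sample of /etc/shorewall/tcrules in the shape the template generates:
# each rule line is preceded by a ?COMMENT line carrying the rule Description.
TCRULES_SAMPLE='?COMMENT Force Nagios over fweb
0x20000:P 192.168.5.0/24 0.0.0.0/0 udp 5666
?COMMENT Force Nagios over fweb
0x20000:P 192.168.5.0/24 0.0.0.0/0 tcp 5666
?COMMENT Force SSH over myadsl
0x10000:P 192.168.5.0/24 0.0.0.0/0 tcp 22'

# provider_mark NAME: print the MARK (third field) of provider NAME, reading providers on stdin.
provider_mark() {
    awk -v name="$1" '$1 !~ /^#/ && $1 == name { print $3; exit }'
}

# rule_marks DESCRIPTION: print the mark (first field, ":P" suffix stripped) of every rule
# line that directly follows a "?COMMENT DESCRIPTION" line, reading tcrules on stdin.
rule_marks() {
    awk -v desc="$1" '
        /^[?]COMMENT / { want = (substr($0, 10) == desc); next }
        want && NF > 0 { sub(/:.*/, "", $1); print $1; want = 0 }'
}

# check_rule PROVIDER DESCRIPTION (assumed helper): succeed only if the provider exists,
# at least one rule was generated for DESCRIPTION, and every such rule uses the provider's mark.
check_rule() {
    mark=$(printf '%s\n' "$PROVIDERS_SAMPLE" | provider_mark "$1")
    [ -n "$mark" ] || return 1
    found=0
    for m in $(printf '%s\n' "$TCRULES_SAMPLE" | rule_marks "$2"); do
        found=1
        [ "$m" = "$mark" ] || return 1
    done
    [ "$found" -eq 1 ]
}

check_rule fweb   "Force Nagios over fweb" && echo "OK: Nagios rules carry the fweb mark"
check_rule myadsl "Force Nagios over fweb" || echo "MISMATCH: Nagios rules do not carry the myadsl mark"
```

On a real system, replace the two sample variables with the contents of the files under /etc/shorewall; a rule whose mark differs from its provider's mark would be routed through the wrong ISP without any error being reported.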
#9 Updated by Filippo Carletti about 7 years ago
- Status changed from ON_QA to VERIFIED
- % Done changed from 70 to 90
# db tc show 5
5=rule Description=Force Nagios over fweb Dst=0.0.0.0/0 Position=5 Provider=provider;fweb Service=5666 Src=192.168.5.0/24 status=enabled
# grep -A 1 Nagios /etc/shorewall/tcrules
?COMMENT Force Nagios over fweb
0x10000:P 192.168.5.0/24 0.0.0.0/0 udp 5666
--
?COMMENT Force Nagios over fweb
0x10000:P 192.168.5.0/24 0.0.0.0/0 tcp 5666
#10 Updated by Davide Principi almost 7 years ago
- Status changed from VERIFIED to CLOSED
- % Done changed from 90 to 100
In nethserver-updates:
nethserver-firewall-base-2.0.0-1.ns6.noarch.rpm