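#!/bin/sh
#
# ifrt implements simple route-table into /etc/network/interfaces
#
# Version: $Id: ifrt,v 1.107 2012/10/26 01:53:58 $
#
## This program is free software; you can redistribute it and/or modify
## it under the terms of the GNU General Public License as published by
## the Free Software Foundation; either version 2 of the License, or
## (at your option) any later version.
##
## This program is distributed in the hope that it will be useful,
## but WITHOUT ANY WARRANTY; without even the implied warranty of
## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
## GNU General Public License for more details.
##
## You should have received a copy of the GNU General Public License
## along with this program; if not, write to the Free Software
## Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
##
## Copyright 2012 Helios le Guillou de Creisquer
#
# ifupdown hook: runs once per interface with MODE=start (if-up) or
# MODE=stop (if-down).  ifupdown exports the per-interface options of
# /etc/network/interfaces as IF_<OPTION> (upper-cased, '-' -> '_'):
#
#   rt              IF_RT              routing-table id that acts as the "VRF"
#   rt-gw           IF_RT_GW           default gateway inside that table
#   rt-fwmark       IF_RT_FWMARK       firewall mark(s) whose packets use the table
#   rt-oa           IF_RT_OA           extra source addresses routed via the table
#   rt-importglobal IF_RT_IMPORTGLOBAL when non-empty, copy the main table into it
#
# IFACE, IF_ADDRESS and MODE are also provided by ifupdown.  The hook is a
# no-op unless both rt and rt-gw are set.
#
# NOTE(review): 'ip rule show' and 'iptables -L' print marks in hex (0x..),
# so the presence checks below only match when rt-fwmark is written in the
# same form; confirm against the installed iproute2/iptables before relying
# on a decimal mark.

[ -z "$IF_RT" ] && exit 0
[ -z "$IF_RT_GW" ] && exit 0

RT_TABLES=/etc/iproute2/rt_tables

#######################################
# True when $RT_TABLES already maps table $IF_RT to the name $IFACE.
# [[:blank:]]+ accepts both the tab written by ifrt_start and a
# hand-edited space; the entry is anchored so that a commented-out or
# longer id (e.g. 100 vs 1000) is not taken as a match.
# Globals:  IF_RT, IFACE, RT_TABLES (read)
# Returns:  0 if registered, non-zero otherwise
#######################################
table_registered() {
  grep -qE "^$IF_RT[[:blank:]]+$IFACE([[:blank:]]|\$)" "$RT_TABLES"
}

#######################################
# Drop the $IF_RT -> $IFACE entry from $RT_TABLES (rewrite via a temp file
# in the same directory, then rename).  Nothing to do if the file is missing.
# Globals:  IF_RT, IFACE, RT_TABLES (read); RT_TABLES (rewritten)
#######################################
table_unregister() {
  [ -r "$RT_TABLES" ] || return 0
  tmp="$RT_TABLES.tmp"
  grep -vE "^$IF_RT[[:blank:]]+$IFACE([[:blank:]]|\$)" "$RT_TABLES" > "$tmp"
  mv -- "$tmp" "$RT_TABLES"
}

#######################################
# True when table $IF_RT already carries a default route via $IF_RT_GW.
# The trailing "( |$)" stops 10.0.0.1 from matching 10.0.0.10.
# Globals:  IF_RT, IF_RT_GW (read)
#######################################
has_default_route() {
  ip route show table "$IF_RT" | grep -qEi "default via $IF_RT_GW"'( |$)'
}

#######################################
# True when 'ip rule show' lists the given rule text (fixed-string match,
# so dots in addresses are literal).
# Arguments: $1 - rule text without the priority prefix,
#                 e.g. "from all fwmark 0x1 lookup eth0"
#######################################
rule_present() {
  ip rule show | grep -qFi -- "$1"
}

#######################################
# True when the mangle table already has the CONNMARK set rule for new
# connections arriving on $IFACE/$IF_ADDRESS with the given mark.
# Arguments: $1 - fwmark
# Globals:   IFACE, IF_ADDRESS (read)
#######################################
connmark_set_present() {
  iptables -L -nv -t mangle \
    | grep -q "CONNMARK.*$IFACE.*$IF_ADDRESS.*state NEW CONNMARK set.*$1"
}

#######################################
# True when the shared "-i eth+ -j CONNMARK --restore-mark" rule exists.
# ('+' is literal in a basic regex, matching the eth+ wildcard as printed.)
#######################################
connmark_restore_present() {
  iptables -L -nv -t mangle | grep -q 'CONNMARK.*eth+.*CONNMARK restore'
}

#######################################
# Copy every route of the main table into table $IF_RT.  Each route line is
# handed to 'ip route add' as arguments (deliberately unquoted so it
# word-splits) instead of being piped through 'sh', so no route text is
# ever interpreted by a shell.  Routes that already exist or cannot be
# copied are reported but do not abort the hook (best-effort, as before).
# Globals:  IF_RT (read)
#######################################
import_global_routes() {
  ip route show | while IFS= read -r route; do
    [ -n "$route" ] || continue
    # shellcheck disable=SC2086 — splitting $route into arguments is intended
    ip route add $route table "$IF_RT" 2>&1 || true
  done
}

#######################################
# if-up: register the table, its default route, the fwmark/source rules and
# the CONNMARK rules; optionally import the main table.
# Globals:  IF_RT, IF_RT_GW, IF_RT_FWMARK, IF_RT_OA, IF_RT_IMPORTGLOBAL,
#           IFACE, IF_ADDRESS, RT_TABLES (read)
#######################################
ifrt_start() {
  # Creates the VRF if not present in /etc/iproute2/rt_tables
  table_registered || printf '%s\t%s\n' "$IF_RT" "$IFACE" >> "$RT_TABLES"

  # Add the default route (rt-gw) in the VRF if not present
  has_default_route || ip route add default via "$IF_RT_GW" table "$IF_RT"

  # Creates a rule to ensure that packets marked with rt-fwmark are routed accordingly
  # shellcheck disable=SC2086 — rt-fwmark is a space-separated list
  for fwmark in $IF_RT_FWMARK; do
    rule_present "from all fwmark $fwmark lookup $IFACE" \
      || ip rule add from all fwmark "$fwmark" lookup "$IFACE"

    # Ensure that the mangle table correctly marks new connections incoming on
    # the interface.  The mark is the loop variable (one rule per mark), not
    # the whole list, and an interface without IF_ADDRESS cannot get a '-d'
    # match, so it is skipped with a warning instead of a failing iptables call.
    if [ -n "$IF_ADDRESS" ]; then
      connmark_set_present "$fwmark" \
        || iptables -t mangle -A PREROUTING -i "$IFACE" -d "$IF_ADDRESS" \
             -m state --state NEW -j CONNMARK --set-mark "$fwmark"
    else
      printf 'ifrt: %s: IF_ADDRESS unset, skipping CONNMARK set rule for fwmark %s\n' \
        "$IFACE" "$fwmark" >&2
    fi

    # Ensure that the mangle table correctly restores the mark for packets from
    # existing connections (eth+ wildcard; never removed by ifrt_stop, presumably
    # because every interface shares it).
    connmark_restore_present \
      || iptables -t mangle -A PREROUTING -i eth+ -j CONNMARK --restore-mark
  done

  # for each address listed as rt-oa on the interface, add a rule to say that
  # this source IP should be routed on the correct VRF.
  # shellcheck disable=SC2086 — rt-oa is a space-separated list
  for addr in $IF_ADDRESS $IF_RT_OA; do
    rule_present "from $addr lookup $IFACE" \
      || ip rule add from "$addr" table "$IF_RT"
  done

  # Imports global route table into VRF table ('if' keeps the exit status 0
  # when the option is unset; a bare '&&' would make ifup report a failure)
  if [ -n "$IF_RT_IMPORTGLOBAL" ]; then
    import_global_routes
  fi
}

#######################################
# if-down: undo ifrt_start (except the shared restore-mark rule).
# Globals:  IF_RT, IF_RT_GW, IF_RT_FWMARK, IF_RT_OA, IFACE, IF_ADDRESS,
#           RT_TABLES (read); RT_TABLES (rewritten)
#######################################
ifrt_stop() {
  # shellcheck disable=SC2086 — rt-oa is a space-separated list
  for addr in $IF_ADDRESS $IF_RT_OA; do
    rule_present "from $addr lookup $IFACE" \
      && ip rule del from "$addr" lookup "$IFACE"
  done

  # shellcheck disable=SC2086 — rt-fwmark is a space-separated list
  for fwmark in $IF_RT_FWMARK; do
    # '&&': delete only when the rule is present (the other checks in this
    # branch already do so; the fwmark one used '||' and never deleted it).
    rule_present "from all fwmark $fwmark lookup $IFACE" \
      && ip rule del from all fwmark "$fwmark" lookup "$IFACE"
    if [ -n "$IF_ADDRESS" ] && connmark_set_present "$fwmark"; then
      iptables -t mangle -D PREROUTING -i "$IFACE" -d "$IF_ADDRESS" \
        -m state --state NEW -j CONNMARK --set-mark "$fwmark"
    fi
  done

  has_default_route && ip route del default via "$IF_RT_GW" table "$IF_RT"

  table_unregister
}

case "$MODE" in
  start) ifrt_start ;;
  stop) ifrt_stop ;;
esac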