providers — Shorewall Providers file
/etc/shorewall/providers 
This file is used to define additional routing tables. You will want to define an additional table if:
You have connections to more than one ISP or multiple connections to the same ISP
You run Squid as a transparent proxy on a host other than the firewall.
You have other requirements for policy routing.
Each entry in the file defines a single routing table.
If you wish to omit a column entry but want to include an entry in the next column, use "-" for the omitted entry.
The columns in the file are as follows.
The provider name. Must be a valid shell variable name. The names 'local', 'main', 'default' and 'unspec' are reserved and may not be used as provider names.
The provider number -- a number between 1 and 15. Each provider must be assigned a unique value.
A FWMARK value used in your shorewall-mangle(5) file to direct packets to this provider.
If PROVIDER_OFFSET is non-zero in shorewall.conf(5), then the value must be a multiple of 2^^PROVIDER_OFFSET. In all cases, the number of significant bits may not exceed PROVIDER_OFFSET + PROVIDER_BITS.
The name of an existing table to duplicate to create this
          routing table. May be main or the name of a
          previously listed provider. You may select only certain entries from
          the table to copy by using the COPY column below. This column should
          contain a dash ("-') when USE_DEFAULT_RT=Yes in shorewall.conf(5).
The name of the network interface to the provider. Must be
          listed in shorewall-interfaces(5). In
          general, that interface should not have the
          proxyarp or proxyndp option
          specified unless loose is given in the OPTIONS
          column of this entry.
For IPv6, if the interface is an Ethernet device and an IP address is supplied, it should be the upstream router's link-level address, not its global address.
Where more than one provider is serviced through a single interface, the interface must be followed by a colon and the IP address of the interface that is supplied by the associated provider.
The IP address of the provider's gateway router. Beginning with Shorewall 4.6.2, you may also specify the MAC address of the gateway when there are multiple providers serviced through the same interface. When the MAC is not specified, Shorewall will detect the MAC during firewall start or restart.
You can enter detect here and Shorewall will attempt to detect the gateway automatically.
Beginning with Shorewall 5.0.6, you may also enter none. This causes creation of a routing table with no default route in it.
For PPP devices, you may omit this column.
A comma-separated list selected from the following. The order of the options is not significant but the list may contain no embedded white-space.
Added in Shorewall 4.5.17. Causes a host route to the provider's gateway router to be added to the provider's routing table. This is the default behavior unless overridden by a following noautosrc option.
If specified, inbound connections on this interface are to be tracked so that responses may be routed back out this same interface.
You want to specify track if internet
                hosts will be connecting to local servers through this
                provider.
Beginning with Shorewall 4.4.3, track
                defaults to the setting of the TRACK_PROVIDERS option in
                shorewall.conf (5).
                If you set TRACK_PROVIDERS=Yes and want to override that
                setting for an individual provider, then specify
                notrack (see below).
weight]The providers that have balance
                specified will get outbound traffic load-balanced among them.
                By default, all interfaces with balance
                specified will have the same weight (1). You can change the
                weight of an interface by specifying
                balance=weight
                where weight is the weight of the
                route out of this interface.
Prior to Shorewall 5.1.1, when USE_DEFAULT_RT=Yes,
                balance=1 is assumed unless the
                fallback, loose,
                load or tproxy option is
                specified. Beginning with Shorewall 5.1.1, when
                BALANCE_PROVIDERS=Yes, balance=1 is assumed
                unless the fallback, loose,
                load or tproxy option is
                specified.I
In IPV6, the balance option does not
                  cause balanced default routes to be created; it rather
                  causes a sequence of default routes with different metrics
                  to be created.
Shorewall normally adds a routing rule for each IP
                address on an interface which forces traffic whose source is
                that IP address to be sent using the routing table for that
                interface. Setting loose prevents creation of
                such rules on this interface.
probabilityAdded in Shorewall 4.6.0. This option provides an
                alternative method of load balancing based on probabilities.
                Providers to be balanced are given a
                probability (a number 0 > n
                >= 1) with up to 8 digits to the right of the decimal
                point. Beginning with Shorewall 4.6.10, a warning is issued if
                the sum of the probabilities is not 1.00000000.
Added in Shorewall 4.5.17. Prevents the addition of a host route to the provider's gateway router from being added to the provider's routing table. This option must be used with caution as it can cause start and restart failures.
Added in Shorewall 4.4.3. When specified, turns off
                track.
If the interface named in the INTERFACE column is not up
                and configured with an IPv4 address then ignore this provider.
                If not specified, the value of the optional
                option for the INTERFACE in shorewall-interfaces(5)
                is assumed. Use of that option is preferred to this one,
                unless an address is provider in
                the INTERFACE column.
Added in Shorewall 4.6.6, primary is equivalent to balance=1 and is preferred when the remaining providers specify fallback or tproxy.
source-addressSpecifies the source address to use when routing to this
                provider and none is known (the local client has bound to the
                0 address). May not be specified when an
                address is given in the INTERFACE
                column. If this option is not used, Shorewall substitutes the
                primary IP address on the interface named in the INTERFACE
                column.
numberSpecifies the MTU when forwarding through this provider. If not given, the MTU of the interface named in the INTERFACE column is assumed.
weight]Indicates that a default route through the provider
                should be added to the default routing table (table 253). If a
                weight is given, a balanced route
                is added with the weight of this provider equal to the
                specified weight. If the option is
                given without a weight, a separate
                default route is added through the provider's gateway; the
                route has a metric equal to the provider's NUMBER.
Prior to Shorewall 4.4.24, the option is ignored with a
                warning message if USE_DEFAULT_RT=Yes in
                shorewall.conf.
In IPV6, specifying the fallback
                  option on multiple providers does not cause balanced
                  fallback routes to be created; it rather causes a sequence
                  of fallback routes with different metrics to be
                  created.
Added in Shorewall 4.5.4. Used for supporting the TPROXY
                action in shorewall-mangle(5). See https://shorewall.org/Shorewall_Squid_Usage.html.
                When specified, the MARK, DUPLICATE and GATEWAY columns should
                be empty, INTERFACE should be set to 'lo' and
                tproxy should be the only OPTION. Only one
                tproxy provider is allowed.
Added in Shorewall 4.5.21. This is the default behavior that results in a host route to the defined GATEWAY being inserted into the main routing table and into the provider's routing table. hostroute is required for older distributions but nohostroute (below) is appropriate for recent distributions. hostroute may interfere with Zebra's ability to add routes on some distributions such as Debian 7. This option defaults to on when BALANCE_PROVIDERS=Yes, in shorewall.conf(5).
Added in Shorewall 4.5.21. nohostroute inhibits addition of a host route to the defined GATEWAY being inserted into the main routing table and into the provider's routing table. nohostroute is not appropriate for older distributions but is appropriate for recent distributions. nohostroute allows Zebra's to correctly add routes on some distributions such as Debian 7. This option defaults to off when BALANCE_PROVIDERS=Yes, in shorewall.conf(5).
Added in Shorewall 5.0.2 and alters the behavior of the disable command:
The provider's routing table still contains the apprioriate default route.
Unless the noautosrc option is
                    specified, routing rules are generated to route traffic
                    from the interfaces address(es) out of the provider's
                    routing table.
Persistent routing rules in shorewall-rtrules(5) are present.
The generated script will attempt to reenable a
                  disabled persistent provider during execution of the
                  start, restart and
                  reload commands. When
                  persistent is not specified, only the
                  enable and reenable
                  commands can reenable the provider.
RESTORE_DEFAULT_ROUTE=Yes in shorewall[6].conf is not
                  recommended when the persistent option is
                  used, as restoring default routes to the main routing table
                  can prevent link status monitors such as foolsm from
                  correctly detecting non-working providers.
none|interface[,interface]...}]A comma-separated list of other interfaces on your firewall.
          Wildcards specified using an asterisk ("*") are permitted (e.g.,
          tun* ). Usually used only when DUPLICATE is main.
          Only copy routes through INTERFACE and through interfaces listed
          here. If you only wish to copy routes through INTERFACE, enter
          none in this column.
Beginning with Shorewall 4.5.17, blackhole, unreachable and prohibit routes are no longer copied by default but may be copied by including blackhole,unreachable and prohibit respectively in the COPY list.
You run squid in your DMZ on IP address 192.168.2.99. Your DMZ interface is eth2
        #NAME   NUMBER  MARK DUPLICATE  INTERFACE GATEWAY       OPTIONS
        Squid   1       1    -          eth2      192.168.2.99  -eth0 connects to ISP 1. The IP address of eth0 is 206.124.146.176 and the ISP's gateway router has IP address 206.124.146.254.
eth1 connects to ISP 2. The IP address of eth1 is 130.252.99.27 and the ISP's gateway router has IP address 130.252.99.254.
eth2 connects to a local network.
        #NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY          OPTIONS            COPY
        ISP1  1       1    main      eth0      206.124.146.254 track,balance      eth2
        ISP2  2       2    main      eth1      130.252.99.254  track,balance      eth2You run squid in your DMZ on IP address 2002:ce7c:92b4:1::2. Your DMZ interface is eth2
        #NAME   NUMBER  MARK DUPLICATE  INTERFACE GATEWAY              OPTIONS
        Squid   1       1    -          eth2      2002:ce7c:92b4:1::2  -eth0 connects to ISP 1. The ISP's gateway router has IP address 2001:ce7c:92b4:1::2.
eth1 connects to ISP 2. The ISP's gateway router has IP address 2001:d64c:83c9:12::8b.
eth2 connects to a local network.
        #NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY               OPTIONS    COPY
        ISP1  1       1    main      eth0     2001:ce7c:92b4:1::2   track      eth2
        ISP2  2       2    main      eth1     2001:d64c:83c9:12::8b track      eth2