On 03/25/2013 07:41 PM, Mr Dash Four wrote:
>
>> Here's the patch extracted from that web page.
>>
>> Also attached is a patch that cleans up a few more cases of table
>> numbers/names and 'route replace'.
>>
> Hmm, I found a few annoying bits (following last) and one problem for
> which I can't figure out the cause (and I've been banging my head for
> the past hour). Here it is:
>
> providers
> ~~~~~~~
> dmz 2 - main eth0 <gw_address> - none
>
> This produces, among other things, the following set of statements:
>
> start_provider_dmz() {
> [...]
> run_ip route replace <gw_address> src $SW_ETH0_ADDRESS dev eth0
> run_ip route add <gw_address> src $SW_ETH0_ADDRESS dev eth0 table dmz
> run_ip route add default via <gw_address> src $SW_ETH0_ADDRESS dev eth0 table dmz
>
> Now, during "start" (I tried "reload" first though) I get this message:
>
> Mar 26 01:53:59 test1 shorewall[13102]: Adding Providers...
> Mar 26 01:53:59 test1 shorewall[13102]: RTNETLINK answers: File exists
> Mar 26 01:53:59 test1 shorewall[13102]: ERROR: Command "ip -4 route add <gw_address> src <eth0_address> dev eth0 table dmz" Failed
> Mar 26 01:53:59 test1 root: ERROR:Shorewall restart failed
>
> I may be mistaken, but from the above 3 statements the last two are
> identical I think,
No. The 2nd adds a host route to the gateway while the 3rd adds a default route via that gateway.

> yet I get the error message from ip about the second, not the 3rd
> statement. What is more puzzling is that when I attempt to execute
> that statement from the command line, it succeeds.

The problem here is that you have USE_DEFAULT_RT=No and copy routes from the main table to the provider table. The main table had that route and it has been copied into the 'dmz' table. That was a bug in the CLEANUP.patch I sent. The attached DUPLICATE.patch should eliminate the problem.

> OK, now for the leftovers...in a few places table numbers are still
> appearing instead of names:
>
> start_provider_dmz() {
> [...]
>     $IP -4 -o route show table main | while read net route; do
>         case $net in
>             default)
>                 ;;
>             blackhole)
> =>              run_ip route add table 2 blackhole $route
>                 ;;
>             *)
>                 case $(find_device $route) in
>                     eth0)
>                         case $net in
>                             255.255.255.255*)
>                                 ;;
>                             *)
> =>                              run_ip route add table 2 $net $route
>                                 ;;
>                         esac
>                         ;;
>                 esac
>                 ;;
>         esac
>     done
>
> Also, when I have NULL_ROUTE_RFC1918=Yes, I get "run_ip route replace
> ..." statements. Is that how it is supposed to be (with "replace")?

Yes, I think I want to leave it that way in case the user is actually routing an entire RFC1918 network in the main table.
> When I have statements of the sort of:
>
> routes
> ~~~~
> main 10.0.0.0/8 blackhole
> main 172.16.0.0/12 blackhole
> main 192.168.0.0/16 blackhole
>
> That seems to be translated to:
>
> run_ip route add blackhole 10.0.0.0/8 table 254
> echo "$IP -4 route del blackhole 10.0.0.0/8 table 254 > /dev/null 2>&1" >> ${VARDIR}/undo_main_routing
> run_ip route add blackhole 172.16.0.0/12 table 254
> echo "$IP -4 route del blackhole 172.16.0.0/12 table 254 > /dev/null 2>&1" >> ${VARDIR}/undo_main_routing
> run_ip route add blackhole 192.168.0.0/16 table 254
> echo "$IP -4 route del blackhole 192.168.0.0/16 table 254 > /dev/null 2>&1" >> ${VARDIR}/undo_main_routing
>
> (note table numbers instead of names).

BUILTINTABLES.patch corrects this problem.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
diff --git a/Shorewall/Perl/Shorewall/Providers.pm b/Shorewall/Perl/Shorewall/Providers.pm index f90e873..f8af385 100644 --- a/Shorewall/Perl/Shorewall/Providers.pm +++ b/Shorewall/Perl/Shorewall/Providers.pm @@ -378,7 +378,6 @@ sub start_provider( $$$$$ ) { emit $test; push_indent; - if ( $number ) { emit "qt ip -$family route flush table $id"; emit "echo \"\$IP -$family route flush table $id > /dev/null 2>&1\" > \${VARDIR}/undo_${table}_routing"; @@ -810,7 +809,7 @@ CEOF emit ''; if ( $gateway ) { if ( $family == F_IPV4 ) { - emit qq(run_ip route add $gateway/32 dev $physical table $id); + emit qq(run_ip route replace $gateway/32 dev $physical table $id); emit qq(run_ip route add default via $gateway src $address dev $physical table $id metric $number); } else { emit qq(qt \$IP -6 route del default via $gateway src $address dev $physical table $id metric $number);
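Review bot: in the `@@ -378,7 +378,6 @@` hunk, removing `if ( $number ) {` leaves the two `emit` lines that were its body in place, but the block's closing brace (or `} else {`) lies past the trailing context and no companion hunk removes it, so as shown the patch leaves an unbalanced brace in start_provider(); include the hunk that drops the matching `}` and reindent the remaining emits to match.

Review bot: in the `@@ -810,7 +809,7 @@` hunk, switching the IPv4 gateway host route from `route add` to `route replace` makes the statement idempotent when the main table already carried that route and copy_and_edit_table() copied it into the provider table (the `RTNETLINK answers: File exists` failure in the report), but the IPv6 branch immediately below still opens with `qt $IP -6 route del default via $gateway ...` instead of a replace; consider aligning both families, and note that `replace` will also silently overwrite a differently specified route to the gateway that an administrator placed in that table by hand, which `add` would have reported.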
diff --git a/Shorewall/Perl/Shorewall/Providers.pm b/Shorewall/Perl/Shorewall/Providers.pm index c474f0d..36cb6d6 100644 --- a/Shorewall/Perl/Shorewall/Providers.pm +++ b/Shorewall/Perl/Shorewall/Providers.pm @@ -104,7 +104,9 @@ sub initialize( $ ) { $first_fallback_route = 1; $maxload = 0; $tproxies = 0; - + # + # The 'id' member is initialized in process_providers(), after the .conf file has been processed + # %providers = ( local => { provider => 'local', number => LOCAL_TABLE , mark => 0 , optional => 0 ,routes => [], rules => [] , routedests => {} } , main => { provider => 'main', number => MAIN_TABLE , mark => 0 , optional => 0 ,routes => [], rules => [] , routedests => {} } , default => { provider => 'default', number => DEFAULT_TABLE , mark => 0 , optional => 0 ,routes => [], rules => [] , routedests => {} } , @@ -112,15 +114,6 @@ sub initialize( $ ) { unspec => { provider => 'unspec', number => UNSPEC_TABLE , mark => 0 , optional => 0 ,routes => [], rules => [] , routedests => {} } ); @providers = (); - unless ( $config{USE_RT_NAMES} ) { - for ( values %providers ) { - $_->{id} = $_->{number}; - } - } else { - for ( values %providers ) { - $_->{id} = $_->{provider}; - } - } } # @@ -227,8 +220,8 @@ sub copy_table( $$$ ) { ); } -sub copy_and_edit_table( $$$$ ) { - my ( $duplicate, $number, $copy, $realm) = @_; +sub copy_and_edit_table( $$$$$ ) { + my ( $duplicate, $number, $id, $copy, $realm) = @_; my $filter = $family == F_IPV6 ? q(fgrep -v ' cache ' | sed 's/ via :: / /' | ) : ''; my %copied; @@ -263,8 +256,8 @@ sub copy_and_edit_table( $$$$ ) { emit ( ' case $net in', ' default)', ' ;;', - ' blackhole)', - " run_ip route add table $number blackhole \$route $realm", + ' blackhole|prohibit|unreachable)', + " run_ip route add table $id \$net \$route $realm", ' ;;', ' *)', ' case $(find_device $route) in', 
@@ -274,12 +267,12 @@ sub copy_and_edit_table( $$$$ ) { ' 255.255.255.255*)', ' ;;', ' *)', - " run_ip route add table $number \$net \$route $realm", + " run_ip route add table $id \$net \$route $realm", ' ;;', ' esac', ); } else { - emit ( " run_ip route add table $number \$net \$route $realm" ); + emit ( " run_ip route add table $id \$net \$route $realm" ); } emit ( ' ;;', @@ -378,7 +371,6 @@ sub start_provider( $$$$$ ) { emit $test; push_indent; - if ( $number ) { emit "qt ip -$family route flush table $id"; emit "echo \"\$IP -$family route flush table $id > /dev/null 2>&1\" > \${VARDIR}/undo_${table}_routing"; @@ -783,7 +775,7 @@ CEOF $copy = "$interface,$copy"; } - copy_and_edit_table( $duplicate, $number ,$copy , $realm); + copy_and_edit_table( $duplicate, $number, $id, $copy, $realm); } } @@ -1347,6 +1339,16 @@ sub process_providers( $ ) { our $providers = 0; our $pseudoproviders = 0; + unless ( $config{USE_RT_NAMES} ) { + for ( values %providers ) { + $_->{id} = $_->{number}; + } + } else { + for ( values %providers ) { + $_->{id} = $_->{provider}; + } + } + $lastmark = 0; if ( my $fn = open_file 'providers' ) {
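Review bot: moving the `{id}` assignment from initialize() into process_providers() (hunks at `@@ -112,15 +114,6 @@` and `@@ -1347,6 +1339,16 @@`) is the right fix, since `$config{USE_RT_NAMES}` has not been read when initialize() runs, which is why the builtin tables kept emitting `table 254` rather than `table main`; the cost is that any code reading `$providers{...}{id}` before process_providers() runs now gets undef, so the new comment at `@@ -104,7 +109,9 @@` documents the ordering, and a `defined` check at the read sites would make a violation fail loudly instead of emitting `table ` with nothing after it.

Review bot: copy_and_edit_table() gains `$id` (`@@ -227,8 +220,8 @@`) and every visible emitted `table $number` becomes `table $id` (`@@ -263,8 +256,8 @@`, `@@ -274,12 +267,12 @@`), which leaves `$number` as a parameter that no longer appears to be used inside the function; if nothing else in the body references it, drop it from the prototype and from the single caller at `@@ -783,7 +775,7 @@` rather than carrying a dead argument. The `blackhole|prohibit|unreachable)` case is a sound generalization: emitting `\$net \$route` preserves the route type read from the main table instead of hard-coding `blackhole`.

Review bot: the `@@ -378,7 +371,6 @@` hunk is identical to the first hunk of the preceding DUPLICATE.patch, so applying both patches to the same tree will fail (or need fuzz) on whichever is applied second; keep it in one patch only. The same brace concern applies here: `if ( $number ) {` is removed with no visible removal of its closing brace.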
_______________________________________________
Shorewall-devel mailing list
Shorewall-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-devel