Tom Eastep wrote:
> On 04/29/2013 10:36 AM, Dash Four wrote:
>   
>> Dash Four wrote:
>>     
>>>>> 3. How do I add a "default" route in "routes"?
>>>>>     
>>>>>           
>>>> You don't -- Shorewall generates the default routes based on the
>>>> provider GATEWAY (specified or detected).
>>>>   
>>>>         
>>> Got it now, thanks.
>>>       
>> One further clarification on this: I need to have 2 "default" routes 
>> (going via the same interface - eth0) - one in 'main' and one in my 
>> 'provider' table (dmz7). If I have, say, "dmz7 2 - main eth0 10.1.7.1 - 
>> none" would that do it or do I need to have something else in addition?
>>     
>
> Use the 'balance' option on eth0 in /etc/shorewall/providers.
>   
Nope. It turns out that the route "automagically" appears in both tables. 
I've looked at the generated firewall file and could not find any 
references to such a statement, so it must be, somehow, added by the OS - 
I have no other explanation.

>> Also, does shorewall wipe out existing routes when starting or are these 
>> left intact? Same question for shorewall-init (when the interface is 
>> brought back up).
>>     
>
> It wipes out the provider tables only during 'start'.
>   
I am about to test this more thoroughly tomorrow. In the meantime, a 
couple of new (and quite annoying) bugs:

1. When I register a provider, like:

providers
~~~~~~~~~
dmz7 2 - main eth0 10.1.7.1 - none

and then

rtrules
~~~~~~~
10.1.7.7 - dmz7 26000
eth0 - dmz7 26001

In addition to the expected rules, I also get this little gem generated:

        find_interface_addresses eth0 | while read address; do
            qt $IP -4 rule del from $address
            run_ip rule add from $address pref 20000 table dmz7
            echo "$IP -4 rule del from $address > /dev/null 2>&1" >> ${VARDIR}/undo_dmz7_routing
            rulenum=$(($rulenum + 1))
        done

Why? I haven't specified, nor asked shorewall to assume my source 
address and generate this (I specified what I need to be created - see 
the 1st statement in rtrules above).

2. "iif" instead of "oif":

rtrules
~~~~~~~
eth0 - dmz7 26001

generates:

        qt $IP -4 rule del iif eth0 to 0.0.0.0/0 priority 26001
        run_ip rule add iif eth0 to 0.0.0.0/0 priority 26001 table dmz7
        echo "$IP -4 rule del iif eth0 to 0.0.0.0/0 priority 26001 > /dev/null 2>&1" >> ${VARDIR}/undo_dmz7_routing

which is wrong - "iif" should be "oif".

3. Specifying "blackhole" routes for a provider as well as for 'main' 
generates an error:

routes
~~~~~~
dmz7 62.252.0.0/14 blackhole
main 62.252.0.0/14 blackhole

During either a cold start or a reload, I get the following error:

shorewall[7294]: Adding Providers...
shorewall[7294]: RTNETLINK answers: File exists
shorewall[7294]:    ERROR: Command "ip -4 route add blackhole 62.252.0.0/14 table dmz7" Failed
root: ERROR:Shorewall start failed

This error is mystifying me, because in the generated .start file, there 
is only one reference to 62.252.0.0/14 so I have absolutely no idea why 
ip is moaning at me. When I execute this command from the shell, all is 
well - no problem!
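The "RTNETLINK answers: File exists" failure in point 3 above is EEXIST from `ip route add`, which refuses to add a route when a route with the same prefix and metric is already in that table. The following is an added example, not code from the thread or from Shorewall: given the text of `ip -4 route show table dmz7` captured just before the generated script runs its route commands, it reports which planned `ip route add` commands would collide. The table contents and the second planned command are constructed for illustration; only the first planned command is the one quoted in the report.

```python
import shlex

# Constructed sample of `ip -4 route show table dmz7` (not captured from the
# thread): the blackhole is already present before the route command runs.
SAMPLE_TABLE_DMZ7 = """\
default via 10.1.7.1 dev eth0
10.1.7.0/24 dev eth0 scope link src 10.1.7.7
blackhole 62.252.0.0/14
"""

# First command is the one quoted in the report; the second is constructed.
PLANNED = [
    "ip -4 route add blackhole 62.252.0.0/14 table dmz7",
    "ip -4 route add 192.0.2.0/24 via 10.1.7.1 dev eth0 table dmz7",
]

ROUTE_TYPES = {"blackhole", "unreachable", "prohibit", "throw", "local", "broadcast"}

def route_key(words):
    """(prefix, metric) from the words of a `route show` line or an `add`
    command; `ip route add` fails with EEXIST when this pair already exists."""
    if words[0] in ROUTE_TYPES:
        words = words[1:]
    prefix = "0.0.0.0/0" if words[0] == "default" else words[0]
    if "/" not in prefix:
        prefix += "/32"  # bare host address
    metric = int(words[words.index("metric") + 1]) if "metric" in words else 0
    return prefix, metric

def existing_keys(show_output):
    """Keys of every route in the output of `ip route show table T`."""
    return {route_key(l.split()) for l in show_output.splitlines() if l.strip()}

def parse_add(cmd):
    """(table, prefix, metric) from an `ip ... route add ...` command line."""
    words = shlex.split(cmd)
    table = words[words.index("table") + 1] if "table" in words else "main"
    prefix, metric = route_key(words[words.index("add") + 1:])
    return table, prefix, metric

def collisions(planned, tables):
    """Planned commands that would fail with EEXIST, given {table: show output}."""
    hits = []
    for cmd in planned:
        table, prefix, metric = parse_add(cmd)
        if (prefix, metric) in existing_keys(tables.get(table, "")):
            hits.append(cmd)
    return hits
```

Running `collisions(PLANNED, {"dmz7": SAMPLE_TABLE_DMZ7})` flags the blackhole command, which is the one the report shows failing; a dump of each provider table taken before `start` is therefore the first thing to compare against the generated script.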

_______________________________________________
Shorewall-devel mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-devel