In the case of the following example route_rules entries, the _first_
rule is always lost after (re)starting shorewall:
#SOURCE DEST PROVIDER PRIORITY
$SRC_A $DESTIP1 ISP1 1000
$SRC_A $DESTIP2 SOMEISP 1000
$SRC_A - ISP2 1000
This happens because shorewall deletes (or tries to delete) a rule
directly before adding it again, and when DEST is empty the "ip" utility
deletes the first rule with matching source and priority (regardless of
destination address and routing table).
The workaround is to specify the priority explicitly instead of relying on
line order.
I have several suggestions:
1. the patches in the attachment (add a provider match requirement);
they are for shorewall 4.0.3
2. Maybe the procedure should be split up into two stages (two loops):
the first would delete rules and the second would add them?
3. Is that delete-before-add behaviour really needed? The rule list seems
to be cleaned up during shorewall start/restart/refresh anyway (by the
generated undo_routing script)...
4. print a warning during (re)start when "-" is detected in the DEST
column ("Your routing rules may work improperly!") ;)
NOTE: the report also applies to older versions of shorewall.
Greetings.
--
Artur
--- Providersold.pm 2007-09-02 22:58:59.000000000 +0200
+++ Providers.pm 2007-09-16 09:57:06.000000000 +0200
@@ -271,7 +271,7 @@
$providers{$table}{optional} = $optional;
- if ( $loose ) {
+ unless ( $loose ) {
my $rulebase = 20000 + ( 256 * ( $number - 1 ) );
emit "\nrulenum=0\n";
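Review bot: changing `if ( $loose )` to `unless ( $loose )` inverts when the `$rulebase` / `rulenum=0` block is emitted, which is unrelated to the missing `table` qualifier on `ip rule del` that this patch is about and is not explained anywhere in the mail; either state why that block should now run for non-loose providers or move this hunk into a separate patch so the two fixes can be reviewed on their own.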
@@ -348,14 +348,14 @@
$priority = "priority $priority";
- emit ( "qt ip rule del $source $dest $priority" );
-
my ( $base, $optional, $number ) = ( chain_base( $provider ), $providers{$provider}{optional} , $providers{$provider}{number} );
+ emit ( "qt ip rule del $source $dest $priority table $number" );
+
emit ( '', "if [ -n \$${base}_is_up ]; then" ), push_indent if $optional;
emit ( "run_ip rule add $source $dest $priority table $number",
- "echo \"qt ip rule del $source $dest $priority\" >> \${VARDIR}/undo_routing" );
+ "echo \"qt ip rule del $source $dest $priority table $number\" >> \${VARDIR}/undo_routing" );
pop_indent, emit ( "fi\n" ) if $optional;
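Review bot: the added `table $number` qualifier narrows the match but does not remove the ambiguity inside one provider: when `$dest` is empty, `qt ip rule del $source $dest $priority table $number` still removes the first rule in that table with the same source and priority, so two entries for the same provider, one with a DEST and one with `-`, can still delete each other. Moving the `del` below the `my ( $base, $optional, $number )` line is required for `$number` to be defined, so that part is fine; to close the remaining gap, pair this with the two-loop (delete all, then add all) approach or the DEST `-` warning proposed in the mail.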
--- lib.providersold 2007-09-16 09:42:25.000000000 +0200
+++ lib.providers 2007-09-16 09:56:18.000000000 +0200
@@ -307,10 +307,10 @@
priority="priority $priority"
- save_command "qt ip rule del $source $dest $priority"
+ save_command "qt ip rule del $source $dest $priority table $provider"
save_command "run_ip rule add $source $dest $priority table $provider"
indent >&3 << __EOF__
-echo "qt ip rule del $source $dest $priority" >> \${VARDIR}/undo_routing
+echo "qt ip rule del $source $dest $priority table $provider" >> \${VARDIR}/undo_routing
__EOF__
progress_message "Routing rule \"$rule\" $DONE"
}
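Review bot: the selector string `$source $dest $priority table $provider` is now spelled out three times in this hunk (the `qt ip rule del` save_command, the `run_ip rule add` save_command and the undo_routing heredoc line); building it once, e.g. `rulespec="$source $dest $priority table $provider"`, and using it in all three commands would keep the delete, add and undo commands from drifting apart, which is exactly how the missing `table` qualifier slipped in. The same residual ambiguity noted for the Perl hunk applies here: an empty `$dest` still matches any rule of the same table with that source and priority.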
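To make the failure mode described in the mail reproducible without root access or a real routing table, here is an added example (not part of the original mail and not Shorewall code) that models the matching semantics of "ip rule del" and replays the generated delete/add sequence in three variants: the original delete-before-add loop without a table qualifier, the same loop with the `table` qualifier from the patch, and the two-loop (delete all, then add all) approach from suggestion 2. The model assumes, as the mail states, that a delete removes the first rule matching every selector it was given and ignores selectors that were left out; it also assumes same-priority rules keep insertion order. The entry lists are constructed; `$SRC_A`, `$DESTIP1` and `$DESTIP2` are kept as symbolic strings. It goes one step beyond the mail by also replaying a case where the `-` entry shares a provider with an explicit-DEST entry.

```python
# Added example (not from the original mail or from Shorewall): a small
# model of "ip rule del" matching used to replay the delete-before-add
# loop with and without a "table" qualifier.
# Assumption: "ip rule del" removes the FIRST rule matching every selector
# that was supplied (source, destination, priority, table) and ignores the
# selectors that were omitted; same-priority rules keep insertion order.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    source: str
    dest: Optional[str]      # None models the "-" DEST column
    table: str
    priority: int


@dataclass(frozen=True)
class Selector:
    """The selectors carried by one generated 'ip rule del' command."""
    source: str
    dest: Optional[str]      # None: no destination given on the command line
    priority: int
    table: Optional[str]     # None: command emitted without 'table X'

    def matches(self, rule: Rule) -> bool:
        if self.source != rule.source or self.priority != rule.priority:
            return False
        if self.dest is not None and self.dest != rule.dest:
            return False
        if self.table is not None and self.table != rule.table:
            return False
        return True


def ip_rule_del(rules: List[Rule], sel: Selector) -> None:
    """Delete the first matching rule; quiet on a miss, like 'qt ip rule del'."""
    for i, r in enumerate(rules):
        if sel.matches(r):
            del rules[i]
            return


def ip_rule_add(rules: List[Rule], rule: Rule) -> None:
    rules.append(rule)


def sel_for(rule: Rule, with_table: bool) -> Selector:
    """Build the delete selector the generated script would use for this entry."""
    return Selector(rule.source, rule.dest, rule.priority,
                    rule.table if with_table else None)


def delete_before_add(entries: List[Rule], with_table: bool) -> List[Rule]:
    """One loop: each entry is deleted and immediately re-added (current behaviour)."""
    rules: List[Rule] = []
    for e in entries:
        ip_rule_del(rules, sel_for(e, with_table))
        ip_rule_add(rules, e)
    return rules


def two_phase(entries: List[Rule], with_table: bool) -> List[Rule]:
    """Suggestion 2 from the mail: delete every entry first, then add every entry."""
    rules: List[Rule] = []
    for e in entries:
        ip_rule_del(rules, sel_for(e, with_table))
    for e in entries:
        ip_rule_add(rules, e)
    return rules


def lost(entries: List[Rule], result: List[Rule]) -> List[Rule]:
    """Entries that are missing from the rule list after the replay."""
    return [e for e in entries if e not in result]


# The three route_rules entries from the mail (constructed sample, symbolic names).
MAIL_ENTRIES = [
    Rule("$SRC_A", "$DESTIP1", "ISP1", 1000),
    Rule("$SRC_A", "$DESTIP2", "SOMEISP", 1000),
    Rule("$SRC_A", None, "ISP2", 1000),
]

# Constructed variant: the "-" entry shares a provider with the first entry,
# so a 'table' qualifier alone cannot tell the two deletions apart.
SAME_TABLE_ENTRIES = [
    Rule("$SRC_A", "$DESTIP1", "ISP1", 1000),
    Rule("$SRC_A", None, "ISP1", 1000),
]


if __name__ == "__main__":
    for name, entries in (("mail", MAIL_ENTRIES), ("same table", SAME_TABLE_ENTRIES)):
        print(name)
        print("  del-before-add, no table  :", lost(entries, delete_before_add(entries, False)))
        print("  del-before-add, with table:", lost(entries, delete_before_add(entries, True)))
        print("  two-phase, with table     :", lost(entries, two_phase(entries, True)))
```

Run as a script, the replay of the mail's entries shows the first rule disappearing in the original loop and surviving once `table` is added, which matches the report; the same-table variant shows that the qualifier is not sufficient on its own when one provider has both an explicit-DEST entry and a `-` entry, while the two-loop order keeps every rule in both cases.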
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users