[ I hope this isn't a dupe.  Evolution crashed on my last send and I see
nothing in my logs that leads me to believe the mail made it out before
the crash ]

Well, it probably is working.  I'm probably just misunderstanding
something.

Given routing rules that look like this:

0:      from all lookup local 
10000:  from all fwmark 0x40 lookup CGCO 
10001:  from all fwmark 0x80 lookup IGS 
20000:  from 67.193.45.68 lookup CGCO 
20256:  from 66.11.173.224 lookup IGS 
32766:  from all lookup main 
32767:  from all lookup default 

and given the CGCO routing table:

10.8.0.2 dev tun0  proto kernel  scope link  src 10.8.0.1 
67.193.45.68 dev eth0.1  scope link 
192.168.200.1 dev ppp0  proto kernel  scope link  src 66.11.173.224 
10.8.0.0/24 via 10.8.0.2 dev tun0 
10.75.22.0/24 dev br-lan  proto kernel  scope link  src 10.75.22.254 
10.75.23.0/24 via 10.8.0.2 dev tun0 
67.193.44.0/23 dev eth0.1  proto kernel  scope link  src 67.193.45.68 
default via 67.193.44.1 dev eth0.1 

and given a routemark chain of (the first two rules I added manually,
but I think this chain is probably irrelevant but thought I'd include it
anyway):

Chain routemark (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MARK       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:1194 MARK set 0x40
    6   252 MARK       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:1194 MARK set 0x40
  332 46438 MARK       all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           MARK set 0x80
 4600  737K MARK       all  --  eth0.1 *       0.0.0.0/0            0.0.0.0/0           MARK set 0x40
 4932  783K CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0           MARK match !0x0/0xff CONNMARK save mask 0xff

and a tcpre chain of (whose purpose is to default traffic via the CGCO
table and connection):

Chain tcpre (3 references)
 pkts bytes target     prot opt in     out     source               destination
1310K 1862M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           MARK match !0x0/0xc0
 157K   14M MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0           MARK set 0x40
   42  5537 MARK       all  --  *      *       10.75.22.101         0.0.0.0/0           MARK set 0x80

and given the following entry in the /proc/net/ip_conntrack

udp      17 59 src=99.228.107.5 dst=67.193.45.68 sport=34730 dport=1194 packets=125 bytes=5250 [UNREPLIED] src=67.193.45.68 dst=99.228.107.5 sport=1194 dport=34730 packets=0 bytes=0 mark=64 use=1

Why would I be seeing these:

Dec 28 17:46:07 gw.ilinx kernel: Shorewall:fw2all:REJECT:IN= OUT=ppp0 SRC=66.11.173.224 DST=99.228.107.5 LEN=50 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1194 DPT=34730 LEN=30
Dec 28 17:46:09 gw.ilinx kernel: Shorewall:fw2all:REJECT:IN= OUT=ppp0 SRC=66.11.173.224 DST=99.228.107.5 LEN=50 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1194 DPT=34730 LEN=30
Dec 28 17:46:10 gw.ilinx kernel: Shorewall:fw2all:REJECT:IN= OUT=ppp0 SRC=66.11.173.224 DST=99.228.107.5 LEN=42 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1194 DPT=34730 LEN=22
Dec 28 17:46:11 gw.ilinx kernel: Shorewall:fw2all:REJECT:IN= OUT=ppp0 SRC=66.11.173.224 DST=99.228.107.5 LEN=42 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1194 DPT=34730 LEN=22

I would have thought that the mark that is on the connection (as per the
ip_conntrack excerpt above) would have shuffled those packets through
the CGCO routing table and on out through eth0.1.  What am I missing?

b.
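
Added example, not part of the original post: a Python script that replays the data quoted above. It lists the routing tables the `ip rule` set would consult for the logged packet with and without fwmark 0x40, and compares the logged packet's addresses with the reply tuple of the conntrack entry carrying mark=64. The function names are my own; the embedded strings are copied from the post with line wraps joined.

```python
import re

# Copied from the post: `ip rule` output, the conntrack entry, one REJECT log line.
RULES = """\
0:      from all lookup local
10000:  from all fwmark 0x40 lookup CGCO
10001:  from all fwmark 0x80 lookup IGS
20000:  from 67.193.45.68 lookup CGCO
20256:  from 66.11.173.224 lookup IGS
32766:  from all lookup main
32767:  from all lookup default
"""
CONNTRACK = ("udp 17 59 src=99.228.107.5 dst=67.193.45.68 sport=34730 dport=1194 "
             "packets=125 bytes=5250 [UNREPLIED] src=67.193.45.68 dst=99.228.107.5 "
             "sport=1194 dport=34730 packets=0 bytes=0 mark=64 use=1")
LOG = ("Shorewall:fw2all:REJECT:IN= OUT=ppp0 SRC=66.11.173.224 DST=99.228.107.5 "
       "LEN=50 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1194 DPT=34730 LEN=30")

def parse_rules(text):
    """Parse `ip rule` lines into (priority, from, fwmark or None, table)."""
    rules = []
    for line in text.splitlines():
        m = re.match(r"(\d+):\s+from (\S+)(?: fwmark (\S+))? lookup (\S+)", line)
        rules.append((int(m[1]), m[2], int(m[3], 16) if m[3] else None, m[4]))
    return rules

def matching_tables(rules, src, fwmark):
    """Tables consulted, in priority order, for a packet with this source and
    mark; the kernel uses the first one that holds a matching route."""
    return [table for _, frm, mark, table in rules
            if frm in ("all", src) and (mark is None or mark == fwmark)]

def conntrack_tuples(entry):
    """Return the original tuple, the expected reply tuple and the connmark."""
    t = re.findall(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)", entry)
    return t[0], t[1], int(re.search(r"mark=(\d+)", entry)[1])

def log_tuple(line):
    """Extract (SRC, DST, SPT, DPT) from a netfilter LOG line."""
    f = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
    return (f["SRC"], f["DST"], f["SPT"], f["DPT"])

if __name__ == "__main__":
    rules = parse_rules(RULES)
    orig, reply, mark = conntrack_tuples(CONNTRACK)
    pkt = log_tuple(LOG)
    print("connmark:", hex(mark), "| logged packet equals reply tuple:", pkt == reply)
    print("with mark 0x40:", matching_tables(rules, pkt[0], 0x40))
    print("with mark 0x0: ", matching_tables(rules, pkt[0], 0))
```

On the quoted data, the logged packet's source is 66.11.173.224 while the reply tuple of the marked entry has source 67.193.45.68, so the two tuples do not match.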

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
