Brian J. Murrell wrote:


> Is it "two models" or just a re-implementation of the existing model?
> What if the only change was to do the route rules re-ordering so that
> applications populating the main table would get what they want?  Does
> anything "user visible" (i.e. anything in /etc/shorewall/) really need
> to change? route_rules could even still be functional, just not needed
> as much (there might still be corner cases) or at all.

Consider the case of a transparent Squid proxy in the local net. The recommended rule there is

#NAME   NUMBER  MARK    DUPLICATE    INTERFACE       GATEWAY         OPTIONS
Squid   1       202     -            eth1            192.168.1.3     loose

Packets with mark 202 are sent to 192.168.1.3 regardless of the destination IP address. Under the new scheme (I'm currently calling the option ROUTING_NG), packets with mark 202 are sent to 192.168.1.3 *only if there is no route to the destination IP address in the main routing table*.

So the new behavior is definitely different and incompatible with the old behavior.


> I guess there is the slight user visible change that they have to ensure
> that interface plumbing processes don't plumb a default route.  Then
> again, shorewall could always just [re]move them [to the default table].
> I think it's generally a requirement that shorewall be reloaded when
> interfaces go up and down anyway.

Yes.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
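
The behaviour change described in the message above, as an added example that is not part of the original e-mail or Shorewall's own code: a small model of Linux policy-routing lookup that compares the old rule order with the ROUTING_NG order for the Squid provider. The rule priorities, the 10.0.5.0/24 route and the 203.0.113.1 uplink are constructed assumptions.

```python
import ipaddress

def lookup(table, dst):
    """Longest-prefix match in one routing table; None if no route matches."""
    dst = ipaddress.ip_address(dst)
    hits = [(net, hop) for net, hop in table if dst in net]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def route(rules, tables, dst, mark=0):
    """Walk rules in priority order, as Linux policy routing does: the first rule
    whose mark selector matches and whose table has a route decides the next hop."""
    for _prio, want_mark, name in sorted(rules, key=lambda r: r[0]):
        if want_mark is not None and want_mark != mark:
            continue
        hop = lookup(tables[name], dst)
        if hop is not None:
            return name, hop
    return None, None

N = ipaddress.ip_network
# Constructed tables. The Squid table holds only a default route via the proxy.
SQUID = [(N("0.0.0.0/0"), "via 192.168.1.3 dev eth1")]
LAN = (N("192.168.1.0/24"), "dev eth1")
DMZ = (N("10.0.5.0/24"), "dev eth2")                    # hypothetical route in main
UPLINK = (N("0.0.0.0/0"), "via 203.0.113.1 dev eth0")   # hypothetical default route

# Old scheme: the mark rule is consulted before main; main carries the default route.
OLD_RULES = [(10000, 202, "Squid"), (32766, None, "main"), (32767, None, "default")]
OLD_TABLES = {"Squid": SQUID, "main": [LAN, DMZ, UPLINK], "default": []}

# ROUTING_NG as described: main first (its default route moved to the default
# table), then the mark rule, then the default table. Priority 999 is assumed.
NG_RULES = [(999, None, "main"), (10000, 202, "Squid"), (32767, None, "default")]
NG_TABLES = {"Squid": SQUID, "main": [LAN, DMZ], "default": [UPLINK]}

def compare(dst, mark=202):
    """Return (old_result, ng_result) for one destination and packet mark."""
    return route(OLD_RULES, OLD_TABLES, dst, mark), route(NG_RULES, NG_TABLES, dst, mark)

if __name__ == "__main__":
    for dst in ("198.51.100.7", "10.0.5.20"):
        old, ng = compare(dst)
        print(f"{dst:14} old={old} ng={ng}")
```

In this model, traffic marked 202 for 10.0.5.20 reaches the proxy under the old order but follows the main-table route under ROUTING_NG, so any policy that relies on Squid seeing that traffic has to be re-checked when switching schemes.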
