Hi all,
I wish to route all fw traffic to ISP1, but the rule gets ignored.
In my tcrules file I have only one rule:
0x100 $FW -
with high route marks.
Then after executing a ping from fw->net I found out that successive
pings get routed alternately to both ISP providers.
My providers file is:
NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
ISP1 1 0x100 main eth0 10.10.10.1 track,balance eth2,br0
ISP2 2 0x200 main eth1 10.0.12.1 track,balance eth2,br0
shorewall show mangle shows traffic getting marked OK:
Shorewall 3.4.8 Mangle Table at fw - Wed Dec 10 13:46:04 UTC 2008
Counters reset Wed Dec 10 13:44:30 UTC 2008

Chain PREROUTING (policy ACCEPT 1408 packets, 169K bytes)
pkts bytes target prot opt in out source destination
111 92876 CONNMARK all -- * * 0.0.0.0/0 0.0.0.0/0 connmark match !0x0/0xff00 CONNMARK restore mask 0xff00
43 6182 routemark all -- eth0 * 0.0.0.0/0 0.0.0.0/0 mark match 0x0/0xff00
0 0 routemark all -- eth1 * 0.0.0.0/0 0.0.0.0/0 mark match 0x0/0xff00
107 95942 tcpre all -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 tcpre all -- eth1 * 0.0.0.0/0 0.0.0.0/0
1228 68313 tcpre all -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x0/0xff00

Chain INPUT (policy ACCEPT 1178 packets, 64120 bytes)
pkts bytes target prot opt in out source destination
1152 62768 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 MARK and 0xff

Chain FORWARD (policy ACCEPT 230 packets, 105K bytes)
pkts bytes target prot opt in out source destination
230 105K MARK all -- * * 0.0.0.0/0 0.0.0.0/0 MARK and 0xff
230 105K tcfor all -- * * 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 17103 packets, 3148K bytes)
pkts bytes target prot opt in out source destination
0 0 CONNMARK all -- * * 0.0.0.0/0 0.0.0.0/0 connmark match !0x0/0xff00 CONNMARK restore mask 0xff00
1201 205K tcout all -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x0/0xff00

Chain POSTROUTING (policy ACCEPT 1434 packets, 312K bytes)
pkts bytes target prot opt in out source destination
1408 308K MARK all -- * * 0.0.0.0/0 0.0.0.0/0 MARK and 0xff
1408 308K tcpost all -- * * 0.0.0.0/0 0.0.0.0/0

Chain routemark (2 references)
pkts bytes target prot opt in out source destination
43 6182 MARK all -- eth0 * 0.0.0.0/0 0.0.0.0/0 MARK xset 0x100/0xffffffff
0 0 MARK all -- eth1 * 0.0.0.0/0 0.0.0.0/0 MARK xset 0x200/0xffffffff
43 6182 CONNMARK all -- * * 0.0.0.0/0 0.0.0.0/0 mark match !0x0/0xff00 CONNMARK save mask 0xff00

Chain tcfor (1 references)
pkts bytes target prot opt in out source destination

Chain tcout (1 references)
pkts bytes target prot opt in out source destination
1201 205K MARK all -- * * 0.0.0.0/0 0.0.0.0/0 MARK xset 0x100/0xffffffff

Chain tcpost (1 references)
pkts bytes target prot opt in out source destination
0 0 CLASSIFY all -- * eth0 0.0.0.0/0 0.0.0.0/0 mark match 0x1/0xff CLASSIFY set 1:11
0 0 CLASSIFY all -- * eth0 0.0.0.0/0 0.0.0.0/0 mark match 0x2/0xff CLASSIFY set 1:12
0 0 CLASSIFY all -- * eth0 0.0.0.0/0 0.0.0.0/0 mark match 0x3/0xff CLASSIFY set 1:13
0 0 CLASSIFY all -- * eth0 0.0.0.0/0 0.0.0.0/0 mark match 0x4/0xff CLASSIFY set 1:14
0 0 CLASSIFY all -- * eth1 0.0.0.0/0 0.0.0.0/0 mark match 0x1/0xff CLASSIFY set 2:11
0 0 CLASSIFY all -- * eth1 0.0.0.0/0 0.0.0.0/0 mark match 0x2/0xff CLASSIFY set 2:12
0 0 CLASSIFY all -- * eth1 0.0.0.0/0 0.0.0.0/0 mark match 0x3/0xff CLASSIFY set 2:13
0 0 CLASSIFY all -- * eth1 0.0.0.0/0 0.0.0.0/0 mark match 0x4/0xff CLASSIFY set 2:14

Chain tcpre (3 references)
pkts bytes target prot opt in out source destination
1228 68313 MARK all -- br0 * 0.0.0.0/0 0.0.0.0/0 MARK xset 0x100/0xffffffff
However, when I add a rule from loc->net and mark packets to go through a
particular provider, it also looked like both ISPs were used.
Then I replaced the balance option with loose and the fw->net traffic
got routed through ISP1, but I am not sure that this package will do
balancing for packets that have no specific mark on them :-\
shorewall version 3.4.8
kernel 2.6.25
Thanks for your suggestions
Harry.
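Added example (not from Harry's post and not Shorewall's own code): a small model of the mark operations visible in the mangle table above, to trace which bits a packet and its connection carry at each step. The mark layout is taken from the table (route mark in 0xff00, class mark in 0x00ff); the kernel's actual routing decision and the ip rule lookups are outside the model and are assumed, not reproduced.

```python
# Model of the MARK / CONNMARK operations listed in the mangle table above.
# Assumption: route mark lives in 0xff00 (HIGH_ROUTE_MARKS), class mark in 0x00ff.
ROUTE_MASK = 0xff00
CLASS_MASK = 0x00ff
ALL = 0xffffffff

def mark_xset(mark, value, mask=ALL):
    """MARK xset value/mask: replace the masked bits of the packet mark."""
    return (mark & ~mask & ALL) | (value & mask)

def mark_and(mark, mask):
    """MARK and mask: keep only the masked bits (the 'MARK and 0xff' rows)."""
    return mark & mask

def connmark_save(mark, ctmark, mask):
    """CONNMARK save mask: copy the masked packet-mark bits into the conn mark."""
    return (ctmark & ~mask & ALL) | (mark & mask)

def connmark_restore(mark, ctmark, mask):
    """CONNMARK restore mask: copy the masked conn-mark bits into the packet mark."""
    return (mark & ~mask & ALL) | (ctmark & mask)

def fw_originated(ctmark=0):
    """Trace a packet from $FW through OUTPUT and POSTROUTING as listed above.
    Returns (route mark at the routing decision, mark handed to tcpost, conn mark)."""
    mark = 0
    # OUTPUT: 'connmark match !0x0/0xff00' -> restore only if route bits are saved
    if ctmark & ROUTE_MASK:
        mark = connmark_restore(mark, ctmark, ROUTE_MASK)
    # OUTPUT -> tcout is entered only while no route mark is present ('mark match 0x0/0xff00')
    if (mark & ROUTE_MASK) == 0:
        mark = mark_xset(mark, 0x100)        # the '0x100 $FW -' tcrules entry
    route_mark = mark & ROUTE_MASK            # the bits a fwmark ip rule would see
    # POSTROUTING: 'MARK and 0xff' strips the route bits before tcpost classifies
    mark = mark_and(mark, CLASS_MASK)
    return route_mark, mark, ctmark           # OUTPUT has no CONNMARK save row

def reply_from_isp(iface, ctmark=0):
    """Trace a packet arriving on eth0/eth1 through PREROUTING and routemark.
    Returns (route mark, conn mark after the chain)."""
    mark = 0
    if ctmark & ROUTE_MASK:
        mark = connmark_restore(mark, ctmark, ROUTE_MASK)
    if (mark & ROUTE_MASK) == 0:              # routemark jump: 'mark match 0x0/0xff00'
        mark = mark_xset(mark, {"eth0": 0x100, "eth1": 0x200}[iface])
        ctmark = connmark_save(mark, ctmark, ROUTE_MASK)
    return mark & ROUTE_MASK, ctmark
```

Running fw_originated() repeatedly returns a route mark of 0x100 every time while the conn mark stays 0, which matches the zero counter on the OUTPUT CONNMARK row: nothing in the OUTPUT path writes the route mark back to the connection, only the PREROUTING routemark chain does.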
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users