Problem with default routes, Shorewall and multiple ISPs
I am testing a firewall configuration with multiple ISPs and two routers
behind the firewall; routing between the firewall and the routers will be
handled by OSPF later.
After "shorewall start" the default route is totally messed up.
I am running Shorewall 4.4.11.6-3 on Debian squeeze (this should happen on
later versions too).
The configuration looks like this:
ISP1-----\       /---- R1 (10.100.0/30)
          \__FW__/
          /      \
ISP2-----/        \---- R2 (10.100.8/30)
FW$> ip route
10.0.0.1 dev ppp0 proto kernel scope link src 10.67.15.1
10.0.1.1 dev eth3 scope link
10.100.100.0/30 dev eth0 proto kernel scope link src 10.100.100.1
10.100.100.8/30 dev eth0 proto kernel scope link src 10.100.100.10
10.168.0.0/16 metric 100
        nexthop via 10.100.100.2 dev eth0 weight 1
        nexthop via 10.100.100.9 dev eth0 weight 1
default via 10.0.1.1 dev eth3
default dev ppp0 scope link
The Shorewall configuration is as follows:
FW$> cat zones
fw firewall
net ipv4
trust ipv4
FW$> cat interfaces
net ppp0
net eth3
trust eth0
FW$> cat providers
ISP1 1 1 - ppp0 - track
ISP1 1 1 - ppp0 - track
The important point in this configuration is the multipath route to
10.168.0.0/16 with two nexthops, the default routes from the two ISPs,
and that I am using the providers file.
After "shorewall start" the routing in table main looks as follows:
FW$> ip route
10.0.0.1 dev ppp0 proto kernel scope link src 10.67.15.1
10.0.1.1 dev eth3 scope link
10.100.100.0/30 dev eth0 proto kernel scope link src 10.100.100.1
10.100.100.8/30 dev eth0 proto kernel scope link src 10.100.100.10
10.168.0.0/16 metric 100
        nexthop via 10.100.100.2 dev eth0 weight 1
        nexthop via 10.100.100.9 dev eth0 weight 1
default
        nexthop via 10.100.100.2 dev eth0 weight 1
        nexthop via 10.100.100.9 dev eth0 weight 1
default dev ppp0 scope link
So what happened here? During "shorewall start" shorewall tells me after
"Adding Providers..." that it does the following:
...
Adding Providers...
Provider ISP1 (1) Added
Provider ISP2 (2) Added
Default Route (nexthop via 10.100.100.2 dev eth0 weight 1 nexthop via 10.100.100.9 dev eth0 weight 1) restored
...
There was no default route with nexthops in my routing table! So where
did it screw up? The problem is in restore_default_route() and the
parsing of the default_route file generated in
setup_routing_and_traffic_shaping().
... $IP -4 route list | grep -E '^\s*(default |nexthop )' > ${VARDIR}/default_route
This generates the following default_route file:
FW$> cat default_route
nexthop via 10.100.100.2 dev eth0 weight 1
nexthop via 10.100.100.9 dev eth0 weight 1
default via 10.0.1.1 dev eth3
default dev ppp0 scope link
So here are the nexthops which really do not belong here. Consequently
the parsing in restore_default_route() screws up.
How about the following changes:
* Add option "-o" (one-line output) to the $IP call and grep only for
"default":
... $IP -o -4 route list | grep -E '^default ' > ${VARDIR}/default_route
This would generate the following default_route file:
FW$> cat default_route
default via 10.0.1.1 dev eth3
default dev ppp0 scope link
We don't accidentally catch nexthops from other multipath routes with
this anymore.
* The parsing in restore_default_route() can be simpler; we don't need
to parse multiline routes anymore.
...
while read route ; do
    case $route in
        *metric*)
            # Don't restore a route with a metric -- we only replace the one
            # with metric == 0
            qt $IP -4 route delete default metric 0 && \
                progress_message "Default Route with metric 0 deleted"
            ;;
        *)
            qt $IP -4 route replace $route && \
                result=0 && \
                progress_message "Default Route with (${route# }) restored"
            ;;
    esac
done < ${VARDIR}/default_route
...
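To make the failure mode concrete, here is a small added example (my own illustration, not Shorewall code) that runs both filters over a constructed route listing modelled on the one above. Since the real `ip -o` option is only available on a live system, the example emulates it with a short awk pass that folds the indented nexthop lines back onto their parent route before the `^default ` match; the sample listings and the helper names (`old_filter`, `new_filter`, `join_multiline_routes`) are assumptions of this example. It also checks the second case the post implies: a default route that is itself multipath survives the new filter as a single line, so the restore loop no longer needs multiline parsing.

```shell
#!/bin/sh
# Constructed sample of `ip -4 route list` output, modelled on the listing
# in the post (not captured from the poster's firewall). The multipath
# route 10.168.0.0/16 has its nexthops on indented continuation lines.
SAMPLE_ROUTES='10.0.0.1 dev ppp0 proto kernel scope link src 10.67.15.1
10.0.1.1 dev eth3 scope link
10.100.100.0/30 dev eth0 proto kernel scope link src 10.100.100.1
10.100.100.8/30 dev eth0 proto kernel scope link src 10.100.100.10
10.168.0.0/16 metric 100
	nexthop via 10.100.100.2 dev eth0 weight 1
	nexthop via 10.100.100.9 dev eth0 weight 1
default via 10.0.1.1 dev eth3
default dev ppp0 scope link'

# Constructed second sample: the default route itself is multipath.
SAMPLE_MP_DEFAULT='10.100.100.0/30 dev eth0 proto kernel scope link src 10.100.100.1
default
	nexthop via 10.100.100.2 dev eth0 weight 1
	nexthop via 10.100.100.9 dev eth0 weight 1'

# Filter from the original setup_routing_and_traffic_shaping(), with the
# GNU-specific \s written as the portable [[:space:]]. It keeps every
# "nexthop" line no matter which route the nexthop belongs to.
old_filter() {
    grep -E '^[[:space:]]*(default |nexthop )'
}

# Emulate `ip -o`: append each indented continuation line to the route
# line that precedes it, so every route occupies exactly one line.
join_multiline_routes() {
    awk '
        /^[[:space:]]+/ { sub(/^[[:space:]]+/, ""); line = line " " $0; next }
        NR > 1          { print line }
                        { line = $0 }
        END             { if (NR) print line }
    '
}

# Proposed filter: one-line routes, then only those that start with
# "default". Nexthops of 10.168.0.0/16 stay attached to their prefix.
new_filter() {
    join_multiline_routes | grep -E '^default '
}

# Helpers the assertions use: number of lines, and first line, of a filter.
count_routes() {
    printf '%s\n' "$1" | "$2" | wc -l | tr -d ' '
}
first_route() {
    printf '%s\n' "$1" | "$2" | head -n 1
}

# Stand-alone run: show what each filter would write to default_route.
if [ "${1:-}" = "demo" ]; then
    echo "== old filter =="; printf '%s\n' "$SAMPLE_ROUTES" | old_filter
    echo "== new filter =="; printf '%s\n' "$SAMPLE_ROUTES" | new_filter
    echo "== new filter, multipath default =="
    printf '%s\n' "$SAMPLE_MP_DEFAULT" | new_filter
fi
```

Run it with `sh example.sh demo`. On the first sample the old filter emits four lines (two stray nexthops plus the two real defaults), which is exactly the file shown in the post; the new filter emits only the two default routes. On the second sample the old filter would keep the two nexthop lines but drop the bare `default` line (it has no trailing space), whereas the new filter yields one complete `default nexthop ... nexthop ...` line that `ip route replace` can consume as-is.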
BTW, I don't know if this is the right solution. What should the
restore_default_route() function do precisely? The "$IP -4 route delete
default metric 0" deletes even routes with metric <> 0 if it's the only
default route. There was a "break" before in the "if [ -n
"$default_route" ]; then" statement; what should it do?
Any help with this problem would be appreciated.
Greetings Jörg Kleuver
--
Jörg Kleuver                  CISS TDI GmbH
Tel. +49 2642 97 80 28        Barbarossastraße 36
Fax. +49 2642 97 80 10        53489 Sinzig, Germany
Registered office: Sinzig, Amtsgericht Koblenz, commercial register no. 13357
Managing directors: Dipl.-Math. Joachim Figura, Dipl.-Inform. Berthold Bärk
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users