Hi, Can I beg some help handling the some corner cases with the goal to achieve very rigid routing via specific interfaces
To recap the goal: - I have a router connected to several internet connections, lets call them eth0, wlan1, ppp0. Some of the internet connections may have substantial cost, eg satellite - The use case will be end user, mobile, and we will assume that it's fair game to add/remove interfaces while in use, eg wifi networks could drop, 3g router could drop - Desire that individual local IPs will be routed out through specific internet connections. User will agree to use a specific interface in advance and should not use another internet interface until they have confirmed agreement (web interface) - Currently using several ipsets RT1,RT2, etc to mark which provider an IP should be using. This applies a packet mark in tcrules that matches the provider number allocated in providers file. - Local network is via either eth0 or wlan0, these are part of a bridge br0 (no requirement to filter between eth0/wlan0) What has become clear in the last few hours, is that I don't appear to understand linux routing as well as I thought... In particular, how should I setup shorewall if I want to *require* that a connection marked in tcrules:prerouting with a specific packet mark (say 0x10000 ie equiv of high_routemarks/wide_tc) will either exit through a specific interface, say ppp0. Simply marking with the correct provider number routes through that provider most of the time, but appears vulnerable to external processes breaking the routing table? For example, my understanding, given this (abbreviated) routing output which results when ppp changes its IP and butchers my routes: Routing Rules 0: from all lookup local 10000: from all fwmark 0x10000/0xff0000 lookup peth0 10007: from all fwmark 0x80000/0xff0000 lookup pppp0 10011: from all fwmark 0xc0000/0xff0000 lookup pppp10 20000: from 192.168.105.71 lookup peth0 20000: from 10.64.64.74 lookup pppp10 20000: from 10.64.64.64 lookup pppp0 32766: from all lookup main 32767: from all lookup default Table pppp0: 192.168.111.0/24 dev br0 proto kernel scope link src 192.168.111.1 Then my mark will cause the table pppp0 to be tried, however, because it doesn't match anything outbound, then the main/default tables will be checked next and packets may exit via some other interface (remember the spec *requires* that this doesn't happen) So I *think* I need to add additional fallback routes for each mark which will null route anything which escapes from the prescribed routing table? How might I best do this through shorewall features? I guess the "routes" file is an option, but this appears to alter the existing pppp0 table, which raises the question of how to deal with: If something is in say RT4, but that associated provider interface isn't currently up, then we won't have a rule in the route database at all for the relevant mark... (eg consider packets for eth1, ie fwmark 0x20000 which isn't mentioned at all in the output above) Therefore I would expect that in the situation above, we would fallback to some other route (probably main) and packets could go out of some unexpected interface. I think again the solution is to add a second much lower priority "null" route which is pointed to by the same route marks. This way if either the desired table is missing, or simply fails to capture our packet then the second table will capture the same mark and null route it So if that were indeed the best solution, what might be the best way to implement it within shorewall? I have 15 fixed providers which map to all possible providers we could ever have, although not all will be around or up at any given moment (but we know them all the interfaces in advance, just not the ip addresses of the interfaces) I think I will need to achieve something like: 0: from all lookup local 10000: from all fwmark 0x10000/0xff0000 lookup peth0 10007: from all fwmark 0x80000/0xff0000 lookup pppp0 10011: from all fwmark 0xc0000/0xff0000 lookup pppp10 32000: from all fwmark 0x10000/0xff0000 lookup peth0_kill_it 32007: from all fwmark 0x80000/0xff0000 lookup pppp0_kill_it 32011: from all fwmark 0xc0000/0xff0000 lookup pppp10_kill_it Thanks for any suggestions on how to proceed? Ed W ------------------------------------------------------------------------------ For Developers, A Lot Can Happen In A Second. Boundary is the first to Know...and Tell You. Monitor Your Applications in Ultra-Fine Resolution. Try it FREE! http://p.sf.net/sfu/Boundary-d2dvs2 _______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
