On 09/13/2013 10:17 AM, HL wrote:
> On 13/09/2013 07:25 PM, Tom Eastep wrote:
>> On 09/13/2013 09:21 AM, HL wrote:
>>> On 13/09/2013 05:52 PM, Tom Eastep wrote:
>>>> On 9/13/2013 7:08 AM, HL wrote:
>>>>
>>>>> For instance in your case you only need to install zebra with *no* other
>>>>> daemon to test it.
>>>>>
>>>>> In my case
>>>>> zebra GETS Blocked. Why?
>>>> I'll try it over the weekend. After I've installed and started zebra,
>>>> what must I do to try to reproduce your problem?
>>>>
>>>> -Tom
>>>>
>>> just place a '-' under column COPY of your providers file
>>> and under "OPTIONS" track,loose
>>>
>>> Restart Shorewall
>>>
>>> Then
>>> from vtysh
>>> or zebra shell
>>> conf t
>>> ip route 8.8.8.8/32 "ip address of a specific provider"
>>>
>>> exit vtysh or zebra
>>>
>>> ip route
>>> will not show the route to 8.8.8.8
>>>
>>> vtysh -c "show ip route"
>>> will list the entry 8.8.8.8 as inactive
>>>
>>> Further digging regarding quagga zebra + iproute2 and rt_tables I've
>>> found this.
>>> http://lists.quagga.net/pipermail/quagga-users/2008-February/009359.html
>> Let's back up a bit. I've just installed quagga on my Debian gateway.
>>
>> If I run vtysh, I get:
>>
>> root@gateway:/etc/pam.d# vtysh
>> Exiting: failed to connect to any daemons.
>> root@gateway:/etc/pam.d#
>>
>> -Tom
> you have to start zebra first ... ;-)
>
> with minimal conf in /etc/quagga/zebra.conf
> Comments start with !
>
> ------------------------------------------------------------------
> hostname Router
> password zebra
> enable password zebra
> !
> ! Interface's description.
> !
> !interface lo
> ! description test of desc.
> !
> !interface sit0
> ! multicast
>
> !
> ! Static default route sample.
> !
> !ip route 0.0.0.0/0 203.181.89.241
> !

I can't even get this to work when Shorewall is cleared. See attached log:

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

Comment: Remove all Shorewall-configured settings
root@gateway:~# shorewall clear
Clearing Shorewall....
Processing /etc/shorewall-common/tcclear ...
Running /usr/local/sbin/iptables-restore...
IPv4 Forwarding Enabled
Processing /etc/shorewall/stopped ...
done.
Comment: Start Quagga
root@gateway:~# service quagga start
Loading capability module if not yet done.
Starting Quagga daemons (prio:10): zebra.
Starting Quagga monitor daemon: watchquagga.
Comment: Show Zebra's notion of the routes
root@gateway:~# vtysh -c "show ip route"
Codes: K - kernel route, C - connected, S - static, R - RIP,
O - OSPF, I - IS-IS, B - BGP, A - Babel,
> - selected route, * - FIB route
K>* 0.0.0.0/0 via 10.1.10.1, eth1
C>* 10.0.0.0/24 is directly connected, eth0
K>* 10.0.0.1/32 is directly connected, eth0
C>* 10.1.10.0/24 is directly connected, eth1
C>* 70.90.191.120/29 is directly connected, eth1
C>* 70.90.191.121/32 is directly connected, br0
K>* 70.90.191.122/32 is directly connected, br0
K>* 70.90.191.124/32 is directly connected, br0
K>* 70.90.191.125/32 is directly connected, br0
K>* 70.90.191.126/32 is directly connected, eth1
K * 76.20.230.188/32 via 10.0.0.1, eth0 inactive
C>* 127.0.0.0/8 is directly connected, lo
K>* 169.254.0.0/16 is directly connected, eth0
K>* 172.20.0.0/25 via 172.20.0.2, tun0
C>* 172.20.0.2/32 is directly connected, tun0
C>* 172.20.1.0/24 is directly connected, eth2
K>* 172.20.1.44/32 is directly connected, br0
C>* 172.20.2.0/24 is directly connected, br0
K * 216.218.226.238/32 via 70.90.191.126, eth1 inactive
Comment: Note the 'inactive' routes above. See what 'ip' thinks:
root@gateway:~# ip route ls
default via 10.1.10.1 dev eth1
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.4
10.0.0.1 dev eth0 scope link src 10.0.0.4
10.1.10.0/24 dev eth1 proto kernel scope link src 10.1.10.11
70.90.191.120/29 dev eth1 proto kernel scope link src 70.90.191.121
70.90.191.122 dev br0 scope link
70.90.191.124 dev br0 scope link
70.90.191.125 dev br0 scope link
70.90.191.126 dev eth1 scope link src 70.90.191.121
76.20.230.188 via 10.0.0.1 dev eth0
169.254.0.0/16 dev eth0 scope link
172.20.0.0/25 via 172.20.0.2 dev tun0
172.20.0.2 dev tun0 proto kernel scope link src 172.20.0.1
172.20.1.0/24 dev eth2 proto kernel scope link src 172.20.1.254
172.20.1.44 dev br0 scope link
172.20.2.0/24 dev br0 proto kernel scope link src 172.20.2.254
216.218.226.238 via 70.90.191.126 dev eth1
Comment: Show the entire routing picture
root@gateway:~# shorewall show routing
Shorewall 4.5.21-Beta1 Routing at gateway - Sat Sep 14 06:53:26 PDT 2013
Routing Rules
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
Table default:
Table local:
local 70.90.191.123 dev eth1 proto kernel scope host src 70.90.191.121
local 70.90.191.121 dev eth1 proto kernel scope host src 70.90.191.121
local 70.90.191.121 dev br0 proto kernel scope host src 70.90.191.121
local 172.20.2.254 dev br0 proto kernel scope host src 172.20.2.254
local 172.20.1.254 dev eth2 proto kernel scope host src 172.20.1.254
local 172.20.0.1 dev tun0 proto kernel scope host src 172.20.0.1
local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
local 10.1.10.11 dev eth1 proto kernel scope host src 10.1.10.11
local 10.0.0.4 dev eth0 proto kernel scope host src 10.0.0.4
broadcast 70.90.191.127 dev eth1 proto kernel scope link src 70.90.191.121
broadcast 70.90.191.120 dev eth1 proto kernel scope link src 70.90.191.121
broadcast 172.20.2.255 dev br0 proto kernel scope link src 172.20.2.254
broadcast 172.20.2.0 dev br0 proto kernel scope link src 172.20.2.254
broadcast 172.20.1.255 dev eth2 proto kernel scope link src 172.20.1.254
broadcast 172.20.1.0 dev eth2 proto kernel scope link src 172.20.1.254
broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1
broadcast 127.0.0.0 dev lo proto kernel scope link src 127.0.0.1
broadcast 10.1.10.255 dev eth1 proto kernel scope link src 10.1.10.11
broadcast 10.1.10.0 dev eth1 proto kernel scope link src 10.1.10.11
broadcast 10.0.0.255 dev eth0 proto kernel scope link src 10.0.0.4
broadcast 10.0.0.0 dev eth0 proto kernel scope link src 10.0.0.4
local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1
Table main:
76.20.230.188 via 10.0.0.1 dev eth0
70.90.191.126 dev eth1 scope link src 70.90.191.121
70.90.191.125 dev br0 scope link
70.90.191.124 dev br0 scope link
70.90.191.122 dev br0 scope link
216.218.226.238 via 70.90.191.126 dev eth1
172.20.1.44 dev br0 scope link
172.20.0.2 dev tun0 proto kernel scope link src 172.20.0.1
10.0.0.1 dev eth0 scope link src 10.0.0.4
70.90.191.120/29 dev eth1 proto kernel scope link src 70.90.191.121
172.20.0.0/25 via 172.20.0.2 dev tun0
172.20.2.0/24 dev br0 proto kernel scope link src 172.20.2.254
172.20.1.0/24 dev eth2 proto kernel scope link src 172.20.1.254
10.1.10.0/24 dev eth1 proto kernel scope link src 10.1.10.11
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.4
169.254.0.0/16 dev eth0 scope link
default via 10.1.10.1 dev eth1
Comment: Now add a route via Zebra
root@gateway:~# vtysh
Hello, this is Quagga (version 0.99.21).
Copyright 1996-2005 Kunihiro Ishiguro, et al.
gateway# conf t
gateway(config)# ip route 8.8.8.8 70.90.191.126
% Command incomplete.
gateway(config)# ip route 8.8.8.8/32 70.90.191.126
gateway(config)# exit
gateway# exit
Comment: Now what does Zebra think
root@gateway:~# vtysh -c "show ip route"
Codes: K - kernel route, C - connected, S - static, R - RIP,
O - OSPF, I - IS-IS, B - BGP, A - Babel,
> - selected route, * - FIB route
K>* 0.0.0.0/0 via 10.1.10.1, eth1
S 8.8.8.8/32 [1/0] via 70.90.191.126 inactive
C>* 10.0.0.0/24 is directly connected, eth0
K>* 10.0.0.1/32 is directly connected, eth0
C>* 10.1.10.0/24 is directly connected, eth1
C>* 70.90.191.120/29 is directly connected, eth1
C>* 70.90.191.121/32 is directly connected, br0
K>* 70.90.191.122/32 is directly connected, br0
K>* 70.90.191.124/32 is directly connected, br0
K>* 70.90.191.125/32 is directly connected, br0
K>* 70.90.191.126/32 is directly connected, eth1
K * 76.20.230.188/32 via 10.0.0.1, eth0 inactive
C>* 127.0.0.0/8 is directly connected, lo
K>* 169.254.0.0/16 is directly connected, eth0
K>* 172.20.0.0/25 via 172.20.0.2, tun0
C>* 172.20.0.2/32 is directly connected, tun0
C>* 172.20.1.0/24 is directly connected, eth2
K>* 172.20.1.44/32 is directly connected, br0
C>* 172.20.2.0/24 is directly connected, br0
K * 216.218.226.238/32 via 70.90.191.126, eth1 inactive
Comment: Same result without Shorewall even running; Restart Shorewall
root@gateway:~# shorewall start
Starting Shorewall....
...
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
