Re: [Shorewall-users] quagga zebra + shorewall Strange Problem

Tom Eastep Wed, 18 Sep 2013 16:53:32 -0700

On 9/18/2013 9:04 AM, HL wrote:
> On 14/09/2013 08:57 μμ, Tom Eastep wrote:
>> But there is no point in even using Shorewall's Multi-ISP this way since
>> the above route is completely useless on an Ethernet interface.
> Hi, Tom
> 
> As promised
> before shorewall start
> 
> #ip r
> default  proto zebra
>     nexthop via 10.0.11.1  dev eth1 weight 1
>     nexthop via 10.0.12.1  dev eth2 weight 1
> 8.8.4.4 via 10.0.12.1 dev eth2  proto zebra
> 8.8.8.8 via 10.0.11.1 dev eth1  proto zebra
> 10.0.11.0/24 dev eth1  proto kernel  scope link  src 10.0.11.2
> 10.0.12.0/24 dev eth2  proto kernel  scope link  src 10.0.12.2
> 10.52.0.0/24 dev eth0  proto kernel  scope link  src 10.52.0.77
> ---------------------------------------------------------------------------------------
> 
> after
> shorewall start
> default  proto zebra
>     nexthop via 10.0.11.1  dev eth1 weight 1
>     nexthop via 10.0.12.1  dev eth2 weight 1
> 8.8.4.4 via 10.0.12.1 dev eth2  proto zebra
> 8.8.8.8 via 10.0.11.1 dev eth1  proto zebra
> 10.0.11.0/24 dev eth1  proto kernel  scope link  src 10.0.11.2
> 10.0.11.1 dev eth1  scope link  src 10.0.11.2  <============= THESE
> cause the problem ..
> 10.0.12.0/24 dev eth2  proto kernel  scope link  src 10.0.12.2
> 10.0.12.1 dev eth2  scope link  src 10.0.12.2 <============= **** Problem
> 10.52.0.0/24 dev eth0  proto kernel  scope link  src 10.52.0.77
> 
> Entered a
> and got an inactive route
> S>* 8.8.8.8/32 [1/0] via 10.0.11.1, eth1
> S   9.9.9.9/32 [1/0] via 10.0.11.1 inactive
> C>* 10.0.11.0/24 is directly connected, eth1
> 
> No mater what the providers file configuration was.
> 
> So I guess the question is,
> Isn't  the route entry "10.0.11.1 dev eth1  scope link  src 10.0.11.2
> redundant
> and covered all-ready by "10.0.11.0/24 dev eth1  proto kernel  scope
> link  src 10.0.11.2" ????
> 
> If I remove these routes from the tables all seem to work with no
> problem at all and very smoothly!


Those routes are there because the firewall won't start on some
distributions without them.

Apply the attached patch and add the 'nohostroute' option to your providers.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

diff --git a/Shorewall/Perl/Shorewall/Providers.pm b/Shorewall/Perl/Shorewall/Providers.pm
index 08ead0a..5c19875 100644
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -474,14 +474,14 @@ sub process_a_provider( $ ) {
 	$gateway = '';
     }
 
-    my ( $loose, $track, $balance, $default, $default_balance, $optional, $mtu, $tproxy, $local, $load, $what );
+    my ( $loose, $track, $balance, $default, $default_balance, $optional, $mtu, $tproxy, $local, $load, $what, $hostroute );
 
     if ( $pseudo ) {	
-	( $loose, $track,                   $balance , $default, $default_balance,                $optional,                           $mtu, $tproxy , $local, $load, $what ) =
-	( 0,      0                       , 0 ,        0,        0,                               1                                  , ''  , 0       , 0,      0,     'interface');
+	( $loose, $track,                   $balance , $default, $default_balance,                $optional,                           $mtu, $tproxy , $local, $load, $what ,      $hostroute ) =
+	( 0,      0                       , 0 ,        0,        0,                               1                                  , ''  , 0       , 0,      0,     'interface', 0);
     } else {
-	( $loose, $track,                   $balance , $default, $default_balance,                $optional,                           $mtu, $tproxy , $local, $load, $what )=
-	( 0,      $config{TRACK_PROVIDERS}, 0 ,        0,        $config{USE_DEFAULT_RT} ? 1 : 0, interface_is_optional( $interface ), ''  , 0       , 0,      0,     'provider');
+	( $loose, $track,                   $balance , $default, $default_balance,                $optional,                           $mtu, $tproxy , $local, $load, $what      , $hostroute )=
+	( 0,      $config{TRACK_PROVIDERS}, 0 ,        0,        $config{USE_DEFAULT_RT} ? 1 : 0, interface_is_optional( $interface ), ''  , 0       , 0,      0,     'provider',  1);
     }
 
     unless ( $options eq '-' ) {
@@ -535,6 +535,10 @@ sub process_a_provider( $ ) {
 		$noautosrc = 0;
 	    } elsif ( $option eq 'noautosrc' ) {
 		$noautosrc = 1;
+	    } elsif ( $option eq 'hostroute' ) {
+		$hostroute = 1;
+	    } elsif ( $option eq 'nohostroute' ) {
+		$hostroute = 0;
 	    } else {
 		fatal_error "Invalid option ($option)";
 	    }
@@ -642,6 +646,7 @@ sub process_a_provider( $ ) {
 			   load        => $load ,
 			   pseudo      => $pseudo ,
 			   what        => $what ,
+			   hostroute   => $hostroute ,
 			   rules       => [] ,
 			   routes      => [] ,
 			   routedests  => {} ,
@@ -718,6 +723,7 @@ sub add_a_provider( $$ ) {
     my $pseudo      = $providerref->{pseudo};
     my $what        = $providerref->{what};
     my $label       = $pseudo ? 'Optional Interface' : 'Provider';
+    my $hostroute   = $providerref->{hostroute};
 
     my $dev         = var_base $physical;
     my $base        = uc $dev;
@@ -798,13 +804,16 @@ CEOF
 
     if ( $gateway ) {
 	$address = get_interface_address $interface unless $address;
-	if ( $family == F_IPV4 ) {
-	    emit "run_ip route replace $gateway src $address dev $physical ${mtu}";
-	    emit "run_ip route replace $gateway src $address dev $physical ${mtu}table $id $realm";
-	} else {
-	    emit "qt \$IP -6 route add $gateway src $address dev $physical ${mtu}";
-	    emit "qt \$IP -6 route del $gateway src $address dev $physical ${mtu}table $id $realm";
-	    emit "run_ip route add $gateway src $address dev $physical ${mtu}table $id $realm";
+
+	if ( $hostroute ) {
+	    if ( $family == F_IPV4 ) {
+		emit "run_ip route replace $gateway src $address dev $physical ${mtu}";
+		emit "run_ip route replace $gateway src $address dev $physical ${mtu}table $id $realm";
+	    } else {
+		emit "qt \$IP -6 route add $gateway src $address dev $physical ${mtu}" if $hostroute;
+		emit "qt \$IP -6 route del $gateway src $address dev $physical ${mtu}table $id $realm";
+		emit "run_ip route add $gateway src $address dev $physical ${mtu}table $id $realm";
+	    }
 	}
 
 	emit "run_ip route add default via $gateway src $address dev $physical ${mtu}table $id $realm";

signature.asc
Description: OpenPGP digital signature

------------------------------------------------------------------------------
LIMITED TIME SALE - Full Year of Microsoft Training For Just $49.99!
1,500+ hours of tutorials including VisualStudio 2012, Windows 8, SharePoint
2013, SQL 2012, MVC 4, more. BEST VALUE: New Multi-Library Power Pack includes
Mobile, Cloud, Java, and UX Design. Lowest price ever! Ends 9/20/13. 
http://pubads.g.doubleclick.net/gampad/clk?id=58041151&iu=/4140/ostg.clktrk

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users

Re: [Shorewall-users] quagga zebra + shorewall Strange Problem

Reply via email to