Hello,

I'm updating some shorewall firewalls from CentOS6 to CentOS7. They have
multiple internet providers.
With CentOS6 kernel, routes were cached, and the same target was always
reached via the same internet provider and the same IP. In linux-3.6,
routing cache was removed, and I'm facing problems in CentOS7 accessing
services which track where a client is coming from. 
The routing cache solution was sub-optimal, since all the sources were going
to use the same provider to access the same host, but it did work. I worked
around the problem by statically defining which provider to use to access
the problematic services, changing the provider when needed (see LSM 0.178
and 0.179). But again this solution is not optimal.
So, is it possible in Shorewall to make sure that the same triplet (source
ip, dest ip, dest port) will always go with the same provider?

If not, I found a thread here
http://www.spinics.net/lists/netfilter/msg55150.html .
There, the outgoing packets are added to appropriate ipsets in the
POSTROUTING mangle chain. The set is chosen based on the outgoing interface
(i.e. the provider) chosen by the routing algorithm.
The ipsets are of type hash:ip,port,ip.
Then, the ipsets are used to mark subsequent packets to always go to the
same provider.

Is it possible to do something like this in Shorewall? If not, would it be
fine to add an ACTION in the mangle file, similarly to ADD/DEL in rules file?
(or maybe, would it be possible to specify which chain to add the rule for
ADD/DEL in rules?)

Thank you
Luigi
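
The mechanism described in the post above, as an added example that is not
part of the original message, of the linked netfilter thread, or of
Shorewall: one hash:ip,port,ip set per provider, mangle POSTROUTING records
the (source ip, dest port, dest ip) triplet in the set of the interface the
packet actually left on, and mangle PREROUTING/OUTPUT restore that
provider's fwmark for later packets with the same triplet. Provider names,
interfaces and mark values (wan1/eth1/1, wan2/eth2/2) are hypothetical, as is
the one-hour idle timeout. The script only generates rule text in
ipset/iptables-restore syntax so it can be reviewed offline; on a real
gateway the mark rules must run before whatever rules balance new
connections across providers, and the marks must have matching
fwmark-based ip rules (which Shorewall's providers file sets up from its
MARK column).

```shell
#!/bin/sh
# Added example (not code from the post, the netfilter thread, or
# Shorewall): generate ipset + iptables mangle rules that pin the triplet
# (src ip, dst ip, dst port) to the provider it first went out on.
# Provider specs, interfaces and marks below are hypothetical.
set -eu

# Idle timeout in seconds; after this a triplet may be re-balanced.
STICKY_TIMEOUT=${STICKY_TIMEOUT:-3600}

# sticky_rules NAME:IFACE:MARK ...
# Prints an "ipset restore" script followed by an "iptables-restore"
# mangle table. Set entries are (src ip, dst port, dst ip), which is
# what the flag list src,dst,dst selects on a hash:ip,port,ip set.
sticky_rules() {
    # 1. One set per provider, with a default entry timeout.
    for spec in "$@"; do
        name=${spec%%:*}
        printf 'create sticky_%s hash:ip,port,ip timeout %s\n' \
            "$name" "$STICKY_TIMEOUT"
    done

    # 2. mangle table.
    printf '*mangle\n'
    # 2a. Before the routing decision (forwarded and locally generated
    #     traffic): a triplet already pinned to a provider gets that
    #     provider's fwmark, so the fwmark ip rule routes it there.
    for chain in PREROUTING OUTPUT; do
        for spec in "$@"; do
            name=${spec%%:*}
            mark=${spec##*:}
            printf '%s %s -m set --match-set sticky_%s src,dst,dst -j MARK --set-mark %s\n' \
                "-A" "$chain" "$name" "$mark"
        done
    done
    # 2b. After the routing decision: record the provider the packet is
    #     really leaving on. mangle POSTROUTING runs before nat
    #     POSTROUTING, so the source address is still the internal
    #     client, i.e. the same value PREROUTING will see next time.
    #     --exist refreshes the timeout of an entry that is already there.
    for spec in "$@"; do
        name=${spec%%:*}
        rest=${spec#*:}
        iface=${rest%%:*}
        printf '%s POSTROUTING -o %s -j SET --add-set sticky_%s src,dst,dst --exist\n' \
            "-A" "$iface" "$name"
    done
    printf 'COMMIT\n'
}

# Two-uplink gateway with hypothetical provider names, interfaces and marks.
sticky_rules "wan1:eth1:1" "wan2:eth2:2"
```

The generated text is meant to be split and fed to `ipset restore` and
`iptables-restore -n` (the latter so existing chains are kept); the set
timeout is what keeps the pinning from becoming permanent once a client
stops talking to a host.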

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users