On 02/17/2016 07:45 AM, Steve Wray wrote:
> We use shorewall TProxy to do some transparent proxying (of clients
> coming in via haproxy, so that the back-end servers can see the client
> IP address rather than the haproxy IP address). Part of the problem I've
> encountered is that either Shorewall does the whole thing or we do the
> policy routing and transparency outside of Shorewall or we stop
> shorewall managing the /etc/iproute2/rt_tables file (This is in Debian
> 8) and do them separately, it's getting ugly.
>
> xxx.xxx.xxx.121 and/or xxx.xxx.xxx.122 are local addresses assigned to
> eth2, however it's under keepalived and .122 is the floating IP.
>
> The routing table looks like this:
>
> 192.168.2.0/24 dev eth0 proto kernel scope link src 192.168.2.8
> xxx.xxx.xxx.112/28 dev eth1 proto kernel scope link src xxx.xxx.xxx.118
> xxx.xxx.xxx.112/28 dev eth2 proto kernel scope link src xxx.xxx.xxx.121
> 224.0.0.0/4 dev eth1 scope link
>

Shorewall cannot replicate this routing configuration, because there is
no default route in this table. Shorewall's policy routing only handles:

- Multiple active uplinks
- TProxy
- HAProxy transparent mode (Added in 5.0.4)

The last two are mutually-exclusive.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
