On 11/10/2016 12:44 PM, Brian J. Murrell wrote:
> On Wed, 2016-11-09 at 10:25 -0800, Tom Eastep wrote:
>> On 11/09/2016 08:29 AM, Tom Eastep wrote:
>>
>>>
>>>
>>> You *always* need SNAT on a router that can direct traffic to
>>> one provider or another.
>
> That seems a pity. It doesn't seem unreasonable that an RA could
> include direction on how to choose a route/source address when
> more than one is present.
That works without SNAT, provided that the uplinks from the router are
always available or you don't want fallback. What I meant above is
that if the *router* is making the decision (and not the clients
behind the router), then SNAT is required.
>
>> Multi-hop routes are still not working quite correctly in
>> iproute2/kernel :-( They are adding multiple routes with all but
>> the last one specifying a metric. So multiple 'balance' or
>> 'fallback' providers still aren't working as expected in
>> Shorewall6.
>
> So what's the solution here? Just don't use balance or fallback
> at all? I tried removing all of those and I don't think I see any
> difference in my routing rules/tables than before.
>
> Maybe I should ask as this point, what should it look like, so that
> I have a point of reference.
>
Attached are an IPv4 providers file (providers) and an IPv6 file
(providers6).
The other attachments are:
fallback IPv4 routing when FALLBACK=Yes
balance IPv4 routing when BALANCE=Yes
statistical IPv4 routing and mangle table when STATISTICAL=Yes
fallback6 IPv6 routing when FALLBACK=Yes
statistical IPv6 routing and mangle table when FALLBACK is not defined
HTH,
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
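The point made above, that SNAT is unavoidable once the router rather than the host chooses the uplink, reduced to the bare ip/iptables scaffolding that one providers entry expands to. This is an added example, not Shorewall's generated rules: the interface names, gateways, addresses and the 0x30000 mark field are lifted from the dumps attached below as placeholders; treating br0 as the LAN side and saving the connection mark in mangle POSTROUTING (Shorewall saves it in its routemark chain instead) are assumptions of this script. It only prints the commands unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example (not Shorewall's generated rules): the per-provider policy
# routing that a providers entry expands to, plus the SNAT step that is
# required once the router, not the host, picks the uplink.
# Assumptions: provider marks live in bits 0x30000, br0 is the LAN side, the
# connection mark is saved in mangle POSTROUTING.  Dry run unless APPLY=1.

run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# provider TABLE MARK IFACE GATEWAY SRC_ADDR
provider() {
    table=$1 mark=$2 iface=$3 gw=$4 src=$5
    # A table holding only this provider's default route.
    run ip route replace default via "$gw" dev "$iface" src "$src" table "$table"
    # Packets sourced from this provider's address, or carrying its mark, use it.
    run ip rule add from "$src" table "$table" priority 1000
    run ip rule add fwmark "$mark/0x30000" table "$table" priority $((10000 + table))
    # Connections that arrived on this uplink get its mark so replies leave the same way.
    run iptables -t mangle -A PREROUTING -i "$iface" -m mark --mark 0x0/0x30000 \
        -j MARK --set-xmark "$mark/0x30000"
    # Whatever the router steers out of this uplink must carry an address this
    # provider will accept and route back.  Without SNAT a connection that the
    # other provider's address was chosen for leaks out here and no reply returns.
    run iptables -t nat -A POSTROUTING -o "$iface" -j SNAT --to-source "$src"
}

# balance CHAIN [match...]: new, still-unmarked connections pick a provider by
# weighted random draw (1/3 to the 0x20000 provider, the rest to 0x10000).
balance() {
    chain=$1; shift
    run iptables -t mangle -A "$chain" "$@" -m conntrack --ctstate NEW -m mark --mark 0x0/0x30000 \
        -m statistic --mode random --probability 0.33333333 -j MARK --set-xmark 0x20000/0x30000
    run iptables -t mangle -A "$chain" "$@" -m conntrack --ctstate NEW -m mark --mark 0x0/0x30000 \
        -j MARK --set-xmark 0x10000/0x30000
}

scaffold() {
    # Restore a saved connection mark first so later packets follow the first one.
    run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark --nfmask 0x30000 --ctmask 0x30000
    run iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark --nfmask 0x30000 --ctmask 0x30000
    provider 1 0x20000 eth0 10.2.10.1 10.2.10.2
    provider 4 0x10000 eth1 10.1.10.1 70.90.191.121
    balance PREROUTING -i br0
    balance OUTPUT
    # Persist whichever mark was chosen so the rest of the connection sticks to it.
    run iptables -t mangle -A POSTROUTING -m mark ! --mark 0x0/0x30000 \
        -j CONNMARK --save-mark --nfmask 0x30000 --ctmask 0x30000
}

scaffold
```

The ordering matters: the CONNMARK restore must precede the per-interface marking, and the random draw must come after it, otherwise a connection that already has a saved mark would be re-balanced on every packet. The `from $src` rule at priority 1000 covers the router's own traffic that binds a provider address explicitly; forwarded traffic never matches it, which is why the fwmark rules and the SNAT rule are what make router-side selection work.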
[Attachment "balance": IPv4 routing when BALANCE=Yes]
Shorewall 5.0.15-Beta1 Routing at gateway - Fri Nov 11 07:56:16 PST 2016
Routing Rules
0: from all lookup local
999: from all lookup main
1000: from 10.2.10.2 lookup IPv6Beta
1000: from 70.90.191.121 lookup ComcastB
1000: from 70.90.191.123 lookup ComcastB
10001: from all fwmark 0x20000/0x30000 lookup IPv6Beta
10003: from all fwmark 0x10000/0x30000 lookup ComcastB
11000: from all iif br0 lookup ComcastB
20000: from 10.2.10.2 lookup IPv6Beta
32765: from all lookup balance
32767: from all lookup default
Table balance:
default nexthop via 10.2.10.1 dev eth0 weight 3 nexthop via 10.1.10.1 dev eth1 weight 1
Table ComcastB:
default via 10.1.10.1 dev eth1 src 70.90.191.121
Table default:
Table IPv6Beta:
default via 10.2.10.1 dev eth0 src 10.2.10.2
Table local:
local 70.90.191.123 dev eth1 proto kernel scope host src 70.90.191.121
local 70.90.191.121 dev eth1 proto kernel scope host src 70.90.191.121
local 70.90.191.121 dev br0 proto kernel scope host src 70.90.191.121
local 172.20.2.254 dev br1 proto kernel scope host src 172.20.2.254
local 172.20.1.253 dev eth2 proto kernel scope host src 172.20.1.253
local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
local 10.2.10.2 dev eth0 proto kernel scope host src 10.2.10.2
local 10.1.10.11 dev eth1 proto kernel scope host src 10.1.10.11
local 10.1.10.100 dev eth1 proto kernel scope host src 10.1.10.11
broadcast 70.90.191.127 dev eth1 proto kernel scope link src 70.90.191.121
broadcast 70.90.191.120 dev eth1 proto kernel scope link src 70.90.191.121
broadcast 172.20.2.255 dev br1 proto kernel scope link src 172.20.2.254
broadcast 172.20.2.0 dev br1 proto kernel scope link src 172.20.2.254
broadcast 172.20.1.255 dev eth2 proto kernel scope link src 172.20.1.253
broadcast 172.20.1.0 dev eth2 proto kernel scope link src 172.20.1.253
broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1
broadcast 127.0.0.0 dev lo proto kernel scope link src 127.0.0.1
broadcast 10.2.10.255 dev eth0 proto kernel scope link src 10.2.10.2
broadcast 10.2.10.0 dev eth0 proto kernel scope link src 10.2.10.2
broadcast 10.1.10.255 dev eth1 proto kernel scope link src 10.1.10.11
broadcast 10.1.10.0 dev eth1 proto kernel scope link src 10.1.10.11
local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1
Table main:
unreachable 192.168.0.0/16
unreachable 172.16.0.0/12
unreachable 10.0.0.0/8
96.120.100.113 via 10.2.10.1 dev eth0
70.90.191.125 dev br0 scope link
70.90.191.124 dev br0 scope link
70.90.191.122 dev br0 scope link
10.2.10.1 dev eth0 scope link src 10.2.10.2
10.1.10.1 dev eth1 scope link src 70.90.191.121
70.90.191.120/29 dev eth1 proto kernel scope link src 70.90.191.121
172.20.2.0/24 dev br1 proto kernel scope link src 172.20.2.254
172.20.1.0/24 dev eth2 proto kernel scope link src 172.20.1.253
10.2.10.0/24 dev eth0 proto kernel scope link src 10.2.10.2
10.1.10.0/24 dev eth1 proto kernel scope link src 10.1.10.11
[Attachment "fallback": IPv4 routing when FALLBACK=Yes]
Shorewall 5.0.15-Beta1 Routing at gateway - Fri Nov 11 07:55:40 PST 2016
Routing Rules
0: from all lookup local
999: from all lookup main
1000: from 10.2.10.2 lookup IPv6Beta
1000: from 70.90.191.121 lookup ComcastB
1000: from 70.90.191.123 lookup ComcastB
10000: from all fwmark 0x20000/0x30000 lookup IPv6Beta
10003: from all fwmark 0x10000/0x30000 lookup ComcastB
11000: from all iif br0 lookup ComcastB
32765: from all lookup balance
32767: from all lookup default
Table balance:
default via 10.2.10.1 dev eth0
Table ComcastB:
10.1.10.1 dev eth1 scope link src 70.90.191.121
default via 10.1.10.1 dev eth1 src 70.90.191.121
Table default:
10.1.10.1 dev eth1 scope link
default via 10.1.10.1 dev eth1 src 70.90.191.121 metric 4
Table IPv6Beta:
10.2.10.1 dev eth0 scope link src 10.2.10.2
default via 10.2.10.1 dev eth0 src 10.2.10.2
Table local:
local 70.90.191.123 dev eth1 proto kernel scope host src 70.90.191.121
local 70.90.191.121 dev eth1 proto kernel scope host src 70.90.191.121
local 70.90.191.121 dev br0 proto kernel scope host src 70.90.191.121
local 172.20.2.254 dev br1 proto kernel scope host src 172.20.2.254
local 172.20.1.253 dev eth2 proto kernel scope host src 172.20.1.253
local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
local 10.2.10.2 dev eth0 proto kernel scope host src 10.2.10.2
local 10.1.10.11 dev eth1 proto kernel scope host src 10.1.10.11
local 10.1.10.100 dev eth1 proto kernel scope host src 10.1.10.11
broadcast 70.90.191.127 dev eth1 proto kernel scope link src 70.90.191.121
broadcast 70.90.191.120 dev eth1 proto kernel scope link src 70.90.191.121
broadcast 172.20.2.255 dev br1 proto kernel scope link src 172.20.2.254
broadcast 172.20.2.0 dev br1 proto kernel scope link src 172.20.2.254
broadcast 172.20.1.255 dev eth2 proto kernel scope link src 172.20.1.253
broadcast 172.20.1.0 dev eth2 proto kernel scope link src 172.20.1.253
broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1
broadcast 127.0.0.0 dev lo proto kernel scope link src 127.0.0.1
broadcast 10.2.10.255 dev eth0 proto kernel scope link src 10.2.10.2
broadcast 10.2.10.0 dev eth0 proto kernel scope link src 10.2.10.2
broadcast 10.1.10.255 dev eth1 proto kernel scope link src 10.1.10.11
broadcast 10.1.10.0 dev eth1 proto kernel scope link src 10.1.10.11
local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1
Table main:
unreachable 192.168.0.0/16
unreachable 172.16.0.0/12
unreachable 10.0.0.0/8
96.120.100.113 via 10.2.10.1 dev eth0
70.90.191.125 dev br0 scope link
70.90.191.124 dev br0 scope link
70.90.191.122 dev br0 scope link
10.2.10.1 dev eth0 scope link src 10.2.10.2
10.1.10.1 dev eth1 scope link src 70.90.191.121
70.90.191.120/29 dev eth1 proto kernel scope link src 70.90.191.121
172.20.2.0/24 dev br1 proto kernel scope link src 172.20.2.254
172.20.1.0/24 dev eth2 proto kernel scope link src 172.20.1.253
10.2.10.0/24 dev eth0 proto kernel scope link src 10.2.10.2
10.1.10.0/24 dev eth1 proto kernel scope link src 10.1.10.11
[Attachment "fallback6": IPv6 routing when FALLBACK=Yes]
Shorewall6 5.0.15-Beta1 Routing at gateway - Fri Nov 11 07:59:46 PST 2016
Routing Rules
0: from all lookup local
1: from all fwmark 0x800/0x800 lookup Tproxy
999: from all lookup main
10000: from all fwmark 0x100/0x300 lookup IPv6Beta
10001: from all fwmark 0x200/0x300 lookup HE
11000: from 2601:601:8b00:bf0::/64 lookup IPv6Beta
11000: from 2001:470:b:227::/64 lookup HE
20000: from 2001:470:a:227::2 lookup HE
32765: from all lookup balance
32767: from all lookup default
Table balance:
default via fe80::22e5:2aff:feb7:f2cf dev eth0 metric 1024
default dev sit1 metric 1024
Table default:
default dev sit1 metric 2
Table HE:
default dev sit1 metric 1024
Table IPv6Beta:
fe80::22e5:2aff:feb7:f2cf dev eth0 src 2601:601:8b00:b00::1 metric 1024
default via fe80::22e5:2aff:feb7:f2cf dev eth0 src 2601:601:8b00:b00::1 metric 1024
Table local:
local fe80::fc8c:1eff:fee7:8a0 dev lo proto none metric 0
local fe80::fc18:feff:fefe:ca16 dev lo proto none metric 0
local fe80::fc0f:ccff:fef5:1637 dev lo proto none metric 0
local fe80:: dev lo proto none metric 0
local fe80:: dev lo proto none metric 0
local fe80:: dev lo proto none metric 0
local fe80:: dev lo proto none metric 0
local fe80:: dev lo proto none metric 0
local fe80:: dev lo proto none metric 0
local fe80:: dev lo proto none metric 0
local fe80:: dev lo proto none metric 0
local fe80::bcd1:92ff:fe59:354c dev lo proto none metric 0
local fe80::a2e:5fff:fe2d:1e7d dev lo proto none metric 0
local fe80::a236:9fff:feac:88dc dev lo proto none metric 0
local fe80::465a:bf7b dev lo proto none metric 0
local fe80::2060:aff:fe20:c10c dev lo proto none metric 0
local 2601:601:8b00:bf1:: dev lo proto none metric 0
local 2601:601:8b00:bf1::1 dev lo proto none metric 0
local 2601:601:8b00:bf0:: dev lo proto none metric 0
local 2601:601:8b00:bf0::1 dev lo proto none metric 0
local 2601:601:8b00:b00:: dev lo proto none metric 0
local 2601:601:8b00:b00::1 dev lo proto none metric 0
local 2001:470:b:227:: dev lo proto none metric 0
local 2001:470:b:227::1 dev lo proto none metric 0
local 2001:470:a:227:: dev lo proto none metric 0
local 2001:470:a:227::2 dev lo proto none metric 0
local ::1 dev lo proto none metric 0
ff00::/8 dev veth2 metric 256
ff00::/8 dev veth1 metric 256
ff00::/8 dev veth0 metric 256
ff00::/8 dev sit1 metric 256
ff00::/8 dev eth2 metric 256
ff00::/8 dev eth0 metric 256
ff00::/8 dev br1 metric 256
ff00::/8 dev br0 metric 256
Table main:
local ::1 dev lo proto kernel metric 256
fe80::22e5:2aff:feb7:f2cf dev eth0 src 2601:601:8b00:b00::1 metric 1024
2001:558:4082:b::1 via fe80::22e5:2aff:feb7:f2cf dev eth0 metric 1024
2001:470:a:227::1 dev sit1 metric 1024
fe80::/64 dev veth2 proto kernel metric 256
fe80::/64 dev veth1 proto kernel metric 256
fe80::/64 dev veth0 proto kernel metric 256
fe80::/64 dev sit1 proto kernel metric 256
fe80::/64 dev eth2 proto kernel metric 256
fe80::/64 dev eth0 proto kernel metric 256
fe80::/64 dev br1 proto kernel metric 256
fe80::/64 dev br0 proto kernel metric 256
2601:601:8b00:bf1::/64 dev br1 proto kernel metric 256
2601:601:8b00:bf0::/64 dev eth2 proto kernel metric 256
2601:601:8b00:b00::/64 dev eth0 proto kernel metric 256
2001:470:b:227::/64 dev br0 proto kernel metric 256
2001:470:a:227::/64 dev sit1 proto kernel metric 256
Table Tproxy:
local default dev lo metric 1024
[Attachment "providers": IPv4 providers file]
#NAME     NUMBER  MARK     DUPLICATE  INTERFACE  GATEWAY        OPTIONS                               COPY
?IF $FALLBACK
?INFO Compiling with FALLBACK
IPv6Beta  1       0x20000  -          COMB_IF    10.2.10.1      loose,primary,persistent
ComcastB  4       0x10000  -          IPV4_IF    10.1.10.1      loose,fallback,persistent
?ELSIF $STATISTICAL
?INFO Compiling with STATISTICAL
IPv6Beta  1       0x20000  -          COMB_IF    10.2.10.1      loose,load=0.33333333
ComcastB  4       0x10000  -          IPV4_IF    10.1.10.1      loose,load=0.66666667,fallback
?ELSE
?INFO Compiling with BALANCE
IPv6Beta  2       0x20000  -          COMB_IF    10.2.10.1      nohostroute,balance=3,persistent
ComcastB  4       0x10000  -          IPV4_IF    10.1.10.1      nohostroute,loose,balance,persistent
#ComcastB 4       0x10000  -          dummy0     192.168.1.254  nohostroute,loose,balance,persistent
?ENDIF
?IF $PROXY && ! $SQUID2
TProxy    3       -        -          lo         -              tproxy
?ENDIF
[Attachment "providers6": IPv6 providers file]
#
# Shorewall6 version 4 - Providers File
#
# For information about entries in this file, type "man shorewall6-providers"
#
# For additional information, see http://shorewall.net/MultiISP.html
#
############################################################################################################
#NAME     NUMBER  MARK   DUPLICATE  INTERFACE  GATEWAY                    OPTIONS                                 COPY
?IF $FALLBACK
IPv6Beta  1       0x100  -          eth0       fe80::22e5:2aff:feb7:f2cf  track,primary,loose,persistent
HE        2       0x200  -          sit1       -                          track,fallback,persistent
?ELSE
IPv6Beta  1       0x100  -          eth0       fe80::22e5:2aff:feb7:f2cf  track,load=0.66666667,loose,persistent
HE        2       0x200  -          sit1       -                          track,load=0.33333333,persistent
?ENDIF
Tproxy    3       -      -          lo         -                          tproxy
[Attachment "statistical": IPv4 routing and mangle table when STATISTICAL=Yes]
Shorewall 5.0.15-Beta1 Routing at gateway - Fri Nov 11 07:56:57 PST 2016
Routing Rules
0: from all lookup local
999: from all lookup main
1000: from 10.2.10.2 lookup IPv6Beta
1000: from 70.90.191.121 lookup ComcastB
1000: from 70.90.191.123 lookup ComcastB
10000: from all fwmark 0x20000/0x30000 lookup IPv6Beta
10003: from all fwmark 0x10000/0x30000 lookup ComcastB
11000: from all iif br0 lookup ComcastB
32765: from all lookup balance
32767: from all lookup default
Table balance:
Table ComcastB:
10.1.10.1 dev eth1 scope link src 70.90.191.121
default via 10.1.10.1 dev eth1 src 70.90.191.121
Table default:
10.1.10.1 dev eth1 scope link
default via 10.1.10.1 dev eth1 src 70.90.191.121 metric 4
Table IPv6Beta:
10.2.10.1 dev eth0 scope link src 10.2.10.2
default via 10.2.10.1 dev eth0 src 10.2.10.2
Table local:
local 70.90.191.123 dev eth1 proto kernel scope host src 70.90.191.121
local 70.90.191.121 dev eth1 proto kernel scope host src 70.90.191.121
local 70.90.191.121 dev br0 proto kernel scope host src 70.90.191.121
local 172.20.2.254 dev br1 proto kernel scope host src 172.20.2.254
local 172.20.1.253 dev eth2 proto kernel scope host src 172.20.1.253
local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
local 10.2.10.2 dev eth0 proto kernel scope host src 10.2.10.2
local 10.1.10.11 dev eth1 proto kernel scope host src 10.1.10.11
local 10.1.10.100 dev eth1 proto kernel scope host src 10.1.10.11
broadcast 70.90.191.127 dev eth1 proto kernel scope link src 70.90.191.121
broadcast 70.90.191.120 dev eth1 proto kernel scope link src 70.90.191.121
broadcast 172.20.2.255 dev br1 proto kernel scope link src 172.20.2.254
broadcast 172.20.2.0 dev br1 proto kernel scope link src 172.20.2.254
broadcast 172.20.1.255 dev eth2 proto kernel scope link src 172.20.1.253
broadcast 172.20.1.0 dev eth2 proto kernel scope link src 172.20.1.253
broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1
broadcast 127.0.0.0 dev lo proto kernel scope link src 127.0.0.1
broadcast 10.2.10.255 dev eth0 proto kernel scope link src 10.2.10.2
broadcast 10.2.10.0 dev eth0 proto kernel scope link src 10.2.10.2
broadcast 10.1.10.255 dev eth1 proto kernel scope link src 10.1.10.11
broadcast 10.1.10.0 dev eth1 proto kernel scope link src 10.1.10.11
local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1
Table main:
unreachable 192.168.0.0/16
unreachable 172.16.0.0/12
unreachable 10.0.0.0/8
96.120.100.113 via 10.2.10.1 dev eth0
70.90.191.125 dev br0 scope link
70.90.191.124 dev br0 scope link
70.90.191.122 dev br0 scope link
10.2.10.1 dev eth0 scope link src 10.2.10.2
10.1.10.1 dev eth1 scope link src 70.90.191.121
70.90.191.120/29 dev eth1 proto kernel scope link src 70.90.191.121
172.20.2.0/24 dev br1 proto kernel scope link src 172.20.2.254
172.20.1.0/24 dev eth2 proto kernel scope link src 172.20.1.253
10.2.10.0/24 dev eth0 proto kernel scope link src 10.2.10.2
10.1.10.0/24 dev eth1 proto kernel scope link src 10.1.10.11
Shorewall 5.0.15-Beta1 Mangle Table at gateway - Fri Nov 11 07:58:22 PST 2016
Counters reset Fri Nov 11 07:56:44 PST 2016
Chain PREROUTING (policy ACCEPT 834 packets, 217K bytes)
 pkts bytes target     prot opt in     out     source               destination
  834  217K MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            MARK and 0x0
  834  217K CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0            CONNMARK restore mask 0x30000
    2    60 routemark  all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0x30000
  165  9002 routemark  all  --  eth1   *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0x30000
Chain INPUT (policy ACCEPT 377 packets, 31210 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain FORWARD (policy ACCEPT 457 packets, 186K bytes)
 pkts bytes target     prot opt in     out     source               destination
  457  186K MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            MARK and 0xfffcffff
Chain OUTPUT (policy ACCEPT 432 packets, 33173 bytes)
 pkts bytes target     prot opt in     out     source               destination
  432 33173 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            MARK and 0x0
  432 33173 CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0            CONNMARK restore mask 0x30000
    8   567 balance    all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW,RELATED mark match 0x0/0x30000
Chain POSTROUTING (policy ACCEPT 813 packets, 215K bytes)
 pkts bytes target     prot opt in     out     source               destination
    4   304 CHECKSUM   udp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            CHECKSUM fill
    9   855 CHECKSUM   udp  --  *      br0     0.0.0.0/0            0.0.0.0/0            CHECKSUM fill
Chain balance (2 references)
 pkts bytes target     prot opt in     out     source               destination
    8   567 ~eth0      all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0x30000
    2   151 ~eth1      all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0x30000
Chain routemark (2 references)
 pkts bytes target     prot opt in     out     source               destination
    2    60 MARK       all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x20000/0x30000
  165  9002 MARK       all  --  eth1   *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x10000/0x30000
  167  9062 CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match ! 0x0/0x30000 CONNMARK save mask 0x30000
    0     0 balance    all  --  *      *       0.0.0.0/0            0.0.0.0/0            [goto]  mark match 0x0/0x30000
Chain ~eth0 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    6   416 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            statistic mode random probability 0.33333333023 MARK xset 0x20000/0x30000
Chain ~eth1 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    2   151 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x10000/0x30000
[Attachment: IPv6 statistical routing and mangle table when FALLBACK is not defined]
Shorewall6 5.0.15-Beta1 Routing at gateway - Fri Nov 11 08:23:41 PST 2016
Routing Rules
0: from all lookup local
1: from all fwmark 0x800/0x800 lookup Tproxy
999: from all lookup main
10000: from all fwmark 0x100/0x300 lookup IPv6Beta
10001: from all fwmark 0x200/0x300 lookup HE
11000: from 2601:601:8b00:bf0::/64 lookup IPv6Beta
11000: from 2001:470:b:227::/64 lookup HE
20000: from 2001:470:a:227::2 lookup HE
32765: from all lookup balance
32767: from all lookup default
Table balance:
default via fe80::22e5:2aff:feb7:f2cf dev eth0 metric 1024
default dev sit1 metric 1024
Table default:
Table HE:
default dev sit1 metric 1024
Table IPv6Beta:
fe80::22e5:2aff:feb7:f2cf dev eth0 src 2601:601:8b00:b00::1 metric 1024
default via fe80::22e5:2aff:feb7:f2cf dev eth0 src 2601:601:8b00:b00::1 metric 1024
Table local:
local fe80::fc8c:1eff:fee7:8a0 dev lo proto none metric 0
local fe80::fc18:feff:fefe:ca16 dev lo proto none metric 0
local fe80::fc0f:ccff:fef5:1637 dev lo proto none metric 0
local fe80:: dev lo proto none metric 0
local fe80:: dev lo proto none metric 0
local fe80:: dev lo proto none metric 0
local fe80:: dev lo proto none metric 0
local fe80:: dev lo proto none metric 0
local fe80:: dev lo proto none metric 0
local fe80:: dev lo proto none metric 0
local fe80:: dev lo proto none metric 0
local fe80::bcd1:92ff:fe59:354c dev lo proto none metric 0
local fe80::a2e:5fff:fe2d:1e7d dev lo proto none metric 0
local fe80::a236:9fff:feac:88dc dev lo proto none metric 0
local fe80::465a:bf7b dev lo proto none metric 0
local fe80::2060:aff:fe20:c10c dev lo proto none metric 0
local 2601:601:8b00:bf1:: dev lo proto none metric 0
local 2601:601:8b00:bf1::1 dev lo proto none metric 0
local 2601:601:8b00:bf0:: dev lo proto none metric 0
local 2601:601:8b00:bf0::1 dev lo proto none metric 0
local 2601:601:8b00:b00:: dev lo proto none metric 0
local 2601:601:8b00:b00::1 dev lo proto none metric 0
local 2001:470:b:227:: dev lo proto none metric 0
local 2001:470:b:227::1 dev lo proto none metric 0
local 2001:470:a:227:: dev lo proto none metric 0
local 2001:470:a:227::2 dev lo proto none metric 0
local ::1 dev lo proto none metric 0
ff00::/8 dev veth2 metric 256
ff00::/8 dev veth1 metric 256
ff00::/8 dev veth0 metric 256
ff00::/8 dev sit1 metric 256
ff00::/8 dev eth2 metric 256
ff00::/8 dev eth0 metric 256
ff00::/8 dev br1 metric 256
ff00::/8 dev br0 metric 256
Table main:
local ::1 dev lo proto kernel metric 256
fe80::22e5:2aff:feb7:f2cf dev eth0 src 2601:601:8b00:b00::1 metric 1024
2001:558:4082:b::1 via fe80::22e5:2aff:feb7:f2cf dev eth0 metric 1024
2001:470:a:227::1 dev sit1 metric 1024
fe80::/64 dev veth2 proto kernel metric 256
fe80::/64 dev veth1 proto kernel metric 256
fe80::/64 dev veth0 proto kernel metric 256
fe80::/64 dev sit1 proto kernel metric 256
fe80::/64 dev eth2 proto kernel metric 256
fe80::/64 dev eth0 proto kernel metric 256
fe80::/64 dev br1 proto kernel metric 256
fe80::/64 dev br0 proto kernel metric 256
2601:601:8b00:bf1::/64 dev br1 proto kernel metric 256
2601:601:8b00:bf0::/64 dev eth2 proto kernel metric 256
2601:601:8b00:b00::/64 dev eth0 proto kernel metric 256
2001:470:b:227::/64 dev br0 proto kernel metric 256
2001:470:a:227::/64 dev sit1 proto kernel metric 256
Table Tproxy:
local default dev lo metric 1024
Shorewall6 5.0.15-Beta1 Mangle Table at gateway - Fri Nov 11 08:23:55 PST 2016
Counters reset Fri Nov 11 08:01:20 PST 2016
Chain PREROUTING (policy ACCEPT 4687 packets, 645K bytes)
 pkts bytes target     prot opt in     out     source               destination
 4687  645K CONNMARK   all      *      *       ::/0                 ::/0                 CONNMARK restore mask 0x300
   85 11879 routemark  all      eth0   *       ::/0                 ::/0                 mark match 0x0/0x300
   35  3135 routemark  all      sit1   *       ::/0                 ::/0                 mark match 0x0/0x300
 1749  178K tcpre      all      eth0   *       ::/0                 ::/0
 1608  134K tcpre      all      sit1   *       ::/0                 ::/0
  456 37632 tcpre      all      *      *       ::/0                 ::/0                 mark match 0x0/0x300
    0     0 divert     tcp      *      *       ::/0                 ::/0                 [goto]  tcp spt:80 flags:!0x17/0x02 socket --transparent
    0     0 TPROXY     tcp      eth2   *       ::/0                 !2001:470:b:227::/64  tcp dpt:80 TPROXY redirect :::3129 mark 0x800/0x800
Chain INPUT (policy ACCEPT 3572 packets, 294K bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain FORWARD (policy ACCEPT 1102 packets, 345K bytes)
 pkts bytes target     prot opt in     out     source               destination
 1102  345K MARK       all      *      *       ::/0                 ::/0                 MARK and 0xfffffcff
Chain OUTPUT (policy ACCEPT 4951 packets, 431K bytes)
 pkts bytes target     prot opt in     out     source               destination
 4951  431K CONNMARK   all      *      *       ::/0                 ::/0                 CONNMARK restore mask 0x300
 1450  149K balance    all      *      *       ::/0                 ::/0                 ctstate NEW,RELATED mark match 0x0/0x300
Chain POSTROUTING (policy ACCEPT 6052 packets, 775K bytes)
 pkts bytes target     prot opt in     out     source               destination
  249  223K MARK       all      *      *       2001:470:b:227::40/124  ::/0              /* All DMZ traffic in band 3 by default */ MARK xset 0x3/0xff
  102  9257 MARK       udp      *      *       ::/0                 ::/0                 udp dpt:53 /* But give a boost to DNS queries */ MARK xset 0x2/0xff
    0     0 MARK       udp      *      *       ::/0                 ::/0                 udp spt:53 /* But give a boost to DNS queries */ MARK xset 0x2/0xff
Chain balance (2 references)
 pkts bytes target     prot opt in     out     source               destination
 1450  149K ~eth0      all      *      *       ::/0                 ::/0                 mark match 0x0/0x300
  508 52495 ~sit1      all      *      *       ::/0                 ::/0                 mark match 0x0/0x300
Chain divert (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MARK       all      *      *       ::/0                 ::/0                 MARK or 0x800
    0     0 ACCEPT     all      *      *       ::/0                 ::/0
Chain routemark (2 references)
 pkts bytes target     prot opt in     out     source               destination
   85 11879 MARK       all      eth0   *       ::/0                 ::/0                 MARK xset 0x100/0x300
   35  3135 MARK       all      sit1   *       ::/0                 ::/0                 MARK xset 0x200/0x300
  120 15014 CONNMARK   all      *      *       ::/0                 ::/0                 mark match ! 0x0/0x300 CONNMARK save mask 0x300
    0     0 balance    all      *      *       ::/0                 ::/0                 [goto]  mark match 0x0/0x300
Chain tcpre (3 references)
 pkts bytes target     prot opt in     out     source               destination
  209 18804 HL         all      eth2   *       ::/0                 ::/0                 HL increment by 1
   45  3652 HL         all      br0    *       ::/0                 ::/0                 HL increment by 1
Chain ~eth0 (1 references)
 pkts bytes target     prot opt in     out     source               destination
  942 96930 MARK       all      *      *       ::/0                 ::/0                 statistic mode random probability 0.66666666977 MARK xset 0x100/0x300
Chain ~sit1 (1 references)
 pkts bytes target     prot opt in     out     source               destination
  508 52495 MARK       all      *      *       ::/0                 ::/0                 MARK xset 0x200/0x300
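A check worth running over dumps like the ones above before trusting a multi-provider setup: every fwmark rule should land in a table that exists and holds a default route (otherwise marked traffic falls through to the balance/default tables, not to its provider), and a table in which several default routes carry the same metric expresses no primary/fallback preference at all. This is an added example, not part of the thread or of Shorewall; the embedded dump is constructed with RFC 3849 documentation prefixes in the layout of `shorewall6 show routing` output, and the "Spare" provider in it is deliberately left without a default route so both findings fire.

```shell
#!/bin/sh
# Added example, not Shorewall code: audit a `shorewall show routing` /
# `shorewall6 show routing` dump.  Reports (1) fwmark rules whose table is
# missing or has no default route, and (2) tables in which several default
# routes share a metric.

audit_routing() {   # stdin: the dump
    awk '
      /^Table /      { table = $2; sub(/:$/, "", table); seen[table] = 1; next }
      table == "" && /fwmark/ {                      # still in the "Routing Rules" part
          pri = $1; sub(/:$/, "", pri)
          for (i = 1; i <= NF; i++) if ($i == "lookup") marked[pri] = $(i + 1)
          next
      }
      table != "" && ($1 == "default" || $2 == "default") {   # also "local default" etc.
          m = "none"
          for (i = 1; i <= NF; i++) if ($i == "metric") m = $(i + 1)
          ndef[table]++
          k = table SUBSEP m
          if (++nmet[k] == 2) print "table " table ": several default routes share metric " m
      }
      END {
          for (pri in marked) {
              t = marked[pri]
              if (!(t in seen))      print "rule " pri ": table " t " is missing"
              else if (!(t in ndef)) print "rule " pri ": table " t " has no default route"
          }
      }' | sort
}

# Constructed dump (RFC 3849 documentation prefixes) in the layout of the
# Shorewall6 dumps above; "Spare" is deliberately left without a default route.
sample_dump() {
    cat <<'EOF'
Routing Rules
0:      from all lookup local
1:      from all fwmark 0x800/0x800 lookup Tproxy
999:    from all lookup main
10000:  from all fwmark 0x100/0x300 lookup IPv6Beta
10001:  from all fwmark 0x200/0x300 lookup HE
10002:  from all fwmark 0x300/0x300 lookup Spare
32765:  from all lookup balance
32767:  from all lookup default
Table balance:
default via fe80::1 dev eth0 metric 1024
default dev sit1 metric 1024
Table default:
default dev sit1 metric 2
Table HE:
default dev sit1 metric 1024
Table IPv6Beta:
default via fe80::1 dev eth0 src 2001:db8:a::1 metric 1024
Table Spare:
2001:db8:b::/64 dev eth2 proto kernel metric 256
Table Tproxy:
local default dev lo metric 1024
EOF
}

sample_dump | audit_routing
```

On a live gateway replace the sample with `shorewall6 show routing | audit_routing`. The script treats typed defaults such as `local default` (the Tproxy table) as defaults, so a TPROXY rule does not raise a false finding; the equal-metric report on the balance table is exactly the situation the thread is about, two uplinks in one table with nothing that says which one is preferred.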
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users