Santa, add to my Christmas wish list: the switch test in the mangle table.
I have two sites (SiteA and SiteB) both using IPSEC.
SiteA has two internet providers (A1 and A2).
SiteB also has two ISPs (B1 and B2).
In my mangle table I have to decide which pair to send traffic over:
?COMMENT -vpn- mark for encryption
# these are in reverse preference
#$SiteB_VPN1_FWMARK/$CONNMASK $FW +$SiteB_VPN1_IPSET { test=$SiteB_VPN_GRP_MARK/$CONNMASK:C } # A1 <-> B1
$SiteB_VPN2_FWMARK/$CONNMASK $FW +$SiteB_VPN2_IPSET { test=$SiteB_VPN_GRP_MARK/$CONNMASK:C } # A2 <-> B2
$SiteB_VPN1_FWMARK/$CONNMASK $FW +$SiteB_VPN1_IPSET { test=$SiteB_VPN_GRP_MARK/$CONNMASK:C } # A1 <-> B1
So the preferred flow is over A1 <-> B1. However, if that flow goes flakey,
currently I un-comment the first rule and comment the third rule so the
preferred flow is now over A2 <-> B2. If I could add a switch to the third
rule (switch=VPN_prefer_A=1) then I wouldn't have to edit the mangle table to
change preferred flows. Similar rules are in prerouting.
I'd also like a shiny new red wagon and maybe some cash. :-)
Thanks,
Bill