Thank you Bill, that's immensely helpful. Just curious why you are using a
mask for the marks? And why in particular, 0x3f000?
- Norm

On Sun, May 7, 2017 at 6:12 AM, Bill Shirley <
[email protected]> wrote:

> I don't have a providers file but I do have two internet providers and use
> ipsets.  Perhaps this may help.
> (Note I use variables defined in Shorewall params):
>
> Shorewall mangle:
> MARK($COMCAST_MARK1/$CONNMASK):P    - +$COMCAST1_IPSET
>
> ip rule:
> .
> .
> 10101:    from all fwmark 0x4000/0x3ff00 lookup Comcast_ip1
>
> If you run a Red Hat distro, you can create a file
> /etc/sysconfig/network-scripts/rule-eth1 which will add the rule when the
> interface comes up:
>      fwmark 0x4000/0x3f000 lookup Comcast_ip1 pri 10101
> and /etc/sysconfig/network-scripts/route-eth1:
>      default via 173.xxx.y.254 dev ccast  proto static  src 173.xxx.y.249
> and of course, your table name (Comcast_ip1) has to be defined in
> /etc/iproute2/rt_tables.
>
> So in the mangle rule instead of +$COMCAST1_IPSET, you would use
> +unitelusers.  Perhaps you can translate this into provider marks.  Set the
> rule priority appropriately also.
>
> One additional thought: you might mark your low priority services to use
> your 2nd ISP and just wait until it comes back up:
> Shorewall mangle:
> MARK($BUDGET_ISP/$CONNMASK)        $FW                - tcp    smtp
>
> HTH,
> Bill
>
>
> On 5/5/2017 8:23 PM, Tom Eastep wrote:
> > On 05/05/2017 09:52 AM, Norman Henderson wrote:
> >> Are ipsets not supposed to work with route_rules, or am I missing
> >> something?
> >>
> > Ipsets are not supported in rtrules -- this is a Linux networking
> > restriction, independent of Shorewall.
> >
> > - -Tom
> > - --
> > Tom Eastep        \   Q: What do you get when you cross a mobster with
> > Shoreline,         \     an international standard?
> > Washington, USA     \ A: Someone who makes you an offer you can't
> > http://shorewall.net \________________________________________________
> >
> > ------------------------------------------------------------------------------
> > Check out the vibrant tech community on one of the world's most
> > engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> > _______________________________________________
> > Shorewall-users mailing list
> > [email protected]
> > https://lists.sourceforge.net/lists/listinfo/shorewall-users
>
>
>
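
Added example (not written by anyone in this thread, and not Shorewall code): how an "ip rule" selector of the form fwmark VALUE/MASK is evaluated. A rule matches when (mark AND mask) equals (VALUE AND mask), so bits of the packet mark outside the mask are ignored. The 10101 rule is the one quoted above; the Budget_isp table, its 0x8000 mark, and the helper names fwmark_match and table_for_mark are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed sample in `ip rule show` layout. Only rule 10101 comes from the
# thread; Budget_isp and its 0x8000 mark are hypothetical.
RULES='10101: from all fwmark 0x4000/0x3f000 lookup Comcast_ip1
10102: from all fwmark 0x8000/0x3f000 lookup Budget_isp
32766: from all lookup main'

# fwmark_match MARK VALUE MASK
# Succeeds when the mark equals VALUE on the bits selected by MASK.
fwmark_match() {
    [ $(( ($1 & $3) == ($2 & $3) )) -eq 1 ]
}

# table_for_mark MARK
# Walks the rules in priority order and prints the table of the first match.
table_for_mark() {
    mark=$1
    while read -r prio f_from f_all kw arg f_lookup table; do
        if [ "$kw" = fwmark ]; then
            value=${arg%/*}
            mask=${arg#*/}
            # `ip rule show` omits the mask when it is the full 32 bits.
            if [ "$mask" = "$arg" ]; then mask=0xffffffff; fi
            if fwmark_match "$mark" "$value" "$mask"; then
                echo "$table"
                return 0
            fi
        elif [ "$kw" = lookup ]; then
            # Rule with no fwmark selector: matches every mark.
            echo "$arg"
            return 0
        fi
    done <<EOF
$RULES
EOF
    return 1
}

# Marks to try (constructed): an exact match, a match with extra low bits
# set, the second provider, and a mark with no provider bits at all.
for m in 0x4000 0x4005 0x8000 0x5; do
    echo "mark $m -> table $(table_for_mark "$m")"
done
```

On a live system, "ip rule show" lists the real rules and "ip route get ADDRESS mark MARK" reports the route the kernel actually picks for a given mark.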