From my shorewall.conf:
TC_BITS=8
MASK_BITS=8
PROVIDER_OFFSET=24
PROVIDER_BITS=0
ZONE_BITS=5
# m Shorewall event mark
# t Shorewall tproxy
# x Shorewall exclusion
# z Shorewall zone bits
# j JUNK_MARK for diagnostics
# o NEW_SERVER_OUTPUT - server's output chain
# u unused bits
# p network-daemon ping mark
# i IPSEC VPN
# c connection bits
# s traffic shaping
# ------------------------------------------------------------------------------
#   2    2   2   1
#   9    4   0   6       8       0
# mtxzzzzzjouuuupiccccccccssssssss
# ------------------------------------------------------------------------------
The connection bits are broken down into 4 bits for the interface and 4 for the
IP address.
0x4000/0x3ff00 is interface #4, IP address 0.
0x4100/0x3ff00 is interface #4, IP address 1.
Shorewall params:
CONNMASK=0x3ff00 # change this - change network-daemon
NO_ND_CONNMASK=0x1ff00 # mask without ND ping bit
IF_MASK=0x3f000 # interface mask (any IP address)
IPSEC_MARK=0x10000 # 65536
# { test=$IPSET_NO_GRP_MARK/$IPSEC_NO_GRP_MASK:C} means IPSEC but no group
IPSET_NO_GRP_MARK=0x10000
IPSEC_NO_GRP_MASK=0x18000
ND_PING_MASK=0x20000 # 131072
NEW_SERVER_OUTPUT=0x400000 # 2097152
JUNK_MARK=0x800000 # 8388608
INET2_MARK1=0x4000 # 16384
INET2_IP1=173.xxx.yyy.249
INET2_MARK2=0x4100 # 16640
INET2_IP2=173.xxx.yyy.250
I have a network daemon that pings each ISP connection and VPN connection.
There is a rule
that is always available for ping with a mark (-m 16384, ping requires decimal):
5101: from all fwmark 0x24000/0x3ff00 lookup ping_Comcast
and rules that get removed if an interface goes down:
10101: from all fwmark 0x4000/0x3ff00 lookup Comcast_ip1
10102: from all fwmark 0x4100/0x3ff00 lookup Comcast_ip2
32101: from all lookup Comcast_ip1
HTH,
Bill
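An added example (my code, not Bill's or Shorewall's) that makes the mark/mask behaviour concrete: it decodes a fwmark into the fields of the bit layout above and evaluates `ip rule` fwmark selectors the way the kernel does (`(packet_mark & mask) == mark`). The field table is taken from the shorewall.conf comment block and the sample rule lines are the ones quoted in this message; the function names, the parser and the regular expression are assumptions made here.

```python
"""Decode Shorewall-style fwmarks and match them against ip-rule fwmark/mask selectors.

Added example, not code from the mailing-list thread. The bit layout and the
sample rules come from Bill's message; everything else here is an assumption.
"""
import re

# Bit layout from the shorewall.conf comment block (bit 31 on the left):
#   mtxzzzzzjouuuupiccccccccssssssss
# Each entry is (field name, lowest bit, width).
FIELDS = [
    ("tc",         0, 8),   # s: traffic shaping (TC_BITS=8)
    ("conn_ip",    8, 4),   # low 4 connection bits: IP address index
    ("conn_if",   12, 4),   # high 4 connection bits: interface number
    ("ipsec",     16, 1),   # i: IPSEC_MARK
    ("nd_ping",   17, 1),   # p: network-daemon ping mark
    ("unused",    18, 4),   # u
    ("server_out", 22, 1),  # o: NEW_SERVER_OUTPUT
    ("junk",      23, 1),   # j: JUNK_MARK
    ("zone",      24, 5),   # z: ZONE_BITS=5
    ("exclusion", 29, 1),   # x
    ("tproxy",    30, 1),   # t
    ("event",     31, 1),   # m
]


def field_mask(name):
    """Return the 32-bit mask that selects exactly the named field."""
    for field, low, width in FIELDS:
        if field == name:
            return ((1 << width) - 1) << low
    raise KeyError(name)


def decode_mark(mark):
    """Split a fwmark value into its named fields."""
    return {name: (mark >> low) & ((1 << width) - 1) for name, low, width in FIELDS}


# One line of `ip rule show`: "<prio>: from <src> [fwmark <mark>[/<mask>]] lookup <table>"
RULE_RE = re.compile(
    r"^\s*(\d+):\s+from\s+(\S+)"
    r"(?:\s+fwmark\s+(0x[0-9a-fA-F]+)(?:/(0x[0-9a-fA-F]+))?)?"
    r"\s+lookup\s+(\S+)"
)


def parse_ip_rule(text):
    """Parse `ip rule show` output into (prio, src, mark, mask, table) tuples, lowest prio first."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # ignore lines that are not fwmark/lookup rules
        prio, src, mark, mask, table = m.groups()
        mark = int(mark, 16) if mark else None
        # ip rule treats a missing mask as "all bits significant"
        mask = int(mask, 16) if mask else (0xFFFFFFFF if mark is not None else None)
        rules.append((int(prio), src, mark, mask, table))
    return sorted(rules)


def first_match(rules, packet_mark):
    """Return (prio, table) of the first rule whose selector matches the packet's mark."""
    for prio, src, mark, mask, table in rules:
        if mark is None or (packet_mark & mask) == mark:
            return prio, table
    return None


# Constructed sample: the rules quoted in the message, in `ip rule show` format.
SAMPLE_IP_RULE = """\
5101:\tfrom all fwmark 0x24000/0x3ff00 lookup ping_Comcast
10101:\tfrom all fwmark 0x4000/0x3ff00 lookup Comcast_ip1
10102:\tfrom all fwmark 0x4100/0x3ff00 lookup Comcast_ip2
32101:\tfrom all lookup Comcast_ip1
"""


if __name__ == "__main__":
    rules = parse_ip_rule(SAMPLE_IP_RULE)
    for mark in (0x24000, 0x4000, 0x4142):
        print(hex(mark), decode_mark(mark), "->", first_match(rules, mark))
    # IF_MASK=0x3f000 is the interface field plus the ipsec and ping bits
    print(hex(field_mask("conn_if") | field_mask("ipsec") | field_mask("nd_ping")))
```

Running the demo shows why the mask matters: 0x4142 still routes to Comcast_ip2 because the traffic-shaping bits below bit 8 are outside 0x3ff00, while 0x24000 is steered by the always-present 5101 rule and never reaches 10101, since the ping bit is inside CONNMASK. It also shows that 0x3f000 is the union of the interface field with the ipsec and ping bits, which is why it selects "interface #4, any IP address" when used as a rule mask.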
On 5/7/2017 12:53 PM, Norman Henderson wrote:
> Thank you Bill, that's immensely helpful. Just curious why you are using a
> mask for the marks? And why in particular, 0x3f000?
> - Norm
>
> On Sun, May 7, 2017 at 6:12 AM, Bill Shirley
> <[email protected]
> <mailto:[email protected]>> wrote:
>
> I don't have a providers file but I do have two internet providers and
> use ipsets. Perhaps this may help.
> (Note I use variables defined in Shorewall params):
>
> Shorewall mangle:
> MARK($COMCAST_MARK1/$CONNMASK):P - +$COMCAST1_IPSET
>
> ip rule:
> .
> .
> 10101: from all fwmark 0x4000/0x3ff00 lookup Comcast_ip1
>
> If you run a Red Hat distro, you can create a file
> /etc/sysconfig/network-scripts/rule-eth1 which will add
> the rule when the interface comes up:
> fwmark 0x4000/0x3f000 lookup Comcast_ip1 pri 10101
> and /etc/sysconfig/network-scripts/route-eth1:
> default via 173.xxx.y.254 dev ccast proto static src 173.xxx.y.249
> and of course, your table name(Comcast_ip1) has to be defined in
> /etc/iproute2/rt_tables.
>
> So in the mangle rule instead of +$COMCAST1_IPSET, you would use
> +unitelusers. Perhaps you
> can translate this into provider marks. Set the rule priority
> appropriately also.
>
> One additional thought: you might mark your low priority services to use
> your 2nd ISP and just wait
> until it comes back up:
> Shorewall mangle:
> MARK($BUDGET_ISP/$CONNMASK) $FW - tcp smtp
>
> HTH,
> Bill
>
>
> On 5/5/2017 8:23 PM, Tom Eastep wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA256
> >
> > On 05/05/2017 09:52 AM, Norman Henderson wrote:
> >> Are ipsets not supposed to work with route_rules, or am I missing
> >> something?
> >>
> > Ipsets are not supported in rtrules -- this is a Linux networking
> > restriction, independent of Shorewall.
> >
> > - -Tom
> > - --
> > Tom Eastep \ Q: What do you get when you cross a mobster with
> > Shoreline, \ an international standard?
> > Washington, USA \ A: Someone who makes you an offer you can't
> > http://shorewall.net \________________________________________________
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v2
> > Comment: GPGTools - http://gpgtools.org
> >
> > iQIcBAEBCAAGBQJZDReHAAoJEJbms/JCOk0QIXMP/RpLh6Dl5fjOw9AwaN0nqlvY
> > NUw6OOpc3gJJoH+yvNFVIs8d5jl/+kGVLJuWE4qBz2Br59T5upFn9AUtocX31H0K
> > N7zpc4OU9trx2arnPVVdvR8xksPi0ZtTF7hvkz0B3ce2cgKOh2SeSR3xMRxQkOCc
> > VMUSckhQ0niz/9txk1BxKV1rG3+5x+pbpPNdI4GN0HHICafTBihJiauJ1gxz54qj
> > 00k3PhdNIZWCdiwdi8Z/Y3OuSzIXuPK6paET6LtfFI9GpwkQ+7kz2NE7QSyUX8Xc
> > hKeKzWw7nQSsKLdhRwcZBkU0xFhBHdCqZkespBTtpzVnnlJSfJ1cyrBqTz4ExP+2
> > L3oBc0RNi0iSv5nPnf3ri7kJMBiJfuNVJc6yEnPx+Sr8n+BezMIudW9Q3F/zZqRI
> > YWDm/OyhYmiUSpMXta4VwJlF1g2V1xvt/e4pAhXdYUJKLxjlRI5k5WdzDyMKxfoP
> > 3NuwBPZe5M4D5vRbgcmb95YMrZO5FPWqJADuQWppi3QEfHRm7qEWWFH1vZBAjsl6
> > DpsSYh2GzwRXJaLZ7M4eHILWceKhNtfxJ3uqMiW0aQr8LnSFh/lsTukTSDz1IrEd
> > cqtrX2MdV6Iu37bjM/FnTXnlmfZu/jR2wzj6x3/9YNa5qFJW6EAEopzolWqF2I0Y
> > ABWSWQ+a9bJfni7AgqtV
> > =Vgt3
> > -----END PGP SIGNATURE-----
> >
> >
> ------------------------------------------------------------------------------
> > Check out the vibrant tech community on one of the world's most
> > engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> > _______________________________________________
> > Shorewall-users mailing list
> > [email protected]
> <mailto:[email protected]>
> > https://lists.sourceforge.net/lists/listinfo/shorewall-users
> <https://lists.sourceforge.net/lists/listinfo/shorewall-users>