> what DOES happen when the destination is 192.168.1.0/24? Can you provide a
> traceroute?
>
> I don't know what "table 3" means, but I'm pretty sure that if it doesn't
> show up in "ip route list" it's not going to be effective.
>
> From the ip(8) man page:
>
> ...
> Route tables: Linux-2.x can pack routes into several routing tables
> identified by a number in the range from 1 to 255 or by name from the
> file /etc/iproute2/rt_tables main table (ID 254) and the kernel only
> uses this table when calculating routes.
> ...
>
> On my system, ip route list gives the same output as ip route list table
> 254. I would expect the same result on your system.
>
> -wes
Dodo is a Fedora Core 1 network root system:

Linux dodo.w2.robinson-west.pri 2.4.22-1.2115.nptlcustom2 #1 Sun Jun 29 20:59:36 PDT 2008 i686 i686 i386 GNU/Linux

[r...@dodo firewall]# ping -c3 192.168.1.1
connect: Network is unreachable
[r...@dodo firewall]#
[r...@dodo firewall]# ip rule show
0:      from all lookup local
32764:  from all fwmark 0x3 lookup 3
32765:  from all fwmark 0x2 lookup 2
32766:  from all lookup main
32767:  from all lookup 253
[r...@dodo firewall]#
[r...@dodo firewall]# ip route show table local
local 192.168.3.1 dev eth0  proto kernel  scope host  src 192.168.3.1
local 192.168.3.17 dev eth0  proto kernel  scope host  src 192.168.3.17
broadcast 192.168.3.0 dev eth0  proto kernel  scope link  src 192.168.3.1
broadcast 192.168.3.16 dev eth0  proto kernel  scope link  src 192.168.3.17
broadcast 192.168.0.255 dev eth1  proto kernel  scope link  src 192.168.0.2
broadcast 127.255.255.255 dev lo  proto kernel  scope link  src 127.0.0.1
local 192.168.5.2 dev eth1  proto kernel  scope host  src 192.168.5.2
local 192.168.5.3 dev eth1  proto kernel  scope host  src 192.168.5.2
local 192.168.5.4 dev eth1  proto kernel  scope host  src 192.168.5.2
broadcast 192.168.4.15 dev eth2  proto kernel  scope link  src 192.168.4.1
broadcast 192.168.4.0 dev eth2  proto kernel  scope link  src 192.168.4.1
broadcast 192.168.0.0 dev eth1  proto kernel  scope link  src 192.168.0.2
local 192.168.4.1 dev eth2  proto kernel  scope host  src 192.168.4.1
local 192.168.0.2 dev eth1  proto kernel  scope host  src 192.168.0.2
broadcast 127.0.0.0 dev lo  proto kernel  scope link  src 127.0.0.1
broadcast 192.168.3.15 dev eth0  proto kernel  scope link  src 192.168.3.1
broadcast 192.168.3.31 dev eth0  proto kernel  scope link  src 192.168.3.17
local 127.0.0.1 dev lo  proto kernel  scope host  src 127.0.0.1
broadcast 192.168.5.15 dev eth1  proto kernel  scope link  src 192.168.5.2
local 127.0.0.0/8 dev lo  proto kernel  scope host  src 127.0.0.1
[r...@dodo firewall]#
[r...@dodo firewall]# ip route show table 3
192.168.1.0/24 via 192.168.3.2 dev eth0
[r...@dodo firewall]#
[r...@dodo firewall]# ip route show table 2
192.168.1.0/24 via 192.168.3.18 dev eth0
[r...@dodo firewall]#
[r...@dodo firewall]# ip route show table main
192.168.4.16/28 via 192.168.4.2 dev eth2
192.168.4.0/28 dev eth2  scope link
192.168.5.0/28 dev eth1  proto kernel  scope link  src 192.168.5.2
192.168.3.0/28 dev eth0  proto kernel  scope link  src 192.168.3.1
192.168.4.48/28 via 192.168.4.2 dev eth2
192.168.3.16/28 dev eth0  scope link
192.168.4.32/28 via 192.168.4.2 dev eth2
192.168.0.0/24 dev eth1  scope link
127.0.0.0/8 dev lo  scope link
[r...@dodo firewall]#
[r...@dodo firewall]# ip route show table 253
[r...@dodo firewall]#
[r...@dodo firewall]# iptables -nvL -t mangle
Chain PREROUTING (policy ACCEPT 576K packets, 127M bytes)
 pkts bytes target     prot opt in     out     source               destination
  879 66553 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            MAC 00:02:E3:02:C8:8F MARK set 0x3
  144 10713 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            MAC 00:40:F4:2D:AF:5C MARK set 0x2
   95 29259 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            MARK set 0x3

Chain INPUT (policy ACCEPT 576K packets, 127M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 178 packets, 52674 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 552K packets, 151M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 552K packets, 151M bytes)
 pkts bytes target     prot opt in     out     source               destination
[r...@dodo firewall]#

If I understand things correctly, when fwmark 0x3 is seen routing table 3 should be used, and when fwmark 0x2 is seen routing table 2 should be used. If I do:

ip rule add table 2

or

ip rule add table 3

then this table will get used and ping works. I can't hard-wire the route: sometimes packets will come from web and sometimes they will come from xerxes.
Which is why I have mac_route added to the firewall:

[r...@dodo firewall]# cat mac_route
iptables -t mangle -A PREROUTING -m mac --mac-source 00:02:E3:02:C8:8F \
   -j MARK --set-mark 3
iptables -t mangle -A PREROUTING -m mac --mac-source 00:40:F4:2D:AF:5C \
   -j MARK --set-mark 2
[r...@dodo firewall]#

The following is route_web.bash:

#!/bin/bash
#
PATH=/sbin:/usr/bin
# Get line count PREROUTING -t mangle...
# (the listing has two header lines before the rules, hence the -2)
line_count=`iptables -nvL PREROUTING -t mangle|wc -l|tr -d ' '`
let line_count-=2
if [ "$line_count" == "2" ]
then
   # only the two MAC rules exist: add the default mark as rule 3
   iptables -t mangle -I PREROUTING 3 -j MARK --set-mark 2
else
   # rule 3 already exists: replace it in place
   iptables -t mangle -R PREROUTING 3 -j MARK --set-mark 2
fi

The following is route_xerxes.bash:

#!/bin/bash
#
PATH=/sbin:/usr/bin
# Get line count PREROUTING -t mangle...
# (the listing has two header lines before the rules, hence the -2)
line_count=`iptables -nvL PREROUTING -t mangle|wc -l|tr -d ' '`
let line_count-=2
if [ "$line_count" == "2" ]
then
   # only the two MAC rules exist: add the default mark as rule 3
   iptables -t mangle -I PREROUTING 3 -j MARK --set-mark 3
else
   # rule 3 already exists: replace it in place
   iptables -t mangle -R PREROUTING 3 -j MARK --set-mark 3
fi

The following is the portion of the firewall that manipulates the routing tables:

...
export lan_net="192.168.1.0/24"
...
export w1nweb="192.168.3.18"
export w1nxer="192.168.3.2"

ip route flush table 2
ip route flush table 3
ip route add $lan_net dev eth0 via $w1nweb table 2
ip route add $lan_net dev eth0 via $w1nxer table 3
ip rule add fwmark 2 table 2
ip rule add fwmark 3 table 3

As far as traceroute goes, "Network is unreachable" doesn't seem traceable. Another routing table can get used; the problem is that the MARK applied to packets in the PREROUTING chain of the mangle table never seems to trigger use of the appropriate table. I'm beginning to wonder if there is some sysctl option breaking this or something similar.

_______________________________________________
PLUG mailing list
PLUG@lists.pdxlinux.org
http://lists.pdxlinux.org/mailman/listinfo/plug
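As an added example (not code from the original post or from anyone on the PLUG thread), here is a small shell helper built around the same fwmark/table layout: mark 2 to table 2 via 192.168.3.18, mark 3 to table 3 via 192.168.3.2, and a "default mark" rule kept at position 3 of mangle PREROUTING. Beyond what the post's scripts do, it counts PREROUTING rules from the `iptables -nvL` listing rather than subtracting a constant from `wc -l`, deletes an existing `ip rule` before re-adding it (so repeated runs do not pile up duplicate rules), and adds two things worth having when a setup like this is checked from the router itself: a mangle OUTPUT mark for locally generated packets, which never pass through PREROUTING, and an `ip route get ... mark` lookup that shows which table a marked packet would use without sending anything. The function names, the OUTPUT rule, the `apply` argument and the dry-run mode are assumptions of this example; the sample listing is constructed from the PREROUTING output shown in the post.

```shell
#!/bin/bash
# Added example, not code from the original post: helper for fwmark-based
# policy routing. Marks, tables and gateways follow the post; the function
# names, the OUTPUT rule and the dry-run mode are assumptions of this example.
set -u

# Command overrides: IPT=echo IP=echo prints commands instead of running them.
IPT=${IPT:-iptables}
IP=${IP:-ip}

lan_net="192.168.1.0/24"
w1nweb="192.168.3.18"   # next hop for mark 2 / table 2
w1nxer="192.168.3.2"    # next hop for mark 3 / table 3

# Constructed sample of `iptables -nvL PREROUTING -t mangle`, based on the post.
SAMPLE_LISTING='Chain PREROUTING (policy ACCEPT 576K packets, 127M bytes)
 pkts bytes target     prot opt in     out     source               destination
  879 66553 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            MAC 00:02:E3:02:C8:8F MARK set 0x3
  144 10713 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            MAC 00:40:F4:2D:AF:5C MARK set 0x2
   95 29259 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            MARK set 0x3'

# Count the rules in a single-chain `iptables -nvL` listing: skip the two
# header lines (chain name, column headings) and any blank line.
count_rules() {            # $1 = listing text
    printf '%s\n' "$1" | awk 'NR > 2 && NF > 0 { n++ } END { print n + 0 }'
}

# Keep rule 3 of mangle PREROUTING as the default-mark rule, like the post's
# route_web.bash / route_xerxes.bash: insert it when only the two MAC rules
# exist, otherwise replace it. $2 lets a caller supply a listing (the live
# chain is read when it is omitted).
set_default_mark() {       # $1 = mark, $2 = optional listing text
    local mark=$1
    local listing=${2:-$("$IPT" -nvL PREROUTING -t mangle)}
    if [ "$(count_rules "$listing")" -eq 2 ]; then
        "$IPT" -t mangle -I PREROUTING 3 -j MARK --set-mark "$mark"
    else
        "$IPT" -t mangle -R PREROUTING 3 -j MARK --set-mark "$mark"
    fi
}

# (Re)build one policy-routing table and its fwmark rule. `ip rule add` is not
# idempotent (it adds duplicates), so any earlier copy is removed first.
setup_policy_routing() {   # $1 = mark, $2 = table, $3 = gateway
    local mark=$1 table=$2 gw=$3
    "$IP" route flush table "$table"
    "$IP" route add "$lan_net" via "$gw" dev eth0 table "$table"
    "$IP" rule del fwmark "$mark" table "$table" 2>/dev/null || true
    "$IP" rule add fwmark "$mark" table "$table"
}

# Packets generated on the router itself (a local ping or traceroute) never
# pass through PREROUTING; they enter netfilter at the OUTPUT hook. A mark set
# in mangle OUTPUT is applied before the kernel's re-route check, so local
# tests then follow the same table as forwarded traffic.
mark_local_traffic() {     # $1 = mark
    "$IPT" -t mangle -A OUTPUT -d "$lan_net" -j MARK --set-mark "$1"
}

# Ask the kernel which route a packet carrying mark $2 would take to $1,
# without sending anything; `ip route get ... mark` honours the fwmark rules.
route_for_mark() {         # $1 = destination, $2 = mark
    "$IP" route get "$1" mark "$2"
}

if [ "${1:-}" = "apply" ]; then
    # Only touch the live system when explicitly asked (needs root).
    setup_policy_routing 2 2 "$w1nweb"
    setup_policy_routing 3 3 "$w1nxer"
    set_default_mark 3
    mark_local_traffic 3
    route_for_mark 192.168.1.1 3
else
    # Dry run: show what would be executed, using the constructed listing.
    IPT=echo IP=echo
    echo "sample listing has $(count_rules "$SAMPLE_LISTING") rules"
    setup_policy_routing 2 2 "$w1nweb"
    set_default_mark 2 "$SAMPLE_LISTING"
    mark_local_traffic 2
    route_for_mark 192.168.1.1 2
fi
```

Run it with no arguments to see the commands it would issue; `./script apply` executes them. With the OUTPUT rule in place, a ping from the router uses the marked table, and `ip route get 192.168.1.1 mark 3` confirms which next hop a marked packet resolves to before any traffic is sent.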