[LARTC] Advanced Policy Routing not working properly
Hi list,

I'm trying to set up a Linux box with a complicated source routing configuration and could use a hand from you. The box has 4 NICs and lots of VLANs attached. It is a firewall and router in the following scenario (note: IP addresses have been changed for security purposes):

- eth0 holds the default route (GW: 200.1.0.1, Firewall: 200.1.0.2);
- The box is routing and sometimes source routing, with no problems;
- We got our own ASN with an IP range assigned: 101.30.0.0/20;
- We have a Cisco router responsible for the BGP sessions of our ASN. This router is already talking to our neighbors and connects to the Firewall on eth2.887 (Router: 101.30.15.249, Firewall: 101.30.15.250);
- We have the old ISP's IP addresses in use on lots of VLAN interfaces, e.g. 200.1.2.0/26, 200.1.3.0/24, etc.;
- The default route is still pointing to our old ISP and cannot be changed for now.

So far so good, but:

- We created a testing VLAN, eth2.6, and assigned the address 101.30.0.1/28 to the Firewall and 101.30.0.2 to a testing machine (machine-X);
- If we create a source routing setup like this:

    ip route add default via 101.30.15.249 table MyASN   # IP of BGP router
    ip rule add from 101.30.0.0/28 table MyASN

  we can see the Internet and the Internet sees us through our BGP router and neighbors, BUT we cannot see hosts at IP addresses of our old ISP (those directly connected to the Firewall).

The reason is simple: table MyASN has no entry for these old addresses. The easy way to go is to insert static routes into MyASN, but it is a bad solution when you have lots of subnets in use and changes occur frequently. The old and new addresses (from my old ISP and from my ASN) must communicate, but I cannot keep updating the MyASN table. I tried some workarounds with no good results, and here is where I need a hand.

All the workarounds I tried expect that, in the above scenario, if a host on an old ISP IP address, let's say 200.1.2.2, pings my testing server machine-X on 101.30.0.2, packets should show up on the sender host's interface and go out on machine-X's interface. I expect this as the _main_ table has a route to machine-X (directly connected to the Firewall), so the box should know where to send packets.

It doesn't happen like this. The packets go nowhere. They come in on the sender host's interface but never go out on machine-X's interface. If I insert a route to 200.1.2.2 in table MyASN I start to see traffic coming and going.

Why is this happening? Shouldn't the box just forward traffic when there is a route in the _main_ table, regardless of whether a return route exists? Or shouldn't it, at least, send this traffic to its default gateway?

Any comments and suggestions are appreciated.

Regards.

-- 
Andre D. Correa, CISSP          | Visit my personal projects:
andre.correa (at) pobox.com     | - http://www.malware.com.br/
http://andre.hiperlinks.com.br  | - http://www.linuximq.net/
Sao Paulo / SP / Brazil

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
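As an added example (not code from the post above, and not the kernel's own implementation), the following Python model walks the `ip rule` / `ip route` lookup for the scenario described in the post. It keeps three properties of the real Linux lookup: rules are tried in increasing pref order, a table that holds no route for the destination is skipped so the next rule is tried, and a rule carrying `suppress_prefixlength N` (available since Linux 3.12, so well after this 2005 post) discards any match whose prefix is N bits or shorter and moves on to the next rule. Addresses, the eth0, eth2.887 and eth2.6 interfaces and the table name MyASN come from the post; the /30 on eth0, the eth1.x names for the old ISP VLANs and the pref 100 of the extra rule are assumptions. The model only shows which table and next hop each rule set selects; it does not reproduce whatever dropped the forward-direction packets in the poster's setup.

```python
"""Model of Linux policy routing (ip rule / ip route) for the scenario in the post.

Added example, not kernel code.  Devices eth1.2 / eth1.3 and the /30 on eth0
are assumptions; the rest of the addressing is taken from the post.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    dev: str
    via: Optional[str] = None          # None means directly connected


@dataclass(frozen=True)
class Rule:
    pref: int
    table: str
    src: Optional[IPv4Network] = None  # "from" selector, None matches any source
    suppress_prefixlength: Optional[int] = None


def lookup_table(routes, dst: IPv4Address) -> Optional[Route]:
    """Longest-prefix match inside one routing table (None if nothing matches)."""
    candidates = [r for r in routes if dst in r.prefix]
    return max(candidates, key=lambda r: r.prefix.prefixlen, default=None)


def policy_lookup(rules, tables, src: str, dst: str):
    """Return (table name, Route) chosen for a packet src -> dst, or None if unreachable."""
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    for rule in sorted(rules, key=lambda r: r.pref):
        if rule.src is not None and src_ip not in rule.src:
            continue                    # selector does not match this packet
        route = lookup_table(tables[rule.table], dst_ip)
        if route is None:
            continue                    # table has no route: fall through to next rule
        if (rule.suppress_prefixlength is not None
                and route.prefix.prefixlen <= rule.suppress_prefixlength):
            continue                    # match suppressed: fall through to next rule
        return rule.table, route
    return None


def describe(result) -> str:
    if result is None:
        return "unreachable"
    table, route = result
    hop = f"via {route.via}" if route.via else "directly connected"
    return f"{table}: {route.prefix} dev {route.dev} {hop}"


TABLES = {
    "main": [
        Route(ip_network("200.1.0.0/30"), "eth0"),            # old ISP uplink (assumed /30)
        Route(ip_network("200.1.2.0/26"), "eth1.2"),          # old ISP VLANs (assumed names)
        Route(ip_network("200.1.3.0/24"), "eth1.3"),
        Route(ip_network("101.30.15.248/30"), "eth2.887"),    # link to the BGP router
        Route(ip_network("101.30.0.0/28"), "eth2.6"),         # testing VLAN, machine-X
        Route(ip_network("0.0.0.0/0"), "eth0", via="200.1.0.1"),
    ],
    "MyASN": [
        Route(ip_network("0.0.0.0/0"), "eth2.887", via="101.30.15.249"),
    ],
}

# ip rule add from 101.30.0.0/28 table MyASN  (gets pref 32765, just before main)
RULES_POSTED = [
    Rule(32765, "MyASN", src=ip_network("101.30.0.0/28")),
    Rule(32766, "main"),
]

# plus: ip rule add pref 100 from 101.30.0.0/28 lookup main suppress_prefixlength 0
# Connected and specific routes in main win; only main's default route is skipped.
RULES_SUPPRESS = [
    Rule(100, "main", src=ip_network("101.30.0.0/28"), suppress_prefixlength=0),
] + RULES_POSTED


if __name__ == "__main__":
    for rules, label in ((RULES_POSTED, "posted rules"), (RULES_SUPPRESS, "with suppress rule")):
        print(f"== {label}")
        for src, dst in (("200.1.2.2", "101.30.0.2"),
                         ("101.30.0.2", "200.1.2.2"),
                         ("101.30.0.2", "198.51.100.7")):
            print(f"{src} -> {dst}: {describe(policy_lookup(rules, TABLES, src, dst))}")
```

With the posted rules the model sends the reply from 101.30.0.2 to 200.1.2.2 to the BGP router rather than out of the directly connected VLAN, while the forward direction uses the main table; the extra suppress rule keeps every connected and specific route of main for the 101.30.0.0/28 sources and only hands Internet-bound traffic to MyASN. On a real box the kernel can be asked the same question with `ip route get 200.1.2.2 from 101.30.0.2 iif eth2.6`, and with asymmetric paths like the one the posted rules produce, strict rp_filter on the firewall is also worth checking.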
[LARTC] IMQ and nfcache
Hi,

I'm working on the IMQ patch for 2.6.14-rc* and ran into trouble with nfcache. I have to be honest that I'm not following kernel development as I should, so I need to ask for a little help here. I know Mr Harald Welte removed nfcache but I'm not sure about the way to go. I have this at net/ipv4/netfilter/ipt-IMQ.c:

    static unsigned int imq_target(struct sk_buff **pskb,
                                   const struct net_device *in,
                                   const struct net_device *out,
                                   unsigned int hooknum,
                                   const void *targinfo,
                                   void *userdata)
    {
            struct ipt_imq_info *mr = (struct ipt_imq_info *)targinfo;

            (*pskb)->imq_flags = mr->todev | IMQ_F_ENQUEUE;
            (*pskb)->nfcache |= NFC_ALTERED;

            return IPT_CONTINUE;
    }

I found that in places like ip_conntrack_core.c and ip_nat_core.c, nfcache references have just been removed.

Thanks in advance for any help.

Cheers...

-- 
Andre D. Correa, CISSP          | Visit my personal projects:
andre.correa (at) pobox.com     | - http://www.malware.com.br/
http://andre.hiperlinks.com.br  | - http://www.linuximq.net/
Sao Paulo / SP / Brazil
Re: [LARTC] HOWTO unmaintained?
Hi,

I got frustrated with it several months ago when I tried to update the IMQ information and never got a response. I can host a wiki too; maybe we can mirror content and share the task. I'm not sure if any wiki has a mirroring functionality, but we can figure this out.

-- 
Andre D. Correa, CISSP          | Visit my personal projects:
andre.correa (at) pobox.com     | - http://malware.hiperlinks.com.br
http://andre.hiperlinks.com.br  | - http://www.linuximq.net/
Sao Paulo / SP / Brazil

Kenneth Kalmer wrote:
> On 8/17/05, Ed W <[EMAIL PROTECTED]> wrote:
>> I guess the obvious question then is: How do we get it maintained? Does anyone know where the current maintainers have disappeared to? Is anyone willing to take over that job?
>>
>> I wonder if someone would host a MediaWiki and consider uploading the documentation there. This would make it easier for people to contribute, and I think it should be fairly easy to convert from its current format to a wiki.
>>
>> Just a thought
>
> And a great one, I might add. Does anybody know how busy the current site is? If not too busy (i.e. < 10GB a month) I'd gladly put up a wiki on my server for it. If it gets busier I'll just have to move it to another server in due course.
>
> I've also gotten very frustrated with some old outdated information, and especially the lack of information regarding the 2.6.x kernel.
>
> All in favour...?
>
> Regards
Re: [LARTC] XML for tc hierarchy representation
In fact I'm just searching for an XML representation of the tc hierarchy. Although I could design my own, using a reviewed and "widely accepted" schema makes more sense to me. I'm not testing or planning to use LTCM.

Thanks anyway...

Andre

Shane O'Hanlon wrote:
> I just tried to get that code working. Some of the test programs worked, some did not. I could not find a versioning file. Have you had more success in getting it to work? I would like to get it to work. Kernel 2.6.11.7.
>
> Here is the output of the test programs; some failed, some succeeded, but I am sure it's just that my libs are not the correct version.
>
> output of e00
> created dev_interface for eth0
> pfifo qdisc { limit: 0 }
>
> output of e01
> created dev_interface for eth0
> failure: netlink failure
>
> output of e02
> created dev_interface for eth0
> failure: netlink failure
>
> output of e03
> created dev_interface for eth0
> failure: netlink failure
>
> output of e04
> created dev_interface for eth0
> qdisc is of type pfifo
>
> output of e05
> failure: netlink failure
>
> output of e06
> fifo qdisc stars with limit = 100
> failure: netlink failure
>
> output of e07
> creating root qdisc
> failure: netlink failure
>
> output of e08
> qdisc 1:0
>
> output of e09
> creating root qdisc
> failure: netlink failure
>
> output of e10
> creating root qdisc
> failure: netlink failure
>
> output of e11
>
> output of e12
> created dev_interface for eth0
> failure: system reply: invalid arguments
>
> On Mon, 2005-08-15 at 15:34 -0300, Andre D. Correa wrote:
>> Hi list,
>>
>> I would like to know about any proposed XML representation for the tc objects hierarchy. I found something at "LTCM, a Linux QoS API Library" (http://artemis.av.it.pt/~ltcmmm/) that looks like a start, but any others are welcome. I'm starting a project to automatically synchronize traffic shaping rules between servers and thought XML is the best way to represent the tc hierarchy.
>>
>> Thanks in advance for any information.
>>
>> -- 
>> Andre D. Correa, CISSP          | Visit my personal projects:
>> andre.correa (at) pobox.com     | - http://malware.hiperlinks.com.br
>> http://andre.hiperlinks.com.br  | - http://www.linuximq.net/
>> Sao Paulo / SP / Brazil

-- 
Andre D. Correa, CISSP          | Visit my personal projects:
andre.correa (at) pobox.com     | - http://malware.hiperlinks.com.br
http://andre.hiperlinks.com.br  | - http://www.linuximq.net/
Sao Paulo / SP / Brazil
[LARTC] XML for tc hierarchy representation
Hi list,

I would like to know about any proposed XML representation for the tc objects hierarchy. I found something at "LTCM, a Linux QoS API Library" (http://artemis.av.it.pt/~ltcmmm/) that looks like a start, but any others are welcome. I'm starting a project to automatically synchronize traffic shaping rules between servers and thought XML is the best way to represent the tc hierarchy.

Thanks in advance for any information.

-- 
Andre D. Correa, CISSP          | Visit my personal projects:
andre.correa (at) pobox.com     | - http://malware.hiperlinks.com.br
http://andre.hiperlinks.com.br  | - http://www.linuximq.net/
Sao Paulo / SP / Brazil
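The post above and the reply to Shane O'Hanlon earlier on this page both concern representing a tc hierarchy in XML so that shaping rules can be synchronized between servers. As an added example (not code from this thread, from LTCM, or from any published schema), the Python below parses the text that `tc qdisc show dev DEV` and `tc class show dev DEV` print, nests qdiscs and classes by parent handle into an XML document, and turns that document back into the `tc ... add` commands that rebuild the hierarchy on another server. The sample tc output is constructed for the example (an HTB root with one parent class and two leaf classes), the element and attribute names are this example's own choice, and only the options listed in REPLAYABLE are carried over; counters such as refcnt are dropped.

```python
"""tc qdisc/class output <-> XML <-> tc add commands.

Added example; the sample output below is constructed and the XML layout is
this example's own, not a standard schema.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample, in the layout tc prints: object kind handle [dev X] root|parent H options...
SAMPLE_QDISC = """\
qdisc htb 1: dev eth0 root refcnt 2 r2q 10 default 0x20 direct_packets_stat 0
"""
SAMPLE_CLASS = """\
class htb 1:1 root rate 10Mbit ceil 10Mbit burst 1600b cburst 1600b
class htb 1:10 parent 1:1 prio 1 rate 6Mbit ceil 10Mbit burst 1600b cburst 1600b
class htb 1:20 parent 1:1 prio 2 rate 4Mbit ceil 10Mbit burst 1600b cburst 1600b
"""

LINE_RE = re.compile(
    r"^(qdisc|class)\s+(\S+)\s+(\S+)\s+(?:dev\s+(\S+)\s+)?(root|parent\s+\S+)\s*(.*)$")
# Options worth replaying on another box; statistics and refcounts are not.
REPLAYABLE = {"r2q", "default", "rate", "ceil", "burst", "cburst", "prio", "quantum"}


def parse_tc(qdisc_text, class_text):
    """Return (dev, items); each item has obj, kind, handle, parent and its replayable opts."""
    dev, items = None, []
    for line in (qdisc_text + class_text).splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised tc line: {line!r}")
        obj, kind, handle, line_dev, parent, rest = m.groups()
        if line_dev:
            if dev not in (None, line_dev):
                raise ValueError("output from more than one device")
            dev = line_dev
        toks = rest.split()
        opts = {toks[i]: toks[i + 1] for i in range(len(toks) - 1) if toks[i] in REPLAYABLE}
        items.append({"obj": obj, "kind": kind, "handle": handle,
                      "parent": "root" if parent == "root" else parent.split()[1],
                      "opts": opts})
    return dev, items


def to_xml(dev, items):
    """Nest items by parent handle: <tc> -> qdisc -> class -> class/qdisc ..."""
    tc = ET.Element("tc", dev=dev)
    by_handle = {it["handle"]: it for it in items}
    elems = {}

    def element(handle):
        if handle not in elems:
            it = by_handle[handle]
            parent = it["parent"]
            if parent == "root" and it["obj"] == "class":
                parent = handle.split(":")[0] + ":"      # a root class hangs off its qdisc
            container = tc if parent == "root" else element(parent)
            elems[handle] = ET.SubElement(container, it["obj"], kind=it["kind"],
                                          handle=handle, **it["opts"])
        return elems[handle]

    for it in items:
        element(it["handle"])
    return tc


def to_commands(tc):
    """Walk the XML depth-first and emit tc commands, parents before children."""
    dev, cmds = tc.get("dev"), []

    def walk(node, parent):
        for child in node:
            handle, kind = child.get("handle"), child.get("kind")
            opts = " ".join(f"{k} {v}" for k, v in child.attrib.items()
                            if k not in ("kind", "handle"))
            if child.tag == "qdisc":
                where = "root" if parent is None else f"parent {parent}"
                cmds.append(f"tc qdisc add dev {dev} {where} handle {handle} {kind} {opts}".rstrip())
            else:
                cmds.append(f"tc class add dev {dev} parent {parent} classid {handle} {kind} {opts}".rstrip())
            walk(child, handle)

    walk(tc, None)
    return cmds


def hierarchy_xml(qdisc_text, class_text):
    """tc output -> XML text, the form that would be shipped to the other servers."""
    return ET.tostring(to_xml(*parse_tc(qdisc_text, class_text)), encoding="unicode")


def commands_from_xml(xml_text):
    """XML text -> the tc commands the receiving server would run."""
    return to_commands(ET.fromstring(xml_text))


if __name__ == "__main__":
    doc = hierarchy_xml(SAMPLE_QDISC, SAMPLE_CLASS)
    print(doc)
    for cmd in commands_from_xml(doc):
        print(cmd)
```

The receiving side should clear the device first (`tc qdisc del dev eth0 root`) and run the commands in the emitted order, since each class's parent must exist before the class is added; leaf qdiscs (sfq, pfifo and so on) attached below a class nest the same way and come out as `tc qdisc add dev eth0 parent 1:10 handle 10: ...`.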