On 04/29/2013 07:49 PM, Dash Four wrote: > > > Dash Four wrote: >> 3. Specifying "blackhole" routes for a provider, as well as 'main' >> generates an error: >> >> routes >> ~~~~~~ >> dmz7 62.252.0.0/14 blackhole >> main 62.252.0.0/14 blackhole >> >> during either cold start, or a reload, I get the following error: >> >> shorewall[7294]: Adding Providers... >> shorewall[7294]: RTNETLINK answers: File exists >> shorewall[7294]: ERROR: Command "ip -4 route add blackhole >> 62.252.0.0/14 table dmz7" Failed >> root: ERROR:Shorewall start failed >> >> This error is mystifying me, because in the generated .start file, >> there is only one reference to 62.252.0.0/14 so I have absolutely no >> idea why ip is moaning at me. When I execute this command from the >> shell, all is well - no problem! > I think I found what is causing this - in the generated firewall file, I > have: > > $IP -4 -o route show table main | while read net route; do > case $net in > default) > ;; > blackhole|prohibit|unreachable) > run_ip route add table dmz7 $net $route > ;; > *) > case $(find_device $route) in > eth0) > case $net in > 255.255.255.255*) > ;; > *) > run_ip route add table dmz7 $net $route > ;; > esac > ;; > esac > ;; > esac > done > > The above may explain why adding the blackhole route fails, even though > I have "none" in the COPY column in "providers". It also explains why > the "src" link route is also copied over to the provider table.
That was added at your request -- you wanted the blackhole routes to appear in your provider tables. But I don't understand why it isn't working in your case. > > If the above is indeed the cause for this error, then perhaps you could > add another set of options called "blackhole", "prohibit" and > "unreachable" to the COPY column so that these routes are copied over - > when "none" is specified, shorewall should, by definition, copy only the > routes with regards to the interface specified (personally, I am against > that as well - I think that "none" should really mean nothing is copied > over, but this might break backwards compatibility). I also think that > there should be an option for nothing at all to be copied over - > currently I don't see a way to do this. Leave the DUPLICATE column empty. -Tom -- Tom Eastep \ When I die, I want to go like my Grandfather who Shoreline, \ died peacefully in his sleep. Not screaming like Washington, USA \ all of the passengers in his car http://shorewall.net \________________________________________________
signature.asc
Description: OpenPGP digital signature
------------------------------------------------------------------------------ Introducing AppDynamics Lite, a free troubleshooting tool for Java/.NET Get 100% visibility into your production application - at no cost. Code-level diagnostics for performance bottlenecks with <2% overhead Download for free and get started troubleshooting in minutes. http://p.sf.net/sfu/appdyn_d2d_ap1
_______________________________________________ Shorewall-devel mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-devel
