Tom Eastep wrote:
> Cristian Mammoli wrote:
>
>> I used "traceproto $VARIOUS_INTERNET_HOSTS -p tcp -d 25" from the dmz
>> host and some requests went out through provider smrt1, some through
>> fweb1
>
> Please try the attached patch.
My belief is that the problem stems from the fact that the compilers use --or-mark for setting MARK values > 255. This means that if a packet matches more than one PREROUTING/OUTPUT rule with HIGH_ROUTE_MARKS=Yes, then the resulting mark value will be the logical product of the mark values in the matching rules.

Example:

0x100   192.168.1.44   0.0.0.0/0
0x200   0.0.0.0/0      0.0.0.0/0   tcp   25

A TCP packet from 192.168.1.44 with destination port 25 would end up with a mark value of 0x300 whereas the expected value is 0x200. In Cristian's case, 0x300 is not associated with any provider so packets with that mark value are routed by the main table; the result is that these packets' connections are balanced between the two providers.

This problem is present in Shorewall versions 3.2, 3.4 and 4.0 (both Shorewall-shell and Shorewall-perl). Errata patches are available; see:

http://www1.shorewall.net/pub/shorewall/3.2/shorewall-3.2.11/known_problems.txt
http://www1.shorewall.net/pub/shorewall/3.4/shorewall-3.4.7/known_problems.txt
http://www1.shorewall.net/pub/shorewall/4.0/shorewall-4.0.5/known_problems.txt

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ [EMAIL PROTECTED]
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key
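The mark arithmetic Tom describes can be reproduced in a small simulation. The following is an added example, not Shorewall code and not the attached patch: it walks the two tcrules-style rules from the message in order, once with the --or-mark semantics (every match ORs its value in) and once with a replace-on-match semantics (last match wins), then looks the final mark up in a hypothetical provider table. The rule tuples, the `PROVIDERS` mapping, the packet dictionary and the function names are all constructed for this illustration; the "set" mode is an assumption about the intended behaviour, chosen because it produces the 0x200 the message calls the expected value.

```python
import ipaddress

# Constructed rules in the shape of Shorewall's tcrules columns
# (MARK, SOURCE, DEST, PROTO, DEST PORT), copied from the message.
# A PROTO or DEST PORT of None means "any".
RULES = [
    (0x100, "192.168.1.44", "0.0.0.0/0", None, None),
    (0x200, "0.0.0.0/0",    "0.0.0.0/0", "tcp", 25),
]

# Hypothetical provider table: route mark -> provider name. Only the
# two marks used by the rules above are known; any other mark falls
# through to the main routing table, as in Cristian's case.
PROVIDERS = {0x100: "smrt1", 0x200: "fweb1"}


def rule_matches(rule, pkt):
    """Return True when the packet matches every column of the rule."""
    _mark, src, dst, proto, dport = rule
    if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(src, strict=False):
        return False
    if ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(dst, strict=False):
        return False
    if proto is not None and pkt["proto"] != proto:
        return False
    if dport is not None and pkt["dport"] != dport:
        return False
    return True


def mark_packet(pkt, rules, mode):
    """Walk the rules in order and compute the resulting fwmark.

    mode="or"  models the --or-mark target described in the message:
               every matching rule ORs its value into the mark, so two
               matches give 0x100 | 0x200 = 0x300.
    mode="set" models a target that replaces the mark on each match
               (last matching rule wins); this yields the 0x200 the
               message calls the expected value (assumed semantics).
    """
    mark = 0
    for rule in rules:
        if rule_matches(rule, pkt):
            mark = (mark | rule[0]) if mode == "or" else rule[0]
    return mark


def route_for(mark, providers=PROVIDERS):
    """Which provider owns a mark; unknown marks use the main table."""
    return providers.get(mark, "main")


# Constructed packet: SMTP from the dmz host in the message to an
# arbitrary Internet address (TEST-NET-3 documentation range).
SMTP_PKT = {"src": "192.168.1.44", "dst": "203.0.113.10", "proto": "tcp", "dport": 25}


if __name__ == "__main__":
    for mode in ("or", "set"):
        m = mark_packet(SMTP_PKT, RULES, mode)
        print(f"{mode:>3}: mark=0x{m:x} -> {route_for(m)}")
```

Running it prints `or: mark=0x300 -> main` followed by `set: mark=0x200 -> fweb1`, which is exactly the symptom in the thread: under OR semantics the combined mark matches no provider and the connection is left to the main table's balancing. A quick way to check a live box for the same class of problem is to confirm that every mark value that can actually be produced by the PREROUTING/OUTPUT chain appears in the provider table.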