On Tue, 2008-02-12 at 08:40 -0800, Tom Eastep wrote: > Brian J. Murrell wrote: > > The feature is implemented in a completely distribution-neutral way (it uses > the same logic to determine when an interface is up as is used in testing if > an optional interface is usable).
Ahh. Yes. Sorry for misreading. I thought you were referring to a feature in /etc/network/interfaces on Debian machines. I could take advantage of that. The pros/cons of waiting vs. just reloading twice within what could wind up being a relative short period of time would be an interesting small study. > And how do you tell iptables-save/iptables-restore what the > interface-agnostic bits are? You can't, so you end up having to write your > own iptables-save -- in Bourne shell. Ahh. Yes. I see what you mean. I guess I was thinking there are 2 or more different bits. The bulk of the rules which are agnostic to what (Internet) interfaces are up and down and those could be loaded with iptables-restore. Then there are the particular bits that need to wait for interfaces and I would propose just adding/changing/removing those on interface change with some iptables rules. > The issue here is that the Shorewall Multi-ISP feature is a hack to work > around the fact that many Shorewall users are cheap "Consumers", yes. > and try to use a pair of > consumer-grade uplinks (often with dynamic IP addresses) to effect a > fault-tolerant solution. Indeed. > The problem of maintaining accurate routing tables > in the face of changing network topology is effectively solved through the > use of interior gateway routing protocols but the consumer-grade services > employed by most Shorewall users don't offer support for such protocols. Indeed, absolutely agreed. > -Tom (who must get to his real job now) NP. As I said, I've floated my idea and really not wanting to beat a dead horse. Apart from that one ugly wart in that a broadcast domain/DHCP service has to be allowed to populate a default route or else shorewall barfs because it can't find the default route -- it mostly works. I have not thought terribly much about how to solve that yet. Ideally, the interface plumbing doesn't touch the routing tables and leaves shorewall to do it. b.
signature.asc
Description: This is a digitally signed message part
------------------------------------------------------------------------- This SF.net email is sponsored by: Microsoft Defy all challenges. Microsoft(R) Visual Studio 2008. http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________ Shorewall-users mailing list Shorewall-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/shorewall-users
