On 3/8/13 9:23 AM, "Matt Joyce" <[email protected]> wrote:
>I believe this may be caused by the command being generated with the src
><addr> argument. I'm not certain this is supported for IPv6, as I have in
>the past tried to manually add a route and found it would not work
>unless that argument was eliminated. It could have something to do with
>the address selection algorithms in IPv6, which are I think different as
>IPv6 was written from the beginning with multiple addresses per
>interface in mind, plus the added factors introduced by address scoping.
>I just checked the iproute2 manual though, and there is nothing in man
>ip-route's description of the src attribute to suggest that it's IPv4
>only, so it's possible that iproute2 has a bug. Then a lot of things I
>guess are possible here, given iproute2 is itself more of a frontend;
>could be an issue with the underlying netlink or kernel routing code
>too. Something doesn't like src for ip6 routes anyway.
>
>Either shorewall shouldn't be generating IPv6 routes with src or
>iproute2 should be accepting them, but I am really not sure which is the
>case. Likely shorewall may have to work around it for a while even if it
>is an iproute2 issue, as I can see it being a while before one can bank
>on the support being operational.
root@gateway:~# fgrep 'route add' /var/lib/shorewall6/firewall
run_ip route add default scope global table $2 $1
run_ip route add default dev sit2 table 4
run_ip route add default dev sit1 table 5
run_ip route add default table 253 dev sit1 metric 5
qt $IP -6 route add ::192.88.99.1 src $SW_SIT3_ADDRESS dev sit3
run_ip route add ::192.88.99.1 src $SW_SIT3_ADDRESS dev sit3 table 6
run_ip route add default via ::192.88.99.1 src $SW_SIT3_ADDRESS dev sit3 table 6
run_ip route add default via ::192.88.99.1 src $SW_SIT3_ADDRESS dev sit3 table 253 metric 6
run_ip route add default scope global table 250 $DEFAULT_ROUTE
error_message "WARNING: No Default route added (all 'balance' providers are down)"
root@gateway:~# ip -V
ip utility, iproute2-ss100519
root@gateway:~# uname -a
Linux gateway 2.6.32-5-amd64 #1 SMP Mon Feb 25 00:26:11 UTC 2013 x86_64 GNU/Linux
root@gateway:~#
-Tom
>
>On 08/03/13 11:50, Prachachart Stapornnanon wrote:
>> Good Afternoon
>>
>> I use shorewall to do multi ISP both IPv4 and IPv6
>>
>> About IPv4(shorewall) is no problem
>>
>> but ipv6(shorewall6) has problem can't start when I write config in
>> /etc/shorewall6/providers
>>
>> Spite of is really close config
>>
>> I use centos 6.3 kernel 2.6.32-279.el6.i686 - iptables 1.4.7-5.1 -
>> shorewall & shorewall6 version 4.5.11.2
>>
>> Thank you for your help ^_^
>>
>> At last I attach some involved config files below
>>
>>
>>
>> /etc/shorewall6/interfaces
>>
>>>> #ZONE INTERFACE OPTIONS
>>>> net eth0 tcpflags,forward=1,sourceroute=0
>>>> net eth2 tcpflags,forward=1,sourceroute=0
>>>> loc eth1 tcpflags,forward=1
>>
>>
>> /etc/shorewall6/providers
>>
>>>> #NAME  NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY     OPTIONS  COPY
>>>> ISP1   1       1     main       eth0       1:1:1:1::1  track    none
>>
>>
>> Some trace about shorewall6 can't start
>>
>>>> Compiling...
>>>> Processing /etc/shorewall6/params ...
>>>> Processing /etc/shorewall6/shorewall6.conf...
>>>> Loading Modules...
>>>> Compiling /etc/shorewall6/zones...
>>>> Compiling /etc/shorewall6/interfaces...
>>>> Determining Hosts in Zones...
>>>> Locating Action Files...
>>>> Compiling /usr/share/shorewall6/action.Drop for chain Drop...
>>>> Compiling /usr/share/shorewall6/action.AllowICMPs for chain AllowICMPs...
>>>> Compiling /usr/share/shorewall6/action.Broadcast for chain Broadcast...
>>>> Compiling /usr/share/shorewall/action.Invalid for chain Invalid...
>>>> Compiling /usr/share/shorewall/action.NotSyn for chain NotSyn...
>>>> Compiling /usr/share/shorewall6/action.Reject for chain Reject...
>>>> Compiling /etc/shorewall6/policy...
>>>> Compiling TCP Flags filtering...
>>>> Compiling Accept Source Routing...
>>>> Compiling /etc/shorewall6/providers...
>>>> Compiling MAC Filtration -- Phase 1...
>>>> Compiling /etc/shorewall6/rules...
>>>> Compiling MAC Filtration -- Phase 2...
>>>> Applying Policies...
>>>> Generating Rule Matrix...
>>>> Optimizing Ruleset...
>>>> Creating ip6tables-restore input...
>>>> Compiling Interface forwarding...
>>>> Shorewall configuration compiled to /var/lib/shorewall6/.start
>>>> Starting Shorewall6....
>>>> Initializing...
>>>> Processing /etc/shorewall6/init ...
>>>> Processing /etc/shorewall6/tcclear ...
>>>> Setting up Accept Source Routing...
>>>> Setting up Proxy NDP...
>>>> Adding Providers...
>>>> RTNETLINK answers: Invalid argument
>>>> ERROR: Command "ip -6 route add default via 1:1:1:1::1 src 1:1:1:1::2 dev eth0 table 1" Failed
>>>> Processing /etc/shorewall6/stop ...
>>>> Processing /etc/shorewall6/tcclear ...
>>>> Running /sbin/ip6tables-restore...
>>>> IPv6 Forwarding Enabled
>>>> Processing /etc/shorewall6/stopped ...
>>>> /usr/share/shorewall/lib.common: line 112: 5876 Terminated $SHOREWALL_SHELL $script $options $@
>>
>> _______________________________________________
>> Shorewall-users mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/shorewall-users
-Tom
You do not need a parachute to skydive. You only need a parachute to
skydive twice.
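
Added example, not part of the original messages and not Shorewall code: a probe that checks, inside a throwaway network namespace, whether the running kernel and iproute2 accept "src" on an IPv6 route of the same shape as the failing command in the trace. It assumes root, util-linux unshare and dummy interface support; the interface name probe0, the table numbers and the 2001:db8:: documentation addresses are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread). Probes whether this kernel + iproute2
# accept "src" on an IPv6 route, inside a throwaway network namespace so the
# host's own routing tables are never touched.
# Assumptions: root, util-linux unshare, dummy interface support.
# probe0, tables 1/2 and the 2001:db8:: addresses are constructed values.
#
# Return: 0 = src accepted, 1 = src rejected, 2 = probe could not run.
probe_v6_src() {
    [ "$(id -u)" -eq 0 ] || return 2
    command -v ip >/dev/null 2>&1 || return 2
    command -v unshare >/dev/null 2>&1 || return 2

    unshare -n sh -c '
        ip link add probe0 type dummy || exit 2
        ip link set probe0 up         || exit 2
        # nodad: skip duplicate address detection so the address is usable at once
        ip -6 addr add 2001:db8::2/64 dev probe0 nodad || exit 2
        # Baseline: the same route without src must work, else the probe is invalid
        ip -6 route add default via 2001:db8::1 dev probe0 table 1 || exit 2
        # Same shape as the command shorewall6 generated in the trace
        ip -6 route add default via 2001:db8::1 src 2001:db8::2 \
            dev probe0 table 2 || exit 3
        exit 0
    ' >/dev/null 2>&1
    # Map the inner exit codes; anything unexpected (unshare itself failing,
    # missing dummy driver) counts as "could not run", not as a rejection.
    case $? in
        0) return 0 ;;
        3) return 1 ;;
        *) return 2 ;;
    esac
}

rc=0
probe_v6_src || rc=$?
case $rc in
    0) echo "src accepted on IPv6 routes" ;;
    1) echo "src rejected on IPv6 routes (same failure as in the trace)" ;;
    *) echo "probe could not run (needs root, unshare, dummy interface)" ;;
esac
```

A result of 1 on the gateway means the generated "route add ... src" lines will fail there regardless of the providers file contents.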