On 08/03/13 22:40, Tom Eastep wrote:
> On 03/08/2013 09:47 AM, Tom Eastep wrote:
>> On 3/8/13 9:23 AM, "Matt Joyce" <[email protected]> wrote:
>>
>>> I believe this may be caused by the command being generated with the src
>>> <addr> argument. I'm not certain this is supported for IPv6, as I have in
>>> the past tried to manually add a route and found it would not work
>>> unless that argument was eliminated. It could have something to do with
>>> the address selection algorithms in IPv6, which are, I think, different, as
>>> IPv6 was written from the beginning with multiple addresses per
>>> interface in mind, plus the added factors introduced by address scoping.
>>> I just checked the iproute2 manual, though, and there is nothing in man
>>> ip-route's description of the src attribute to suggest that it's IPv4
>>> only, so it's possible that iproute2 has a bug. Then a lot of things, I
>>> guess, are possible here: given iproute2 is itself more of a frontend, it
>>> could be an issue with the underlying netlink or kernel routing code
>>> too. Something doesn't like src for ip6 routes anyway.
>>>
>>> Either Shorewall shouldn't be generating IPv6 routes with src or
>>> iproute2 should be accepting them, but I am really not sure which is the
>>> case. Likely Shorewall may have to work around it for a while even if it
>>> is an iproute2 issue, as I can see it being a while before one can bank
>>> on the support being operational.
>> root@gateway:~# fgrep 'route add' /var/lib/shorewall6/firewall
>>     run_ip route add default scope global table $2 $1
>>      run_ip route add default dev sit2 table 4
>>      run_ip route add default dev sit1 table 5
>>      run_ip route add default table 253 dev sit1 metric 5
>>      qt $IP -6 route add ::192.88.99.1 src $SW_SIT3_ADDRESS dev sit3
>>      run_ip route add ::192.88.99.1 src $SW_SIT3_ADDRESS dev sit3 table 6
>>      run_ip route add default via ::192.88.99.1 src $SW_SIT3_ADDRESS dev sit3 table 6
>>      run_ip route add default via ::192.88.99.1 src $SW_SIT3_ADDRESS dev sit3 table 253 metric 6
>>          run_ip route add default scope global table 250 $DEFAULT_ROUTE
>>          error_message "WARNING: No Default route added (all 'balance' providers are down)"
>> root@gateway:~# ip -V
>> ip utility, iproute2-ss100519
>> root@gateway:~# uname -a
>> Linux gateway 2.6.32-5-amd64 #1 SMP Mon Feb 25 00:26:11 UTC 2013 x86_64 GNU/Linux
>> root@gateway:~#
> I should have mentioned that Shorewall expects iproute2 to handle 'src'
> which it is in my case.
>
> -Tom
>
> _______________________________________________
> Shorewall-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
I found an alternate solution to select source addresses in my case, so I
hadn't tried in a while (some months, I think), but I can confirm that
ss121211 also works. I'm not sure which it would have been when it wasn't
working, but perhaps an update of iproute might fix the problem for you,
Prachachart. If you do try it, maybe make a note of your current version
also; it would be interesting to get an idea where it might have changed.
