On 09/14/2013 07:18 AM, Tom Eastep wrote:

> 
> I can't even get this to work when Shorewall is cleared. See attached log:
> 

Okay -- I did another experiment on a Virtual Machine running Foobar 6
(a derivative of RHEL 6). It has two uplinks - one wired (eth0) and one
wireless (eth1).

/etc/shorewall/shorewall.conf:

...
USE_DEFAULT_RT=Yes
...
TRACK_PROVIDERS=Yes
...
TC_BITS=14
PROVIDER_BITS=8
PROVIDER_OFFSET=0
MASK_BITS=16
ZONE_BITS=0

/etc/shorewall/providers:

#NAME   NUMBER  MARK    DUPLICATE INTERFACE GATEWAY OPTIONS COPY
LAN     1       -       -         eth0      detect  balance
WLAN    2       -       -         eth1      detect  fallback

[root@foobar64 quagga]# service zebra start
Starting zebra:                                            [  OK  ]
[root@foobar64 quagga]# vtysh

Hello, this is Quagga (version 0.99.15).
Copyright 1996-2005 Kunihiro Ishiguro, et al.

foobar64.shorewall.net# exit
[root@foobar64 quagga]# vtysh -c "ip show route"
% Unknown command.
[root@foobar64 quagga]# vtysh -c "ip route show"
% Unknown command.
[root@foobar64 quagga]# vtysh -c "show ip route"
Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
       I - ISIS, B - BGP, > - selected route, * - FIB route

C>* 10.0.0.0/24 is directly connected, eth1
C>* 127.0.0.0/8 is directly connected, lo
C>* 172.20.1.0/24 is directly connected, eth0
[root@foobar64 quagga]# vtysh

Hello, this is Quagga (version 0.99.15).
Copyright 1996-2005 Kunihiro Ishiguro, et al.

foobar64.shorewall.net# conf t
foobar64.shorewall.net(config)# ip route 8.8.8.8/32 172.20.1.254
foobar64.shorewall.net(config)# quit
% Unknown command.
foobar64.shorewall.net(config)# vtysh -c "show ip route"
% Unknown command.
foobar64.shorewall.net(config)# exit
foobar64.shorewall.net# exit
[root@foobar64 quagga]# vtysh -c "show ip route"
Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
       I - ISIS, B - BGP, > - selected route, * - FIB route

S>* 8.8.8.8/32 [1/0] via 172.20.1.254, eth0
C>* 10.0.0.0/24 is directly connected, eth1
C>* 127.0.0.0/8 is directly connected, lo
C>* 172.20.1.0/24 is directly connected, eth0
[root@foobar64 quagga]#

This is how I would have expected it to work. USE_DEFAULT_RT=Yes has the
advantage that the 'main' table is traversed first. So all of the routes
added by Zebra will be seen prior to jumping to the provider-specific
tables; those tables contain only default routes.


[root@foobar64 quagga]# shorewall show routing
Shorewall 4.5.20 Routing at foobar64.shorewall.net - Sat Sep 14 08:11:14 PDT 2013


Routing Rules

0:      from all lookup local
999:    from all lookup main
10000:  from all fwmark 0x1/0xff lookup LAN
10001:  from all fwmark 0x2/0xff lookup WLAN
20000:  from 172.20.1.152 lookup LAN
20000:  from 10.0.0.5 lookup WLAN
32765:  from all lookup balance
32767:  from all lookup default

Table balance:

default via 172.20.1.254 dev eth0

Table default:

10.0.0.1 dev eth1 scope link
default via 10.0.0.1 dev eth1 src 10.0.0.5 metric 2

Table LAN:

172.20.1.254 dev eth0 scope link src 172.20.1.152
default via 172.20.1.254 dev eth0 src 172.20.1.152

Table local:

local 172.20.1.152 dev eth0 proto kernel scope host src 172.20.1.152
local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
local 10.0.0.5 dev eth1 proto kernel scope host src 10.0.0.5
broadcast 172.20.1.255 dev eth0 proto kernel scope link src 172.20.1.152
broadcast 172.20.1.0 dev eth0 proto kernel scope link src 172.20.1.152
broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1
broadcast 127.0.0.0 dev lo proto kernel scope link src 127.0.0.1
broadcast 10.0.0.255 dev eth1 proto kernel scope link src 10.0.0.5
broadcast 10.0.0.0 dev eth1 proto kernel scope link src 10.0.0.5
local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1

Table main:

8.8.8.8 via 172.20.1.254 dev eth0 proto zebra
172.20.1.254 dev eth0 scope link src 172.20.1.152
10.0.0.1 dev eth1 scope link src 10.0.0.5
172.20.1.0/24 dev eth0 proto kernel scope link src 172.20.1.152
10.0.0.0/24 dev eth1 proto kernel scope link src 10.0.0.5 metric 1

Table WLAN:

10.0.0.1 dev eth1 scope link src 10.0.0.5
default via 10.0.0.1 dev eth1 src 10.0.0.5
[root@foobar64 quagga]# shorewall version -a
shorewall-core: 4.5.20
shorewall: 4.5.20
shorewall6: 4.5.20
[root@foobar64 quagga]#


FWIW, my failed experiments were on my main gateway that runs Debian 7.

I've attached the Shorewall configuration directory.

Regards,
-Tom

Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

Attachment: shorewall.tgz
Description: GNU Zip compressed data

Attachment: signature.asc
Description: OpenPGP digital signature
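The lookup order Tom describes (the 'main' table consulted at priority 999, before the provider tables, so a Zebra-installed host route wins even for marked traffic) can be checked by simulating the kernel's rule walk over the rules and tables printed by 'shorewall show routing' above. The script below is an added illustration, not Shorewall or Quagga code; the tables are transcribed from the output in this message (the 'local' table is reduced to the host and loopback entries), and the contrast case that moves 'main' to priority 32766 is a hypothetical reordering chosen to show what changes when 'main' is consulted after the provider tables, not a configuration shown on this page.

```python
"""Simulate Linux policy-routing lookups over the rules and tables listed above."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    dev: str
    via: Optional[str] = None      # next hop; None means directly connected
    proto: str = "boot"


@dataclass(frozen=True)
class Rule:
    priority: int
    table: str
    src: Optional[ipaddress.IPv4Network] = None   # "from X"; None means "from all"
    fwmark: Optional[int] = None                  # "fwmark V/M"; None means no mark test
    mask: int = 0xFF                              # PROVIDER_BITS=8 gives the /0xff mask


def net(s: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network("0.0.0.0/0" if s == "default" else s, strict=False)


# Tables transcribed from the 'shorewall show routing' output (constructed for this example).
TABLES: Dict[str, List[Route]] = {
    "local": [Route(net("172.20.1.152/32"), "eth0"), Route(net("10.0.0.5/32"), "eth1"),
              Route(net("127.0.0.0/8"), "lo")],
    "main": [Route(net("8.8.8.8/32"), "eth0", via="172.20.1.254", proto="zebra"),
             Route(net("172.20.1.254/32"), "eth0"), Route(net("10.0.0.1/32"), "eth1"),
             Route(net("172.20.1.0/24"), "eth0", proto="kernel"),
             Route(net("10.0.0.0/24"), "eth1", proto="kernel")],
    "LAN": [Route(net("172.20.1.254/32"), "eth0"),
            Route(net("default"), "eth0", via="172.20.1.254")],
    "WLAN": [Route(net("10.0.0.1/32"), "eth1"),
             Route(net("default"), "eth1", via="10.0.0.1")],
    "balance": [Route(net("default"), "eth0", via="172.20.1.254")],
    "default": [Route(net("10.0.0.1/32"), "eth1"),
                Route(net("default"), "eth1", via="10.0.0.1")],
}

# Rules exactly as listed under "Routing Rules" (USE_DEFAULT_RT=Yes puts 'main' at 999).
RULES: List[Rule] = [
    Rule(0, "local"), Rule(999, "main"),
    Rule(10000, "LAN", fwmark=0x1), Rule(10001, "WLAN", fwmark=0x2),
    Rule(20000, "LAN", src=net("172.20.1.152/32")), Rule(20000, "WLAN", src=net("10.0.0.5/32")),
    Rule(32765, "balance"), Rule(32767, "default"),
]


def lookup(table: List[Route], dst: ipaddress.IPv4Address) -> Optional[Route]:
    """Longest-prefix match inside one table; None when the table has no matching route."""
    hits = [r for r in table if dst in r.prefix]
    return max(hits, key=lambda r: r.prefix.prefixlen) if hits else None


def rule_matches(rule: Rule, src: Optional[ipaddress.IPv4Address], fwmark: int) -> bool:
    if rule.src is not None and (src is None or src not in rule.src):
        return False
    if rule.fwmark is not None and (fwmark & rule.mask) != rule.fwmark:
        return False
    return True


def resolve(dst: str, src: Optional[str] = None, fwmark: int = 0,
            rules: List[Rule] = RULES):
    """Walk the rules in priority order; the first table that yields a route decides."""
    d = ipaddress.ip_address(dst)
    s = ipaddress.ip_address(src) if src else None
    for rule in sorted(rules, key=lambda r: r.priority):
        if not rule_matches(rule, s, fwmark):
            continue
        route = lookup(TABLES[rule.table], d)
        if route is not None:   # no route in this table: fall through to the next rule
            return rule.table, route
    return None  # destination unreachable


def with_main_priority(prio: int, rules: List[Rule] = RULES) -> List[Rule]:
    """Hypothetical contrast: the same rules with the 'main' lookup moved to another priority."""
    return [Rule(prio, r.table, r.src, r.fwmark, r.mask) if r.table == "main" else r
            for r in rules]


if __name__ == "__main__":
    for dst, mark in (("8.8.8.8", 0), ("8.8.8.8", 0x2), ("1.1.1.1", 0), ("1.1.1.1", 0x2)):
        print(dst, hex(mark), "main@999  ->", resolve(dst, fwmark=mark))
        print(dst, hex(mark), "main@32766->", resolve(dst, fwmark=mark,
                                                   rules=with_main_priority(32766)))
```

With the rules as printed, 8.8.8.8 is delivered via the Zebra route in 'main' whether or not the packet carries provider mark 0x2, while a destination with no route in 'main' (1.1.1.1 here) falls through to the provider or 'balance' table as expected. In the hypothetical reordering, a marked packet to 8.8.8.8 would leave via the WLAN default route and never see the Zebra route, which is the behaviour the paragraph above credits USE_DEFAULT_RT=Yes with avoiding.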

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users