On Wed, Nov 14, 2018 at 6:14 PM Tom Eastep <[email protected]> wrote:
>
> No -- I was apparently confusing enp8s5 with enp5s0 (I hate this new NIC
> naming convention).
>
> It appears that *no* traffic entered via enp5s0 during the period of
> time covered by the dump:
Hmm... you mean enp8s5, right? ;-)

> Or, at least, none made it as far as the filter table. So I suggest
> analyzing the packet flow with 'shorewall iptrace -s 192.168.215.201 -d
> 192.168.215.1' so we can see how netfilter is processing the echo
> request packets.

I'll do an iptrace asap.

In the meantime, I've noticed something really weird. After a "while" (not quantifiable yet), the traffic seems to flow "as expected", and the Shorewall rules/policies are finally being "applied". However, I've also noticed the following *after everything seemed to be working OK*:

1) One host was connected to a switch port with VLAN 11 untagged (host1).
2) Another host was connected to a switch port with VLAN 12 untagged (host2).
3) The Shorewall br0 config now includes VLANs 1, 11 and 12 and is apparently working "fine". For instance, according to my new rules, VLAN 11 hosts can only ping dst_host1, and VLAN 12 hosts can only ping dst_host2. So host1 can ping dst_host1, and host2 can ping dst_host2. All's fine until I swap the cables of host1 and host2, i.e. I connect host1 to the switch port with VLAN 12 untagged and host2 to the switch port with VLAN 11 untagged. I was expecting to see DROPped packets on both hosts. Instead, they were pinging just fine.
4) tcpdump -i enp8s5 -n -e vlan showed that the ICMP packets from host1 were marked with "vlan 12" and the packets from host2 with "vlan 11" (it was the other way around before swapping the cables on the switch). So everything "seems" to be OK, but the SW rules/policies are not honored.
5) Finally, if I wait a "while", the packets are suddenly "DROPped", according to my SW rules. I do not do anything at all on the Shorewall system -- not even a reload.
6) It also seems that restarting the switch fixes these issues... Again, I have NOT touched the switch's configuration. Also, the above tcpdump (-e vlan) seems to reflect the right VLAN IDs each time. In any case, I haven't done this often enough to confirm that restarting the switch actually "fixes things".
So at this point it could be anything. I'll perform an iptrace and post the results asap.

Thanks,

Vieri

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
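The check Vieri performs by hand in step 4 (reading the 802.1Q tag off `tcpdump -i enp8s5 -n -e vlan` and comparing it with the VLAN each host is supposed to be on) can be automated so that a cable swap or a switch that stops tagging correctly is reported immediately rather than noticed "after a while". The script below is an added example, not code from this thread or from Shorewall; the IP addresses, MAC addresses and the host-to-VLAN map are hypothetical, and the capture it parses is constructed in tcpdump's `-n -e` output format rather than taken from a real dump.

```shell
#!/bin/sh
# Added example (not from the thread or from Shorewall): compares the 802.1Q tag
# that "tcpdump -n -e vlan" reports for each source IP against the VLAN that
# host is expected to sit on, and prints one line per disagreement.
# Addresses and MACs are hypothetical.
#
# Live use on the trunk interface:
#   tcpdump -i enp8s5 -n -e -l vlan | check_vlan_tags

# Expected host-to-VLAN map: "<source IPv4> <expected VLAN ID>", one per line.
EXPECTED_MAP='192.168.11.10 11
192.168.12.10 12'

# Reads tcpdump -n -e lines on stdin.  For every IPv4 packet from a host in the
# map, prints   MISMATCH <src> tagged <vlan-or-untagged> expected <vlan>
# when the tag disagrees with the map.  Unknown hosts and non-IPv4 frames are ignored.
check_vlan_tags() {
    awk -v map="$EXPECTED_MAP" '
    BEGIN {
        n = split(map, rows, "\n")
        for (i = 1; i <= n; i++) { split(rows[i], f, " "); want[f[1]] = f[2] }
    }
    {
        # tcpdump -e prints "... ethertype 802.1Q (0x8100), length N: vlan 12, p 0, ethertype IPv4, ..."
        # for tagged frames; an untagged frame has no "vlan N," field at all.
        vlan = "untagged"
        if (match($0, /vlan [0-9]+,/)) vlan = substr($0, RSTART + 5, RLENGTH - 6)

        # The source address is the first dotted quad followed by " > ".  With -n a
        # TCP/UDP source carries a trailing ".port", which is dropped.  The MAC pair
        # "aa:bb:... > cc:dd:..." contains no dots, so it cannot match here.
        if (!match($0, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\.[0-9]+)? > /)) next
        src = substr($0, RSTART, RLENGTH - 3)
        if (split(src, oct, ".") == 5) src = oct[1] "." oct[2] "." oct[3] "." oct[4]

        if (!(src in want)) next
        if (vlan != want[src]) printf "MISMATCH %s tagged %s expected %s\n", src, vlan, want[src]
    }'
}

# Constructed capture in tcpdump -n -e format (not a real dump).  The first two
# frames show host1 on VLAN 11 and host2 on VLAN 12; the last two are after the
# cables were swapped, so host1 now arrives tagged 12 and host2 tagged 11.
SAMPLE_CAPTURE='18:14:01.100001 52:54:00:aa:00:01 > 52:54:00:ff:00:01, ethertype 802.1Q (0x8100), length 102: vlan 11, p 0, ethertype IPv4, 192.168.11.10 > 192.168.215.1: ICMP echo request, id 3141, seq 1, length 64
18:14:01.100002 52:54:00:aa:00:02 > 52:54:00:ff:00:01, ethertype 802.1Q (0x8100), length 102: vlan 12, p 0, ethertype IPv4, 192.168.12.10 > 192.168.215.1: ICMP echo request, id 3142, seq 1, length 64
18:19:30.200001 52:54:00:aa:00:01 > 52:54:00:ff:00:01, ethertype 802.1Q (0x8100), length 102: vlan 12, p 0, ethertype IPv4, 192.168.11.10 > 192.168.215.1: ICMP echo request, id 3141, seq 2, length 64
18:19:30.200002 52:54:00:aa:00:02 > 52:54:00:ff:00:01, ethertype 802.1Q (0x8100), length 102: vlan 11, p 0, ethertype IPv4, 192.168.12.10 > 192.168.215.1: ICMP echo request, id 3142, seq 2, length 64'

printf '%s\n' "$SAMPLE_CAPTURE" | check_vlan_tags
```

Run against the constructed capture it reports only the two post-swap frames. Feeding it the live `tcpdump ... | check_vlan_tags` pipeline on the bridge's trunk interface gives a continuous record of which VLAN the switch actually put each host's frames into, which is the piece of evidence needed to tell a switch-side tagging problem apart from rules not being honored on the Shorewall side.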
