On 11/4/19 3:14 AM, Vieri Di Paola wrote:
> Hi,
> 
> On Thu, Oct 31, 2019 at 9:47 PM Tom Eastep <teas...@shorewall.net> wrote:
>>
>> You have a large number of routing rules with priorities >= 11000;
>> trying to route to any of the networks referenced in those rules is
>> not possible for packets that originate from another provider,
>> because the fwmark rules with priorities in the 10000-10999 range will
>> override those rules for such traffic.
>>
>> Those rules should really be replaced with routes in your main routing
>> table. It would make routing to those networks faster and would allow
>> inter-provider traffic.
> 
> The advantage of using route rules is that I can use "priority blocks"
> and insert a rule dynamically without the need to reload shorewall.
> Static routes in the main table don't allow me to "insert" a route on
> the fly. I would need to reload it.

Two things:

a) You can insert routes on the fly:

        ip route add a.b.c.d/e [via w.x.y.z] dev xxx

b) For persistent routes in the main table, I would use my
distribution's network configuration tools rather than Shorewall. You
can still add routes on the fly, so long as you update the network
config file at the same time. At least on Debian-based systems, you can
always check the validity of your configuration without actually
reloading it (ifup -an).

> 
> I understand I can use the priority range 1000-1999 for "Before
> Shorewall-generated 'MARK' rules".
> 
> So I used this rule successfully for inter-provider traffic:
> 1000:    from 10.215.144.92 to TARGET_IP_ADDR_OR_NETWORK lookup IBS
> 
> In any case, I'm curious to see how much faster routing via the
> main table is vs. routing rules and if it's worth it.
> I'll do some testing.
> 

By their nature, routing rules are sequential. IPv4 routes in a routing
table result in the creation of a balanced Trie which is very efficient
for finding the correct route.

-Tom
-- 
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
                      \_______________________________________________


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
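To make the priority ordering discussed above concrete, here is an added simulation of how the kernel walks the policy-routing rules (ip rule) in ascending priority; it is example code written for this page, not code from the thread or from Shorewall. The provider table names ISP1 and IBS, the marks 1 and 2, and the 192.0.2.0/24 destination are constructed assumptions.

```python
"""Model of Linux policy-routing (ip rule) evaluation order.

Constructed example: shows why a "to NETWORK lookup TABLE" rule at
priority 11000 is never reached for fwmark'ed packets, while the same
rule at priority 1000 (before the MARK rules) is honoured.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Rule:
    prio: int                     # rules are evaluated in ascending priority
    table: str                    # routing table consulted when the rule matches
    src: Optional[str] = None     # "from" prefix, None = any source
    dst: Optional[str] = None     # "to" prefix, None = any destination
    fwmark: Optional[int] = None  # "fwmark" selector, None = any mark

    def matches(self, src: str, dst: str, mark: int) -> bool:
        in_net = lambda a, n: ipaddress.ip_address(a) in ipaddress.ip_network(n)
        return ((self.src is None or in_net(src, self.src))
                and (self.dst is None or in_net(dst, self.dst))
                and (self.fwmark is None or self.fwmark == mark))


def decide(rules: List[Rule], tables: Dict[str, List[str]],
           src: str, dst: str, mark: int) -> Optional[Tuple[int, str]]:
    """Return (priority, table) of the first matching rule whose table has a
    route for dst. As in the kernel, a matching rule whose table has no
    route lets evaluation continue with the next rule."""
    for rule in sorted(rules, key=lambda r: r.prio):
        if rule.matches(src, dst, mark) and any(
                ipaddress.ip_address(dst) in ipaddress.ip_network(p)
                for p in tables[rule.table]):
            return rule.prio, rule.table
    return None


# Constructed topology (assumed names): ISP1 traffic carries mark 1, IBS mark 2.
TABLES = {"ISP1": ["0.0.0.0/0"], "IBS": ["0.0.0.0/0"], "main": ["10.215.144.0/24"]}
FWMARK_RULES = [Rule(10000, "ISP1", fwmark=1), Rule(10001, "IBS", fwmark=2),
                Rule(32766, "main")]
# Priority 11000: shadowed by the fwmark rules for every marked packet.
LATE_RULES = FWMARK_RULES + [Rule(11000, "IBS", dst="192.0.2.0/24")]
# Priority 1000: evaluated before the MARK rules, so it wins whatever the mark.
EARLY_RULES = FWMARK_RULES + [Rule(1000, "IBS", src="10.215.144.92", dst="192.0.2.0/24")]

if __name__ == "__main__":
    pkt = ("10.215.144.92", "192.0.2.10")
    print("11000 rule, mark 1:", decide(LATE_RULES, TABLES, *pkt, mark=1))   # (10000, 'ISP1')
    print("11000 rule, mark 0:", decide(LATE_RULES, TABLES, *pkt, mark=0))   # (11000, 'IBS')
    print("1000 rule,  mark 1:", decide(EARLY_RULES, TABLES, *pkt, mark=1))  # (1000, 'IBS')
```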
