Hi, On Mon, Nov 4, 2019 at 5:56 PM Tom Eastep <teas...@shorewall.net> wrote: > > > The advantage of using route rules is that I can use "priority blocks" > > and insert a rule dynamically without the need to reload shorewall. > > Static routes in the main table don't allow me to "insert" a route on > > the fly. I would need to reload it. > > Two things: > > a) You can insert routes on the fly: > > ip route add a.b.c.d/e [via w.x.y.z] dev xxx
Right. However, take this practical approach into consideration. I have an rtrules file which starts like this: #- 10.0.0.0/8 CAIB 11400 10.215.247.194 10.215.236.221 IBS 11410 10.215.246.39 10.215.241.105 IBS 11411 10.215.246.39 10.215.238.220 IBS 11412 - 10.215.198.0/24 IBS 11413 - 10.215.199.0/24 IBS 11414 Now, if the IBS provider were to fail, and if there were no fallback mechanism in place then I'd like to manually route all traffic to the other provider (CAIB) as fast as possible. Instead of uncommenting the first line referring to the CAIB provider, I would simply run this from the command line: ip rule add pref 11400 from all to 10.0.0.0/8 lookup CAIB That's it. Now, as soon as the IBS provider comes back up, I can quickly run this from the command line: ip rule del pref 11400 That's it, too. Well, this was only an example, but I could list more. Now, with routes in the main table, as they are sequential, I can't do it like this at all. I'd have to flush the table and repopulate it. Isn't that right? > b) For persistent routes in the main table, I would use my > distribution's network configuration tools rather than Shorewall. You > can still add routes on the fly, so long as you update the network > config file at the same time. At least on Debian-based systems, you can > always check the validity of your configuration without actually > reloading it (ifup -an). Why wouldn't you use the "routes" file in Shorewall? The entries will still end up in the same place anyway... Also, the routing config would be distribution-independent. Of course, one would depend on the Shorewall init script, but that doesn't bother me at least. Any other reason besides the "ifup -an" config check? Thanks, Vieri _______________________________________________ Shorewall-users mailing list Shorewall-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/shorewall-users
