On 11/5/19 2:55 AM, Vieri Di Paola wrote: > Hi, > > On Mon, Nov 4, 2019 at 5:56 PM Tom Eastep <teas...@shorewall.net> wrote: >> >>> The advantage of using route rules is that I can use "priority blocks" >>> and insert a rule dynamically without the need to reload shorewall. >>> Static routes in the main table don't allow me to "insert" a route on >>> the fly. I would need to reload it. >> >> Two things: >> >> a) You can insert routes on the fly: >> >> ip route add a.b.c.d/e [via w.x.y.z] dev xxx > > Right. However, take this practical approach into consideration. I > have an rtrules file which starts like this: > > #- 10.0.0.0/8 CAIB 11400 > 10.215.247.194 10.215.236.221 IBS 11410 > 10.215.246.39 10.215.241.105 IBS 11411 > 10.215.246.39 10.215.238.220 IBS 11412 > - 10.215.198.0/24 IBS 11413 > - 10.215.199.0/24 IBS 11414 > > Now, if the IBS provider were to fail, and if there were no fallback > mechanism in place then I'd like to manually route all traffic to the > other provider (CAIB) as fast as possible. Instead of uncommenting the > first line referring to the CAIB provider, I would simply run this > from the command line: > > ip rule add pref 11400 from all to 10.0.0.0/8 lookup CAIB > > That's it. > Now, as soon as the IBS provider comes back up, I can quickly run this > from the command line: > > ip rule del pref 11400 > > That's it, too. > > Well, this was only an example, but I could list more. > > Now, with routes in the main table, as they are sequential, I can't do > it like this at all. I'd have to flush the table and repopulate it. > Isn't that right?
No -- you can simply use 'ip route replace....'. > >> b) For persistent routes in the main table, I would use my >> distribution's network configuration tools rather than Shorewall. You >> can still add routes on the fly, so long as you update the network >> config file at the same time. At least on Debian-based systems, you can >> always check the validity of your configuration without actually >> reloading it (ifup -an). > > Why wouldn't you use the "routes" file in Shorewall? The entries will > still end up in the same place anyway... Because you are complaining about how slow and disruptive 'shorewall reload' is on this system. I would think that you would want to strip out as much as possible from the Shorewall config and have it installed once (at boot time). > Also, the routing config would be distribution-independent. Of course, > one would depend on the Shorewall init script, but that doesn't bother > me at least. > Any other reason besides the "ifup -an" config check? > See above. Regarding rtrules, remember that there is no longer a route cache in the Linux IPv4 stack, so each packet must run the routing rules/tables gauntlet. So you want to make that gauntlet as short as possible for the vast majority of packets. Given that lookup in the main table occurs very early in the routing rules, that table should be used wherever possible. -Tom -- Tom Eastep \ Q: What do you get when you cross a mobster with Shoreline, \ an international standard? Washington, USA \ A: Someone who makes you an offer you can't http://shorewall.org \ understand \_______________________________________________
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Shorewall-users mailing list Shorewall-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/shorewall-users
