10001:  from all fwmark 0x2/0xff lookup CAIB

The only thing you need to do is add a rule to the mangle file (PREROUTING section) utilizing the SWITCH column to mark all the traffic you want to override to CAIB with MARK(2):P near the top.  Then it's just a matter of issuing:

echo 1 > /proc/net/nf_condition/override_to_CAIB

to enable the bypass.

Bill

On 11/8/2019 7:50 AM, Vieri Di Paola wrote:
Hi,

I have a specific routing requirement that I'll try to explain here.
I define routes in the main table via the routes file (not with my
distro's network manager) such as:

main            10.215.198.0/23         $ADDR_GW_IBS    $IF_IBS
[lots and lots more to 10.215.x.x via $ADDR_GW_IBS dev $IF_IBS]
main            10.0.0.0/8              $ADDR_GW_CAIB   $IF_CAIB

Basically, the idea is "route 10.0.0.0/8 via one provider but route
specific 10.y.y.y via another provider".

However, I also have other routes to specific interfaces or VLANs such as:

main                    10.215.144.42          -               $IF_VLAN_13
main                    10.215.144.43          -               $IF_VLAN_15

The problem is that I require a quick way to by-pass the first set
(providers IBS and CAIB above), but at the same time keep the second
set valid (IF_VLAN_*).

This is what shows up in my current Routing Rules:

0:      from all lookup local
1:      from all fwmark 0x200/0x200 lookup Tproxy
220:    from all lookup 220
999:    from all lookup main
10000:  from all fwmark 0x1/0xff lookup WAN
10001:  from all fwmark 0x2/0xff lookup CAIB
10002:  from all fwmark 0x3/0xff lookup IBS
20000:  from 172.16.0.1 lookup WAN
20000:  from 172.20.11.62 lookup CAIB
20000:  from 172.28.17.105 lookup IBS
32765:  from all lookup balance
32767:  from all lookup default

Table CAIB:
[snip]

Table HMAN:
[snip]

Table IBS:
[snip]

If I were to quickly by-pass the first set (providers IBS and CAIB)
without reloading Shorewall and send all the packets via CAIB, I'd
insert a rule with priority 998 such as:
from all to 10.0.0.0/8 lookup CAIB
That's one run on the command line, quick and easy.

However, that would also send traffic normally destined for IF_VLAN_*
to CAIB. How can I avoid that (too many rules to change them one by
one)?

So I thought that if I could create a new table containing the
IF_VLAN_* routes with a lower priority value than the main table's
then I could insert that rule right after it.

It would look something like this (HMAN custom table):

0:      from all lookup local
1:      from all fwmark 0x200/0x200 lookup Tproxy
220:    from all lookup 220
990:    from all lookup HMAN
999:    from all lookup main
10000:  from all fwmark 0x1/0xff lookup WAN
10001:  from all fwmark 0x2/0xff lookup CAIB
10002:  from all fwmark 0x3/0xff lookup IBS
20000:  from 172.16.0.1 lookup WAN
20000:  from 172.20.11.62 lookup CAIB
20000:  from 172.28.17.105 lookup IBS
32765:  from all lookup balance
32767:  from all lookup default

I could then run this from the command line in case I needed it:

# ip rule add pref 995 from all to 10.0.0.0/8 lookup CAIB

That would keep the IF_VLAN_* routes valid/usable, but at the same
time by-pass the IBS/CAIB routes.

How can I tell Shorewall to do this for me?

I presume it's supposed to be through the providers file.
However, I don't understand why the INTERFACE column is required.
If I put one like in this example (I picked a random interface for no
particular reason):

HMAN    5       -       -       $IF_DMZ         none

then Shorewall generates these routing rules (added to the previous ones):

10004:  from all fwmark 0x4/0xff lookup HMAN
20000:  from 192.168.215.1 lookup HMAN

Could I delete them or avoid their generation?

I would then set something like this in my rtrules file:

0.0.0.0/0                       -                       HMAN            990

and something like this in my routes file:

HMAN                    10.215.144.42           -               $IF_VLAN_13
HMAN                    10.215.144.43           -               $IF_VLAN_15

Now, my Routing Rules are:

0:      from all lookup local
1:      from all fwmark 0x200/0x200 lookup Tproxy
220:    from all lookup 220
990:    from all lookup HMAN
999:    from all lookup main
1013:   from 10.215.144.92 to 85.119.192.0/21 lookup CAIB
10000:  from all fwmark 0x1/0xff lookup WAN
10001:  from all fwmark 0x2/0xff lookup CAIB
10002:  from all fwmark 0x3/0xff lookup IBS
10004:  from all fwmark 0x4/0xff lookup HMAN
20000:  from 172.16.0.1 lookup WAN
20000:  from 172.20.11.62 lookup CAIB
20000:  from 172.28.17.105 lookup IBS
20000:  from 192.168.215.1 lookup HMAN
32765:  from all lookup balance
32767:  from all lookup default

Table CAIB:
[snip]

Table HMAN:

10.215.144.42 dev blan.13 scope link
10.215.144.43 dev blan.15 scope link

So I can finally run this command whenever I want to by-pass the
IBS/CAIB provider routes:

# ip rule add pref 995 from all to 10.0.0.0/8 lookup CAIB

Is there a better way to do this?

Vieri
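As an added illustration (not part of either message above), a small Python model of the kernel's routing policy database walk, using the rule preferences and the HMAN/main tables from the thread. The CAIB table is snipped above, so its default route, and the rule/table shapes, are assumptions made here.

```python
import ipaddress

# Routing tables reconstructed from the thread (table -> list of (prefix, next hop)).
# The CAIB table is [snip] in the original, so its default route is an assumption.
TABLES = {
    "main": [
        ("10.215.198.0/23", "via $ADDR_GW_IBS dev $IF_IBS"),
        ("10.0.0.0/8", "via $ADDR_GW_CAIB dev $IF_CAIB"),
    ],
    "HMAN": [
        ("10.215.144.42/32", "dev blan.13 scope link"),
        ("10.215.144.43/32", "dev blan.15 scope link"),
    ],
    "CAIB": [("0.0.0.0/0", "via $ADDR_GW_CAIB dev $IF_CAIB")],  # assumed default route
}

# Rules as (pref, destination selector or None for "from all", table).
BASE_RULES = [(990, None, "HMAN"), (999, None, "main")]
BYPASS_RULE = (995, "10.0.0.0/8", "CAIB")  # ip rule add pref 995 from all to 10.0.0.0/8 lookup CAIB
NAIVE_RULE = (998, "10.0.0.0/8", "CAIB")   # first idea: no HMAN table, rule placed just before main


def lookup_table(table, dst):
    """Longest-prefix match inside one table; None when the table has no route for dst."""
    best = None
    for prefix, hop in TABLES.get(table, []):
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return None if best is None else f"{best[0]} {best[1]}"


def rpdb_lookup(rules, dst):
    """Walk rules by ascending pref; the first table holding a matching route wins.
    Like the kernel, a rule whose table has no route for dst is skipped."""
    dst = ipaddress.ip_address(dst)
    for pref, to, table in sorted(rules, key=lambda r: r[0]):
        if to is not None and dst not in ipaddress.ip_network(to):
            continue  # selector does not match: try the next rule
        hit = lookup_table(table, dst)
        if hit is not None:
            return pref, table, hit
    return None


if __name__ == "__main__":
    print(rpdb_lookup(BASE_RULES, "10.215.198.5"))                  # main: via IBS
    print(rpdb_lookup(BASE_RULES + [BYPASS_RULE], "10.215.198.5"))  # pref 995: via CAIB
    print(rpdb_lookup(BASE_RULES + [BYPASS_RULE], "10.215.144.42"))  # HMAN keeps the VLAN route
    print(rpdb_lookup([(999, None, "main"), NAIVE_RULE], "10.215.144.42"))  # CAIB; main never reached
```

The last call shows the problem from the first attempt: with the bypass rule ahead of main and no HMAN table, the VLAN host matches the 10.0.0.0/8 selector and is sent to CAIB before main is consulted at all.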


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users

