Hi, I recently upgraded both the Linux kernel and Shorewall, and my setup started to have issues I wasn't seeing before.
I am routing between networks, and I would like to "port mirror" traffic from some VLANs to one ethernet device, i.e. from lan.13, lan.14 and lan.15 to soc.50. As you can see in the shorewall dump I posted below, I run something like this in /etc/shorewall/started:

    for lan_vid in 13 14 15
    do
        # mirror everything arriving on the VLAN interface to $IF_SOC_VLAN
        run_tc qdisc add dev ${IF_LAN}.${lan_vid} ingress
        run_tc filter add dev ${IF_LAN}.${lan_vid} parent ffff: protocol all u32 match u8 0 0 action mirred egress mirror dev $IF_SOC_VLAN
        # mirror everything leaving the VLAN interface to $IF_SOC_VLAN
        run_tc qdisc add dev ${IF_LAN}.${lan_vid} handle 1: root prio
        run_tc filter add dev ${IF_LAN}.${lan_vid} parent 1: protocol all u32 match u8 0 0 action mirred egress mirror dev $IF_SOC_VLAN
    done

This seemed to work fine before, but now I'm seeing a lot of rejected traffic. For instance, just to list one example as there are many more in the dump, traffic from the host with IP address 10.215.144.80 in lan.1 ('lan1' zone) to the host with IP address 10.215.237.254 in the 'ibs' zone on tcp port 20000 should be allowed "from lan1 to ibs". However, I'm seeing this:

    kernel: Shorewall:FORWARD:REJECT:IN=soc OUT=ibs MAC=ac:1f:6b:f5:b7:1a:00:50:56:b6:28:b2:08:00 SRC=10.215.144.80 DST=10.215.237.254 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=10326 DF PROTO=TCP SPT=54218 DPT=20000 WINDOW=5840 RES=0x00 SYN URGP=0

Why? And why is it affecting traffic from lan1 to ibs? If I physically disconnect the ethernet cable on the 'soc' network interface then the above mentioned traffic goes through with no issues.

This is the SW dump: https://drive.google.com/file/d/1_pdrU-3Ogds8XfSAtmwAr-qsj19635TK/view?usp=sharing

Regards,

Vieri

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
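The REJECT line above carries the information needed to see what is odd about the packet: a source that belongs to lan.1 was seen entering on soc, and its TTL is 63. As an added example (not part of Vieri's post and not Shorewall or tc code), the following Python helper parses Shorewall's netfilter log lines into fields, splits the MAC= blob into destination MAC, source MAC and ethertype, and flags packets whose ingress interface does not match the one their source subnet is expected to arrive on. The 10.215.144.0/24 prefix, the lan.1 interface name, the second sample log line and the TTL-based "already routed" heuristic are assumptions made for the illustration; the first sample line is the one quoted in the post.

```python
import ipaddress
import re

# Constructed sample input. Line 1 is the REJECT line quoted in the post; line 2
# is a made-up comparison line with the same flow entering on lan.1 as expected.
SAMPLE_LOG = """\
kernel: Shorewall:FORWARD:REJECT:IN=soc OUT=ibs MAC=ac:1f:6b:f5:b7:1a:00:50:56:b6:28:b2:08:00 SRC=10.215.144.80 DST=10.215.237.254 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=10326 DF PROTO=TCP SPT=54218 DPT=20000 WINDOW=5840 RES=0x00 SYN URGP=0
kernel: Shorewall:lan1-ibs:ACCEPT:IN=lan.1 OUT=ibs MAC=ac:1f:6b:f5:b7:1a:00:50:56:b6:28:b2:08:00 SRC=10.215.144.80 DST=10.215.237.254 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=10327 DF PROTO=TCP SPT=54219 DPT=20000 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# Assumed mapping of source prefixes to the interface their packets should enter
# on. The /24 and the interface name are guesses for illustration; the post only
# says that 10.215.144.80 lives in lan.1 (the 'lan1' zone).
EXPECTED_INGRESS = {
    ipaddress.ip_network("10.215.144.0/24"): "lan.1",
}

# Shorewall log prefix: "Shorewall:<chain>:<disposition>:" followed by key=value
# tokens and bare flags (DF, SYN, ACK, ...) in netfilter's LOG target format.
_PREFIX = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disposition>[^:]+):(?P<rest>.*)$")

# Fields that are plain integers in the LOG output.
_INT_FIELDS = ("LEN", "TTL", "ID", "SPT", "DPT", "WINDOW")


def parse_line(line):
    """Parse one Shorewall kernel log line into a dict; None if not a Shorewall line."""
    m = _PREFIX.search(line)
    if not m:
        return None
    rec = {"chain": m.group("chain"), "disposition": m.group("disposition"), "flags": []}
    for token in m.group("rest").split():
        if "=" in token:
            key, value = token.split("=", 1)
            rec[key] = value
        else:
            rec["flags"].append(token)  # valueless tokens such as DF, SYN
    for key in _INT_FIELDS:
        if key in rec:
            rec[key] = int(rec[key])
    # MAC= is dst(6 octets):src(6 octets):ethertype(2 octets), 14 fields in total.
    octets = rec.get("MAC", "").split(":")
    if len(octets) == 14:
        rec["dst_mac"] = ":".join(octets[:6])
        rec["src_mac"] = ":".join(octets[6:12])
        rec["ethertype"] = "0x" + "".join(octets[12:])
    return rec


def ingress_mismatch(rec, expected=EXPECTED_INGRESS):
    """Return (expected_iface, actual_iface) if the source belongs to a known
    subnet but arrived on a different interface; None otherwise."""
    src = ipaddress.ip_address(rec["SRC"])
    for net, iface in expected.items():
        if src in net:
            actual = rec.get("IN")
            return None if actual == iface else (iface, actual)
    return None


def prior_hops(ttl, initial=(64, 128, 255)):
    """Heuristic (assumption, not a fact from the post): distance below the
    nearest common initial TTL, i.e. how many routers the packet has probably
    already crossed. TTL 63 from a Linux sender -> 1."""
    candidates = [i - ttl for i in initial if i >= ttl]
    return min(candidates) if candidates else None


def triage(log_text):
    """Run every Shorewall line through the checks; return one finding per line."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        findings.append({
            "chain": rec["chain"],
            "disposition": rec["disposition"],
            "src": rec["SRC"],
            "dst": rec["DST"],
            "dpt": rec.get("DPT"),
            "in": rec.get("IN"),
            "mismatch": ingress_mismatch(rec),
            "src_mac": rec.get("src_mac"),
            "prior_hops": prior_hops(rec["TTL"]) if "TTL" in rec else None,
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Feed it `journalctl -k` or `/var/log/kern.log` instead of `SAMPLE_LOG` and extend `EXPECTED_INGRESS` with one entry per zone; every line whose `mismatch` is not `None` is a packet that reached the FORWARD chain through an interface its source should never use, which is exactly the class of entries to compare with the `tc -s filter show dev ...` counters on the mirrored VLAN interfaces.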