Brian J. Murrell
2007-Apr-19 17:43 UTC
separating out the routing manipulations into a standalone script/tool
I'm finding that just a simple matter of my ppp session going down and then back up again is messing up the delicate balance (no pun intended) of route rules and tables that shorewall sets up to achieve track/balance/policy routing. If I simply do a "shorewall[-lite] restore" things return to normal.

I'm not quite sure what's happening yet but it's probably got to do with having both a DHCP Internet connection and a PPPoE connection and having them stomping on each other's default routes (even though I have removed the replacedefaultroute option from the ppp configuration), but it makes me wonder if it wouldn't be useful to separate out the code from shorewall[-lite] that restores the routing configuration so that one can call that without having to reload the whole firewall configuration.

In the meanwhile I think I probably have to fiddle these connections up and down a few times and watch what each is doing with the default route(s). It seems that at some point the default route through the DHCP connection gets completely lost, so that shorewall fails to reload because it can't even figure out what the default route is through that interface.

Thoughts?

b.

-- 
My other computer is your Microsoft Windows server.
Brian J. Murrell

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
Tom Eastep
2007-Apr-19 17:49 UTC
Re: separating out the routing manipulations into a standalone script/tool
Brian J. Murrell wrote:
> I'm finding that just a simple matter of my ppp session going down and
> then back up again is messing up the delicate balance (no pun intended)
> of route rules and tables that shorewall sets up to achieve
> track/balance/policy routing. If I simply do a "shorewall[-lite]
> restore" things return to normal.
>
> I'm not quite sure what's happening yet but it's probably got to do with
> having both a DHCP Internet connection and PPPoE connection and having
> them stomping on each other's default routes (even though I have set
> removed the replacedefaultroute option from the ppp configuration), but
> it makes me wonder if it wouldn't be useful to separate out the code
> from shorewall[-lite] that restores the routing configuration so that
> one can call that without having to reload the whole firewall
> configuration.

I've always believed that Linux needs a good routing configuration package. I put the routing/multi-ISP in Shorewall because I have neither the time nor the energy to support two totally different packages. But I think that there is an opportunity there to make a significant contribution.

-Tom

-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Andrew Suffield
2007-Apr-19 18:53 UTC
Re: separating out the routing manipulations into a standalone script/tool
On Thu, Apr 19, 2007 at 10:49:23AM -0700, Tom Eastep wrote:
> I've always believed that Linux needs a good routing configuration
> package. I put the routing/multi-ISP in Shorewall because I have neither
> the time nor the energy to support two totally different packages. But I
> think that there is an opportunity there to make a significant contribution.

It's not quite there as it currently stands, but I'd say that quagga is fairly close to being it. So long as the code isn't too awful (I've never looked), any such development efforts might be best applied there. It should not be overly difficult to enhance quagga to handle more than the basic routing configuration it currently does. It has all the necessary infrastructure for doing the interesting things, like responding to changes in the availability of network interfaces.

(Plus, it would be better to have *one* good routing configuration package, rather than a different package for static and automatic routing mechanisms)
Brian J. Murrell
2007-Apr-19 19:11 UTC
Re: separating out the routing manipulations into a standalone script/tool
On Thu, 2007-19-04 at 19:53 +0100, Andrew Suffield wrote:
>
> It's not quite there as it currently stands, but I'd say that quagga
> is fairly close to being it. So long as the code isn't too awful (I've
> never looked), any such development efforts might be best applied
> there. It should not be overly difficult to enhance quagga to handle
> more than the basic routing configuration it currently does. It has
> all the necessary infrastructure for doing the interesting things,
> like responding to changes in the availability of network interfaces.

What I am finding troublesome is having two interfaces that want to set default routes, a DHCP assigned interface and a PPPoE interface. Both get their default routes through the configuration protocols. Both want to do things like "ip route add default ..." and while they should both be able to add to existing default routes, when the rubber hits the road, it turns out to be quite problematic. Take currently for example:

    # ip route ls table main
    ...
    169.254.0.0/16 via 10.75.22.251 dev br0 proto zebra metric 20 equalize
    default
        nexthop via 72.38.136.1 dev vlan2 weight 1
        nexthop via 192.168.200.1 dev ppp0 weight 1
    default via 192.168.200.1 dev ppp0

Other times, after say the ppp interface has gone down and up, I will have only a default route through ppp0 and the vlan2 default route will have completely disappeared.

Unfortunately the DHCP client is not dhclient with its really nifty dhclient-script for doing the real config work. There is a script, and pppd has the ifup-local script of course, so I might be able to hack around these two wanting to clobber each other.

> (Plus, it would be better to have *one* good routing configuration
> package, rather than a different package for static and automatic
> routing mechanisms)

Sure.

b.

-- 
My other computer is your Microsoft Windows server.
Brian J. Murrell
Brian J. Murrell
2007-Apr-20 20:24 UTC
Re: separating out the routing manipulations into a standalone script/tool
On Thu, 2007-19-04 at 13:43 -0400, Brian J. Murrell wrote:> I''m finding that just a simple matter of my ppp session going down and > then back up again is messing up the delicate balance (no pun intended) > of route rules and tables that shorewall sets up to achieve > track/balance/policy routing. If I simply do a "shorewall[-lite] > restore" things return to normal.OK. FWIW here is what is happening. Assume all providers are up and shorewall has set up the track/balance routing so that the main routing table has: # ip route ls table main ... default nexthop via 72.38.136.1 dev vlan2 weight 1 nexthop via 192.168.200.1 dev ppp0 weight 1 Now pppd goes down (i.e. loses link, whatever) and see what it does to the main routing table: # ip route ls table main ... [ no default route at all ] Then when pppd comes back up: # ip route ls table main ... default via 192.168.200.1 dev ppp0 So pppd is taking out that equal-weighted route. Not really surprising when you think about it. Not very nice either though. :-( I''m really not sure what to do about that. AFAIK you can prevent pppd from creating a default route, but not prevent it from removing one. I''m probably going to have to do some bad hackery to save the default route that is in place when pppd starts and have pppd''s ip-down replace it when it''s done. If that''s even possible which it might not depending on when ip-down scripts are called in the shutdown process. None of this is really all that shorewall related, but I just thought I would close the loop on what is going on here for the benefit of anyone following along. b. -- My other computer is your Microsoft Windows server. Brian J. Murrell ------------------------------------------------------------------------- This SF.net email is sponsored by DB2 Express Download DB2 Express C - the FREE version of DB2 express and take control of your XML. No limits. Just data. Click to get it now. http://sourceforge.net/powerbar/db2/