[ I hope this isn't a dupe. Evolution crashed on my last send and I see nothing in my logs that leads me to believe the mail made it out before the crash ]
Well, it probably is working. I'm probably just misunderstanding something.
Given routing rules that look like this:
0: from all lookup local
10000: from all fwmark 0x40 lookup CGCO
10001: from all fwmark 0x80 lookup IGS
20000: from 67.193.45.68 lookup CGCO
20256: from 66.11.173.224 lookup IGS
32766: from all lookup main
32767: from all lookup default
and given the CGCO routing table:
10.8.0.2 dev tun0 proto kernel scope link src 10.8.0.1
67.193.45.68 dev eth0.1 scope link
192.168.200.1 dev ppp0 proto kernel scope link src 66.11.173.224
10.8.0.0/24 via 10.8.0.2 dev tun0
10.75.22.0/24 dev br-lan proto kernel scope link src 10.75.22.254
10.75.23.0/24 via 10.8.0.2 dev tun0
67.193.44.0/23 dev eth0.1 proto kernel scope link src 67.193.45.68
default via 67.193.44.1 dev eth0.1
and given a routemark chain of (the first two rules I added manually, but I think this chain is probably irrelevant; I thought I'd include it anyway):
Chain routemark (2 references)
pkts bytes target prot opt in out source destination
0 0 MARK udp -- * * 0.0.0.0/0 0.0.0.0/0
udp spt:1194 MARK set 0x40
6 252 MARK udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:1194 MARK set 0x40
332 46438 MARK all -- ppp0 * 0.0.0.0/0 0.0.0.0/0
MARK set 0x80
4600 737K MARK all -- eth0.1 * 0.0.0.0/0 0.0.0.0/0
MARK set 0x40
4932 783K CONNMARK all -- * * 0.0.0.0/0 0.0.0.0/0
MARK match !0x0/0xff CONNMARK save mask 0xff
and a tcpre chain of (whose purpose is to default traffic via the CGCO table and connection):
Chain tcpre (3 references)
pkts bytes target prot opt in out source destination
1310K 1862M RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
MARK match !0x0/0xc0
157K 14M MARK all -- * * 0.0.0.0/0 0.0.0.0/0
MARK set 0x40
42 5537 MARK all -- * * 10.75.22.101 0.0.0.0/0
MARK set 0x80
and given the following entry in /proc/net/ip_conntrack:
udp 17 59 src=99.228.107.5 dst=67.193.45.68 sport=34730 dport=1194
packets=125 bytes=5250 [UNREPLIED] src=67.193.45.68 dst=99.228.107.5 sport=1194
dport=34730 packets=0 bytes=0 mark=64 use=1
Why would I be seeing these:
Dec 28 17:46:07 gw.ilinx kernel: Shorewall:fw2all:REJECT:IN= OUT=ppp0
SRC=66.11.173.224 DST=99.228.107.5 LEN=50 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF
PROTO=UDP SPT=1194 DPT=34730 LEN=30
Dec 28 17:46:09 gw.ilinx kernel: Shorewall:fw2all:REJECT:IN= OUT=ppp0
SRC=66.11.173.224 DST=99.228.107.5 LEN=50 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF
PROTO=UDP SPT=1194 DPT=34730 LEN=30
Dec 28 17:46:10 gw.ilinx kernel: Shorewall:fw2all:REJECT:IN= OUT=ppp0
SRC=66.11.173.224 DST=99.228.107.5 LEN=42 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF
PROTO=UDP SPT=1194 DPT=34730 LEN=22
Dec 28 17:46:11 gw.ilinx kernel: Shorewall:fw2all:REJECT:IN= OUT=ppp0
SRC=66.11.173.224 DST=99.228.107.5 LEN=42 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF
PROTO=UDP SPT=1194 DPT=34730 LEN=22
I would have thought that the mark that is on the connection (as per the
ip_conntrack excerpt above) would have shuffled those packets through
the CGCO routing table and on out through eth0.1. What am I missing?
b.
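The following is an added example, not code from the poster or from Shorewall. It replays the kernel's policy-routing decision over the `ip rule` list and the CGCO table exactly as they appear in the post above, so a reader can see which table a packet lands in for a given source address and fwmark, and then checks a logged packet against that walk. The local, main, IGS and default tables are not shown in the post, so they are modelled as unknown (an assumption, marked in the code): the walk stops and reports the table name when a decision lands in one of them.

```python
"""Policy-routing walk-through for the rules and CGCO table in the post.

Added example, not the poster's or Shorewall's code. RULES and TABLES["CGCO"]
are transcribed from the post; the other tables are not on the page and are
treated as unknown (assumption).
"""
import ipaddress
import re

# (priority, selectors, table), transcribed from the post's `ip rule` output
RULES = [
    (0,     {},                       "local"),
    (10000, {"fwmark": 0x40},         "CGCO"),
    (10001, {"fwmark": 0x80},         "IGS"),
    (20000, {"src": "67.193.45.68"},  "CGCO"),
    (20256, {"src": "66.11.173.224"}, "IGS"),
    (32766, {},                       "main"),
    (32767, {},                       "default"),
]

# Table CGCO transcribed from the post: (prefix, dev, via, preferred src).
# "local" is modelled as empty (assumption) so the walk falls through, as the
# kernel does when a table holds no route for the destination; main, IGS and
# default are absent from the post and therefore unknown here.
TABLES = {
    "CGCO": [
        ("10.8.0.2/32",      "tun0",   None,          "10.8.0.1"),
        ("67.193.45.68/32",  "eth0.1", None,          None),
        ("192.168.200.1/32", "ppp0",   None,          "66.11.173.224"),
        ("10.8.0.0/24",      "tun0",   "10.8.0.2",    None),
        ("10.75.22.0/24",    "br-lan", None,          "10.75.22.254"),
        ("10.75.23.0/24",    "tun0",   "10.8.0.2",    None),
        ("67.193.44.0/23",   "eth0.1", None,          "67.193.45.68"),
        ("0.0.0.0/0",        "eth0.1", "67.193.44.1", None),
    ],
    "local": [],
}


def rule_matches(selectors, src, fwmark):
    """A rule matches when every selector it carries matches the packet.
    `fwmark N` without a mask compares the whole skb mark, so 0x40 != 0."""
    if "fwmark" in selectors and selectors["fwmark"] != fwmark:
        return False
    if "src" in selectors and selectors["src"] != src:
        return False
    return True


def lookup(table_name, dst):
    """Longest-prefix match inside one table; None when no route matches
    or when the table's contents are not known from the post."""
    routes = TABLES.get(table_name)
    if routes is None:
        return None
    best = None
    addr = ipaddress.ip_address(dst)
    for prefix, dev, via, prefsrc in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, dev, via, prefsrc)
    if best is None:
        return None
    return {"dev": best[1], "via": best[2], "prefsrc": best[3]}


def route(dst, src=None, fwmark=0):
    """Walk the rules in priority order and return the first table that
    yields a route. A table absent from the post ends the walk with
    route=None so the caller knows the decision is not derivable here."""
    for prio, selectors, table in RULES:
        if not rule_matches(selectors, src, fwmark):
            continue
        if table not in TABLES:
            return {"rule": prio, "table": table, "route": None}
        r = lookup(table, dst)
        if r is not None:
            return {"rule": prio, "table": table, "route": r}
    return {"rule": None, "table": None, "route": None}


LOG_RE = re.compile(r"OUT=(?P<out>\S*).*?SRC=(?P<src>\S+) DST=(?P<dst>\S+)")

# One of the post's log lines, re-joined onto a single line for parsing.
LOG_LINE = ("Dec 28 17:46:07 gw.ilinx kernel: Shorewall:fw2all:REJECT:IN= OUT=ppp0 "
            "SRC=66.11.173.224 DST=99.228.107.5 LEN=50 TOS=0x00 PREC=0x00 TTL=64 "
            "ID=0 DF PROTO=UDP SPT=1194 DPT=34730 LEN=30")


def mark_was_applied(log_line, expected_mark=0x40):
    """True if the logged packet could have carried expected_mark when it
    was routed, False if the mark would have sent it out a different device
    than OUT= shows, None if the deciding table is not in the post."""
    m = LOG_RE.search(log_line)
    if not m:
        raise ValueError("not a Shorewall log line")
    marked = route(m["dst"], src=m["src"], fwmark=expected_mark)
    if marked["route"] is None:
        return None
    return marked["route"]["dev"] == m["out"]


if __name__ == "__main__":
    print("reply marked 0x40      ->", route("99.228.107.5", fwmark=0x40))
    print("unmarked, src ppp0 addr ->", route("99.228.107.5", src="66.11.173.224"))
    print("logged packet carried 0x40 at routing time?", mark_was_applied(LOG_LINE))
```

The walk shows that a packet carrying fwmark 0x40 toward 99.228.107.5 hits rule 10000, lands in CGCO and leaves via eth0.1 through 67.193.44.1, whatever its source address; the logged packets show OUT=ppp0 with SRC=66.11.173.224, which is what the rules produce for an unmarked packet (rule 20256, table IGS). So the conntrack mark=64 was not on those packets when they were routed. Since IN= is empty, they are generated by the firewall itself and traverse the mangle OUTPUT hook rather than PREROUTING, which is where to verify that the CONNMARK restore actually runs for them.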