David Snider
2008-Apr-23 15:57 UTC
Squid Transparent Proxy in loc zone "RTNETLINK answers: File exists"
Hello,
I am using Shorewall on a Linksys NSLU2 and am having a hard time
getting Squid Transparent proxy to redirect to a local host on my home
network. I followed the instructions on
http://www.shorewall.net/Shorewall_Squid_Usage.html#Firewall.
I've gone over the configuration multiple times, but shorewall refuses
to start as long as the provider file has the Squid line in it. Any
thoughts to what I do wrong? I've included various relative bits of
info below.
When I run shorewall -vv restart after making the configuration edits
(actual file snippets are below). I get this error on the provider section:
Setting up Proxy ARP...
Adding Providers...
RTNETLINK answers: File exists
ERROR: Command "ip route add default via 90.0.0.14 dev eth0 table 1" Failed
Processing /etc/shorewall/stop ...
IP Forwarding Enabled
Processing /etc/shorewall/stopped ...
/sbin/shorewall: line 783: 23909 Terminated $SHOREWALL_SHELL ${VARDIR}/.restart $debugging restart
My setup is as follows:
Cable-Modem --> Vonage Device --> (ext_eth1) Shorewall Firewall (eth0,
90.0.0.1) --> Home Network (90.0.0.0/24)
|
|
Squid Server (90.0.0.14)
The linksys device is running Debian Etch with the 2.6.18-6 kernel.
Other appropriate bits:
shorewall 3.2.6-2
iptables 1.3.6.0debian1-5
iproute 20061002-3
My Providers file:
#NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
Squid 1 202 - eth0 90.0.0.14 loose
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
My Start file:
#
iptables -t mangle -A PREROUTING -i eth0 -s ! 90.0.0.14 -p tcp --dport 80 -j MARK --set-mark 202
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
My Interfaces file, I commented out my original loc line just to rule
out the options as causing the problem:
#ZONE INTERFACE BROADCAST OPTIONS
net ext_eth1 detect dhcp,tcpflags,routefilter,nosmurfs,logmartians,blacklist
#loc eth0 detect tcpflags,detectnets,nosmurfs
loc eth0 detect routeback
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
Lastly, if this is helpful, here is the full output of shorewall -vv restart
Wed Apr 23 09:30:03 2008
root@sauvignon /etc/shorewall
# shorewall -vv restart
Compiling...
Loading /usr/share/shorewall/functions...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
Initializing...
Shorewall has detected the following iptables/netfilter capabilities:
NAT: Available
Packet Mangling: Available
Multi-port Match: Available
Extended Multi-port Match: Available
Connection Tracking Match: Available
Packet Type Match: Available
Policy Match: Available
Physdev Match: Available
Packet length Match: Available
IP range Match: Available
Recent Match: Available
Owner Match: Available
Ipset Match: Not available
CONNMARK Target: Available
Extended CONNMARK Target: Available
Connmark Match: Available
Extended Connmark Match: Available
Raw Table: Available
IPP2P Match: Not available
CLASSIFY Target: Available
Extended REJECT: Available
Repeat match: Available
MARK Target: Available
Extended MARK Target: Available
Mangle FORWARD Chain: Available
Determining Zones...
IPv4 Zones: net loc
Firewall Zone: fw
Validating interfaces file...
Validating hosts file...
Validating Policy file...
Policy for loc to net is ACCEPT using chain loc2all
Policy for loc to fw is ACCEPT using chain loc2all
Policy for net to loc is DROP using chain net2all
Policy for net to fw is DROP using chain net2all
Policy for fw to net is ACCEPT using chain fw2net
Policy for fw to loc is ACCEPT using chain fw2loc
Determining Hosts in Zones...
net Zone: ext_eth1:0.0.0.0/0
loc Zone: eth0:0.0.0.0/0
Pre-processing Actions...
Pre-processing /usr/share/shorewall/action.Drop...
..Expanding Macro /usr/share/shorewall/macro.Auth...
..End Macro
..Expanding Macro /usr/share/shorewall/macro.AllowICMPs...
..End Macro
..Expanding Macro /usr/share/shorewall/macro.SMB...
..End Macro
..Expanding Macro /usr/share/shorewall/macro.DropUPnP...
..End Macro
..Expanding Macro /usr/share/shorewall/macro.DropDNSrep...
..End Macro
Pre-processing /usr/share/shorewall/action.Reject...
Pre-processing /usr/share/shorewall/action.Limit...
Deleting user chains...
Compiling /etc/shorewall/routestopped ...
Compiling Accounting...
Creating Interface Chains...
Compiling Proxy ARP
Compiling /etc/shorewall/providers...
Provider Squid 1 202 - eth0 90.0.0.14 loose compiled
Compiling NAT...
Compiling NETMAP...
Compiling Common Rules
Compiling Blacklisting...
Blacklisting enabled on ext_eth1:0.0.0.0/0
Adding Anti-smurf Rules
Adding rules for DHCP
Compiling TCP Flags checking...
Compiling Kernel Route Filtering...
Compiling Martian Logging...
Compiling IP Forwarding...
Compiling IPSEC...
Compiling /etc/shorewall/rules...
Rule "DNAT net loc:90.0.0.3 tcp smtp,imaps - " compiled.
Rule "DNAT net loc:90.0.0.2 tcp http,https,ssh - " compiled.
Compiling /etc/shorewall/tunnels...
Compiling Actions...
Generating Transitive Closure of Used-action List...
Compiling /usr/share/shorewall/action.Drop for Chain Drop...
..Expanding Macro /usr/share/shorewall/macro.Auth...
Rule "REJECT - - tcp 113 - -" compiled.
..End Macro
Rule "dropBcast " compiled.
..Expanding Macro /usr/share/shorewall/macro.AllowICMPs...
Rule "ACCEPT - - icmp fragmentation-needed - -" compiled.
Rule "ACCEPT - - icmp time-exceeded - -" compiled.
..End Macro
Rule "dropInvalid " compiled.
..Expanding Macro /usr/share/shorewall/macro.SMB...
Rule "DROP - - udp 135,445 - -" compiled.
Rule "DROP - - udp 137:139 - -" compiled.
Rule "DROP - - udp 1024: 137 -" compiled.
Rule "DROP - - tcp 135,139,445 - -" compiled.
..End Macro
..Expanding Macro /usr/share/shorewall/macro.DropUPnP...
Rule "DROP - - udp 1900 - -" compiled.
..End Macro
Rule "dropNotSyn - - tcp " compiled.
..Expanding Macro /usr/share/shorewall/macro.DropDNSrep...
Rule "DROP - - udp - 53 -" compiled.
..End Macro
Compiling /usr/share/shorewall/action.Reject for Chain Reject...
..Expanding Macro /usr/share/shorewall/macro.Auth...
Rule "REJECT - - tcp 113 - -" compiled.
..End Macro
Rule "dropBcast " compiled.
..Expanding Macro /usr/share/shorewall/macro.AllowICMPs...
Rule "ACCEPT - - icmp fragmentation-needed - -" compiled.
Rule "ACCEPT - - icmp time-exceeded - -" compiled.
..End Macro
Rule "dropInvalid " compiled.
..Expanding Macro /usr/share/shorewall/macro.SMB...
Rule "REJECT - - udp 135,445 - -" compiled.
Rule "REJECT - - udp 137:139 - -" compiled.
Rule "REJECT - - udp 1024: 137 -" compiled.
Rule "REJECT - - tcp 135,139,445 - -" compiled.
..End Macro
..Expanding Macro /usr/share/shorewall/macro.DropUPnP...
Rule "DROP - - udp 1900 - -" compiled.
..End Macro
Rule "dropNotSyn - - tcp " compiled.
..Expanding Macro /usr/share/shorewall/macro.DropDNSrep...
Rule "DROP - - udp - 53 -" compiled.
..End Macro
Compiling /etc/shorewall/policy...
Policy ACCEPT for fw to net using chain fw2net
Policy ACCEPT for fw to loc using chain fw2loc
Policy DROP for net to loc using chain net2all
Compiling Masquerading/SNAT
Compiling /etc/shorewall/tos...
Compiling /etc/shorewall/ecn...
Compiling Traffic Control Rules...
Validating /etc/shorewall/tcdevices...
Validating /etc/shorewall/tcclasses...
Compiling Rule Activation...
Compiling Black List...
Compiling Refresh of Black List...
Compiling Refresh of /etc/shorewall/ecn...
Validating /etc/shorewall/tcdevices...
Validating /etc/shorewall/tcclasses...
Shorewall configuration compiled to /var/lib/shorewall/.restart
Processing /etc/shorewall/params ...
Shorewall is not running
Starting Shorewall....
Loading Modules...
Initializing...
Processing /etc/shorewall/init ...
Clearing Traffic Control/QOS
Deleting user chains...
Processing /etc/shorewall/continue ...
Enabling Loopback and DNS Lookups
Setting up Accounting...
Creating Interface Chains...
Setting up Proxy ARP...
Adding Providers...
RTNETLINK answers: File exists
ERROR: Command "ip route add default via 90.0.0.14 dev eth0 table 1" Failed
Processing /etc/shorewall/stop ...
IP Forwarding Enabled
Processing /etc/shorewall/stopped ...
/sbin/shorewall: line 783: 23909 Terminated $SHOREWALL_SHELL ${VARDIR}/.restart $debugging restart
Here is the snippet of code in the .restart file that relates to my
SQUID box (90.0.0.14)
progress_message2 "Setting up Proxy ARP..."
if [ -z "$NOROUTES" ]; then
    progress_message2 "Adding Providers..."
    DEFAULT_ROUTE #
    # Add Provider Squid (1)
    #
    if interface_is_up eth0 && [ "$(find_first_interface_address_if_any eth0)" != 0.0.0.0 ]; then
        eth0_up=Yes
        qt ip route flush table 1
        run_ip route replace 90.0.0.14 src $(find_first_interface_address eth0) dev eth0 table 1
        run_ip route add default via 90.0.0.14 dev eth0 table 1
        qt ip rule del fwmark 202
        run_ip rule add fwmark 202 pref 10202 table 1
        find_interface_addresses eth0 | while read address; do
            qt ip rule del from $address
        done
        progress_message " Provider Squid (1) Added"
    else
        fatal_error "ERROR: Interface eth0 is not configured -- Provider Squid (1) Cannot be Added"
    fi
    cat > /etc/iproute2/rt_tables <<EOF
Tom Eastep
2008-Apr-23 19:42 UTC
Re: Squid Transparent Proxy in loc zone "RTNETLINK answers: File exists"
David Snider wrote:
> I've gone over the configuration multiple times, but shorewall refuses
> to start as long as the provider file has the Squid line in it. Any
> thoughts to what I do wrong?

Nothing that I can see. Looks to me like your kit is badly broken.

qt ip route flush table 1
run_ip route replace 90.0.0.14 src $(find_first_interface_address eth0) dev eth0 table 1
run_ip route add default via 90.0.0.14 dev eth0 table 1

That says:

a) 'flush routing table 1' (it now should be empty).
b) Replace the host route to 90.0.0.14 in table 1 (or add it if it doesn't exist) with one that specifies 'src <primary IP address on eth0>'.
c) Add a default route to table 1 via 90.0.0.14.

On any sane system, the third command couldn't possibly fail as a duplicate.

At a root shell prompt, try this:

ip route flush table 1
ip route ls table 1
ip route replace 90.0.0.14 src <ip address of eth0> dev eth0 table 1
ip route add default via 90.0.0.14 dev eth0 table 1

What happens?

Here's what happens here (with br0 substituted for eth0).

ursa:~ # ip route flush table 1
ursa:~ # ip route ls table 1
ursa:~ # ip route replace 90.0.0.14 src 192.168.0.254 dev br0 table 1
ursa:~ # ip route add default via 90.0.0.14 table 1
ursa:~ #

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
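Tom's three-step check, scripted with the state check between steps that his reasoning relies on (an added example, not code from the thread or from Shorewall; the table number, gateway, interface and source address are assumed from the original post's setup):

```sh
#!/bin/sh
# Added example (not from the thread or from Shorewall): the provider route
# sequence from the thread, verifying the kernel state between steps.
# Table, gateway, interface and source address are the original poster's.
TABLE=1
GATEWAY=90.0.0.14
IFACE=eth0
SRC=90.0.0.1

# Classify the text that `ip route ls table $TABLE` prints. Takes the listing
# as an argument, so it can be exercised on captured output without root.
# Prints one of: empty, default, host, default+host.
classify_table() {
    listing=$1
    d=0; h=0
    if printf '%s\n' "$listing" | grep -q '^default '; then d=1; fi
    if printf '%s\n' "$listing" | grep -q "^$GATEWAY "; then h=1; fi
    case "$d$h" in
        00) echo empty ;;
        10) echo default ;;
        01) echo host ;;
        *)  echo default+host ;;
    esac
}

# Run one command; on failure dump the table and the policy rules so an
# "RTNETLINK answers: File exists" can be matched to what the kernel holds.
run_step() {
    echo "# $*"
    if ! "$@"; then
        echo "step failed; table $TABLE now holds:" >&2
        ip route ls table "$TABLE" >&2
        ip rule ls >&2
        return 1
    fi
}

# The sequence from the thread: after the flush the table must be empty
# before the host route and the default route are added. Needs root.
provider_diag() {
    run_step ip route flush table "$TABLE" || return 1
    state=$(classify_table "$(ip route ls table "$TABLE")")
    if [ "$state" != empty ]; then
        echo "table $TABLE still holds a $state route after flush" >&2
        return 1
    fi
    run_step ip route replace "$GATEWAY" src "$SRC" dev "$IFACE" table "$TABLE" || return 1
    run_step ip route add default via "$GATEWAY" dev "$IFACE" table "$TABLE"
}
```

Run `provider_diag` as root; if the final `ip route add default` still fails with an empty table, the listing it dumps is the evidence that the kernel and iproute disagree, which is what Tom's "kit is badly broken" verdict points at.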
David Snider
2008-Apr-24 02:35 UTC
Re: Squid Transparent Proxy in loc zone "RTNETLINK answers: File exists"
Tom Eastep wrote:
> David Snider wrote:
>
>> I've gone over the configuration multiple times, but shorewall
>> refuses to start as long as the provider file has the Squid line in
>> it. Any thoughts to what I do wrong?
>
> Nothing that I can see. Looks to me like your kit is badly broken.
>
> qt ip route flush table 1
> run_ip route replace 90.0.0.14 src $(find_first_interface_address eth0) dev eth0 table 1
> run_ip route add default via 90.0.0.14 dev eth0 table 1
>
> That says:
>
> a) 'flush routing table 1' (it now should be empty).
> b) Replace the host route to 90.0.0.14 in table 1 (or add it if it
> doesn't exist) with one that specifies 'src <primary IP address on
> eth0>'.
> c) Add a default route to table 1 via 90.0.0.14.
>
> On any sane system, the third command couldn't possibly fail as a
> duplicate.
>
> At a root shell prompt, try this:
>
> ip route flush table 1
> ip route ls table 1
> ip route replace 90.0.0.14 src <ip address of eth0> dev eth0 table 1
> ip route add default via 90.0.0.14 dev eth0 table 1
>
> What happens?
>
> Here's what happens here (with br0 substituted for eth0).
>
> ursa:~ # ip route flush table 1
> ursa:~ # ip route ls table 1
> ursa:~ # ip route replace 90.0.0.14 src 192.168.0.254 dev br0 table 1
> ursa:~ # ip route add default via 90.0.0.14 table 1
> ursa:~ #
>
> -Tom

Hi Tom,

Here's the results: Doesn't look good..

Wed Apr 23 20:33:57 2008
root@sauvignon ~
# ip route flush table 1
Nothing to flush.
Wed Apr 23 20:34:05 2008
root@sauvignon ~
# ip route ls table 1
Wed Apr 23 20:34:10 2008
root@sauvignon ~
# ip route replace 90.0.0.14 src 90.0.0.1 dev eth0 table 1
Wed Apr 23 20:34:25 2008
root@sauvignon ~
# ip route add default via 90.0.0.14 dev eth0 table 1
RTNETLINK answers: File exists
Wed Apr 23 20:34:35 2008
root@sauvignon ~
#
Tom Eastep
2008-Apr-24 02:54 UTC
Re: Squid Transparent Proxy in loc zone "RTNETLINK answers: File exists"
David Snider wrote:
> Doesn't look good..
> Wed Apr 23 20:34:25 2008
> root@sauvignon ~
> # ip route add default via 90.0.0.14 dev eth0 table 1
> RTNETLINK answers: File exists

Indeed -- Shorewall cannot turn straw into gold.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key