Michael Weickel - iQom Business
2008-Jul-26 17:07 UTC
/etc/shorewall/addroutes 'problem with ip rule'
As stolen from the Shorewall squid config, I am trying to automatize some ip rules.

It is as simple as it could be, but it is not working for me.

I have Shorewall 3.4.8 and 2.6.24-r8

The config is as following.

/etc/shorewall/interfaces
v662 vlan662 172.31.255.3

/etc/Shorewall/zones
v662 ipv4

policy has been configured well.
fw v662 ACCEPT

The v662 interface has ip address 172.31.255.2/30

The next hop has ip address 172.31255.1/30

There has been placed a route in table 4 as following.

ip route show table 4
10.1.250.0/24 via 172.31.255.1 dev vlan662 metric 1

I want to get connected to 10.1.250.101

I have done

ip rule add iif vlan662 table 4 (and it doesn't work)

I have done

ip rule add from 172.31.255.2 to 10.1.250.101 iif vlan662 table 4 (and it doesn't work)

I have done

ip rule add from 172.31.255.2 iif vlan662 table 4 (and it doesn't work)

If I do

ip rule add from 172.31.255.2 to 10.1.250.101 table 4 (it works)

If I do

ip rule add from 172.31.255.2 table 4 (it works)

Ok, I know how to make it work, but it isn't the way I want shorewall (routing) to do.

I want to have the interface statement (iif vlan662).

So, if there is ever the interface statement, it stops to work, if I omit it, it works?!

When I do

tcpdump -i vlan662 -vvv

I can see (in the cases it does not work), that 172.31.255.2 does not know the way back to 10.1.250.101 even if the route - as mentioned before - is present.

I am a little bit confused about, that "ip rule add iif vlan662 table 4" is not enough to make it work.

Is there anyone who has an idea how to fix the problem?

Thanks for any support.

Cheers
Michael
Michael Weickel - iQom Business wrote:
> As stolen from the Shorewall squid config, I am trying to automatize some ip
> rules.
>
> It is as simple as it could be, but it is not working for me.
>
> I have Shorewall 3.4.8 and 2.6.24-r8

But your question/problem has nothing to do with Shorewall that I can see. It seems to be a question about setting up your own policy routing.

> The config is as following.
>
> /etc/shorewall/interfaces
> v662 vlan662 172.31.255.3
>
> /etc/Shorewall/zones
> v662 ipv4
>
> policy has been configured well.
> fw v662 ACCEPT
>
> The v662 interface has ip address 172.31.255.2/30
>
> The next hop has ip address 172.31255.1/30
>
> There has been placed a route in table 4 as following.
>
> ip route show table 4
> 10.1.250.0/24 via 172.31.255.1 dev vlan662 metric 1
>
> I want to get connected to 10.1.250.101

From where? The firewall?

> I have done
>
> ip rule add iif vlan662 table 4 (and it doesn't work)

Why 'iif'? That is 'Input Interface'. If you are trying to connect from the firewall, there is no input interface.

> I have done
>
> ip rule add from 172.31.255.2 to 10.1.250.101 iif vlan662 table 4 (and it
> doesn't work)

Of course not.

> I have done ip rule add from 172.31.255.2 iif vlan662 table 4 (and it
> doesn't work)

Ditto.

> If I do
>
> ip rule add from 172.31.255.2 to 10.1.250.101 table 4 (it works)
>
> If I do
>
> ip rule add from 172.31.255.2 table 4 (it works)
>
> Ok, I know how to make it work, but it isn't the way I want shorewall
> (routing) to do.

THIS HAS NOTHING TO DO WITH SHOREWALL.

> I want to have the interface statement (iif vlan662).

It won't work.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key
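
An added illustration of the point made in the reply above (not part of the original thread, and a simplified model of rule selection rather than kernel code): it evaluates the five `ip rule` lines from the question against a packet the firewall itself generates and against a forwarded one. Assumptions: the firewall's packet is its reply with source 172.31.255.2 already set, locally generated traffic is evaluated as `iif lo`, and the forwarded packet's destination 192.0.2.10 is a constructed documentation address.

```python
import ipaddress

def parse_rule(text):
    """Parse the selectors of an `ip rule add ...` line into a dict."""
    words = text.split()
    words = words[words.index("add") + 1:]
    # Selectors are keyword/value pairs: from, to, iif, table.
    return dict(zip(words[0::2], words[1::2]))

def rule_matches(rule, pkt):
    """True if every selector in the rule matches the packet."""
    for key, field in (("from", "src"), ("to", "dst")):
        if key in rule:
            net = ipaddress.ip_network(rule[key], strict=False)
            if ipaddress.ip_address(pkt[field]) not in net:
                return False
    # iif compares against the device the packet arrived on.
    if "iif" in rule and rule["iif"] != pkt["iif"]:
        return False
    return True

# Rules quoted in the thread, in the order they were tried.
RULES = [
    "ip rule add iif vlan662 table 4",
    "ip rule add from 172.31.255.2 to 10.1.250.101 iif vlan662 table 4",
    "ip rule add from 172.31.255.2 iif vlan662 table 4",
    "ip rule add from 172.31.255.2 to 10.1.250.101 table 4",
    "ip rule add from 172.31.255.2 table 4",
]

# Constructed packets. Traffic originated by the firewall has no ingress
# device; for rule matching it counts as arriving on "lo".
LOCAL_REPLY = {"src": "172.31.255.2", "dst": "10.1.250.101", "iif": "lo"}
FORWARDED = {"src": "10.1.250.101", "dst": "192.0.2.10", "iif": "vlan662"}

def matching_rules(pkt):
    """Return the rules from RULES whose selectors all match pkt."""
    return [r for r in RULES if rule_matches(parse_rule(r), pkt)]

if __name__ == "__main__":
    for name, pkt in (("local", LOCAL_REPLY), ("forwarded", FORWARDED)):
        print(name, matching_rules(pkt))
```

Only the two rules without `iif vlan662` select table 4 for the firewall's own packet, which matches what the question reports; the bare `iif vlan662` rule applies only to traffic that actually enters through vlan662.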

Tom Eastep wrote:
> Michael Weickel - iQom Business wrote:
>> As stolen from the Shorewall squid config, I am trying to automatize
>> some ip
>> rules.

Note also that the description of /etc/shorewall/addroutes in the Squid HOWTO is in a section that describes a workaround for those running Shorewall 2.3.1 or earlier. That file is not part of Shorewall and never has been.

Incidentally, Shorewall 4 has support for route rules.

-Tom