Hebbar,

I'm copying the Shorewall Development list on my reply so others may comment on your request.

Srinivasa Hebbar wrote:
> I am using shorewall extensively for the last 2 years and I like it.
> I was using iptables commands directly before I came to know about shorewall.
> But now, I forgot all the iptables commands!
> Amazingly good product.

Thanks.

> I am requesting you to provide the following feature additions
> to shorewall 3.4.4

The current stable release is 4.0 and that is the only series that I will consider adding any features to. Furthermore, I'm pretty much restricting new development to Shorewall-perl.

> 1) lib.providers/verify_provider()
> Skip the route_rules entry if the specified PROVIDER is not in the providers
> file.
> We can have an "optional" field in the PROVIDER entry of route_rules.

Why do you believe that it is necessary? What is the point of having entries in route_rules that have no corresponding entry in the providers file?

> 2) I am running Ubuntu dapper with /etc read-only. lib.providers fails to
> write /etc/iproute2/rt_table.
> Is it possible to add a variable in shorewall.conf to disable writing
> rt_tables?
> I want to manually write rt_tables.

This doesn't halt the 'shorewall [re]start' command does it? Are you just concerned about the error messages that it generates?

> 3) shorewall/providers:
> when the "optional" field is set, is it possible to call a plugin so that
> the plugin decides whether the interface is available or not?
>
> is_interface_usable should call a plugin. If the plugin returns a non-zero
> value the interface should be considered not available. If the plugin
> returns 0, is_interface_usable can continue with the existing checks to
> decide whether the interface is available or not.
>
> The plugin name can be configured in shorewall.conf.
> The plugin requires at least one command line parameter with the interface
> name.

I would be interested to hear what you would do in your plugin -- it might be useful to extend is_interface_usable() rather than providing a plugin.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key

-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems? Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/
My comments are inline.

> Hebbar,
>
> I'm copying the Shorewall Development list on my reply so others may
> comment on your request.
>
> Srinivasa Hebbar wrote:
> > I am using shorewall extensively for the last 2 years and I like it.
> > I was using iptables commands directly before I came to know about
> > shorewall. But now, I forgot all the iptables commands!
> > Amazingly good product.
>
> Thanks.
>
> > I am requesting you to provide the following feature additions
> > to shorewall 3.4.4
>
> The current stable release is 4.0 and that is the only series that I will
> consider adding any features to. Furthermore, I'm pretty much restricting
> new development to Shorewall-perl.
>
> > 1) lib.providers/verify_provider()
> > Skip the route_rules entry if the specified PROVIDER is not in the
> > providers file.
> > We can have an "optional" field in the PROVIDER entry of route_rules.
>
> Why do you believe that it is necessary? What is the point of having entries
> in route_rules that have no corresponding entry in the providers file?

I agree, but if I have a dynamic interface such as PPP with the optional field set in the providers file, shorewall will not create routing table entries for the failed/non-existing link. But route_rules adds a policy route entry which points to an empty table, which is confusing. I would not like to see the policy routing entry in the kernel pointing to a failed optional empty provider table.

> > 2) I am running Ubuntu dapper with /etc read-only. lib.providers fails to
> > write /etc/iproute2/rt_table.
> > Is it possible to add a variable in shorewall.conf to disable writing
> > rt_tables?
> > I want to manually write rt_tables.
>
> This doesn't halt the 'shorewall [re]start' command does it? Are you just
> concerned about the error messages that it generates?

This doesn't halt shorewall. But I am manually adding more table entries in the rt_table, which will be erased by shorewall if I start/restart shorewall when /etc is mounted read-write.

> > 3) shorewall/providers:
> > when the "optional" field is set, is it possible to call a plugin so that
> > the plugin decides whether the interface is available or not?
> >
> > is_interface_usable should call a plugin. If the plugin returns a
> > non-zero value the interface should be considered not available. If the
> > plugin returns 0, is_interface_usable can continue with the existing
> > checks to decide whether the interface is available or not.
> >
> > The plugin name can be configured in shorewall.conf.
> > The plugin requires at least one command line parameter with the
> > interface name.
>
> I would be interested to hear what you would do in your plugin -- it might
> be useful to extend is_interface_usable() rather than providing a plugin.

I have a dual link to a particular location with static IP addresses configured. I am detecting link failures by some custom method. I will be starting/restarting shorewall whenever I detect link failures. The plugin will provide information on whether a particular link is up or down. I know that LARTC dead gateway detection will help here, but this feature in shorewall reduces complexity without recompiling the kernel.

> -Tom
Srinivasa Hebbar wrote:
>> Why do you believe that it is necessary? What is the point of having entries
>> in route_rules that have no corresponding entry in the providers file?
>
> I agree, but if I have a dynamic interface such as PPP with the optional field
> set in the providers file, shorewall will not create routing table entries for
> the failed/non-existing link. But route_rules adds a policy route entry which
> points to an empty table, which is confusing. I would not like to see the
> policy routing entry in the kernel pointing to a failed optional empty
> provider table.

Okay -- so what you really want is that the route_rules for a provider should be omitted if the provider is not available. That makes sense (although it is not what you originally asked for).

> This doesn't halt shorewall. But I am manually adding more table
> entries in the rt_table, which will be erased by shorewall if I
> start/restart shorewall when /etc is mounted read-write.

Okay -- In Shorewall 4.0.3, Shorewall-perl will support a KEEP_RT_TABLES option.

> I have a dual link to a particular location with static IP addresses
> configured. I am detecting link failures by some custom method. I will be
> starting/restarting shorewall whenever I detect link failures. The plugin
> will provide information on whether a particular link is up or down.
> I know that LARTC dead gateway detection will help here, but this feature in
> shorewall reduces complexity without recompiling the kernel.

Then please simply define your own version of is_interface_usable() in your /etc/shorewall/init file. We don't need to hack up Shorewall to accommodate this requirement.

-Tom
> Okay -- so what you really want is that the route_rules for a provider
> should be omitted if the provider is not available. That makes sense
> (although it is not what you originally asked for).

Yes, route_rules for a provider should be omitted if the provider is not available.

> > This doesn't halt shorewall. But I am manually adding more table
> > entries in the rt_table, which will be erased by shorewall if I
> > start/restart shorewall when /etc is mounted read-write.
>
> Okay -- In Shorewall 4.0.3, Shorewall-perl will support a KEEP_RT_TABLES
> option.

Thanks.

> > I have a dual link to a particular location with static IP addresses
> > configured. I am detecting link failures by some custom method. I will be
> > starting/restarting shorewall whenever I detect link failures. The
> > plugin will provide information on whether a particular link is up or down.
> > I know that LARTC dead gateway detection will help here, but this feature
> > in shorewall reduces complexity without recompiling the kernel.
>
> Then please simply define your own version of is_interface_usable() in your
> /etc/shorewall/init file. We don't need to hack up Shorewall to accommodate
> this requirement.

I am using shorewall 3.4.4 at the moment. Will this technique be future compatible with shorewall perl (4.0+)? My concern is I may end up in trouble if shorewall started using a different function (other than is_interface_usable) to detect interface status in future versions. I tested with my own version of is_interface_usable and it works for the current version of shorewall I am using (3.4.4).

I feel the plugin approach will be very helpful for multiple wan links with static IPs. A simple daemon can ping the gateway and start/restart shorewall when the link goes up/down.

> -Tom

Thanks,
Hebbar
Srinivasa Hebbar wrote:
> I am using shorewall 3.4.4 at the moment. Will this technique be future
> compatible with shorewall perl (4.0+)?
> My concern is I may end up in trouble if shorewall started using a different
> function (other than is_interface_usable) to detect interface status in
> future versions. I tested with my own version of is_interface_usable and
> it works for the current version of shorewall I am using (3.4.4).

Not much chance of this changing but for Shorewall-perl 4.0.3, there will be an 'isuasable' extension script. Here's an example:

    # Ping a gateway through the passed interface
    case $1 in
        eth0)
            ping -c 4 -I eth0 206.124.146.254 > /dev/null 2>&1
            return
            ;;
        eth1)
            ping -c 4 -I eth1 192.168.12.254 > /dev/null 2>&1
            return
            ;;
        *)
            return 1
            ;;
    esac

> I feel the plugin approach will be very helpful for multiple wan links with
> static IPs.

Of course -- but then you don't have to document it or answer silly questions about it.

-Tom
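Tom's two suggestions in this thread, overriding is_interface_usable() in /etc/shorewall/init and the isusable extension script, share one contract: the interface name arrives as $1 and a zero exit status means the interface is usable. The script below is an added example written for this thread, not Shorewall's or Tom's code; it assumes a hypothetical link-monitor state directory (/var/lib/link-monitor, written by the kind of ping daemon Hebbar describes) and a constructed interface-to-gateway table, and it only falls back to the ping probe when no monitor state is recorded.

```shell
#!/bin/sh
# Hypothetical isusable-style check (added example, not Shorewall's code).
# Contract assumed from the thread: $1 is the interface name; exit 0 means
# the interface is usable, non-zero means it is not.

# Directory where an external link monitor (a ping daemon that also restarts
# Shorewall) writes one file per interface containing "up" or "down".
# Assumed location; can be overridden from the environment for testing.
LINK_STATE_DIR="${LINK_STATE_DIR:-/var/lib/link-monitor}"

# Constructed interface -> gateway table (documentation-range addresses).
gateway_for() {
    case "$1" in
        eth0) echo 192.0.2.1 ;;
        eth1) echo 198.51.100.1 ;;
        *)    return 1 ;;
    esac
}

# Returns 0 when the link is usable, 1 otherwise.
# The monitor's recorded state is preferred because it does not depend on
# the firewall letting ICMP out: this script can run while the firewall is
# stopped with output blocked (ADMINISABSENTMINDED=No plus a restrictive
# routestopped), in which case a ping probe would report a healthy link as down.
link_is_usable() {
    iface=$1
    gw=$(gateway_for "$iface") || return 1   # unknown interface: not usable
    state_file="$LINK_STATE_DIR/$iface"
    if [ -r "$state_file" ]; then
        state=$(cat "$state_file")
        [ "$state" = "up" ]                  # function status = this test
    else
        # No monitor state: probe the gateway through this interface.
        ping -c 4 -I "$iface" "$gw" > /dev/null 2>&1
    fi
}

# Behave as an extension script when invoked with an interface argument.
if [ $# -gt 0 ]; then
    link_is_usable "$1"
    exit $?
fi
```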
On Fri, Aug 10, 2007 at 01:05:55PM -0700, Tom Eastep wrote:
> Not much chance of this changing but for Shorewall-perl 4.0.3, there will be
> an 'isuasable' extension script. Here's an example:
     ^^^^^^^^^
?

> # Ping a gateway through the passed interface
> case $1 in
> eth0)
> ping -c 4 -I eth0 206.124.146.254 > /dev/null 2>&1
> return
> ;;
> eth1)
> ping -c 4 -I eth1 192.168.12.254 > /dev/null 2>&1
> return
> ;;
> *)
> return 1
> ;;
> esac

That leads to the obvious question: what states might the firewall be in when this script is invoked? Is it necessary to pair this with something in routestopped? (Worth documenting if you didn't already)
Andrew Suffield wrote:
> On Fri, Aug 10, 2007 at 01:05:55PM -0700, Tom Eastep wrote:
>> Not much chance of this changing but for Shorewall-perl 4.0.3, there will be
>> an 'isuasable' extension script. Here's an example:
>      ^^^^^^^^^
> ?

s/b 'isusable'

>> # Ping a gateway through the passed interface
>> case $1 in
>> eth0)
>> ping -c 4 -I eth0 206.124.146.254 > /dev/null 2>&1
>> return
>> ;;
>> eth1)
>> ping -c 4 -I eth1 192.168.12.254 > /dev/null 2>&1
>> return
>> ;;
>> *)
>> return 1
>> ;;
>> esac
>
> That leads to the obvious question: what states might the firewall be
> in when this script is invoked? Is it necessary to pair this with
> something in routestopped? (Worth documenting if you didn't already)

The firewall can be in any state whatsoever when this script is called. So if ADMINISABSENTMINDED=No and output is disallowed by routestopped, the script will have to blow its own OUTPUT holes in the firewall.

-Tom
Srinivasa Hebbar wrote:
> I feel the plugin approach will be very helpful for multiple wan links with
> static IPs. A simple daemon can ping the gateway and start/restart shorewall
> when the link goes up/down.

If you are interested in testing the new Shorewall-perl code, there's an early version of 4.0.3 at http://www1.shorewall.net/pub/shorewall/development/staging/4.0/shorewall-4.0.3/

-Tom