Shorewall users - Sep 2007 - MultiISP: minor(?) problem with route_rules processing

In case of the following exemplary route_rules entries the _first_  
rule is always lost after (re)starting shorewall:

#SOURCE     DEST      PROVIDER     PRIORITY
$SRC_A     $DESTIP1  ISP1         1000
$SRC_A     $DESTIP2  SOMEISP      1000
$SRC_A     -         ISP2         1000

It happens, because shorewall deletes (or tries to delete) a rule  
directly before adding it again, and when DEST is empty "ip" utility  
deletes the first rule with matching source and priority (regardless  
destination address and routing table).
The workaround is to specify priority explicitly instead of relying on  
lines order.

I have several suggestions:
1. the patches in the attachment (add provider match requirement),  
they are for shorewall 4.0.3

2. Maybe the procedure should be split up in two stages (two loops) -  
the first would delete rules and the second would add them ?

3. Is that delete-before-add behaviour really needed ? Rule list seems  
to be cleaned up during shorewall start/restart/refresh anyway (by  
generated undo_routing script) ...

4. print a warning during (re)start when "-" is detected in DEST  
column ("Your routing rules may work improperly!") ;)

NOTE: the report applies also to older versions of shorewall.

Greetings.
-- 
Artur





-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2005.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/

Artur Uszyński wrote:
> 
> I have several suggestions:
> 1. the patches in the attachment (add provider match requirement), they
> are for shorewall 4.0.3
I prefer the attached patch that expands a missing destination (
''-'' ) to
0.0.0.0/0.
> 
> 2. Maybe the procedure should be split up in two stages (two loops) -
> the first would delete rules and the second would add them ?
I don''t think that''s necessary with the attached patch.
> 
> 3. Is that delete-before-add behaviour really needed ? Rule list seems
> to be cleaned up during shorewall start/restart/refresh anyway (by
> generated undo_routing script) ...
It''s entirely possible that we can remove the
''delete-before-add'' stuff now
that Shorewall tries to undo previous routing changes. But I don''t want
to
risk making such a change in a patch release.  I''ll do that in 4.2
however.
> 
> 4. print a warning during (re)start when "-" is detected in DEST
column
> ("Your routing rules may work improperly!") ;)
> 
Again, I prefer the attached patch.

Thanks!
-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2005.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/

The previous patch I sent was broken. Here''s a corrected version.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2005.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/

On nie, 16 wrz 2007 Tom Eastep wrote:
> Artur Uszyński wrote:
>
>>
>> I have several suggestions:
>> 1. the patches in the attachment (add provider match requirement), they
>> are for shorewall 4.0.3
>
> I prefer the attached patch that expands a missing destination (
''-'' ) to
> 0.0.0.0/0.
I''m sorry, but it does not help at all. 0.0.0.0/0 is simply ignored by
ip utility. It is easy to verify:

ip rule add from 1.1.1.1 to 10.0.0.0/8 priority 1000 table 5
ip rule add from 1.1.1.1 to 0.0.0.0/0 priority 1000 table main
ip rule del from 1.1.1.1 to 0.0.0.0/0 priority 1000

And you finish with the following (ip rule ls):

1000:   from 1.1.1.1 lookup main

So, it looks like You will have to use other solution...

Thanks for quick reaction anyway :).

Regards.
--
Artur




-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2005.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/

Artur Uszyński wrote:
> On nie, 16 wrz 2007 Tom Eastep wrote:
> 
>> Artur Uszyński wrote:
>>
>>> I have several suggestions:
>>> 1. the patches in the attachment (add provider match requirement),
they
>>> are for shorewall 4.0.3
>> I prefer the attached patch that expands a missing destination (
''-'' ) to
>> 0.0.0.0/0.
> 
> I''m sorry, but it does not help at all. 0.0.0.0/0 is simply
ignored by
> ip utility. It is easy to verify:
> 
> ip rule add from 1.1.1.1 to 10.0.0.0/8 priority 1000 table 5
> ip rule add from 1.1.1.1 to 0.0.0.0/0 priority 1000 table main
> ip rule del from 1.1.1.1 to 0.0.0.0/0 priority 1000
> 
> And you finish with the following (ip rule ls):
> 
> 1000:   from 1.1.1.1 lookup main
Maybe that''s what you get but see this:

root@tipper:~# ip rule ls
0:      from all lookup 255
32766:  from all lookup main
32767:  from all lookup default
root@tipper:~# ip rule add from 1.1.1.1 to 10.0.0.0/8 priority 1000 table 5
root@tipper:~# ip rule add from 1.1.1.1 to 0.0.0.0/0 priority 1000 table
main
root@tipper:~# ip rule del from 1.1.1.1 to 0.0.0.0/0 priority 1000
root@tipper:~# ip rule ls
0:      from all lookup 255
1000:   from 1.1.1.1 to 10.0.0.0/8 lookup 5
32766:  from all lookup main
32767:  from all lookup default
root@tipper:~#

Looks like something is broken with your kit...

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2005.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/

Tom Eastep wrote:
> Maybe that''s what you get but see this:
> 
> root@tipper:~# ip rule ls
> 0:      from all lookup 255
> 32766:  from all lookup main
> 32767:  from all lookup default
> root@tipper:~# ip rule add from 1.1.1.1 to 10.0.0.0/8 priority 1000 table 5
> root@tipper:~# ip rule add from 1.1.1.1 to 0.0.0.0/0 priority 1000 table
> main
> root@tipper:~# ip rule del from 1.1.1.1 to 0.0.0.0/0 priority 1000
> root@tipper:~# ip rule ls
> 0:      from all lookup 255
> 1000:   from 1.1.1.1 to 10.0.0.0/8 lookup 5
> 32766:  from all lookup main
> 32767:  from all lookup default
> root@tipper:~#
> 
> Looks like something is broken with your kit...
For 4.0.4, I''ve added a ''DELETE_THEN_ADD'' option in
shorewall.conf --
setting that option to ''No'' will work around this brokenness.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2005.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/

Tom Eastep pisze:
>> root@tipper:~# ip rule add from 1.1.1.1 to 10.0.0.0/8 priority 1000
table 5
>> root@tipper:~# ip rule add from 1.1.1.1 to 0.0.0.0/0 priority 1000
table
>> main
>> root@tipper:~# ip rule del from 1.1.1.1 to 0.0.0.0/0 priority 1000
>> root@tipper:~# ip rule ls
>> 0:      from all lookup 255
>> 1000:   from 1.1.1.1 to 10.0.0.0/8 lookup 5
>> 32766:  from all lookup main
>> 32767:  from all lookup default
>> root@tipper:~#
>>
>> Looks like something is broken with your kit...
Crap! You are right. On older systems it works like in Your example, on newer
Fedoras (6,7) it works in a way I presented. And it is not a matter of iproute2,
but kernel or other system components or configuration...
It looks like the patch adding transformation from ''-'' to
''0.0.0.0/0'' is not needed...
Thanks for Your help and sorry for wasting Your time.
> 
> For 4.0.4, I''ve added a ''DELETE_THEN_ADD'' option
in shorewall.conf --
> setting that option to ''No'' will work around this
brokenness.
Thank You very much :).

Regards.
--
Artur

-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2005.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/

Artur Uszyński wrote:
> Tom Eastep pisze:
>>> Looks like something is broken with your kit...
> It looks like the patch adding transformation from ''-'' to
''0.0.0.0/0'' is not needed...
I think it''s still needed -- both the current Ubuntu and OpenSuSE
releases
demonstrate the original problem you reported.
> Thanks for Your help and sorry for wasting Your time.
Not a waste of time at all.
> 
>> For 4.0.4, I''ve added a ''DELETE_THEN_ADD''
option in shorewall.conf --
>> setting that option to ''No'' will work around this
brokenness.
> 
> Thank You very much :).
You are welcome.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2005.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/