Problem default routes, Shorewall and Multi ISPs

I am testing a firewall configuration with multiple ISPs and two routers behind the firewall; routing between firewall and routers will be handled by ospf later. After "shorewall start" the default route is totally messed up.

I am running Shorewall 4.4.11.6-3 on Debian squeeze (should happen on later versions too).

The configuration looks like this:

    ISP1-----\        /---- R1 (10.100.0/30)
              \__FW__/
              /      \
    ISP2-----/        \---- R2 (10.100.8/30)

    FW$> ip route
    10.0.0.1 dev ppp0 proto kernel scope link src 10.67.15.1
    10.0.1.1 dev eth3 scope link
    10.100.100.0/30 dev eth0 proto kernel scope link src 10.100.100.1
    10.100.100.8/30 dev eth0 proto kernel scope link src 10.100.100.10
    10.168.0.0/16 metric 100
            nexthop via 10.100.100.2 dev eth0 weight 1
            nexthop via 10.100.100.9 dev eth0 weight 1
    default via 10.0.1.1 dev eth3
    default dev ppp0 scope link

The shorewall configuration is as follows:

    FW$> cat zones
    fw firewall
    net ipv4
    trust ipv4

    FW$> cat interfaces
    net ppp0
    net eth3
    trust eth0

    FW$> cat providers
    ISP1 1 1 - ppp0 - track
    ISP1 1 1 - ppp0 - track

The important point in this configuration is the multipath route from 10.168.0.0/16 with two nexthops and the default routes from the two ISPs, and that I am using the providers file.

After "shorewall start" the routing in table main looks as follows:

    FW$> ip route
    10.0.0.1 dev ppp0 proto kernel scope link src 10.67.15.1
    10.0.1.1 dev eth3 scope link
    10.100.100.0/30 dev eth0 proto kernel scope link src 10.100.100.1
    10.100.100.8/30 dev eth0 proto kernel scope link src 10.100.100.10
    10.168.0.0/16 metric 100
            nexthop via 10.100.100.2 dev eth0 weight 1
            nexthop via 10.100.100.9 dev eth0 weight 1
    default
            nexthop via 10.100.100.2 dev eth0 weight 1
            nexthop via 10.100.100.9 dev eth0 weight 1
    default dev ppp0 scope link

So what happened here? During "shorewall start" shorewall tells me after "Adding Providers..." that it does the following:

    ...
    Adding Providers...
       Provider ISP1 (1) Added
       Provider ISP2 (2) Added
    Default Route (nexthop via 10.100.100.2 dev eth0 weight 1 nexthop via 10.100.100.9 dev eth0 weight 1) restored
    ...

There was no default route with nexthops in my routing table! So where did it screw up?

The problem is in restore_default_route() and the parsing of the default_route file generated in setup_routing_and_traffic_shaping().

    ...
    $IP -4 route list | grep -E '^\s*(default |nexthop )' > ${VARDIR}/default_route

This generates the following default_route file:

    FW$> cat default_route
    nexthop via 10.100.100.2 dev eth0 weight 1
    nexthop via 10.100.100.9 dev eth0 weight 1
    default via 10.0.1.1 dev eth3
    default dev ppp0 scope link

So here are the nexthops which really do not belong here. Consequently the parsing in restore_default_route() screws up.

How about the following changes:

* Add option "-o" (one-line output) to the $IP and grep only for "default":

      ...
      $IP -o -4 route list | grep -E '^default ' > ${VARDIR}/default_route

  This would generate the following default_route file:

      FW$> cat default_route
      default via 10.0.1.1 dev eth3
      default dev ppp0 scope link

  We don't accidentally catch nexthops from other multipath routes with this anymore.

* The parsing in restore_default_route() can be simpler, we don't need to parse multiline routes anymore.

      ...
      while read route ; do
          case $route in
              *metric*)
                  # Don't restore a route with a metric -- we only replace the one with metric == 0
                  qt $IP -4 route delete default metric 0 &&\
                      progress_message "Default Route with metric 0 deleted"
                  ;;
              *)
                  qt $IP -4 route replace $route && \
                      result=0 && \
                      progress_message "Default Route with (${route# }) restored"
                  ;;
          esac
      done < ${VARDIR}/default_route ${VARDIR}/default_route
      ...

BTW I don't know if this is the right solution. What should the restore_default_route() function do precisely? The "$IP -4 route delete default metric 0" deletes even routes with metric <> 0 if it's the only default route. There was a "break" before in the "if [ -n "$default_route" ]; then" statement, what should it do?

Any help with this problem would be appreciated.

Greetings
Jörg Kleuver
--
CISS TDI GmbH

Jörg Kleuver                CISS TDI GmbH
Tel. +49 2642 97 80 28      Barbarossastraße 36
Fax. +49 2642 97 80 10      53489 Sinzig, Germany
Registered office: Sinzig, AG Koblenz, HR number 13357
Managing directors: Dipl.-Math. Joachim Figura, Dipl.-Inform. Berthold Bärk

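The capture problem described in the message above can be reproduced offline. The following is an added example, not part of the original post and not Shorewall code: it runs both filters over route listings constructed from the post and counts the nexthop lines that end up in the saved file without belonging to a default route. The function names, the `[[:space:]]` spelling of `\s`, and the exact spacing of the one-line sample are assumptions.

```shell
#!/bin/sh
# Added illustration. Sample data is constructed from the routing table in the post.

# Multi-line form, as printed by `ip -4 route list`.
routes_multiline() {
cat <<'EOF'
10.0.0.1 dev ppp0 proto kernel scope link src 10.67.15.1
10.0.1.1 dev eth3 scope link
10.100.100.0/30 dev eth0 proto kernel scope link src 10.100.100.1
10.100.100.8/30 dev eth0 proto kernel scope link src 10.100.100.10
10.168.0.0/16 metric 100
    nexthop via 10.100.100.2 dev eth0 weight 1
    nexthop via 10.100.100.9 dev eth0 weight 1
default via 10.0.1.1 dev eth3
default dev ppp0 scope link
EOF
}

# One-line form (`ip -o`): a multipath route stays on one line, with a
# backslash where each line break used to be (constructed; spacing assumed).
routes_oneline() {
cat <<'EOF'
10.0.0.1 dev ppp0 proto kernel scope link src 10.67.15.1
10.0.1.1 dev eth3 scope link
10.100.100.0/30 dev eth0 proto kernel scope link src 10.100.100.1
10.100.100.8/30 dev eth0 proto kernel scope link src 10.100.100.10
10.168.0.0/16 metric 100 \ nexthop via 10.100.100.2 dev eth0 weight 1 \ nexthop via 10.100.100.9 dev eth0 weight 1
default via 10.0.1.1 dev eth3
default dev ppp0 scope link
EOF
}

# Filter that wrote the broken default_route file in the post
# ([[:space:]] is the POSIX spelling of the \s used there).
save_old() { grep -E '^[[:space:]]*(default |nexthop )'; }

# Filter proposed in the post, meant for `ip -o` output.
save_new() { grep -E '^default '; }

# Count nexthop lines in a saved file that do not follow a multipath
# "default" header line, i.e. nexthops captured from some other route.
stray_nexthops() {
    awk '
        /^default/              { multipath = ($0 !~ / (via|dev) /); next }
        /^[[:space:]]*nexthop / { if (!multipath) stray++; next }
                                { multipath = 0 }
        END                     { print stray + 0 }
    '
}

count_lines() { awk 'END { print NR }'; }

report() {
    echo "old filter: $(routes_multiline | save_old | count_lines) lines saved," \
         "$(routes_multiline | save_old | stray_nexthops) stray nexthops"
    echo "new filter: $(routes_oneline | save_new | count_lines) lines saved," \
         "$(routes_oneline | save_new | stray_nexthops) stray nexthops"
}

report
```

A check like `stray_nexthops` can be run against a saved default_route file before anything is restored from it.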
On 04/13/2011 03:45 AM, Jörg Kleuver wrote:
>
> FW$> cat providers
> ISP1 1 1 - ppp0 - track
> ISP1 1 1 - ppp0 - track
>

I don't believe that. The compiler would certainly generate an error with that configuration.

Please:

a) shorewall show -f capabilities > /etc/shorewall/caps
b) tar -zcf shorewall.tgz /etc/shorewall
c) Send me the shorewall.tgz tarball along with the output of 'shorewall dump' with the firewall started.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

On 13.04.2011 16:25, Tom Eastep wrote:
> On 04/13/2011 03:45 AM, Jörg Kleuver wrote:
>
>>
>> FW$> cat providers
>> ISP1 1 1 - ppp0 - track
>> ISP1 1 1 - ppp0 - track
>>
>
> I don't believe that. The compiler would certainly generate an error
> with that configuration.
>
> Please:
>
> a) shorewall show -f capabilities> /etc/shorewall/caps
> b) tar -zcf shorewall.tgz /etc/shorewall
> c) Send me the shorewall.tgz tarball along with the output of
> 'shorewall dump' with the firewall started.
>
> -Tom

Hi Tom,

you are right, this wouldn't start. I copied this from the screen and mistyped it. Sorry for this. The tarball will take some time since I have no direct access to the test environment set up yet.

The providers file should look like this:

    ISP1 1 1 - ppp0 - track
    ISP2 2 2 - eth3 - track

The tarball will come later.

Regards
Jörg Kleuver

On 13.04.2011 16:25, Tom Eastep wrote:
> On 04/13/2011 03:45 AM, Jörg Kleuver wrote:
>
>>
>> FW$> cat providers
>> ISP1 1 1 - ppp0 - track
>> ISP1 1 1 - ppp0 - track
>>
>
> I don't believe that. The compiler would certainly generate an error
> with that configuration.
>
> Please:
>
> a) shorewall show -f capabilities> /etc/shorewall/caps
> b) tar -zcf shorewall.tgz /etc/shorewall
> c) Send me the shorewall.tgz tarball along with the output of
> 'shorewall dump' with the firewall started.
>
> -Tom

Hi Tom,

attached are the tarball and the output from 'shorewall dump'.

Regards
Jörg Kleuver

Hi Jörg,

Please try the attached patch. It applies with offsets to 4.4.11.6.

    cd /usr/share/shorewall/
    patch -p3 < .../DEFAULTRT.diff

Thanks,
-Tom

On Apr 13, 2011, at 8:12 AM, Jörg Kleuver wrote:
> On 13.04.2011 16:25, Tom Eastep wrote:
>> On 04/13/2011 03:45 AM, Jörg Kleuver wrote:
>>
>>>
>>> FW$> cat providers
>>> ISP1 1 1 - ppp0 - track
>>> ISP1 1 1 - ppp0 - track
>>>
>>
>> I don't believe that. The compiler would certainly generate an error
>> with that configuration.
>>
>> Please:
>>
>> a) shorewall show -f capabilities> /etc/shorewall/caps
>> b) tar -zcf shorewall.tgz /etc/shorewall
>> c) Send me the shorewall.tgz tarball along with the output of
>> 'shorewall dump' with the firewall started.
>>
>> -Tom
>
> Hi Tom,
>
> attached are the tarball and the output from 'shorewall dump'.
>
> Regards Jörg Kleuver
>
> <shorewall.tgz><dump.log>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users

On 13.04.2011 19:19, Tom Eastep wrote:
> Hi Jörg,
>
> Please try the attached patch. It applies with offsets to 4.4.11.6.
>
> cd /usr/share/shorewall/
> patch -p3< .../DEFAULTRT.diff
>
> Thanks,
> -Tom
>

Hi Tom,

the patch works for the problem with nexthops from routes other than default. The strange default route is gone. Thanks for this.

In my later setup I have no problem with default routes in the main table anyways, since I'll be using USE_DEFAULT_RT=Yes anyways, since ospf will change the main routing table.

Regardless of this, I'd like to know what the restore_default_route function is supposed to do?

I played with other default routes which have a metric of 10 and 20:

    FW$> ip route
    10.0.0.1 dev ppp0 proto kernel scope link src 10.67.15.1
    10.0.1.1 dev eth3 scope link
    10.100.100.0/30 dev eth0 proto kernel scope link src 10.100.100.1
    10.100.100.8/30 dev eth0 proto kernel scope link src 10.100.100.10
    10.168.0.0/16 metric 100
            nexthop via 10.100.100.2 dev eth0 weight 1
            nexthop via 10.100.100.9 dev eth0 weight 1
    default dev ppp0 scope link metric 10
    default via 10.0.1.1 dev eth3 metric 20

After shorewall start the routing looks like this:

    FW$> ip route
    10.0.0.1 dev ppp0 proto kernel scope link src 10.67.15.1
    10.0.1.1 dev eth3 scope link
    10.100.100.0/30 dev eth0 proto kernel scope link src 10.100.100.1
    10.100.100.8/30 dev eth0 proto kernel scope link src 10.100.100.10
    10.168.0.0/16 metric 100
            nexthop via 10.100.100.2 dev eth0 weight 1
            nexthop via 10.100.100.9 dev eth0 weight 1
    default via 10.0.1.1 dev eth3 metric 20

After shorewall stop the routing still looks like this:

    FW$> ip route
    10.0.0.1 dev ppp0 proto kernel scope link src 10.67.15.1
    10.0.1.1 dev eth3 scope link
    10.100.100.0/30 dev eth0 proto kernel scope link src 10.100.100.1
    10.100.100.8/30 dev eth0 proto kernel scope link src 10.100.100.10
    10.168.0.0/16 metric 100
            nexthop via 10.100.100.2 dev eth0 weight 1
            nexthop via 10.100.100.9 dev eth0 weight 1
    default via 10.0.1.1 dev eth3 metric 20

What's the problem with this? Is there still one?

Greetings
Jörg

On 04/14/2011 02:50 AM, Jörg Kleuver wrote:
>
> What's the problem with this? Is there still one?

Yes -- the code supporting USE_DEFAULT_RT=Yes is not prepared to handle multiple default routes in the main table.

-Tom

On 14.04.2011 15:56, Tom Eastep wrote:
> On 04/14/2011 02:50 AM, Jörg Kleuver wrote:
>
>>
>> What's the problem with this? Is there still one?
>
> Yes -- the code supporting USE_DEFAULT_RT=Yes is not prepared to handle
> multiple default routes in the main table.
>
> -Tom

Hi Tom,

I wasn't using USE_DEFAULT_RT=Yes in any of the configurations yet and this happened all with USE_DEFAULT_RT=No

-Jörg

On 04/14/2011 07:03 AM, Jörg Kleuver wrote:
> On 14.04.2011 15:56, Tom Eastep wrote:
>> On 04/14/2011 02:50 AM, Jörg Kleuver wrote:
>>
>>>
>>> What's the problem with this? Is there still one?
>>
>> Yes -- the code supporting USE_DEFAULT_RT=Yes is not prepared to handle
>> multiple default routes in the main table.
>>
>> -Tom
>
> Hi Tom,
>
> I wasn't using USE_DEFAULT_RT=Yes in any of the configurations yet and
> this happened all with USE_DEFAULT_RT=No

Yes -- I see that. I'll try to get a fix out today but I have a busy work schedule so it may be this evening.

-Tom

On 04/14/2011 07:18 AM, Tom Eastep wrote:
> On 04/14/2011 07:03 AM, Jörg Kleuver wrote:
>> On 14.04.2011 15:56, Tom Eastep wrote:
>>> On 04/14/2011 02:50 AM, Jörg Kleuver wrote:
>>>
>>>>
>>>> What's the problem with this? Is there still one?
>>>
>>> Yes -- the code supporting USE_DEFAULT_RT=Yes is not prepared to handle
>>> multiple default routes in the main table.
>>>
>>> -Tom
>>
>> Hi Tom,
>>
>> I wasn't using USE_DEFAULT_RT=Yes in any of the configurations yet and
>> this happened all with USE_DEFAULT_RT=No
>
> Yes -- I see that. I'll try to get a fix out today but I have a busy
> work schedule so it may be this evening.

Hi Jörg,

The attached patch should fix the USE_DEFAULT_RT=No case for IPv4. I'll work on the other cases as time permits.

-Tom

On 04/14/2011 07:52 AM, Tom Eastep wrote:
> On 04/14/2011 07:18 AM, Tom Eastep wrote:
>> On 04/14/2011 07:03 AM, Jörg Kleuver wrote:
>>> On 14.04.2011 15:56, Tom Eastep wrote:
>>>> On 04/14/2011 02:50 AM, Jörg Kleuver wrote:
>>>>
>>>>>
>>>>> What's the problem with this? Is there still one?
>>>>
>>>> Yes -- the code supporting USE_DEFAULT_RT=Yes is not prepared to handle
>>>> multiple default routes in the main table.
>>>>
>>>> -Tom
>>>
>>> Hi Tom,
>>>
>>> I wasn't using USE_DEFAULT_RT=Yes in any of the configurations yet and
>>> this happened all with USE_DEFAULT_RT=No
>>
>> Yes -- I see that. I'll try to get a fix out today but I have a busy
>> work schedule so it may be this evening.
>
> Hi Jörg,
>
> The attached patch should fix the USE_DEFAULT_RT=No case for IPv4. I'll
> work on the other cases as time permits.

If you have applied the previous patch, please reverse it and apply this one instead. I believe that it corrects default route save/restore in all cases.

Thanks,
-Tom

On 14.04.2011 18:38, Tom Eastep wrote:
>
> If you have applied the previous patch, please reverse it and apply this
> one instead. I believe that it corrects default route save/restore in
> all cases.
>
> Thanks,
> -Tom
>

Hi Tom,

thanks for the patches, some hunks failed but I fixed that up. I'm still testing some cases, so far it looks good for the configuration I had.

If I add balance to the providers file for both ISPs, I guess there's still something wrong in the case I have default routes with metric <> 0 and no default route with metric 0. shorewall start works and the balanced route is added, but not removed when doing shorewall stop.

I'll test some cases tomorrow with USE_DEFAULT_RT=Yes.

Regards
Jörg Kleuver

Hi Jörg,

On 04/14/2011 10:25 AM, Jörg Kleuver wrote:
> If I add balance to the providers file for both ISPs, i guess there's
> still something wrong in the case i have default routes with metric <> 0
> and no default route with metric 0. shorewall start works and the
> balanced route is added, but not removed when doing shorewall stop.

That's a case that I didn't test. Attached patch should correct it.

>
> I'll test some cases tomorrow with USE_DEFAULT_RT=Yes.
>

I did test that so hopefully your testing tomorrow will go smoother.

-Tom

Hi Tom,

On 14.04.2011 21:07, Tom Eastep wrote:
> Hi Jörg,
>
> On 04/14/2011 10:25 AM, Jörg Kleuver wrote:
>
>> If I add balance to the providers file for both ISPs, i guess there's
>> still something wrong in the case i have default routes with metric<> 0
>> and no default route with metric 0. shorewall start works and the
>> balanced route is added, but not removed when doing shorewall stop.
>
> That's a case that I didn't test. Attached patch should correct it.
>
>>
>> I'll test some cases tomorrow with USE_DEFAULT_RT=Yes.
>>
>
> I did test that so hopefully your testing tomorrow will go smoother.
>
> -Tom

I found the reason for the balanced route not to be removed. There was a typo in DEFROUTE3.diff:

@@ -557,6 +561,15 @@ restore_default_route() { esac done < ${VARDIR}/default_route + if [ -n "$default_route" ]; then + replace_default_route + elif [ $result = 1 ]; then + # + # We added a default route with metric 0 but there wasn''t one previously + # + qt -4 ip route del default metric 0 && progress_message "Default route with metric 0 deleted" ^^^^^^^^^^^^^^ + fi +

With that fixed this case is working properly. I'll test some more later.

Greetings
Jörg

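Review bot: in the added `elif` branch the delete line starts `qt -4 ip route del default metric 0`, so `-4` lands in the command position and `ip` becomes an argument; this is the span the carets mark. Because the progress message is chained with `&&`, a failing delete simply prints nothing, and the balanced default route stays in place after `shorewall stop`. Suggest `qt $IP -4 route delete default metric 0`, which also uses `$IP` like the `$IP -4 route ...` calls quoted earlier in the thread rather than a bare `ip`. The new comment says this branch is for a metric-0 route that this run added, so `$result` has to be 1 only in that case; the hunk does not show where it is set, and that assignment should be checked before this delete is relied on.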
On 15.04.2011 10:54, Jörg Kleuver wrote:
>
> With that fixed this case is working properly. I'll test some more later.
>

Hi Tom,

I was too hasty, there's still something wrong. After I fixed the typo, same typo in prog.header6 too, routes with a metric disappear again.

The reason for this is at the end of restore_default_route().

    if [ $result = 1 ]; then
        #

$result is set to 1 unconditionally at the beginning and never updated, even when no default route was replaced or added.

    ip -4 route del default metric 0

When no default route with metric 0 exists, this deletes the next default route with the lowest metric ...

Greetings
Jörg

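One way to guard the delete that the message above describes, as an added example that is not part of the thread and is not the fix Shorewall adopted: the delete command is emitted only when this run actually installed a metric-0 default route and a metric-0 default route is still present. The function names and the yes/no flag are hypothetical, and the route listings are constructed in `ip -o -4 route list` form.

```shell
#!/bin/sh
# Added illustration; all sample data is constructed.

# Main table with only metric 10 / metric 20 default routes, mirroring the
# case tested earlier in the thread.
routes_metric_only() {
cat <<'EOF'
10.0.1.1 dev eth3 scope link
default dev ppp0 scope link metric 10
default via 10.0.1.1 dev eth3 metric 20
EOF
}

# Same table after a balanced (multipath) default route with metric 0 was added.
routes_with_metric0() {
cat <<'EOF'
10.0.1.1 dev eth3 scope link
default \ nexthop dev ppp0 weight 1 \ nexthop via 10.0.1.1 dev eth3 weight 1
default dev ppp0 scope link metric 10
default via 10.0.1.1 dev eth3 metric 20
EOF
}

# Succeeds only if stdin holds a default route whose metric is 0.
# ip omits the "metric" keyword when the metric is 0.
has_metric0_default() {
    awk '
        $1 == "default" {
            m = 0
            for (i = 2; i < NF; i++) if ($i == "metric") m = $(i + 1)
            if (m + 0 == 0) found = 1
        }
        END { exit (found ? 0 : 1) }
    '
}

# Print the delete command only when
#   $1 = yes  (hypothetical flag: this run installed a metric-0 default), and
#   a metric-0 default route is present in the listing on stdin.
# Otherwise print nothing, so routes with metric 10 or 20 are never touched.
plan_metric0_cleanup() {
    added=$1
    if [ "$added" = yes ] && has_metric0_default; then
        echo "ip -4 route del default metric 0"
    fi
}

echo "metric-only table : '$(routes_metric_only | plan_metric0_cleanup yes)'"
echo "with metric-0 route: '$(routes_with_metric0 | plan_metric0_cleanup yes)'"
```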
Hi Jörg,

On 04/15/2011 02:27 AM, Jörg Kleuver wrote:
> I was too hasty, there's still something wrong, after I fixed the typo,
> same typo in prog.header6 too, routes with a metric disappear again.
>
> The reason for this is at the end of restore_default_route().
>
> if [ $result = 1 ]; then
> #
>
> $result is set to 1 unconditionally at the beginning and never updated,
> even when no default route was replaced or added.
>
> ip -4 route del default metric 0
>
> When no default route with metric 0 exists, this deletes the next
> default route with the lowest metric ...

Please reverse the changes that you made to correct the typo and apply this patch. "It works for me" :-)

Thanks,
-Tom

Hi Tom,

On 15.04.2011 16:07, Tom Eastep wrote:
>
> Please reverse the changes that you made to correct the typo and apply
> this patch. "It works for me" :-)
>

Reversed and up to DEFROUTE5.diff. "This works for me too" ;-)

Haven't found any problems. BTW, why restore a default route in the simple case when no balance is set in the providers file? The routing in the main table doesn't change either way when shorewall is running or not if you pretend the user is responsible for providing the default route in this case.

I see you used ip -o route ls now ;-) that makes parsing of routes much simpler ...

Weekend for me; the tests with USE_DEFAULT_RT=Yes are for next week.

Greetings
Jörg

On 04/15/2011 09:16 AM, Jörg Kleuver wrote:
> Hi Tom
>
> On 15.04.2011 16:07, Tom Eastep wrote:
>>
>> Please reverse the changes that you made to correct the typo and apply
>> this patch. "It works for me" :-)
>>
>
> Reversed and up to DEFROUTE5.diff. "This works for me too" ;-)
>
> Havn't found any problems. BTW Why restore a default route in the simple
> case when no balance is set in providers file? The routing in the main
> table doesn't change either way when shorewall is running or not if you
> pretend the user is responsible for providing the default route in this
> case.

The default route is saved during 'shorewall start' and it is restored during 'shorewall stop'. To make 'shorewall restart' as seamless as possible, that command doesn't restore/save the default route(s). As a consequence, the configuration can have changed completely since the 'start' was done so no assumptions can be made about what has happened in the interim.

-Tom