Good Afternoon

I use shorewall to do multi ISP both IPv4 and IPv6

About IPv4(shorewall) is no problem

but ipv6(shorewall6) has problem can't start when I write config in /etc/shorewall6/providers

Spite of is really close config

I use centos 6.3 - kernel 2.6.32-279.el6.i686 - iptables 1.4.7-5.1 - shorewall & shorewall6 version 4.5.11.2

Thank you for your help ^_^

At last I attach some involved config file below

/etc/shorewall6/interfaces

>> #ZONE INTERFACE OPTIONS
>> net eth0 tcpflags,forward=1,sourceroute=0
>> net eth2 tcpflags,forward=1,sourceroute=0
>> loc eth1 tcpflags,forward=1

/etc/shorewall6/providers

>> #NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
>> ISP1 1 1 main eth0 1:1:1:1::1 track none

Some trace about shorewall6 can't start

>> Compiling...
>> Processing /etc/shorewall6/params ...
>> Processing /etc/shorewall6/shorewall6.conf...
>> Loading Modules...
>> Compiling /etc/shorewall6/zones...
>> Compiling /etc/shorewall6/interfaces...
>> Determining Hosts in Zones...
>> Locating Action Files...
>> Compiling /usr/share/shorewall6/action.Drop for chain Drop...
>> Compiling /usr/share/shorewall6/action.AllowICMPs for chain AllowICMPs...
>> Compiling /usr/share/shorewall6/action.Broadcast for chain Broadcast...
>> Compiling /usr/share/shorewall/action.Invalid for chain Invalid...
>> Compiling /usr/share/shorewall/action.NotSyn for chain NotSyn...
>> Compiling /usr/share/shorewall6/action.Reject for chain Reject...
>> Compiling /etc/shorewall6/policy...
>> Compiling TCP Flags filtering...
>> Compiling Accept Source Routing...
>> Compiling /etc/shorewall6/providers...
>> Compiling MAC Filtration -- Phase 1...
>> Compiling /etc/shorewall6/rules...
>> Compiling MAC Filtration -- Phase 2...
>> Applying Policies...
>> Generating Rule Matrix...
>> Optimizing Ruleset...
>> Creating ip6tables-restore input...
>> Compiling Interface forwarding...
>> Shorewall configuration compiled to /var/lib/shorewall6/.start
>> Starting Shorewall6....
>> Initializing...
>> Processing /etc/shorewall6/init ...
>> Processing /etc/shorewall6/tcclear ...
>> Setting up Accept Source Routing...
>> Setting up Proxy NDP...
>> Adding Providers...
>> RTNETLINK answers: Invalid argument
>> ERROR: Command "ip -6 route add default via 1:1:1:1::1 src 1:1:1:1::2 dev eth0 table 1" Failed
>> Processing /etc/shorewall6/stop ...
>> Processing /etc/shorewall6/tcclear ...
>> Running /sbin/ip6tables-restore...
>> IPv6 Forwarding Enabled
>> Processing /etc/shorewall6/stopped ...
>> /usr/share/shorewall/lib.common: line 112: 5876 Terminated $SHOREWALL_SHELL $script $options $@

I believe this may be caused by the command being generated with the src <addr> argument. I'm not certain this is supported for IPv6 as I have in the past tried to manually add a route and found it would not work unless that argument was eliminated. It could have something to do with the address selection algorithms in IPv6 which are I think different as IPv6 was written from the beginning with multiple addresses per interface in mind plus the added factors introduced by address scoping. I just checked the iproute2 manual though and there is nothing in man ip-route's description of the src attribute to suggest that it's IPv4 only so it's possible that iproute2 has a bug, then a lot of things I guess are possible here given iproute2 is itself more of a frontend, could be an issue with the underlying netlink or kernel routing code too. Something doesn't like src for ip6 routes anyway.

Either shorewall shouldn't be generating IPv6 routes with src or iproute2 should be accepting them but I am really not sure which is the case, likely shorewall may have to work around it for a while even if it is an iproute2 issue as I can see it being a while before one can bank on the support being operational.

On 08/03/13 11:50, Prachachart Stapornnanon wrote:
> [...]
>>> RTNETLINK answers: Invalid argument
>>> ERROR: Command "ip -6 route add default via 1:1:1:1::1 src 1:1:1:1::2 dev eth0 table 1" Failed
> [...]
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users

On 3/8/13 9:23 AM, "Matt Joyce" <mjoyce@mttjocy.co.uk> wrote:
> [...]
> Something doesn't like src for ip6 routes anyway.
>
> Either shorewall shouldn't be generating IPv6 routes with src or
> iproute2 should be accepting them but I am really not sure which is the
> case, likely shorewall may have to work around it for a while even if it
> is an iproute2 issue as I can see it being a while before one can bank
> on the support being operational.

root@gateway:~# fgrep 'route add' /var/lib/shorewall6/firewall
run_ip route add default scope global table $2 $1
run_ip route add default dev sit2 table 4
run_ip route add default dev sit1 table 5
run_ip route add default table 253 dev sit1 metric 5
qt $IP -6 route add ::192.88.99.1 src $SW_SIT3_ADDRESS dev sit3
run_ip route add ::192.88.99.1 src $SW_SIT3_ADDRESS dev sit3 table 6
run_ip route add default via ::192.88.99.1 src $SW_SIT3_ADDRESS dev sit3 table 6
run_ip route add default via ::192.88.99.1 src $SW_SIT3_ADDRESS dev sit3 table 253 metric 6
run_ip route add default scope global table 250 $DEFAULT_ROUTE
error_message "WARNING: No Default route added (all 'balance' providers are down)"
root@gateway:~# ip -V
ip utility, iproute2-ss100519
root@gateway:~# uname -a
Linux gateway 2.6.32-5-amd64 #1 SMP Mon Feb 25 00:26:11 UTC 2013 x86_64 GNU/Linux
root@gateway:~#

-Tom

You do not need a parachute to skydive. You only need a parachute to
skydive twice.

On 03/08/2013 09:47 AM, Tom Eastep wrote:
> [...]
> root@gateway:~# ip -V
> ip utility, iproute2-ss100519
> root@gateway:~# uname -a
> Linux gateway 2.6.32-5-amd64 #1 SMP Mon Feb 25 00:26:11 UTC 2013 x86_64 GNU/Linux
> root@gateway:~#

I should have mentioned that Shorewall expects iproute2 to handle 'src'
which it is in my case.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

On 08/03/13 22:40, Tom Eastep wrote:
> [...]
> I should have mentioned that Shorewall expects iproute2 to handle 'src'
> which it is in my case.
>
> -Tom

I found an alternate solution to select source addresses in my case so hadn't tried in a while (some months I think) but can confirm that ss121211 also works, not sure which it would have been when it wasn't working but perhaps an update of iproute might fix the problem for you Prachachart. If you do try it maybe make a note of your current version also, would be interesting to get an idea where it might have changed.

Thank you Matt & Tom

when I command "ip -V" output is "ip utility, iproute2-ss091226"

First, I'll try to update to ss121211 and tell you about result

but if it not work how can I do

Prachachart

On Sat, Mar 9, 2013 at 8:02 AM, Matt Joyce <mjoyce@mttjocy.co.uk> wrote:
> [...]
> I found an alternate solution to select source addresses in my case so
> hadn't tried in a while (some months I think) but can confirm that
> ss121211 also works, not sure which it would have been when it wasn't
> working but perhaps an update of iproute might fix the problem for you
> Prachachart. If you do try it maybe make a note of your current version
> also, would be interesting to get an idea where it might have changed.
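
The triage this thread works through can be scripted. The following is an added example, not code from Shorewall or from any poster: it pulls the failed command out of a shorewall6 start trace, checks whether it is an IPv6 route carrying `src`, and compares the local `ip -V` snapshot with the ones reported working above. The function names are hypothetical, the sample inputs are constructed from text quoted in the thread, and the snapshot list is only the thread's data points, not an established cutoff.

```shell
#!/bin/sh
# Added example: triage for the shorewall6 start failure in this thread.
# Function names are hypothetical; sample inputs are constructed from the
# trace and `ip -V` strings quoted in the messages.

# iproute2 snapshots the thread reports as accepting "src" on IPv6 routes.
# These are the thread's data points, not an established cutoff.
REPORTED_WORKING="100519 121211"

# Print the YYMMDD snapshot from `ip -V` output; print nothing when the
# string is not in the iproute2-ssYYMMDD form.
iproute2_snapshot() {
    printf '%s\n' "$1" | sed -n 's/.*iproute2-ss\([0-9]\{6\}\).*/\1/p'
}

# Read a shorewall6 trace on stdin and print the command named in the
# first 'ERROR: Command "..." Failed' line.
failed_command() {
    sed -n 's/.*ERROR: Command "\(.*\)" Failed.*/\1/p' | head -n 1
}

# Succeed only for an "ip -6 route add" command carrying a src argument.
uses_ipv6_src() {
    case "$1" in
        *"ip -6 route add "*" src "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the address that follows "src" in the command.
route_src() {
    printf '%s\n' "$1" | sed -n 's/.* src \([^ ]*\).*/\1/p'
}

# triage TRACE IP_V_OUTPUT: print one line of key=value findings.
triage() {
    cmd=$(printf '%s\n' "$1" | failed_command)
    if [ -z "$cmd" ]; then echo "failure=none"; return 0; fi
    if ! uses_ipv6_src "$cmd"; then echo "failure=other"; return 0; fi

    snap=$(iproute2_snapshot "$2")
    ver=unknown
    verdict=unknown-version-format
    if [ -n "$snap" ]; then
        ver=ss$snap
        verdict=not-reported
        oldest=${REPORTED_WORKING%% *}
        # Prefix 1 so a leading zero (09...) is never read as octal.
        if [ "1$snap" -lt "1$oldest" ]; then
            verdict=older-than-reported-working
        fi
        for v in $REPORTED_WORKING; do
            if [ "$v" = "$snap" ]; then verdict=reported-working; fi
        done
    fi
    echo "failure=ipv6-route-src src=$(route_src "$cmd") iproute2=$ver verdict=$verdict"
}

# Constructed sample: the failing lines from the trace in the first message.
SAMPLE_TRACE='Adding Providers...
RTNETLINK answers: Invalid argument
   ERROR: Command "ip -6 route add default via 1:1:1:1::1 src 1:1:1:1::2 dev eth0 table 1" Failed
Processing /etc/shorewall6/stop ...'

triage "$SAMPLE_TRACE" 'ip utility, iproute2-ss091226'
```

On a real host, pass a saved start trace as the first argument and the output of `ip -V` as the second. A `reported-working` verdict alongside the same failure points away from the iproute2 snapshot and toward the kernel side that the second message mentions.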