From 44a738842ae9bb0ac938675e15a4623bb93793ff Mon Sep 17 00:00:00 2001 From: teastep Date: Mon, 1 May 2006 21:40:05 +0000 Subject: [PATCH] Add route_rules section to Multi-ISP doc git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3830 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- docs/MultiISP.xml | 120 +++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 119 insertions(+), 1 deletion(-) diff --git a/docs/MultiISP.xml b/docs/MultiISP.xml index 52841b65f..3868f1d94 100644 --- a/docs/MultiISP.xml +++ b/docs/MultiISP.xml @@ -15,7 +15,7 @@ - 2006-04-24 + 2006-05-01 2005 @@ -545,5 +545,123 @@ eth1 eth2 130.252.99.27 # PORT(S) 2:P <local network> 0.0.0.0/0 tcp 25 + +
+ /etc/shorewall/route_rules + + The /etc/shorewall/route_rules file was added + in Shorewall version 3.2.0. The route_rules file + allows assigning certain traffic to a particular provider just as + entries in the tcrules file. The difference between + the two files is that entries in route_rules are + independent of Netfilter. + +
+ Routing Rules + + Routing rules are maintained by the Linux kernel and can be + displayed using the ip rule ls command. When + routing a packet, the rules are processed in turn until the packet is + successfully routed. + + gateway:~ # ip rule ls +0: from all lookup local +10001: from all fwmark 0x1 lookup Blarg +10002: from all fwmark 0x2 lookup Comcast +20000: from 206.124.146.176 lookup Blarg +20256: from 24.12.22.33 lookup Comcast +32766: from all lookup main +32767: from all lookup default +gateway:~ # + + In the above example, there are two providers: Blarg and Comcast + with MARK 1 going to Blarg and mark 2 going to Comcast. +
+ +
+ Columns in the route_rules file + + Columns in the file are: + + + + SOURCE(Optional) + + + An ip address (network or host) that matches the source IP + address in a packet. May also be specified as an interface name + optionally followed by ":" and an address. If the device 'lo' is + specified, the packet must originate from the firewall + itself. + + + + + DEST(optional) + + + An ip address (network or host) that matches the + destination IP address in a packet. + + If you choose to omit either SOURCE or DEST, place "-" in + that column. Note that you may not omit both SOURCE and + DEST. + + + + + PROVIDER + + + The provider to route the traffic through. May be + expressed either as the provider name or the provider + number. + + + + + PRIORITY + + + The rule's priority which determines the order in which + the rules are processed. + + 1000-1999 Before Shorewall-generated 'MARK' rules + + 11000- 11999 After 'MARK' rules but before + Shorewall-generated rules for ISP interfaces. + + 26000-26999 After ISP interface rules but before 'default' + rule. + + Rules with equal priority are applied in the order in + which they appear in the file. + + + + + Example: You want all traffic entering the firewall on eth1 to + be routed through Comcast. + + #SOURCE DEST PROVIDER PRIORITY +eth1 - Comcast 1000 + + With this entry, the output of ip rule ls + would be as follows. + + gateway:~ # ip rule ls +0: from all lookup local +1000: from all iif eth1 lookup Comcast +10001: from all fwmark 0x1 lookup Blarg +10002: from all fwmark 0x2 lookup Comcast +20000: from 206.124.146.176 lookup Blarg +20256: from 24.12.22.33 lookup Comcast +32766: from all lookup main +32767: from all lookup default +gateway:~ #Note that because we used a priority of 1000, the + test for eth1 is inserted + before the fwmark tests. +
+
\ No newline at end of file
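Review bot: the example that closes the route_rules section ("eth1 - Comcast 1000") needs a caveat next to "the test for eth1 is inserted before the fwmark tests": since the kernel processes the rules in turn until the packet is routed, a priority-1000 rule matching "iif eth1" wins over the 10001/10002 fwmark rules, so any tcrules MARK that would otherwise send eth1 traffic to Blarg is silently ignored. Suggest stating that explicitly and telling readers who want MARK rules to take precedence to use the 11000-11999 range instead. Two smaller points in the PRIORITY column text: "11000- 11999" has a stray space, and "26000-26999 After ISP interface rules but before 'default' rule" should also say that this is before the 'main' rule (32766 in the listing), because a rule in that range bypasses the main routing table as well. Minor wording: "SOURCE(Optional)" and "DEST(optional)" should use the same capitalisation, "An ip address" should read "An IP address" in both column descriptions, and "just as entries in the tcrules file" reads better as "just as entries in the tcrules file do".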