> On 03/09/2017 08:20 AM, Simon Matter wrote:
>>> On 03/08/2017 10:15 PM, Simon Matter wrote:
>>>
>>>>
>>>> After doing countless reloads I found a way to prevent those
>>>> connections from being killed. Removing "routefilter" from
>>>> eth2 seems to change the behavior.
>>>>
>>>> Does it make any sense? Any suggestion what to do instead?
>>>> Using "sfilter" instead or using "routeback,routefilter"
>>>> (didn't test as my testing time is over)?
>>>>
>>>
>>> It only makes sense if you are adding and deleting routes as part
>>> of reload, either from /etc/shorewall/routes or in an extension
>>> script. Adding 'routeback' will prevent the packets from being
>>> rejected in the FORWARD chain -- they will simply time out and be
>>> retransmitted.
>>
>> I have nothing in "routes" and also no extension scripts. Doesn't
>> shorewall modify the routing table during reload as part of the
>> "proxyarp" handling?
>>
>> I've now observed the routing table during "shorewall reload" and
>> saw that the host routes for the proxyarped IP addresses disappear
>> and later are generated again. Isn't it a problem if a TCP
>> connection is active during the period when no host route exists? I
>> guess that's why only certain connections get killed because I
>> expect it's only when there is activity during the reload period
>> when no route exists.
>>
>
> There are a couple of ways to avoid this behavior:
>
> a) Add the routes outside of Shorewall using your distro's network
>    configuration tool, then enter 'yes' in the HAVEROUTE column.
>
> b) In /etc/shorewall/init, add the following:
>
>       if [ "$COMMAND" = reload ]; then
>           rm -f ${VARDIR}/proxyarp
>       fi
>
>     That will delete the file that records the routes that were added
>     during the last start/reload. The generated script uses 'ip route
>     replace' to add/update the routes, so if they already exist, there
>     will be no harm.
>
> For the next release, I'll make PERSISTENT=Yes avoid deleting the
> routes on reload. I'll also add the -n option to the reload command,
> which will avoid updating routes altogether.

Hi Tom, thanks a lot! I'll try the workaround b) tomorrow morning, eagerly
waiting for the next release.

Regards,
Simon
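The two pieces of the discussion above, as an added example that is not code from the thread or from the Shorewall project: the `/etc/shorewall/init` workaround from Tom's reply wrapped in a function so it can be exercised against a scratch directory, and a small check that compares the addresses you expect to be proxy-ARPed against the text of `ip route show`, reporting any address whose host route is currently missing. The routing-table text, the addresses and the interface names are constructed sample data; the check assumes the host routes appear as `<ip> dev <iface> ...` lines, which is the shape `ip route replace <ip> dev <iface>` produces.

```shell
#!/bin/sh
# Added example (not from the thread or from Shorewall itself).
#
# init_hook: the /etc/shorewall/init workaround, as a function.
#   $1 = Shorewall command (start|reload|...), $2 = VARDIR
#   The file recording last run's proxyarp routes is removed only on
#   'reload'; the generated script then re-adds the routes with
#   'ip route replace', which is harmless if they still exist.
init_hook() {
    if [ "$1" = reload ]; then
        rm -f "$2/proxyarp"
    fi
}

# missing_host_routes: print every address in $1 (space separated) that
# has no host route in the 'ip route show' text passed as $2.
# Run during a reload to observe the window in which connections to the
# proxy-ARPed hosts have no route; an empty result means all are present.
missing_host_routes() {
    _ips=$1
    _table=$2
    for _ip in $_ips; do
        # Escape the dots so they match literally in the regex.
        _re=$(printf '%s' "$_ip" | sed 's/\./\\./g')
        # A host route shows up as "<ip> dev <iface> ..." (assumed shape,
        # optionally "<ip>/32"); anchor on the line start.
        if ! printf '%s\n' "$_table" | grep -Eq "^$_re(/32)? dev "; then
            printf '%s\n' "$_ip"
        fi
    done
}

# Constructed sample: a routing table as it might look mid-reload, with
# the host route for 192.0.2.11 already removed and not yet re-added.
SAMPLE_TABLE='default via 198.51.100.1 dev eth0
198.51.100.0/24 dev eth0 proto kernel scope link src 198.51.100.2
192.0.2.10 dev eth2 scope link
10.0.0.0/24 dev eth1 proto kernel scope link src 10.0.0.1'

# Constructed list of addresses that /etc/shorewall/proxyarp is expected
# to publish on eth2.
SAMPLE_IPS='192.0.2.10 192.0.2.11'

# Demo run against the constructed table; on a live box replace
# "$SAMPLE_TABLE" with "$(ip route show)".
missing=$(missing_host_routes "$SAMPLE_IPS" "$SAMPLE_TABLE")
if [ -n "$missing" ]; then
    echo "proxyarp addresses without a host route:"
    echo "$missing"
else
    echo "all proxyarp host routes present"
fi
```

To watch the reload window live, loop the check with a short sleep while running `shorewall reload` in another terminal; any address printed is one whose active TCP connections risk being dropped until the route is re-added.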


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
