Hi,
I just updated my Nethserver CentOS system to 7.5, which did NOT update
the version of Shorewall I'm using. After the update, I noticed that
the ip rule table "main" is now duplicated, and I think in the wrong
position after starting an OpenVPN client. I will add that I haven't
seen any problems with the rules/routes (so far), other than it looking
wrong.
Here's what I see immediately after boot:
[root@Nethserver ~]# shorewall show routing
Shorewall 5.1.10.2 Routing at Nethserver.BogoLinux.net - Wed Jun 27 18:12:39 PDT 2018
Routing Rules
0: from all lookup local
32766: from all lookup main
32766: from all lookup main
32767: from all lookup default
Table default:
Table local:
local 76.91.194.242 dev eno1 proto kernel scope host src 76.91.194.242
local 192.168.150.1 dev wg0 proto kernel scope host src 192.168.150.1
local 192.168.0.254 dev br0 proto kernel scope host src 192.168.0.254
local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
broadcast 76.91.207.255 dev eno1 proto kernel scope link src 76.91.194.242
broadcast 76.91.192.0 dev eno1 proto kernel scope link src 76.91.194.242
broadcast 192.168.150.255 dev wg0 proto kernel scope link src 192.168.150.1
broadcast 192.168.150.0 dev wg0 proto kernel scope link src 192.168.150.1
broadcast 192.168.0.255 dev br0 proto kernel scope link src 192.168.0.254
broadcast 192.168.0.0 dev br0 proto kernel scope link src 192.168.0.254
broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1
broadcast 127.0.0.0 dev lo proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1
Table main:
192.168.150.0/24 dev wg0 proto kernel scope link src 192.168.150.1
192.168.0.0/24 dev br0 proto kernel scope link src 192.168.0.254
76.91.192.0/20 dev eno1 proto kernel scope link src 76.91.194.242
default via 76.91.192.1 dev eno1
[root@Nethserver ~]#
At this point, there obviously won't be any issues with the table being
duplicated. But after then starting an OpenVPN client session:
[root@Nethserver ~]# shorewall show routing
Shorewall 5.1.10.2 Routing at Nethserver.BogoLinux.net - Wed Jun 27 18:14:06 PDT 2018
Routing Rules
0: from all lookup local
999: from all lookup main
5000: from all lookup spectrum
10000: from all fwmark 0x10000/0xf0000 lookup net
10001: from all fwmark 0x20000/0xf0000 lookup vpn
20000: from 76.91.194.242 lookup net
20000: from 10.18.2.170 lookup vpn
32765: from all lookup balance
32766: from all lookup main
32767: from all lookup default
Table balance:
default via 76.91.192.1 dev eno1
Table default:
10.18.2.169 dev tun0 scope link
default via 10.18.2.169 dev tun0 src 10.18.2.170 metric 2
Table local:
local 76.91.194.242 dev eno1 proto kernel scope host src 76.91.194.242
local 192.168.150.1 dev wg0 proto kernel scope host src 192.168.150.1
local 192.168.0.254 dev br0 proto kernel scope host src 192.168.0.254
local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
local 10.18.2.170 dev tun0 proto kernel scope host src 10.18.2.170
broadcast 76.91.207.255 dev eno1 proto kernel scope link src 76.91.194.242
broadcast 76.91.192.0 dev eno1 proto kernel scope link src 76.91.194.242
broadcast 192.168.150.255 dev wg0 proto kernel scope link src 192.168.150.1
broadcast 192.168.150.0 dev wg0 proto kernel scope link src 192.168.150.1
broadcast 192.168.0.255 dev br0 proto kernel scope link src 192.168.0.254
broadcast 192.168.0.0 dev br0 proto kernel scope link src 192.168.0.254
broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1
broadcast 127.0.0.0 dev lo proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1
Table main:
76.91.192.1 dev eno1 scope link src 76.91.194.242
104.238.32.102 via 76.91.192.1 dev eno1
10.18.2.169 dev tun0 scope link src 10.18.2.170
192.168.150.0/24 dev wg0 proto kernel scope link src 192.168.150.1
192.168.0.0/24 dev br0 proto kernel scope link src 192.168.0.254
76.91.192.0/20 dev eno1 proto kernel scope link src 76.91.194.242
Table net:
76.91.192.1 dev eno1 scope link src 76.91.194.242
default via 76.91.192.1 dev eno1 src 76.91.194.242
Table spectrum:
216.55.149.49 via 10.18.2.169 dev tun0
214.3.118.39 via 10.18.2.169 dev tun0
214.16.193.213 via 10.18.2.169 dev tun0
214.16.193.199 via 10.18.2.169 dev tun0
205.73.236.4 via 10.18.2.169 dev tun0
195.201.14.99 via 10.18.2.169 dev tun0
155.22.160.15 via 10.18.2.169 dev tun0
155.22.160.12 via 10.18.2.169 dev tun0
131.78.212.84 via 10.18.2.169 dev tun0
131.78.211.149 via 10.18.2.169 dev tun0
131.78.204.149 via 10.18.2.169 dev tun0
131.78.200.85 via 10.18.2.169 dev tun0
131.78.200.62 via 10.18.2.169 dev tun0
104.25.36.116 via 10.18.2.169 dev tun0
104.25.35.116 via 10.18.2.169 dev tun0
Table vpn:
10.18.2.169 dev tun0 scope link src 10.18.2.170
default via 10.18.2.169 dev tun0 src 10.18.2.170
[root@Nethserver ~]#
Notice now that one of the "main" entries is one of the first tables
referenced, before any of the rules introduced by the VPN.
Also, I thought (from memory) that previously the second "main" table
was ahead of "balance", because that table is used to force out all the
packets that made it that far through the routing via my ethernet
card and not via the (split routed) VPN.
Is this an issue just with the updates between CentOS 7 -> 7.5, or are
they influencing how Shorewall is constructing the rules/routes?
Cheers.
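Added example (not part of the original post): a small checker that parses the two "Routing Rules" listings quoted above and reports which table lookups are duplicated and which policy tables sit behind the first "from all lookup main" rule, since the kernel walks rules in ascending priority and any destination that main can route never reaches the later tables.

```python
import re
from collections import Counter

# The two "Routing Rules" listings copied from the post above.
RULES_AFTER_BOOT = """\
0: from all lookup local
32766: from all lookup main
32766: from all lookup main
32767: from all lookup default
"""

RULES_WITH_VPN = """\
0: from all lookup local
999: from all lookup main
5000: from all lookup spectrum
10000: from all fwmark 0x10000/0xf0000 lookup net
10001: from all fwmark 0x20000/0xf0000 lookup vpn
20000: from 76.91.194.242 lookup net
20000: from 10.18.2.170 lookup vpn
32765: from all lookup balance
32766: from all lookup main
32767: from all lookup default
"""

# "<prio>: <selector> lookup <table>" as printed by `shorewall show routing`
RULE_RE = re.compile(r"^\s*(\d+):\s+(.*?)\s+lookup\s+(\S+)\s*$")

def parse_rules(text):
    """Return (priority, selector, table) tuples in the order the kernel consults them."""
    rules = [(int(m.group(1)), m.group(2), m.group(3))
             for m in map(RULE_RE.match, text.splitlines()) if m]
    return sorted(rules, key=lambda r: r[0])  # stable: ties keep listing order

def duplicate_lookups(rules):
    """Tables referenced twice with an identical selector (the doubled 'main')."""
    counts = Counter((sel, table) for _, sel, table in rules)
    return sorted(table for (sel, table), n in counts.items() if n > 1)

def tables_shadowed_by(rules, table="main"):
    """Tables first consulted after the first 'from all' rule for `table`.
    Only destinations that `table` has a route for are affected; the catch-all
    'default' table at 32767 always trails main and is left out."""
    first = next((p for p, sel, t in rules if t == table and sel == "from all"), None)
    shadowed = []
    for p, _, t in rules:
        if first is not None and p > first and t not in (table, "default", *shadowed):
            shadowed.append(t)
    return shadowed
```

Running `tables_shadowed_by(parse_rules(RULES_WITH_VPN))` lists spectrum, net, vpn and balance, i.e. every policy table the VPN added sits behind the main lookup at priority 999.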
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users