Due to the complexity of our network architecture, and the added complexity of consolidating into vserver hosts running 4 or more ethernet ports on 4 or more dedicated, unique networks, I have discovered that we have no choice but to use iproute2. The net config file supports all of the ip route options that I have needed, but I cannot find a way to place ip rules into the net file. I have had to create a startup script that runs after 'net' and before applications are loaded just to support the rules required. It would be nice to have an additional configuration option "rules_ethx" so all the network configuration can be in one spot. An example of what I have to do is below.

Within /etc/conf.d/net:

config_eth3=( "172.30.0.50 netmask 255.255.255.0 broadcast 172.30.0.255" )
# both routes belong in one array; a second routes_eth3=( ... ) assignment
# would overwrite the first one
routes_eth3=(
    "172.30.0.0/24 src 172.30.0.50 table pvtnet"
    "default via 172.30.0.1 table pvtnet"
)

Then within my script:

#!/sbin/runscript

depend() {
    need net
    before svscan
}

start() {
    ebegin "Setting iproute2 rules."
    # set up rules
    /sbin/ip rule add from 172.30.0.0/24 table pvtnet
    eend $?
}

This list is actually a bit longer, but this is just to keep this one IP block example intact. It appears that routes_ethx does a call to ip route, so I cannot add rules there. Is there an undocumented feature, or somewhere hidden in some document that shows the net file already supports something like rules_ethx? If not, it would be a definitely welcome addition.
Why can't you use the postup() function?
Created attachment 69267: /etc/conf.nd/net.multihomed (conf.d/net with extensible rules)
I've just attached a quick implementation that I did some months ago. The ip_rule_runner interface stuff to get rules_ethX is clunky, and I'm sure it could be improved upon, but the basic concept and everything is there. Note that the flush_route_cache is required, else you get up to 2 minutes of network weirdness where packets aren't following the ip rules.
(In reply to comment #3)
> I've just attached a quick implementation that I did some months ago.
> The ip_rule_runner interface stuff to get rules_ethX is clunky, and I'm sure it
> could be improved upon, but the basic concept and everything is there.
>
> Note that the flush_route_cache is required, else you get up to 2 minutes of
> network weirdness where packets aren't following the ip rules.

Thank you and SpanKY for that. It never occurred to me! And thanks for the example. I will put this in and try it. Regardless, I see now it can be done, so I'll resolve this as done. Thanks again!
Wouldn't it be nice to have those rule-management functions provided by the /lib/rcscripts/net.modules.d/iproute2 net module? More concretely, we have to add

----------------->8-------------------
flush_route_cache() {
    local ret
    ebegin "Flushing route cache for ${IFACE}"
    ip route flush cache dev ${IFACE}
    ret=$?
    eend ${ret}
    return ${ret}
}

ip_rule_runner() {
    local cmd="$1" x e
    # rules array is left unscoped on purpose; see the bash-3.0 'local' array
    # problem further down in this bug
    eval rules=( \"\$\{rules_${ifvar}\[@\]\}\" )
    eindent
    for x in "${rules[@]}"; do
        einfo "${x}"
        e=$( ip rule ${cmd} dev ${IFACE} ${x} 2>&1 )
        einfo "${e}"
    done
    eoutdent
    return 0
}
----------------->8-------------

as functions, and

----------------->8------------
einfo "Adding rules"
ip_rule_runner add
flush_route_cache
----------------->8------------

at iproute2_post_start() after creation of the routes. The thing I do not know is where to put the predown things, namely the removal of rules during interface shutdown:

----------------->8------------
predown() {
    einfo "Removing rules"
    ip_rule_runner del
    flush_route_cache
}
----------------->8------------

Maybe someone else has an idea.
Some data of my system:

----------------->8------------
balu conf.d # emerge info
Portage 2.0.54 (default-linux/x86/2005.0, gcc-3.3.6, glibc-2.3.5-r2, 2.6.15-gentoo-r1 i686)
=================================================================
System uname: 2.6.15-gentoo-r1 i686 Intel(R) Pentium(R) 4 CPU 1300MHz
Gentoo Base System version 1.6.14
dev-lang/python:     2.3.5, 2.4.2
sys-apps/sandbox:    1.2.12
sys-devel/autoconf:  2.13, 2.59-r6
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1
sys-devel/binutils:  2.16.1
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.11-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-march=pentium4 -O2 -pipe -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/share/config /usr/share/texmf/dvipdfm/config/ /usr/share/texmf/dvips/config/ /usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/config/ /usr/share/texmf/xdvi/ /var/bind /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-march=pentium4 -O2 -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig distlocks sandbox sfperms strict"
GENTOO_MIRRORS="ftp://ftp.tu-clausthal.de/pub/linux/gentoo/ ftp://ftp.uni-erlangen.de/pub/mirrors/gentoo ftp://ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/ "
LANG="de_DE@euro"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="x86 apache2 apm bash-completion berkdb bzip2 crypt cups curl doc expat fbcon firebird foomaticdb gdbm gif gmp idn imagemagick imap jpeg kerberos krb4 ldap libedit libg++ libwww mhash mime mmx mpm-prefork ncurses nls no-old-linux nocardbus odbc pam pcre pdflib perl pg-intdatetime png postgres python readline reiserfs samba sasl sdl sharedmem slp spell sse ssl svg tcpd tetex tiff tools truetype truetype-fonts type1 type1-fonts udev underscores unicode usb vhosts wmf xml xml2 zlib userland_GNU kernel_linux elibc_glibc"
Unset:  ASFLAGS, CTARGET, LC_ALL, LDFLAGS, LINGUAS, MAKEOPTS, PORTDIR_OVERLAY

balu conf.d # emerge -pv baselayout

These are the packages that I would merge, in order:

Calculating dependencies ...done!
[ebuild   R   ] sys-apps/baselayout-1.11.14-r3  -bootstrap -build -static +unicode 0 kB
----------------->8------------
Is there an equivalent for net-tools (ifconfig, route, etc.)?
Does that matter? In fact it does not; there is a reason why iproute2 exists. If you'd prefer ifconfig over iproute2, you have to use routes instead of routes_$iface and so on. You have to define module-specific variables in conf.d/net. The modules work as wrappers for the underlying tools, so it would be very nice if other options were configurable via conf.d/net variables too. Am I wrong? ervin
(In reply to comment #7)
> Does that matter?

Well yes, it does. If the same thing can be done with net-tools stuff, then rules_eth1 needs to do the same magic to eth1 using net-tools as it does using iproute2, with the same syntax. I have no issue with making it part of our iproute2 module, but if net-tools can do something similar then even better :) At present, iproute2 is an optional module whereas net-tools isn't going away, so if we can get net-tools to support this rule thing then even better. I'm re-opening this bug to remind me to put rule_eth0=( ... ) support into the iproute2 module.
Created attachment 78806 (diff): enables rules_eth0=( .. ) in conf.d/net

OK, this is a patch against baselayout-1.12.0_pre15 that enables rules_eth0=( .. ) for iproute2. Anyone care to test it for me?
*** Bug 118056 has been marked as a duplicate of this bug. ***
There are conceptual problems in handling routes and rules:
- The results depend on the execution position; that means the routing setup differs if I change the order of starting interfaces.
- The other thing is that for local connections there must be some rules which cannot depend on an interface, because the kernel decides the outgoing interface at the 'where to route' step.

Having only a rules_$if is not really sufficient; one idea is to have something like:

rules_all=(
    "192.168.0.0/24 lookup main"
    "from 192.168.100.0/24 dev eth1 lookup 100"
    "from 192.168.200.0/24 dev eth2 lookup 150"
    ".."
)

and so on. That means if one interface $if goes down, all $if-related rules and routes should be deleted, but when it comes up all rules must be flushed and then rebuilt. But I'm not at the end yet. First I'll explore more of routing. By that I'll test your changes. Fortunately lartc.org is back in DNS, but are there any useful advanced routing documents available? Does anyone use advanced routing with Gentoo? I use a Gentoo box as a NAT router with two external lines.
- The first thing is a failover from the main line (WLAN) to the backup line (ISDN)
- The second thing is to be able to log in via ssh through both of those external interfaces

For the second thing it is important that connections are handled on one interface, meaning the answers leave on the interface where the questions came in.

BTW: Is this the right place to discuss the net.xxxx things and concepts, or is there another? ervin
In my original example, I didn't specify the content of /etc/iproute2/rt_tables:

255 local
254 main
253 default
0   unspec
1   shaw
2   primus
3   localnet

Ervin: I think my original attachment here supplies some of what you are interested in. It's a NAT box (internal is eth0) with both Cable (eth1) and ADSL (eth2). Both external interfaces are always up, and outside of the net.* scripts I have IMQ devices that shuffle traffic around: Email and BitTorrent go in/out on the Cable connection (they don't complain about the traffic), SSH/Web goes on the ADSL connection. If one connection is down, then all traffic goes through the other.
(In reply to comment #9)
> OK, this is a patch against baselayout-1.12.0_pre15 that enables rules_eth0=(
> .. ) for iproute2.

I prepared my test computer today, with 3 NICs, and updated to ~x86 baselayout-1.12.0_pre1-r1; the things I played with were working fine. Then I applied your patch and it breaks the route configuration by treating the two entries in

routes_eth1=( "192.168.150.200 via 192.168.2.3" "default via 192.168.2.3 table rt1" )

as one:

postbote ~ # /etc/init.d/net.eth1 restart
 * Stopping eth1
 *   Bringing down eth1
 *     Shutting down eth1 ...                                      [ ok ]
 * Starting eth1
 *   Bringing up eth1
 *     192.168.2.100/24                                            [ ok ]
 *   Adding routes
 *     (192.168.150.200 via 192.168.2.3 default via 192.168.2.3 table rt1) ...
Error: an inet prefix is expected rather than "(192.168.150.200".
 *     ip route append (192.168.150.200 via 192.168.2.3 default via 192.168.2.3 table rt1) metric 0 dev eth1  [ ok ]
 *   Adding IP policy routing rules
 *     from ...
Error: an inet prefix is expected rather than "dev".               [ !! ]
 *     192.168.2.100/24 ...
Error: argument "192.168.2.100/24" is wrong: Failed to parse rule type  [ !! ]
 *     lookup ...
Error: argument "dev" is wrong: invalid table ID                   [ !! ]
 *     rt1 ...
Error: argument "rt1" is wrong: Failed to parse rule type          [ !! ]

It seems that after patching, multiple routes are concatenated into one string. But the only differences I recognised were the use of 'local' for variables:

@308:
    local x="routes_${ifvar}[@]"
    local routes=( "${!x}" )
    local metric
    ...

I removed the local and the routes start without errors. Again, in the rules section later on I got some errors which could be worked around by removing the local -a statement on line 353:

    local -a rules=( "${!x}" )

After those changes it seems to work fine at first look; I'll check on. I looked for 'local' and it should do what I expect it to do:

postbote ~ # help local
local: local name[=value] ...
    Create a local variable called NAME, and give it VALUE. LOCAL can only be used within a function; it makes the variable NAME have a visible scope restricted to that function and its children.

??? ervin
Sounds like you have encountered a bash-3.0 bug which I was discussing last week - try bash-3.1_p7
(In reply to comment #14)
> Sounds like you have encountered a bash-3.0 bug which I was discussing last
> week - try bash-3.1_p7

That's it, updating bash fixed it. But after some investigation and testing I removed the automatic 'dev ${iface}' in rule creation. Routes are obviously bound to interfaces, rules are not; in fact locally generated packets do not know where they will go out. So there must be a way to specify rules without binding the rule to packets using that interface. My suggestion is to manage rules corresponding to an interface, but not bound to that interface. I made this change in iproute2:iproute2_post_start and also changed the rule deletion in iproute2:iproute2_post_stop. I'll attach the modified iproute2 and net.example originating from baselayout-1.12.0_pre15-r1, as I haven't figured out yet how to use diff for preparing patches here. ervin
Created attachment 79691: iproute2 with rules not bound to dev

As mentioned above, the modified iproute2 from baselayout-1.12.0_pre15-r1, patched. ervin
Created attachment 79692: net.example with multihomed, rules example

As mentioned above, I appended some lines for use with rules/iproute2. ervin
After much discussion with various other developers in IRC we've decided not to support ip rules directly and instead document how to use them in the post{up,down} functions in net.example.

This is for several reasons:
1) Only a very small subset of people need this
2) Its setup is very system specific
3) It only works with iproute2; our standard install currently works 100% with ifconfig too
4) As you pointed out, rules don't have to be bound to specific interfaces
Created attachment 79774: example /etc/conf.d/net with postup, predown

I attached my last working test config with postup() and predown() functions; maybe it is useful for net.example. Thanks to all, ervin
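The postup()/predown() approach the bug settled on, worked through as an added example. This is not baselayout's iproute2 module and not any of the attached configs; it is editor-written code that also covers two points raised earlier in the thread: the result must not depend on which interface was started first, and rules are not bound to an interface, so teardown has to remove exactly the rule that setup created. Assumptions made here: the table name passed in already exists in /etc/iproute2/rt_tables (e.g. "3 pvtnet"), the rule priorities (pref) are chosen by the caller, and run()/DRY_RUN are this example's own device for printing the ip(8) commands instead of executing them, so the result can be reviewed or tested without root. The route-cache flush is kept for the old kernels the thread is about; since Linux 3.6 there is no IPv4 route cache and the command is a no-op.

```shell
#!/bin/sh
# Policy-routing helpers for a multihomed host (added example, not baselayout
# code). Source this file from /etc/conf.d/net and call policy_up from postup()
# and policy_down from predown(). Table names are assumed to be defined in
# /etc/iproute2/rt_tables; pref values are the caller's choice.

# run CMD...: execute, or with DRY_RUN set just print the command line.
run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# cidr_network ADDR/PLEN: print the network prefix (172.30.0.50/24 ->
# 172.30.0.0/24) so the connected route is derived, not typed twice.
cidr_network() {
    host=${1%/*} plen=${1#*/}
    case $plen in ''|*[!0-9]*) return 1 ;; esac
    [ "$plen" -le 32 ] || return 1
    oldifs=$IFS; IFS=.; set -- $host; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    # 4294967295 is 0xffffffff; shifting it left by (32 - plen) builds the mask
    n=$(( (($1 << 24) | ($2 << 16) | ($3 << 8) | $4) \
          & (4294967295 << (32 - plen)) & 4294967295 ))
    printf '%d.%d.%d.%d/%d\n' $(( (n >> 24) & 255 )) $(( (n >> 16) & 255 )) \
        $(( (n >> 8) & 255 )) $(( n & 255 )) "$plen"
}

# policy_up IFACE ADDR/PLEN GATEWAY TABLE PREF: per-interface routing table
# plus a source-address rule with an explicit priority.
policy_up() {
    iface=$1 cidr=$2 gw=$3 table=$4 pref=$5
    addr=${cidr%/*}
    net=$(cidr_network "$cidr") || return 1
    # The connected and default routes live in the interface's own table, so a
    # lookup in that table always leaves through this interface and gateway.
    run ip route replace "$net" dev "$iface" src "$addr" table "$table"
    run ip route replace default via "$gw" dev "$iface" table "$table"
    # Replies sourced from this address go back out the link they came in on.
    # The rule is keyed by pref rather than by interface: its position in the
    # rule list no longer depends on which net.* script ran first, and
    # policy_down can delete exactly this rule. ip rule add does not
    # de-duplicate, hence the delete first (its error, if any, is ignored).
    run ip rule del pref "$pref" 2>/dev/null
    run ip rule add pref "$pref" from "$addr" table "$table"
    # Needed on old kernels so the new rule takes effect immediately; a no-op
    # since Linux 3.6, which has no IPv4 route cache.
    run ip route flush cache
}

# policy_down TABLE PREF: undo policy_up, so the rule does not outlive the
# address it refers to.
policy_down() {
    table=$1 pref=$2
    run ip rule del pref "$pref"
    run ip route flush table "$table"
    run ip route flush cache
}

# policy_check SRC DST: ask the kernel which path a packet from SRC to DST
# takes; the answer should name the table's interface and gateway.
policy_check() {
    run ip route get "$2" from "$1"
}

# Stand-alone demonstration in a subshell: print, without touching the kernel,
# what would be done for the address and table from the original report.
(
    DRY_RUN=1
    policy_up eth3 172.30.0.50/24 172.30.0.1 pvtnet 100
    policy_check 172.30.0.50 198.51.100.7
    policy_down pvtnet 100
)
```

In /etc/conf.d/net this becomes a postup() that calls policy_up with the interface name it receives and a predown() that calls policy_down with the same table and pref; after bringing the interface up, ip route get DST from ADDR should report dev eth3 via 172.30.0.1, which is the check that the reply path really follows the rule and not the main table.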
Fixed in baselayout-1.12.0_pre16
*** Bug 152522 has been marked as a duplicate of this bug. ***