
OSPF (Quagga), Shorewall and Policy Routing: inactive route problem

If you use Quagga (OSPF) and plan to use Shorewall to balance the channels that OSPF runs over, read on.

The problem


We have a normally working OSPF setup that exchanges routes perfectly, and everything is fine. Then you decide that you need a second provider and, to improve the QoS situation, apply something like LXC for the QoS service (replacing ifb with veth), that is, you start balancing on the interfaces that run OSPF. This is where the problem appears: although the channels, routes and so on are perfectly normal and alive, Quagga does not put the routes into the routing table. Even more confusing, in vtysh the command show ip ospf route shows all the routes, while in show ip route they have the inactive status.

Cause


Shorewall turned out to be the culprit: on interfaces with balancing it adds extra routes like the ones marked with arrows:

    10.0.11.0/24 dev eth1 proto kernel scope link src 10.0.11.2
    10.0.11.1 dev eth1 scope link src 10.0.11.2 <=============
    10.0.12.0/24 dev eth2 proto kernel scope link src 10.0.12.2
    10.0.12.1 dev eth2 scope link src 10.0.12.2 <=============

When Quagga encounters such routes, it gets confused and does not install the routes that go through them.

Solution


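A small script that we will run whenever Shorewall starts:

/usr/local/bin/shorewall-prov-fix.sh

    #!/bin/bash
    # Provider interfaces: column 5 of /etc/shorewall/providers, with the
    # variables defined in /etc/shorewall/params expanded by envsubst.
    IF=$(grep -v -e '^#' -e '^?' /etc/shorewall/providers | sort -u -t $'\t' -k1,1 | cut -d$'\t' -f 5 | eval $(for i in $(grep -v -e '^#' -e '^\[' /etc/shorewall/params);do echo -e "$i \c";done;echo '') envsubst)
    for IF_ in $IF; do
      # IPv4 address of the interface, without the prefix length
      IP=$(ip addr show $IF_ | grep 'inet ' | cut -d ' ' -f 6 | sed -e 's/\/.*$//')
      # Link-scope routes on this interface that the kernel did not create
      SRC=$(ip route show dev $IF_ scope link src $IP | grep -v kernel)
      # Nothing to remove on this interface
      [ -n "$SRC" ] || continue
      eval "ip route del dev $IF_ $SRC scope link src $IP"
    done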

And add it to:

/etc/shorewall/started

    /usr/local/bin/shorewall-prov-fix.sh > /dev/null 2>&1
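
To preview which routes a fix like this would remove before hooking it into /etc/shorewall/started, the following added example (not part of the original article) parses `ip route show` output and prints the matching `ip route del` commands without running them. The function name find_extra_link_routes and the sample routing table are assumptions made for the illustration.

```bash
#!/bin/bash
# Added example: dry-run check for the extra link-scope routes described
# above. Nothing is deleted; the commands are only printed for review.

# Constructed sample: the four routes listed in the article plus made-up
# neighbours (a default route and eth0 entries) to exercise the filter.
SAMPLE_ROUTES='default via 10.0.11.1 dev eth1
10.0.11.0/24 dev eth1 proto kernel scope link src 10.0.11.2
10.0.11.1 dev eth1 scope link src 10.0.11.2
10.0.12.0/24 dev eth2 proto kernel scope link src 10.0.12.2
10.0.12.1 dev eth2 scope link src 10.0.12.2
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.1
192.168.1.254 dev eth0 scope link src 192.168.1.1'

# find_extra_link_routes [IFACE...]   (hypothetical helper name)
# Reads `ip route show` text on stdin. For every "scope link" route with a
# "src" that lacks "proto kernel", prints the delete command for it.
# With interface arguments only those devices are considered; with none,
# every device is.
find_extra_link_routes() {
    awk -v ifaces="$*" '
    BEGIN {
        n = split(ifaces, a, " ")
        for (i = 1; i <= n; i++) want[a[i]] = 1
        all = (n == 0)
    }
    {
        dev = ""; src = ""; link = 0; kernel = 0
        # Walk the keyword/value pairs that follow the destination in $1
        for (i = 2; i < NF; i++) {
            if ($i == "dev") dev = $(i + 1)
            else if ($i == "src") src = $(i + 1)
            else if ($i == "scope" && $(i + 1) == "link") link = 1
            else if ($i == "proto" && $(i + 1) == "kernel") kernel = 1
        }
        if (link && !kernel && src != "" && (all || (dev in want)))
            printf "ip route del %s dev %s scope link src %s\n", $1, dev, src
    }'
}

# Demo on the constructed sample; on a live host pipe in `ip route show`.
printf '%s\n' "$SAMPLE_ROUTES" | find_extra_link_routes eth1 eth2
```
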

PS


The clue to the solution was not found immediately, but here is a link to the appropriate source.

Source: https://habr.com/ru/post/309386/

