From: Andrzej O. <an...@ma...> - 2009-12-04 16:01:06
Hi,

This night I tried to change DL on my main router, replacing the 13-jul compilation with the 1-dec one. After the change my addresses in Warsaw were unreachable from the south of Poland. After returning to the 13-jul image, all functionality returned to the previous, correct state and all tunnels from the south of Poland (Katowice, Kraków) were restored.

The main difference, I think, is the Quagga version -- now 0.99.15 patched for realms using diffs for 0.99.12.
I will try now to patch it (mainly bgpd) with the newest accessible set of Adrian Ban patches based on Calin Velea patches for realms tested for 0.99.14.

But maybe anyone knows another reason why simply replacing 0.99.12 with 0.99.15 changed BGPD broadcasting? Maybe this is a configuration trick? I don't use realms settings.

Regards
--
Andrzej Odyniec
From: Serge L. <fi...@in...> - 2009-12-04 17:26:34
On 12/04/2009 07:42 AM, Andrzej Odyniec wrote:
>
> The main difference, I think, is Quagga version -- now 0.99.15 patched for
> realms using diffs for 0.99.12.
> I will try now to patch it (mainly bgpd) by newest accessible set of Adrian
> Ban patches based on Calin Velea patches for realms tested for 0.99.14.

Thanks for pointing to the problem - I've updated the patch in DL sources. Patch for 0.99.14 is completely compatible with 0.99.15, the difference is only the line with version.

--
Serge
From: Andrzej O. <an...@ma...> - 2009-12-08 13:24:37
Serge Leschinsky wrote:
> On 12/04/2009 07:42 AM, Andrzej Odyniec wrote:
>>The main difference, I think, is Quagga version -- now 0.99.15 patched for
>>realms using diffs for 0.99.12.
>>I will try now to patch it (mainly bgpd) by newest accessible set of Adrian
>>Ban patches based on Calin Velea patches for realms tested for 0.99.14.
>
> Thanks for pointing to the problem - I've updated the patch in DL sources. Patch
> for 0.99.14 is completely compatible with 0.99.15, the difference is only the
> line with version.

Thanks Serge,
Yes. I know about this compatibility.

BTW. Pointing out the incompatibility of Quagga and the patches for realms was absolutely a side effect. The real problem is (I think now) in another place.

It is hard to test problems with routing on a real company network. I can do it only immediately after midnight. But I tested this effect on all accessible version combinations of quagga with and without the realms patch set: 13, 14 and 15. All work on the DL compilation from July and all work incorrectly on the last compiled DL.

I think there is no problem with quagga, but with Shorewall. Tom Eastep changed Shorewall functionality in many places. The kernel was changed too. In July it was Shorewall 4.2.6 and now it is Shorewall 4.4.2.

With the last DL I see on the border interfaces via tcpdump ping packets from my south Branches, like from other Divisions, but there are no answers for these from the south, and there is a normal echo answer for the rest of the pings. There is no such effect when I load the DL from July. I have Shorewall open for ping from all directions.

The Shorewall configuration was the same, but probably the interpretation has changed. Maybe a source route (or other new) criterion is used now?

I need to read the discussion on the Shorewall list and look at the counters in the netfilter rules.

BTW. Thanks.

Regards
Andrzej
From: Andrzej O. <an...@ma...> - 2009-12-21 01:01:49
Hi,

I, Andrzej Odyniec wrote:
> Shorewall configuration was this same, but probably interpretation has changed.
> Maybe now is used source route (or other new) criterium?
>
> I need read discussion on Shorewall list and look on counters in netfilter rules.

So I solved the problem. The first half was the last kernel patch: 31.7. But the second half is the changed interpretation of the rp_filter interface parameter in kernels starting from 2.6.31. Now the interface rp_filter setting has no precedence over /all/rp_filter, but the max of these two values is used. The Shorewall parameter ROUTEFILTER=No is not working with these kernels, but sets /all/rp_filter to 1, up to the last Shorewall 4.4.5.2.

So there is a need to update Shorewall or to set .../all/rp_filter manually in the /etc/shorewall/start script by adding:

    echo 0 >/proc/sys/net/ipv4/conf/all/rp_filter

of course only if we do not need reverse path filtering (as with a dual-homed bgp gate).

Andrzej Odyniec
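The rule described in the last message (from kernel 2.6.31 the value applied to an interface is the maximum of conf/all/rp_filter and the interface's own rp_filter), as an added shell example that is not part of the original thread. The function names, interface names and sample values are constructed for illustration; pass /proc/sys/net/ipv4/conf as the first argument to inspect a live system.

```sh
#!/bin/sh
# Added example: report the effective rp_filter per interface on kernels
# >= 2.6.31, where the kernel applies max(conf/all, conf/<iface>).
# Values: 0 = off, 1 = strict, 2 = loose.

# effective_rp_filter CONF_DIR IFACE -> prints the value the kernel applies
effective_rp_filter() {
    e_all=$(cat "$1/all/rp_filter")
    e_own=$(cat "$1/$2/rp_filter")
    if [ "$e_all" -gt "$e_own" ]; then echo "$e_all"; else echo "$e_own"; fi
}

# rp_filter_report CONF_DIR -> one line per interface; OVERRIDDEN marks an
# interface configured as 0 that is still filtered because of conf/all.
rp_filter_report() {
    r_all=$(cat "$1/all/rp_filter")
    for r_dir in "$1"/*/; do
        r_if=$(basename "$r_dir")
        case "$r_if" in all|default) continue ;; esac
        [ -r "$r_dir/rp_filter" ] || continue
        r_own=$(cat "$r_dir/rp_filter")
        r_eff=$(effective_rp_filter "$1" "$r_if")
        r_note=""
        if [ "$r_own" -eq 0 ] && [ "$r_eff" -ne 0 ]; then r_note=" OVERRIDDEN"; fi
        echo "$r_if own=$r_own all=$r_all effective=$r_eff$r_note"
    done
}

# make_sample DIR -> constructed tree mirroring the thread: all=1 while the
# two uplinks (eth0, eth1; hypothetical names) are set to 0.
make_sample() {
    for spec in all:1 default:1 eth0:0 eth1:0 eth2:1; do
        mkdir -p "$1/${spec%%:*}"
        echo "${spec##*:}" > "$1/${spec%%:*}/rp_filter"
    done
}

if [ -n "${1:-}" ]; then
    rp_filter_report "$1"            # e.g. /proc/sys/net/ipv4/conf
else
    tmp=$(mktemp -d)
    make_sample "$tmp"
    rp_filter_report "$tmp"          # constructed sample, runs offline
    rm -rf "$tmp"
fi
```

On the constructed sample both uplinks are reported as OVERRIDDEN, which is the state the message describes when /all/rp_filter is left at 1.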