05-13-2010, 06:36 PM
Gordon Messmer

Not firewall, but what?

On 05/11/2010 10:21 PM, Jussi Hirvi wrote:
> On 12.5.2010 3.25, Gordon Messmer wrote:
>> On 05/11/2010 10:21 AM, Jussi Hirvi wrote:
>>>
>>> Interesting commands, and revealing, it seems to me.
>>
>> Well, there you go. Something set up policy routing on the working
>> host. Do you have any files like /etc/sysconfig/network-scripts/route-*
>> or /etc/sysconfig/network-scripts/rule-* ?
>
> None. But I found these (standard CentOS files):
>
> [root@farm1 network-scripts]# grep -rl "ip rule" .
> ./ifdown-routes
> ./ifup-routes

Yes, those scripts will run "ip rule" to process the contents of the
"rule-*" files. The company I work for uses shorewall on all of their
multi-homed systems, so I'm not sure how systems without it behave.
That said, I don't see any magic in the init scripts to handle this
without your input. I'm inclined to believe that something on your
system was manually configured to set up the routing policy that you see.

Find it harder:
find /etc/ -type f -print0 | xargs -0 grep "ip rule"
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
05-13-2010, 07:47 PM

Not firewall, but what?

Gordon wrote:
> On 05/11/2010 10:21 PM, Jussi Hirvi wrote:
>> On 12.5.2010 3.25, Gordon Messmer wrote:
>>> On 05/11/2010 10:21 AM, Jussi Hirvi wrote:
>>>>
<snip>
> Find it harder:
> find /etc/ -type f -print0 | xargs -0 grep "ip rule"

Or, since modern find's default to -print, you could do
find /etc -type f -exec grep -l "ip rule" {} \;

mark "of all the ways you *can* do it in *Nix, how
would you *like* to do it?"

 
05-14-2010, 05:34 AM
Gordon Messmer

Not firewall, but what?

On 05/13/2010 12:47 PM, m.roth@5-cent.us wrote:
> Gordon wrote:
>> Find it harder:
>> find /etc/ -type f -print0 | xargs -0 grep "ip rule"
>
> Or, since modern find's default to -print,

Yes, they do, but I have no idea what that has to do with your
suggestion to use -exec. If you had suggested eliminating the use of
-print as redundant, your suggestion would be merely inefficient rather
than a non sequitur.

> you could do
> find /etc -type f -exec grep -l "ip rule" {} \;

You could, but that would run "grep" once for each file where xargs will
run grep the minimum number of times. Using xargs is substantially faster.

Having said that, I see that find has an option of which I was
previously unaware. If you use the '+' character instead of the ';', it
will behave more or less the same way that xargs does:

find /etc/ -type f -exec grep "ip rule" {} +

 
05-14-2010, 07:10 AM
Jussi Hirvi

Not firewall, but what?

>> [root@farm1 network-scripts]# grep -rl "ip rule" .
>> ./ifdown-routes
>> ./ifup-routes

On 13.5.2010 21.36, Gordon Messmer wrote:
> Yes, those scripts will run "ip rule" to process the contents of the
> "rule-*" files. The company I work for uses shorewall on all of their
> multi-homed systems, so I'm not sure how systems without it behave.
> That said, I don't see any magic in the init scripts to handle this
> without your input. I'm inclined to believe that something on your
> system was manually configured to set up the routing policy that you see.
>
> Find it harder:
> find /etc/ -type f -print0 | xargs -0 grep "ip rule"

Ok, rc.d/routes is probably it (on the "healthy" machine I previously
used as a reference). I will have to study the ip command and routing a
bit, then make a fix on the "non-healthy" (xen) box.

[root@mail ~]# find /etc -type f -exec grep -l "ip rule" {} \;
/etc/udev/rules.d/50-udev.rules.rpmorig
/etc/udev/rules.d/50-udev.rules
/etc/rc.d/routes
/etc/sysconfig/network-scripts/ifdown-routes.rpmorig
/etc/sysconfig/network-scripts/ifdown-routes
/etc/sysconfig/network-scripts/ifup-routes.rpmorig
/etc/sysconfig/network-scripts/ifup-routes

[root@mail rc.d]# cat routes

/sbin/ip address add 62.220.237.110/27 dev eth0
/sbin/ip route add default via 62.220.237.126 tab 1
/sbin/ip route add default via 62.236.221.65 tab 2
/sbin/ip rule add from 62.236.221.70 tab 2 prio 500
/sbin/ip rule add from 62.220.237.110 tab 1 prio 600
/sbin/ip route flush cache


- Jussi

--
Jussi Hirvi * Green Spot
Topeliuksenkatu 15 C * 00250 Helsinki * Finland
Tel. +358 9 493 981 * Mobile +358 40 771 2098 (only sms)
jussi.hirvi@greenspot.fi * http://www.greenspot.fi
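
The search from this thread as a reusable check (an added example, not written by any poster in the thread): a plain `grep "ip rule"` also hits RPM backup copies and unrelated text, so this version matches only uncommented `ip rule add/del` and `ip route ... table` commands, then asks RPM which package owns each hit. The function names, the sample tree and its 192.0.2.x addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and the sample tree are illustrative.

# List files under $1 (default /etc) that run "ip rule add|del" or
# "ip route ... tab(le) N" outside comments, skipping RPM backup copies.
find_policy_routing() {
    find "${1:-/etc}" -type f \
        ! -name '*.rpmorig' ! -name '*.rpmsave' ! -name '*.rpmnew' \
        -exec grep -lE \
        '^[^#]*ip[[:space:]]+(rule[[:space:]]+(add|del)|route[[:space:]].*[[:space:]]tab(le)?[[:space:]])' \
        {} + 2>/dev/null | sort
}

# For each path on stdin, print "path<TAB>owner". A hit that no package
# owns was put there by an admin or a local script, not by the distro.
package_owner() {
    while IFS= read -r f; do
        if ! command -v rpm >/dev/null 2>&1; then
            owner='rpm-unavailable'
        elif owner=$(rpm -qf --qf '%{NAME}\n' "$f" 2>/dev/null); then
            :
        else
            owner='unowned'
        fi
        printf '%s\t%s\n' "$f" "$owner"
    done
}

# Constructed sample tree with the kinds of hits seen in the thread.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/rc.d" "$d/sysconfig/network-scripts" "$d/udev/rules.d"
    printf '%s\n' '/sbin/ip route add default via 192.0.2.1 tab 1' \
        '/sbin/ip rule add from 192.0.2.10 tab 1 prio 600' > "$d/rc.d/routes"
    printf '%s\n' '/sbin/ip rule add $line' \
        > "$d/sysconfig/network-scripts/ifup-routes"
    cp "$d/sysconfig/network-scripts/ifup-routes" \
        "$d/sysconfig/network-scripts/ifup-routes.rpmorig"
    # Plain-substring false positive: "skip rule" contains "ip rule".
    printf '%s\n' '# skip rule for this device' > "$d/udev/rules.d/50-udev.rules"
    echo "$d"
}

# Demo on the sample tree; on a real host call find_policy_routing /etc.
tree=$(make_sample_tree) && {
    find_policy_routing "$tree" | package_owner
    rm -rf "$tree"
}
```

On an RPM-based host, an `unowned` result for a file that adds rules or routes is the one to read first, since nothing in the package database accounts for it.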
 
05-16-2010, 02:29 AM
Gordon Messmer

Not firewall, but what?

On 05/14/2010 12:10 AM, Jussi Hirvi wrote:
>
> Ok, rc.d/routes is probably it

Looks that way. I find that relatively reassuring. No "linux magic"
involved. But then, if you didn't set that up, who did?

> (on the "healthy" machine I previously
> used as a reference). I will have to study the ip command and routing a
> bit, then make a fix on the "non-healthy" (xen) box.

I'd recommend either setting the rules up in a "rules-eth0" or such file
in /etc/sysconfig/network-scripts, or using shorewall. Inventing your
own system is workable, but as you've found, they tend not to be
documented well which leads future admins (or even future you) to wonder
how things work. Use the facilities available rather than fighting them.