fault_tolerant_router 1.0.0 → 1.0.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 2c69907fbd38de0ff105840c14d481fe9cacdca4
-  data.tar.gz: 17fb44fca49be4915537d43832aed800a35f8a99
+  metadata.gz: 2c619776dd495528564bc6177a684c7ab5f1da84
+  data.tar.gz: 6b0434ab1d89c616f0e63e22600ffcb6c6f818cd
 SHA512:
-  metadata.gz: 919e67ecec171564be6b4006601a70fc272855a4b2f1c69303f1b1cab598bd4db13f43dbfc19620a32e69371a447bc54fa6d505afe03c18181cca3db2699c571
-  data.tar.gz: 5ade1292b33e980528caac4f81d91cd1f572a8cd358c98b795765dfbb97b6081bf995f843c27f2e15b7ab10eba73afae311bf252ecbef536698a14b93ec5c1d0
+  metadata.gz: 102eb31be1f36deb2a01c195280aebb8d13b371c24c9e538845604be7dc310b54772926abe3c0f2e029983c1bdbd09a383157dbfaf7fcf59c9374d321d73b499
+  data.tar.gz: 713419088384c7486c4994cfb21afa6272a110258cf067cb5ec9d7c441017cf3d2ccf0f6327d04e2f1eef5d738f0dbeb04137a945db60e070644e82fc8e025b3

data/README.md

@@ -1,35 +1,56 @@
 # Fault Tolerant Router
 
+[![Gem Version](https://badge.fury.io/rb/fault_tolerant_router.svg)](http://badge.fury.io/rb/fault_tolerant_router)
+[![Dependency Status](https://gemnasium.com/drsound/fault_tolerant_router.svg)](https://gemnasium.com/drsound/fault_tolerant_router)
+[![Code Climate](https://codeclimate.com/github/drsound/fault_tolerant_router/badges/gpa.svg)](https://codeclimate.com/github/drsound/fault_tolerant_router)
+
+[![Gratipay donate button](https://img.shields.io/gratipay/Alessandro%20Zarrilli.svg)](https://www.gratipay.com/Alessandro%20Zarrilli/ "Donate weekly to this project using Gratipay")
+[![Flattr donate button](https://img.shields.io/badge/flattr-donate-yellow.svg)](https://flattr.com/submit/auto?user_id=alessandro.zarrilli&url=https%3A%2F%2Fgithub.com%2Fdrsound%2Ffault_tolerant_router&title=Fault%20Tolerant%20Router&tags=github&category=software "Donate monthly to this project using Flattr")
+[![PayPayl donate button](https://img.shields.io/badge/paypal-donate-yellow.svg)](https://www.paypal.com/cgi-bin/webscr?cmd=_donations&business=96LFVQRFGRPFW&lc=GB&item_name=Alessandro%20Zarrilli&item_number=fault_tolerant_router&currency_code=EUR&bn=PP%2dDonationsBF%3abtn_donate_SM%2egif%3aNonHosted "Donate once-off to this project using Paypal")
+[![BitCoin donate button](https://img.shields.io/badge/bitcoin-donate-yellow.svg)](https://www.coinbase.com/checkouts/c7e9ea74ce43357eeabb0db81e93f303 "Donate once-off to this project using BitCoin")
+
+## In brief
+
+Do you have multiple internet connections (uplinks) with several providers? Do you want to transparently use all of the available bandwidth? Do you want to remain online even if some of the uplinks goes down? This tool may help you!
+
+## A more formal description
+
 Fault Tolerant Router is a daemon, running in background on a Linux router or firewall, monitoring the state of multiple internet uplinks/providers and changing the routing accordingly. LAN/DMZ internet traffic (outgoing connections) is load balanced between the uplinks using Linux *multipath routing*. The daemon monitors the state of the uplinks by routinely pinging well known IP addresses (Google public DNS servers, etc.) through each outgoing interface: once an uplink goes down, it is excluded from the *multipath routing*, when it comes back up, it is included again. All of the routing changes are notified to the administrator by email.
 
 Fault Tolerant Router is well tested and has been used in production for several years, in several sites.
 
+## Alternatives
+
+Fault Tolerant Router has been featured on Slashdot, see [article](http://linux.slashdot.org/story/15/03/03/1910206/linux-and-multiple-internet-uplinks-a-new-tool) comments for interesting hints and alternatives.
+
 ## Interaction between *multipath routing*, *iptables* and *ip policy routing*
+
 The system is based on the interaction between Linux *multipath routing*, *iptables* and *ip policy routing*. Outgoing (from LAN/DMZ to WAN) and incoming (from WAN to LAN/DMZ) connections have a different behaviour:
 * **Outgoing connections (from LAN/DMZ to WAN)**:
   * **New connections**:  
-The outgoing interface (uplink) is decided by the Linux *multipath routing*, in a round-robin fashion. Then, just before the packet leaves the router (in the *iptables* POSTROUTING chain), *iptables* marks the connection with the outgoing interface id, so that all subsequent connection packets will be sent through the same interface.
-NB: all the packets of the same connection should be originating from the same IP address, otherwise the server you are connecting to would refuse them (unless you are using specific protocols).
+The outgoing interface (uplink) is decided by the Linux *multipath routing*, in a round-robin fashion. Then, just before the packet leaves the router (in the *iptables* POSTROUTING chain), *iptables* marks the connection with the outgoing interface id, so that all subsequent connection packets will be sent through the same interface.  
+NB: all the packets of the same connection should be originating from the same IP address, otherwise the server you are connecting to would refuse them, unless you are using specific protocols.
   * **Established connections**:  
 Before the packet is routed (in the *iptables* PREROUTING chain), *iptables* marks it with the outgoing interface id that was previously assigned to the connection. This way, thanks to *ip policy routing*, the packet will pass through a specific routing table directing it to the connection outgoing interface.
 * **Incoming connections (from WAN to LAN/DMZ)**:  
-The incoming interface is obviously decided by the connecting host, connecting to one of the IP addresses assigned to an uplink interface. Just after the packet enters the router (in the *iptables* PREROUTING chain), *iptables* marks the connection with the incoming interface id. Then the packet reaches the LAN or DMZ, a return packet is generated by the receiving host and sent back to the connecting host. Once this return packet hits the router, before it is actually routed (in the *iptables* PREROUTING chain), *iptables* marks it with the outgoing interface id that was previously assigned to that connection. This way, thanks to *ip policy routing*, the return packet will pass through a specific routing table directing it to the connection outgoing interface.
+The incoming interface is obviously decided by the connecting host, connecting to one of the IP addresses assigned to an uplink interface. Just after the packet enters the router (in the *iptables* PREROUTING chain), *iptables* marks the connection with the incoming interface id. Then, when the packet reaches the LAN or DMZ, a return packet is generated by the receiving host and sent back to the connecting host. Once this return packet hits the router, before it is actually routed (in the *iptables* PREROUTING chain), *iptables* marks it with the outgoing interface id that was previously assigned to that connection. This way, thanks to *ip policy routing*, the return packet will pass through a specific routing table directing it to the connection outgoing interface.
 
 ## The uplink monitor daemon
 
-The daemon monitors the state of the uplinks by pinging well known IP addresses through each uplink: if enough pings are successful the uplink is considered up, if not it's considered down. If an uplink state change is detected, the default *multipath routing* table (used for LAN/DMZ to WAN new connections) is changed accordingly and the administrator is notified by email.
+The daemon monitors the state of the uplinks by routinely pinging well known IP addresses through each uplink: if enough pings are successful the uplink is considered up, if not it's considered down. If an uplink state change is detected, the default *multipath routing* table (used for LAN/DMZ to WAN new connections) is changed accordingly and the administrator is notified by email.
 
-The IP addresses to ping and the number of required successful pings is configurable. In order not to get false positives or negatives here are some things to consider:
-* Some ping packets can randomly get lost along the way, don't require 100% of the pings to be successful!
-* Some of the hosts you are pinging (*tests/ips* configuration parameter) may be temporarily down.
-* It's better not to ping too near hosts (for example your provider routers), because your provider could be temporarily disconnected from the rest of the internet (it happened...), so your uplink would result as up while it's actually unusable.
-* Sometimes an uplink can be not completely up or completely down, it's just "disturbed" and looses a lot of packets, being almost unusable: it's better to consider such uplink as down, so don't require too few successful pings, otherwise it may be considered up, because a few pings may pass through a "disturbed" link.
+The IP addresses to ping and the number of required successful pings are configurable. Here are some things to consider in order not to get false positives or negatives:
+* Some ping packets can randomly get lost along the way: don't require 100% of the pings to be successful!
+* Some of the hosts you are pinging (see *tests/ips* configuration parameter) may be temporarily down.
+* It's better not to ping too near hosts (for example your provider routers), because your provider could be temporarily disconnected from the rest of the internet (it happened...), so the uplink would result as up while it's actually unusable.
+* Sometimes an uplink can be not completely up or down, it can be just "disturbed", losing a high percentage of packets and being almost unusable: it's better to consider such uplink as down, so don't require too few successful pings, otherwise it may be considered up, because a few pings may pass through a "disturbed" link.
 
-The order of IP addresses in *tests/ips* configuration parameter is not important, because the list is shuffled before every uplink check.
+The order of IP addresses listed in *tests/ips* configuration parameter is not important, because the list is shuffled before every uplink check.
 
 If no uplink is up, all of them are added to the default *multipath routing* table, to get some bandwidth as soon as one uplink comes back up.
 
 ## Requirements
+
 * [Ruby](https://www.ruby-lang.org)
 * A Linux kernel with the following compiled in options (they are standard in mainstream Linux distributions):
   * CONFIG_IP_ADVANCED_ROUTER
@@ -37,10 +58,14 @@ If no uplink is up, all of them are added to the default *multipath routing* tab
   * CONFIG_IP_ROUTE_MULTIPATH
 
 ## Installation
+
 `$ gem install fault_tolerant_router`
 
 ## Usage
-1. Configure your router interfaces as usual but **don't** set any default route. An interface may have more than one IP address if needed.
+
+Fault Tolerant Router should be run **as root**, or as an high privileges user, able to modify routing, etc.
+
+1. Configure your router interfaces as usual, with every uplink connected to it's own physical interface. An interface may have more than one IP address if needed (from the same uplink of course). **Don't** set any default route.
 2. Save an example configuration file in /etc/fault_tolerant_router.conf (use the `--config` option to set another location):  
 `$ fault_tolerant_router generate_config`
 3. Edit /etc/fault_tolerant_router.conf
@@ -57,40 +82,42 @@ If you want a quick and dirty way to run the program in background, just add an
 `$ fault_tolerant_router monitor &`
 
 ## Configuration file
+
 The fault_tolerant_router.conf configuration file is in [YAML](http://en.wikipedia.org/wiki/YAML) format. Here is the explanation of the options:
-* **uplinks**: array of uplinks. The example configuration has 3 uplinks, but you can have from 2 to as many as you wish.
-  * **interface**: the network interface where the uplink is attached. Until today Fault Tolerant Router has always been used with each uplink on it's own physical interface, never tried with VLAN interfaces (it's in the to do list).
-  * **ip**: primary IP address of the network interface. You can have more than one IP address assigned to the interface, just specify the primary one.
-  * **gateway**: the gateway on this interface, usually the provider's router IP address.
-  * **description**: used in the alert emails.
-  * **weight**: optional parameter, it's the preference to assign to the uplink when choosing one for a new outgoing connection. Use when you have uplinks with different bandwidths. See http://www.policyrouting.org/PolicyRoutingBook/ONLINE/CH05.web.html
-  * **default_route**: optional parameter, default value is *true*. If set to *false* the uplink is excluded from the *multipath routing*, i.e. the uplink will never be used when choosing one for a new outgoing connection. Exception to this is if some kind of outgoing connection is forced to pass through this uplink, see [Iptables rules](#iptables-rules) section. Even if set to *false*, incoming connections are still possible. Use cases to set it to *false*:
-    * Want to reserve an uplink for incoming connections only, excluding it from outgoing LAN internet traffic. Tipically you may want this because you have a mail server, web server, etc. listening on this uplink.
-    * Temporarily force all of the outgoing LAN internet traffic to pass through the other uplinks, to stress test the other uplinks and determine their bandwidth
-    * Temporarily exclude the uplink to do some reconfiguration, for example changing one of the internet providers.
+* **uplinks**: Array of uplinks. The example configuration has 3 uplinks, but you can have from 2 to as many as you wish.
+  * **interface**: The network interface where the uplink is connected. Until today Fault Tolerant Router has always been used with each uplink on it's own physical interface, never tried it with VLAN interfaces (it's in the to do list).
+  * **ip**: Primary IP address of the network interface. You can have more than one IP address assigned to the interface, just specify here the primary one that will be used as standard SNAT source.
+  * **gateway**: The uplink gateway, usually the provider's router IP address.
+  * **description**: Uplink name, used in notifications.
+  * **weight**: Optional parameter, it's the preference to assign to this uplink when choosing one for a new outgoing connection. Use when you have uplinks with different bandwidths. See http://www.policyrouting.org/PolicyRoutingBook/ONLINE/CH05.web.html
+  * **default_route**: Optional parameter, default value is *true*. If set to *false* the uplink is excluded from the *multipath routing*, i.e. the uplink will never be selected when choosing one for a new outgoing connection. There's an exception to this if some kind of outgoing connection is forced to pass through this uplink, see [Iptables rules](#iptables-rules) section. Note this parameter only affects outgoing connections, even if set to *false* incoming connections are still possible. Use cases to set it to *false*:
+    * Want to reserve an uplink for incoming connections only, excluding it from outgoing LAN internet traffic. Tipically you may want this because you have a mail server, web server, VPN server, etc. listening on an uplink.
+    * Temporarily force all of the outgoing LAN internet traffic to pass through the other uplinks, to stress test them and determine their bandwidth.
+    * Temporarily exclude an uplink to reconfigure it, for example because of and internet provider change.
 * **downlinks**
   * **lan**: LAN interface
   * **dmz**: DMZ interface, leave blank if you have no DMZ
 * **tests**
-  * **ips**: an array of IPs to ping to verify the uplinks state. You can add as many as you wish. Predefined ones are Google DNS, OpenDNS DNS, other public DNS. Every time an uplink is tested the ips are shuffled, so listing order has no importance.
-  * **required_successful**: number of successfully pinged ips to consider an uplink to be functional
-  * **ping_retries**: number of ping retries before giving up on an ip
-  * **interval**: seconds between a check of the uplinks and the next one
+  * **ips**: An array of IP addresses to ping to verify the uplinks state. You can add as many as you wish. Predefined ones are Google DNS, OpenDNS DNS, other public DNS. Every time an uplink is tested the IP addresses are shuffled, so listing order is not important.
+  * **required_successful**: Number of successfully pinged IP addresses to consider an uplink to be functional
+  * **ping_retries**: Number of ping retries before giving up on an IP
+  * **interval**: Seconds between a check of the uplinks and the next one
 * **log**
-  * **file**: log file path
-  * **max_size**: maximum log file size (in bytes). Once reached this size, the log file will be rotated.
-  * **old_files**: number of old rotated files to keep
+  * **file**: Log file path
+  * **max_size**: Maximum log file size (in bytes). Once reached this size, the log file will be rotated.
+  * **old_files**: Number of old rotated files to keep
 * **email**
-  * **send**: set to *true* or *false* to enable or disable email notification
-  * **sender**: email sender
-  * **recipients**: an array of email recipients
-  * **smtp_parameters**: see http://ruby-doc.org/stdlib-2.2.0/libdoc/net/smtp/rdoc/Net/SMTP.html
-* **base_table**: just need to change if you are already using [multiple routing tables](http://lartc.org/howto/lartc.rpdb.html), to avoid overlapping
-* **base_priority**: just need to change if you are already using [ip rule](http://lartc.org/howto/lartc.rpdb.html), to avoid overlapping
-* **base_fwmark**: just need to change if you are already using packet marking, to avoid overlapping
+  * **send**: Set to *true* or *false* to enable or disable email notification
+  * **sender**: Email sender
+  * **recipients**: An array of email recipients
+  * **smtp_parameters**: See http://ruby-doc.org/stdlib-2.2.0/libdoc/net/smtp/rdoc/Net/SMTP.html
+* **base_table**: Base IP route table number, just need to change if you are already using [multiple routing tables](http://lartc.org/howto/lartc.rpdb.html), to avoid overlapping.
+* **base_priority**: Just need to change if you are already using [ip policy routing](http://lartc.org/howto/lartc.rpdb.html), to avoid overlapping. Must be higher than 32767 (default priority, see `ip rule` command output).
+* **base_fwmark**: Just need to change if you are already using packet marking, to avoid overlapping.
 
 ## *Iptables* rules
-*Iptables* rules are generated with the command:
+
+*Iptables* rules are generated with the command:  
 `$ fault_tolerant_router generate_iptables`  
 Rules are in [iptables-save](http://manned.org/iptables-save.8) format, you should integrate them with your existing ones.
 Documentation is included as comments in the output, here is a dump using the standard example configuration:
@@ -116,11 +143,11 @@ Documentation is included as comments in the output, here is a dump using the st
 #    --sport, etc.
 
 #Example Provider 1
-#[0:0] -A PREROUTING -i eth0 -m state --state NEW -p tcp --dport XXX -j CONNMARK --set-mark 1
+#[0:0] -A PREROUTING -i eth0 -m conntrack --ctstate NEW -p tcp --dport XXX -j CONNMARK --set-mark 1
 #Example Provider 2
-#[0:0] -A PREROUTING -i eth0 -m state --state NEW -p tcp --dport XXX -j CONNMARK --set-mark 2
+#[0:0] -A PREROUTING -i eth0 -m conntrack --ctstate NEW -p tcp --dport XXX -j CONNMARK --set-mark 2
 #Example Provider 3
-#[0:0] -A PREROUTING -i eth0 -m state --state NEW -p tcp --dport XXX -j CONNMARK --set-mark 3
+#[0:0] -A PREROUTING -i eth0 -m conntrack --ctstate NEW -p tcp --dport XXX -j CONNMARK --set-mark 3
 
 #Mark packets with the outgoing interface:
 #
@@ -138,21 +165,21 @@ Documentation is included as comments in the output, here is a dump using the st
 #New inbound connections: mark the connection with the incoming interface.
 
 #Example Provider 1
-[0:0] -A PREROUTING -i eth1 -m state --state NEW -j CONNMARK --set-mark 1
+[0:0] -A PREROUTING -i eth1 -m conntrack --ctstate NEW -j CONNMARK --set-mark 1
 #Example Provider 2
-[0:0] -A PREROUTING -i eth2 -m state --state NEW -j CONNMARK --set-mark 2
+[0:0] -A PREROUTING -i eth2 -m conntrack --ctstate NEW -j CONNMARK --set-mark 2
 #Example Provider 3
-[0:0] -A PREROUTING -i eth3 -m state --state NEW -j CONNMARK --set-mark 3
+[0:0] -A PREROUTING -i eth3 -m conntrack --ctstate NEW -j CONNMARK --set-mark 3
 
 #New outbound connections: mark the connection with the outgoing interface
 #(chosen by the multipath routing).
 
 #Example Provider 1
-[0:0] -A POSTROUTING -o eth1 -m state --state NEW -j CONNMARK --set-mark 1
+[0:0] -A POSTROUTING -o eth1 -m conntrack --ctstate NEW -j CONNMARK --set-mark 1
 #Example Provider 2
-[0:0] -A POSTROUTING -o eth2 -m state --state NEW -j CONNMARK --set-mark 2
+[0:0] -A POSTROUTING -o eth2 -m conntrack --ctstate NEW -j CONNMARK --set-mark 2
 #Example Provider 3
-[0:0] -A POSTROUTING -o eth3 -m state --state NEW -j CONNMARK --set-mark 3
+[0:0] -A POSTROUTING -o eth3 -m conntrack --ctstate NEW -j CONNMARK --set-mark 3
 
 COMMIT
 
@@ -218,9 +245,9 @@ COMMIT
 #This is just a very basic example, add your own rules for the INPUT chain.
 
 [0:0] -A INPUT -i lo -j ACCEPT
-[0:0] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+[0:0] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 
-[0:0] -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
+[0:0] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 
 [0:0] -A FORWARD -i eth0 -o eth1 -j LAN_WAN
 [0:0] -A FORWARD -i eth0 -o eth2 -j LAN_WAN
@@ -238,14 +265,14 @@ COMMIT
 ```
 
 ## To do
-* Test using VLAN interfaces: Fault Tolerant Router has always been used with physical interfaces, each uplink on it's own physical interface.
-* Implement routing through [realms](http://www.policyrouting.org/PolicyRoutingBook/ONLINE/CH07.web.html): this way we could connect all of the uplinks to a single Linux physical interface through a switch, without using VLANs.
-* i18n
-* If no uplinks are up, set tests/interval configuration option to 0, to get bandwidth as soon as an uplink comes back up
+
+See [issues](https://github.com/drsound/fault_tolerant_router/issues?q=is%3Aissue+is%3Aopen+label%3Aenhancement) tagged as *enhancement* on GitHub.
 
 ## License
+
 GNU General Public License v2.0, see LICENSE file
 
 ## Author
+
 Alessandro Zarrilli (Poggibonsi - Italy)  
 alessandro@zarrilli.net

data/fault_tolerant_router.gemspec

@@ -9,7 +9,7 @@ Gem::Specification.new do |spec|
   spec.authors = ['Alessandro Zarrilli']
   spec.email = ['alessandro@zarrilli.net']
   spec.summary = %q{Multiple uplinks Linux routing supervising daemon}
-  spec.description = %q{Fault Tolerant Router is a daemon, running in background on a Linux router or firewall, monitoring the state of multiple internet uplinks/providers and changing the routing accordingly. LAN/DMZ internet traffic (outgoing connections) is load balanced between the uplinks using Linux multipath routing. The daemon monitors the state of the uplinks by routinely pinging well known IP addresses (Google public DNS servers, etc.) through each outgoing interface: once an uplink goes down, it is excluded from the multipath routing, when it comes back up, it is included again. All of the routing changes are notified to the administrator by email. Fault Tolerant Router is well tested and has been used in production for several years, in several sites. See https://github.com/drsound/fault_tolerant_router for full documentation.}
+  spec.description = %q{A daemon, running in background on a Linux router or firewall, monitoring the state of multiple internet uplinks/providers and changing the routing accordingly. LAN/DMZ internet traffic (outgoing connections) is load balanced between the uplinks using Linux multipath routing. The daemon monitors the state of the uplinks by routinely pinging well known IP addresses (Google public DNS servers, etc.) through each outgoing interface: once an uplink goes down, it is excluded from the multipath routing, when it comes back up, it is included again. All of the routing changes are notified to the administrator by email. Fault Tolerant Router is well tested and has been used in production for several years, in several sites. See https://github.com/drsound/fault_tolerant_router for full documentation.}
   spec.homepage = 'https://github.com/drsound/fault_tolerant_router'
   spec.license = 'GPL-2'
 

data/lib/fault_tolerant_router/generate_config.rb

@@ -6,6 +6,9 @@ def generate_config(file_path)
   begin
     open(file_path, 'w') do |file|
       file.puts <<END
+#see https://github.com/drsound/fault_tolerant_router for a complete parameter
+#description
+
 #add as many uplinks as needed
 uplinks:
 - interface: eth1
@@ -39,8 +42,10 @@ downlinks:
   dmz:
 
 tests:
-  #add as many ips as needed, make sure they are reliable ones, these are Google DNS, OpenDNS DNS, public DNS server
-  #list order is not important, because the list is shuffled before every test
+  #an array of IP addresses to ping to verify the uplinks state. You can add as
+  #many as you wish. Predefined ones are Google DNS, OpenDNS DNS, other public
+  #DNS. Every time an uplink is tested the IP addresses are shuffled, so listing
+  #order is not important.
   ips:
   - 8.8.8.8
   - 8.8.4.4
@@ -48,9 +53,10 @@ tests:
   - 208.67.220.220
   - 4.2.2.2
   - 4.2.2.3
-  #number of successful pinged addresses to consider an uplink to be functional
+  #number of successfully pinged IP addresses to consider an uplink to be
+  #functional
   required_successful: 4
-  #ping retries in case of ping error
+  #number of ping retries before giving up on an IP
   ping_retries: 1
   #seconds between a check of the uplinks and the next one
   interval: 60
@@ -58,9 +64,10 @@ tests:
 log:
   #file: "/var/log/fault_tolerant_router.log"
   file: "/tmp/fault_tolerant_router.log"
-  #max log file size (in bytes)
+  #maximum log file size (in bytes). Once reached this size, the log file will
+  #be rotated.
   max_size: 1024000
-  #number of old log files to keep
+  #number of old rotated files to keep
   old_files: 10
 
 email:
@@ -80,13 +87,17 @@ email:
     user_name: user@gmail.com
     password: secret-password
 
-#base ip route table
+#base IP route table number, just need to change if you are already using
+#multiple routing tables
 base_table: 1
 
-#base ip rule priority, must be higher than 32767 (default priority, see "ip rule")
+#just need to change if you are already using ip policy routing, to avoid
+#overlapping, must be higher than 32767 (default priority, see output of
+#"ip rule" command)
 base_priority: 40000
 
-#base fwmark
+#just need to change if you are already using packet marking, to avoid
+#overlapping
 base_fwmark: 1
 END
     end

data/lib/fault_tolerant_router/generate_iptables.rb

@@ -23,8 +23,8 @@ def generate_iptables
 END
   UPLINKS.each_with_index do |uplink, i|
     puts "##{uplink[:description]}"
-    puts "#[0:0] -A PREROUTING -i #{LAN_INTERFACE} -m state --state NEW -p tcp --dport XXX -j CONNMARK --set-mark #{BASE_FWMARK + i}"
-    puts "#[0:0] -A PREROUTING -i #{DMZ_INTERFACE} -m state --state NEW -p tcp --dport XXX -j CONNMARK --set-mark #{BASE_FWMARK + i}" if DMZ_INTERFACE
+    puts "#[0:0] -A PREROUTING -i #{LAN_INTERFACE} -m conntrack --ctstate NEW -p tcp --dport XXX -j CONNMARK --set-mark #{BASE_FWMARK + i}"
+    puts "#[0:0] -A PREROUTING -i #{DMZ_INTERFACE} -m conntrack --ctstate NEW -p tcp --dport XXX -j CONNMARK --set-mark #{BASE_FWMARK + i}" if DMZ_INTERFACE
   end
   puts <<END
 
@@ -49,7 +49,7 @@ END
 END
   UPLINKS.each_with_index do |uplink, i|
     puts "##{uplink[:description]}"
-    puts "[0:0] -A PREROUTING -i #{uplink[:interface]} -m state --state NEW -j CONNMARK --set-mark #{BASE_FWMARK + i}"
+    puts "[0:0] -A PREROUTING -i #{uplink[:interface]} -m conntrack --ctstate NEW -j CONNMARK --set-mark #{BASE_FWMARK + i}"
   end
   puts <<END
 
@@ -59,7 +59,7 @@ END
 END
   UPLINKS.each_with_index do |uplink, i|
     puts "##{uplink[:description]}"
-    puts "[0:0] -A POSTROUTING -o #{uplink[:interface]} -m state --state NEW -j CONNMARK --set-mark #{BASE_FWMARK + i}"
+    puts "[0:0] -A POSTROUTING -o #{uplink[:interface]} -m conntrack --ctstate NEW -j CONNMARK --set-mark #{BASE_FWMARK + i}"
   end
   puts <<END
 
@@ -135,9 +135,9 @@ END
 #This is just a very basic example, add your own rules for the INPUT chain.
 
 [0:0] -A INPUT -i lo -j ACCEPT
-[0:0] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+[0:0] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 
-[0:0] -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
+[0:0] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 
 END
   UPLINKS.each do |uplink|

data/lib/fault_tolerant_router/monitor.rb

@@ -62,6 +62,9 @@ def monitor
     command "ip route del table #{BASE_TABLE + i} &> /dev/null"
   end
 
+  #enable IP forwarding
+  command 'echo 1 > /proc/sys/net/ipv4/ip_forward'
+
   #disable "reverse path filtering" on the uplink interfaces
   command 'echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter'
   UPLINKS.each do |uplink|

data/lib/fault_tolerant_router/version.rb

@@ -1,3 +1,3 @@
 module FaultTolerantRouter
-  VERSION = '1.0.0'
+  VERSION = '1.0.1'
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: fault_tolerant_router
 version: !ruby/object:Gem::Version
-  version: 1.0.0
+  version: 1.0.1
 platform: ruby
 authors:
 - Alessandro Zarrilli
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-02-27 00:00:00.000000000 Z
+date: 2015-03-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -52,16 +52,16 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '2.6'
-description: 'Fault Tolerant Router is a daemon, running in background on a Linux
-  router or firewall, monitoring the state of multiple internet uplinks/providers
-  and changing the routing accordingly. LAN/DMZ internet traffic (outgoing connections)
-  is load balanced between the uplinks using Linux multipath routing. The daemon monitors
-  the state of the uplinks by routinely pinging well known IP addresses (Google public
-  DNS servers, etc.) through each outgoing interface: once an uplink goes down, it
-  is excluded from the multipath routing, when it comes back up, it is included again.
-  All of the routing changes are notified to the administrator by email. Fault Tolerant
-  Router is well tested and has been used in production for several years, in several
-  sites. See https://github.com/drsound/fault_tolerant_router for full documentation.'
+description: 'A daemon, running in background on a Linux router or firewall, monitoring
+  the state of multiple internet uplinks/providers and changing the routing accordingly.
+  LAN/DMZ internet traffic (outgoing connections) is load balanced between the uplinks
+  using Linux multipath routing. The daemon monitors the state of the uplinks by routinely
+  pinging well known IP addresses (Google public DNS servers, etc.) through each outgoing
+  interface: once an uplink goes down, it is excluded from the multipath routing,
+  when it comes back up, it is included again. All of the routing changes are notified
+  to the administrator by email. Fault Tolerant Router is well tested and has been
+  used in production for several years, in several sites. See https://github.com/drsound/fault_tolerant_router
+  for full documentation.'
 email:
 - alessandro@zarrilli.net
 executables: