Re: [Shorewall-users] tc problem on new GENTOO kernel
On 11/8/18 7:39 AM, Alexander Stoll wrote:
> Hi Tom,
>
> posting to the list because until now I am not sure what is to blame...
>
> - working config with kernel 4.18.14 (gentoo-sources-4.18.14)
>
> - introduced with gentoo-sources-4.18.15 tc rules are not loading
> anymore on startup, gentoo-sources-4.19.x also affected
>
> - set up a testenv on spare with simple config
>
> log output
>
> Setting up Traffic Control...
> RTNETLINK answers: Numerical result out of range
> ERROR: Command "tc qdisc add dev enp8s0 root handle 1: hfsc default 12" Failed
>
> seems tc is no longer working with these parameters...
>
> My first guess: regression in patchset (gentoo-sources), needs
> verification and further digging.
>
> Is anyone aware of some known bug?

This is the first that I have heard of this issue...

-Tom
--
Tom Eastep            \ Q: What do you get when you cross a mobster with
Shoreline,             \ an international standard?
Washington, USA         \ A: Someone who makes you an offer you can't
http://shorewall.org     \ understand
                          \___

___
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
Re: [Shorewall-users] shorewall VLANs and network ranges
On 11/8/18 4:56 AM, Vieri Di Paola wrote:
> Hi,
>
> I'd like to describe my goal here to see if someone can guide me to
> the "best solution".
>
> A Shorewall server has several ethernet interfaces, and one of them
> (say, eth0) is configured with VLAN IDs 1, 11, 12 (eth0.1, eth0.11,
> eth0.12).
>
> So eth0 is then connected to a "trunk" port on a managed switch
> (untagged VLAN 1, tagged VLAN 11, tagged VLAN 12).
>
> The eth0 IP addr. configuration on the Shorewall system is something
> like 192.168.210.1/24, and the hosts in this LAN segment are within
> this IP addr. range with static IP addresses.
> It is REQUIRED that all hosts in this network have IP addresses within
> this range, and that the Shorewall server use as few IP addresses
> as possible (i.e. 1).
>
> As a simplified practical example, suppose I have the following:
>
> - 1 host in VLAN 11 with IP address 192.168.210.10/24, default gw
> 192.168.210.1
> - 2 hosts in VLAN 1 with IP addresses 192.168.210.20-21/24, default gw
> 192.168.210.1
> - 1 host in VLAN 12 with IP address 192.168.210.30/24, default gw
> 192.168.210.1
>
> I need Shorewall to manage traffic between these VLANs
> (allow/drop/reject...). E.g. I want only $FW to access VLAN 1 hosts,
> VLAN 11 hosts can access specific ports on $FW only, VLAN 12 hosts can
> access selected ports on VLAN 1 hosts.
>
> The usual way to configure VLANs is to use non-overlapping IP ranges
> for each virtual interface.
> However, I cannot do that here.
>
> I was thinking of using "parallel zones", but I'm not sure that would
> work (I cannot specify eth0.1, eth0.11 or eth0.12 in the Shorewall
> Interfaces file).

Of course you can!!!

> I was also trying to configure a bridge, but I don't know if and how I
> can bridge a VLAN with the interface, and then set Shorewall
> BPORT-based rules.
> Something like bridging eth0.1, eth0.11 and eth0.12, setting a
> management IP address 192.168.210.1/24, and then defining bridge zones
> and BPORT rules.
>
> Can anyone please give me some hints and pointers?

There is *nothing* unique about VLAN interfaces, as far as Shorewall is concerned. Treat them just as you would non-VLAN ethernet devices.

-Tom
--
Tom Eastep            \ Q: What do you get when you cross a mobster with
Shoreline,             \ an international standard?
Washington, USA         \ A: Someone who makes you an offer you can't
http://shorewall.org     \ understand
                          \___
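To make Tom's point concrete, here is what "treat eth0.1, eth0.11 and eth0.12 like any other interface" looks like in Shorewall's own config files, written as an added example for this thread (it is not from the original posts and not Shorewall's documentation). The three zone names, the TCP ports 22 and 443 for the $FW services VLAN 11 may reach, and port 445 for the VLAN 1 service VLAN 12 may reach are assumptions chosen to illustrate the policy Vieri described; substitute the real ones.

```text
# /etc/shorewall/zones
#ZONE    TYPE
fw       firewall
vlan1    ipv4
vlan11   ipv4
vlan12   ipv4

# /etc/shorewall/interfaces
# Each 802.1Q sub-interface is listed exactly like a physical NIC.
# Zone membership is decided by the ingress interface, so the three
# VLANs can share 192.168.210.0/24 without confusing the zone logic.
?FORMAT 2
#ZONE    INTERFACE   OPTIONS
vlan1    eth0.1      tcpflags,nosmurfs
vlan11   eth0.11     tcpflags,nosmurfs
vlan12   eth0.12     tcpflags,nosmurfs

# /etc/shorewall/policy
# Only the firewall itself may reach VLAN 1 hosts; everything else is
# denied by default and logged, and is opened per service in rules.
#SOURCE  DEST        POLICY   LOGLEVEL
$FW      vlan1       ACCEPT
all      all         DROP     info

# /etc/shorewall/rules
# Ports below are placeholders (assumption), not from the thread.
#ACTION  SOURCE      DEST     PROTO   DPORT
ACCEPT   vlan11      $FW      tcp     22,443    # VLAN 11 -> selected $FW services
ACCEPT   vlan12      vlan1    tcp     445       # VLAN 12 -> selected VLAN 1 service
```

Two caveats worth checking before relying on this. First, the switch port carries VLAN 1 untagged, and a Linux 802.1Q sub-interface such as eth0.1 only receives frames tagged with VID 1; untagged frames are delivered to the parent eth0. Either tag VLAN 1 on the trunk or bind the vlan1 zone to eth0 instead. Second, this example covers only the zone and policy side: with three interfaces sharing one /24 and one firewall address, which interface the kernel uses to reach a given 192.168.210.x host is a routing question that this thread does not resolve, and Shorewall rules alone do not answer it.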
[Shorewall-users] tc problem on new GENTOO kernel
Hi Tom,

posting to the list because until now I am not sure what is to blame...

- working config with kernel 4.18.14 (gentoo-sources-4.18.14)

- introduced with gentoo-sources-4.18.15 tc rules are not loading
anymore on startup, gentoo-sources-4.19.x also affected

- set up a testenv on spare with simple config

log output

Setting up Traffic Control...
RTNETLINK answers: Numerical result out of range
ERROR: Command "tc qdisc add dev enp8s0 root handle 1: hfsc default 12" Failed

seems tc is no longer working with these parameters...

My first guess: regression in patchset (gentoo-sources), needs
verification and further digging.

Is anyone aware of some known bug?

Best regards
[Shorewall-users] shorewall VLANs and network ranges
Hi,

I'd like to describe my goal here to see if someone can guide me to
the "best solution".

A Shorewall server has several ethernet interfaces, and one of them
(say, eth0) is configured with VLAN IDs 1, 11, 12 (eth0.1, eth0.11,
eth0.12).

So eth0 is then connected to a "trunk" port on a managed switch
(untagged VLAN 1, tagged VLAN 11, tagged VLAN 12).

The eth0 IP addr. configuration on the Shorewall system is something
like 192.168.210.1/24, and the hosts in this LAN segment are within
this IP addr. range with static IP addresses.
It is REQUIRED that all hosts in this network have IP addresses within
this range, and that the Shorewall server use as few IP addresses
as possible (i.e. 1).

As a simplified practical example, suppose I have the following:

- 1 host in VLAN 11 with IP address 192.168.210.10/24, default gw
192.168.210.1
- 2 hosts in VLAN 1 with IP addresses 192.168.210.20-21/24, default gw
192.168.210.1
- 1 host in VLAN 12 with IP address 192.168.210.30/24, default gw
192.168.210.1

I need Shorewall to manage traffic between these VLANs
(allow/drop/reject...). E.g. I want only $FW to access VLAN 1 hosts,
VLAN 11 hosts can access specific ports on $FW only, VLAN 12 hosts can
access selected ports on VLAN 1 hosts.

The usual way to configure VLANs is to use non-overlapping IP ranges
for each virtual interface.
However, I cannot do that here.

I was thinking of using "parallel zones", but I'm not sure that would
work (I cannot specify eth0.1, eth0.11 or eth0.12 in the Shorewall
Interfaces file).

I was also trying to configure a bridge, but I don't know if and how I
can bridge a VLAN with the interface, and then set Shorewall
BPORT-based rules.
Something like bridging eth0.1, eth0.11 and eth0.12, setting a
management IP address 192.168.210.1/24, and then defining bridge zones
and BPORT rules.

Can anyone please give me some hints and pointers?

Thanks,

Vieri