Just a resend of this.  I would still find this useful.

Any thoughts on it?

-- 
Len Sorensen

On Thu, May 07, 2009 at 04:40:48PM -0400, Lennart Sorensen wrote:
> On Mon, Apr 27, 2009 at 11:41:19AM -0700, Tom Eastep wrote:
> > I think that the logical approach is to clone the current
> > /etc/shorewall/tos file handling (or modify it to set the entire DSCP
> > field rather than just the TOS).
> 
> As part of this, would this addition be useful for shorewall 4.3.x:
> 
> Adds support for matching in tcrules on dscp marks using -m dscp target
> of iptables.  Against latest git (also fixed a typo from when I sent the
> tos patch for shorewall-perl quite a while ago in the comment of do_tos).
> 
> After all tcclasses already supports arbitrary tos byte values, while
> tcrules only supports the 5 fixed tos values.  Adding a new column to
> the end of tcrules for dscp target matching should be fully backwards
> compatible with existing configs (even though having it next to TOS
> would have been nice, but not worth it).
> 
> dscp can either be the numerical value (0-32 I believe), or a diffserv
> name (CS0-CS7, BE, AF[1-4][1-3], EF).
> 
> Does this look acceptable?  Adding a mangle target for dscp is going to
> be a bit more work of course.
> 
> I did NOT test this patch.  I have a variant against 4.0.15 which I
> tested and it nicely creates rules in iptables.  It is almost the same
> though just varying due to the differences between 4.0 and the git tree.
> 
> diff --git a/Shorewall/Perl/Shorewall/Chains.pm 
> b/Shorewall/Perl/Shorewall/Chains.pm
> index 95e4725..8857e71 100644
> --- a/Shorewall/Perl/Shorewall/Chains.pm
> +++ b/Shorewall/Perl/Shorewall/Chains.pm
> @@ -133,6 +133,7 @@ our %EXPORT_TAGS = (
>                                      do_tos
>                                      do_connbytes
>                                      do_helper
> +                                    do_dscp
>                                      match_source_dev
>                                      match_dest_dev
>                                      iprange_match
> @@ -1740,7 +1741,16 @@ sub do_helper( $ ) {
>  }
>  
>  #
> -# Create a "-m length" match for the passed TOS
> +# Create a "-m dscp" match for the passed DSCP
> +#
> +sub do_dscp( $ ) {
> +    my $dscp = $_[0];
> +
> +    $dscp ne '-' ? ( $dscp =~ /^[ABCE]/ ? "-m dscp --dscp-class $dscp " : 
> "-m dscp --dscp $dscp ") : '';
> +}
> +
> +#
> +# Create a "-m length" match for the passed LENGTH
>  #
>  sub do_length( $ ) {
>      my $length = $_[0];
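Review bot: do_dscp interpolates $dscp into the iptables match without validating it, and the `/^[ABCE]/` test is case-sensitive and only looks at the first character. A lowercase class name such as ef falls through to `--dscp`, and any string that merely starts with A, B, C or E is handed to `--dscp-class`. Suggest checking the value against the forms the description lists (CS0-CS7, BE, AF[1-4][1-3], EF, or a number in the valid range) and raising a compile-time error otherwise, so that a typo in tcrules is reported against the offending tcrules line instead of surfacing later as an iptables failure.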
> diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm
> index 4923bb2..77c06b5 100644
> --- a/Shorewall/Perl/Shorewall/Tc.pm
> +++ b/Shorewall/Perl/Shorewall/Tc.pm
> @@ -220,7 +220,7 @@ INIT {
>  }
>  
>  sub process_tc_rule( ) {
> -    my ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, 
> $testval, $length, $tos , $connbytes, $helper ) = split_line1 2, 12, 'tcrules 
> file';
> +    my ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, 
> $testval, $length, $tos, $connbytes, $helper, $dscp ) = split_line1 2, 13, 
> 'tcrules file';
>  
>      if ( $originalmark eq 'COMMENT' ) {
>       process_comment;
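Review bot: the 13th column introduced by `split_line1 2, 13, 'tcrules file'` has no matching documentation change in this patch. The tcrules file's column header and manpage need a DSCP entry that states which values are accepted. It is also worth confirming that an omitted trailing column reaches process_tc_rule as '-', because do_dscp depends on `$dscp ne '-'` to emit nothing for existing configs.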
> @@ -386,7 +386,8 @@ sub process_tc_rule( ) {
>                                    do_length( $length ) . 
>                                    do_tos( $tos ) . 
>                                    do_connbytes( $connbytes ) . 
> -                                  do_helper( $helper ),
> +                                  do_helper( $helper ) .
> +                                  do_dscp( $dscp ),
>                                    $source ,
>                                    $dest ,
>                                    '' ,
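Review bot: `do_tos( $tos )` and `do_dscp( $dscp )` are concatenated into the same rule with no check that only one of them is set. The DSCP field occupies bits of the same header byte that the TOS match examines, so a tcrules line that fills in both columns can generate two matches that contradict each other and a rule that never fires. Suggest rejecting that combination when the line is parsed, or documenting how the two columns interact.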
> 
> -- 
> Len Sorensen
> 
> _______________________________________________
> Shorewall-devel mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/shorewall-devel
