Tom Eastep wrote:
>>
>>> Why shouldn't we use the high marks for routing and connection-tracking
>>> if multiple providers are involved and the low marks for traffic
>>> shaping ?
>>>
>> Ralf,
>>
>> You can, but you have to follow the rules.
>>
>> a) You set PACKET marks in PREROUTING for selecting which provider to use:
>>
>> 0x0200:P  +PPPROUTING     0.0.0.0/0
>> 0x0200:P  0.0.0.0/0       +PPPROUTING
>>
>> b) You use low marks in the FORWARD chains for traffic shaping:
>>
>> 1:F  0.0.0.0/0       0.0.0.0/0       tcp     22
>>
> 
> The reason that I don't allow setting low marks in PREROUTING or OUTPUT (with
> HIGH_ROUTE_MARKS) is because fwmark routing rules do not allow specification
> of a mask!
> 
> So if you had 4 non-zero tc mark values and 2 connection mark values, you
> would need (4 + 1) * 2 = 10 routing rules to perform routing based on your 2
> connection mark values.
> 

Thanks a lot for your help. I modified my tcrules according to your
suggestions. These rules work fine.

I have one last problem that stops me from completely dumping my complex,
handcrafted, years-old script for policy routing.

I wanted to set marks for traffic originating on the firewall so that,
e.g., packets from the local squid daemon are routed through my DSL line.
Unfortunately I can't use a rule like this:

0x0200    $FW             0.0.0.0/0       tcp     http,https,8080
0x0200    $FW            +PPPROUTING

Shorewall stops with
"  ERROR: Invalid mark value (0x0200) in rule "0x0200:F fw 0.0.0.0/0 tcp
http,https,8080     "
/sbin/shorewall: line 774: 24884 Terminated
$SHOREWALL_SHELL ${SHAREDIR}/compiler $debugging $nolock compile
${VARDIR}/.restart"

I checked that it is possible to (re)route packets originating on the
firewall by mangling in the OUTPUT chain according to your image
http://www1.shorewall.net/images/Netfilter.png. Packets should be
rerouted if they changed in the OUTPUT chain.

-- 
__________________________________________________

Ralf Schenk
phone (02 41) 9 91 21-0
fax (02 41) 9 91 21-59
[EMAIL PROTECTED]

Databay AG
Hüttenstraße 7
D-52068 Aachen
www.databay.de

Databay - just do it.
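The rule-count argument quoted above (4 non-zero tc marks and 2 provider marks needing (4 + 1) * 2 = 10 fwmark rules when `ip rule` cannot take a mask) as an added illustration; this is not Shorewall's code or anything from the thread. It assumes the HIGH_ROUTE_MARKS layout (provider marks in the high byte, shaping marks in the low byte), provider marks 0x0100 and 0x0200, tc marks 1 to 4, and routing tables numbered 100 plus the provider index; the functions only print the `ip rule` commands, they do not run them.

```shell
#!/bin/sh
# Assumed values: two providers and four tc classes, as in the thread.
PROVIDER_MARKS="0x0100 0x0200"   # high-byte marks set in PREROUTING, one per provider
TC_MARKS="1 2 3 4"               # low-byte marks set in FORWARD for traffic shaping
TABLE_BASE=100                   # assumption: provider N routes via table 100+N

# Routing table for a provider mark (0x0100 -> 101, 0x0200 -> 102).
table_for() { echo $(( TABLE_BASE + ($1 >> 8) )); }

# Without a mask, the fwmark rule must match the full mark, so every
# combination of provider mark and tc mark (plus tc mark 0, "not shaped")
# needs its own rule: (4 + 1) * 2 = 10 rules.
rules_without_mask() {
    for p in $PROVIDER_MARKS; do
        for t in 0 $TC_MARKS; do
            printf 'ip rule add fwmark 0x%04x table %s\n' $(( p | t )) "$(table_for "$p")"
        done
    done
}

# With mask support (newer iproute2 accepts fwmark VALUE/MASK), one rule
# per provider matches the high byte and ignores the shaping bits.
rules_with_mask() {
    for p in $PROVIDER_MARKS; do
        printf 'ip rule add fwmark %s/0xff00 table %s\n' "$p" "$(table_for "$p")"
    done
}

# Number of rules a generator would emit.
count_rules() { "$1" | wc -l | tr -d ' '; }
```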


This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
[EMAIL PROTECTED] If you are not the named recipient, you should return
this message without reading further and delete it from your system.

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users