Tom Eastep wrote:
>>
>>> Why shouldn't we use the high marks for routing and connection-tracking
>>> if multiple providers are involved and the low marks for traffic
>>> shaping?
>>>
>> Ralf,
>>
>> You can, but you have to follow the rules.
>>
>> a) You set PACKET marks in PREROUTING for selecting which provider to use:
>>
>>     0x0200:P +PPPROUTING 0.0.0.0/0
>>     0x0200:P 0.0.0.0/0 +PPPROUTING
>>
>> b) You use low marks in the FORWARD chains for traffic shaping:
>>
>>     1:F 0.0.0.0/0 0.0.0.0/0 tcp 22
>>
>
> The reason that I don't allow setting low marks in PREROUTING or OUTPUT (with
> HIGH_ROUTE_MARKS) is because fwmark routing rules do not allow specification of
> a mask!
>
> So if you had 4 non-zero tc mark values and 2 connection mark values, you would
> need (4 +1) * 2 = 10 routing rules to perform routing based on your 2 connection
> mark values.
>
Thanks a lot for your help. I modified my tcrules according to your
suggestions. These rules work fine.

I have one last problem that stops me from completely dumping my complex,
handcrafted, years-old script for policy routing.

I wanted to set marks for traffic originating on the firewall so that i.e.
packets from the local squid daemon are routed through my DSL line.
Unfortunately I can't use a rule like this.

    0x0200 $FW 0.0.0.0/0 tcp http,https,8080
    0x0200 $FW +PPPROUTING

Shorewall stops with

" ERROR: Invalid mark value (0x0200) in rule "0x0200:F fw 0.0.0.0/0 tcp http,https,8080 "
/sbin/shorewall: line 774: 24884 Terminated $SHOREWALL_SHELL ${SHAREDIR}/compiler $debugging $nolock compile ${VARDIR}/.restart"

I checked that it is possible to (re)route packages originating on the
firewall by mangling in the OUTPUT chains according to your image
http://www1.shorewall.net/images/Netfilter.png. Packets should be rerouted if
they are changed in the OUTPUT chain.

--
Ralf Schenk
Databay AG
www.databay.de
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
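
Added example (not part of the thread and not Shorewall code): a small model of the exact-match fwmark lookup Tom describes above. It shows why a packet carrying both a provider mark and a tc mark misses a rule written for the provider mark alone, and how covering every combination leads to (4 + 1) * 2 = 10 rules. The provider mark 0x0100, the table names isp1 and dsl, and the tc mark values 1 to 4 are assumptions made for the illustration.

```python
# Constructed values for illustration only (not taken from the thread, except 0x0200).
PROVIDER_TABLES = {0x0100: "isp1", 0x0200: "dsl"}  # high (routing) mark -> table name
TC_MARKS = (1, 2, 3, 4)                            # low (traffic shaping) marks


def exact_rules(provider_tables, tc_marks=()):
    """Map every full mark value that needs its own rule to a routing table.

    Without a mask, a rule matches one mark value only, so each provider needs
    a rule for its bare mark (tc mark 0) plus one per non-zero tc mark.
    """
    rules = {}
    for pmark, table in provider_tables.items():
        for tc in (0, *tc_marks):
            rules[pmark | tc] = table
    return rules


def route(mark, rules):
    """Exact-match lookup: a mark with no identical rule falls through to 'main'."""
    return rules.get(mark, "main")


def as_commands(rules):
    """Render the rule set as ip(8) commands, sorted by mark value."""
    return [f"ip rule add fwmark {m:#06x} table {t}" for m, t in sorted(rules.items())]


if __name__ == "__main__":
    naive = exact_rules(PROVIDER_TABLES)           # bare provider marks only
    full = exact_rules(PROVIDER_TABLES, TC_MARKS)  # every provider/tc combination
    marked = 0x0200 | 1                            # provider mark plus tc mark 1
    print(f"{marked:#06x} with {len(naive)} rules -> table {route(marked, naive)}")
    print(f"{marked:#06x} with {len(full)} rules -> table {route(marked, full)}")
    print("\n".join(as_commands(full)))
```
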