On Sat, 2007-08-18 at 14:59 +1000, James Gray wrote:
> Tom Eastep wrote:
> > On Fri, 2007-08-17 at 13:30 +1000, James Gray wrote:
> >> Can I force traffic down a specific ISP using classification more
> >> reliably than with plain marking?
> >
> > Classification has absolutely nothing to do with ISP selection. It
> > rather selects a class for traffic shaping but the traffic must be going
> > to that interface already (as a result of marking/routing).
>
> Yep - that's what I thought too (classification happens in POSTROUTING
> so the route selection has already been made). So I am still stuck with
> the original problem: I can't get specific traffic (layer 4) to be
> routed down a specific ISP. Marking didn't work (in the FORWARD chain),
> and marking a packet with the provider mark in PREROUTING seems to
> bypass the traffic shaping.
>
> So three questions:
>
> 1. If I mark a packet with the provider's mark, rather than the mark in
> tcclasses, what happens (specifically with regard to shaping)?

If the provider mark happens to be the same as one of the tcclass marks
on the interface, then the traffic will be shaped by that class.
Otherwise, it will fall into the default class.

I implemented HIGH_ROUTE_MARKS=Yes to make the two independent. With
that setting, marks used for route selection have values > 255 while
marks used for tcclass selection have values <= 255. With
HIGH_ROUTE_MARKS=Yes, the mark value is cleared before your FILTER rules
so the PREROUTING mark has no effect on tcclass selection.

>
> 2. What is the purpose of having a tcclasses mark associated with an
> interface, if you can't guarantee the packets with that mark go out the
> specified interface? (Or can you?)

You don't seem to be grasping the notion that you must mark the same
packet multiple times. You mark it in PREROUTING for interface selection
then you re-mark it in FILTER (or use CLASSIFY in POSTROUTING) to
specify which tcclass it will be shaped in.

>
> 3. If I can't force traffic down a particular ISP with a tcrule mark or
> a provider mark, should I be doing this in the route_rules? (But
> route_rules doesn't provide for layer 4 matching).

You force traffic to use a particular ISP with PREROUTING marks. You
select which tcclass it falls into with FILTER marks or CLASSIFY rules.

>
> Maybe I've been looking at this too long :(
>

Have you read http://www.shorewall.net/PacketMarking.html ? It might
help.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ [EMAIL PROTECTED]
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
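
The two marking stages described in this reply, modelled as an added Python example (not part of the original message and not Shorewall code). The rule format, interface names, mark values and class names are constructed, and the model assumes the mark is cleared immediately after route selection when HIGH_ROUTE_MARKS=Yes is set.

```python
# Simplified model of the two marking stages described in the reply above.
# Interface names, mark values and class names are constructed samples.

def first_match(packet, rules):
    """Return the mark of the first rule whose fields all match, else None."""
    for fields, mark in rules:
        if all(packet.get(k) == v for k, v in fields.items()):
            return mark
    return None

def traverse(packet, cfg, high_route_marks):
    """Return (provider, tcclass) for one forwarded packet."""
    # Stage 1: the PREROUTING mark selects the provider (route selection).
    mark = first_match(packet, cfg["prerouting"]) or 0
    provider, iface = cfg["providers"].get(mark, cfg["main_route"])
    # With HIGH_ROUTE_MARKS=Yes the mark is cleared after routing, so the
    # provider mark cannot leak into tcclass selection.
    if high_route_marks:
        mark = 0
    # Stage 2: re-mark the same packet to choose its tcclass.
    class_mark = first_match(packet, cfg["forward"])
    if class_mark is not None:
        mark = class_mark
    classes = cfg["tcclasses"][iface]
    return provider, classes.get(mark, classes["default"])

def make_cfg(isp2_mark, forward_rules):
    """Constructed two-provider setup; SMTP is steered to ISP2."""
    return {
        "providers": {isp2_mark: ("ISP2", "eth1")},
        "main_route": ("ISP1", "eth0"),
        "prerouting": [({"proto": "tcp", "dport": 25}, isp2_mark)],
        "forward": forward_rules,
        "tcclasses": {
            "eth0": {1: "interactive", "default": "default"},
            "eth1": {1: "interactive", 2: "bulk", "default": "default"},
        },
    }

SMTP = {"proto": "tcp", "dport": 25}
TO_CLASS_1 = [({"proto": "tcp", "dport": 25}, 1)]

if __name__ == "__main__":
    # Provider mark 2 equals a tcclass mark on eth1: shaped as "bulk".
    print(traverse(SMTP, make_cfg(2, []), high_route_marks=False))
    # Route mark 0x200 is cleared, then the second mark picks class 1.
    print(traverse(SMTP, make_cfg(0x200, TO_CLASS_1), high_route_marks=True))
```

The first call shows the collision from question 1: a provider mark that equals a tcclass mark on the outgoing interface decides the shaping class by accident.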
