On Sun, 2007-08-19 at 15:49 +1000, James Gray wrote:

> 
> So in order to use classification marks (eg, 1:150) I need to say "Yes" 
> to HIGH_ROUTE_MARKS *and* specify a mark > 255 in the providers file for 
> that ISP.  What if I wanted to specify ISP outbound as follows:
> 
> providers:
> #NAME  NUMBER MARK  DUPLICATE INTERFACE GATEWAY     OPTIONS   COPY
> $ISP1  1      1     main      $NET_IF1  $NET_IF1_GW $PROVOPTS $COPY
> $ISP2  2      2     main      $NET_IF2  $NET_IF2_GW $PROVOPTS $COPY
> 
> tcrules (abridged):
> (assuming the same tcclasses I posted earlier)
> #MARK SOURCE       DEST     PROTO DEST  SOURCE USER  TEST  LENGTH  TOS
> #                                 PORT  PORT
> # Route default traffic to ISP2
> 2:P   $ANY_IP
> 
> # Route traffic to ISP1
> 1:P   $LAN_NETWORK $ANY_IP  tcp   22
> 1:P   $LAN_NETWORK $ANY_IP  tcp   80,443
> 
> # Shape ISP2 Traffic
> 50    $ANY_IP      $ANY_IP  udp   $GAMES
> 
> # Shape ISP1 Traffic
> 20    $LAN_NETWORK $ANY_IP  tcp   80,443
> 10    $LAN_NETWORK $ANY_IP  tcp   22

You can do that with two restrictions.

a) Shorewall won't generate rules to clear packet marks at the beginning
of the FILTER chains. So you would have to supply two additional rules:

0       0.0.0.0/0       0.0.0.0/0
0       $FW             0.0.0.0/0

b) You won't be able to use connection marks.

> 
> The confusion arose from the documentation seeming to suggest routing 
> and shaping could be done on the same line in the tcrules file for any 
> given traffic type and tc class.  The reality is, as I suspected, you 
> need to specify route marks in PREROUTING, then shape packets with other 
> marks, BUT they are both done in the tcrules file.  Gotcha.  Maybe it's 
> worth explicitly stating this somewhere (MultiISP docs perhaps)?  Just a 
> thought - I'm happy to contribute if you like.

Please do -- the XML source is in the SVN repository (trunk/docs).

Cheers,
-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
