Tom Eastep wrote:
> On Sun, 2007-08-19 at 15:49 +1000, James Gray wrote:
>
>> So in order to use classification marks (e.g. 1:150) I need to say "Yes"
>> to HIGH_ROUTE_MARKS *and* specify a mark > 255 in the providers file for
>> that ISP. What if I wanted to specify ISP outbound as follows:
>>
>> providers:
>> #NAME   NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY      OPTIONS    COPY
>> $ISP1   1       1     main       $NET_IF1   $NET_IF1_GW  $PROVOPTS  $COPY
>> $ISP2   2       2     main       $NET_IF2   $NET_IF2_GW  $PROVOPTS  $COPY
>>
>> tcrules (abridged):
>> (assuming the same tcclasses I posted earlier)
>> #MARK  SOURCE        DEST     PROTO  DEST    SOURCE  USER  TEST  LENGTH  TOS
>> #                                    PORT    PORT
>> # Route default traffic to ISP2
>> 2:P    $ANY_IP
>>
>> # Route traffic to ISP1
>> 1:P    $LAN_NETWORK  $ANY_IP  tcp    22
>> 1:P    $LAN_NETWORK  $ANY_IP  tcp    80,443
>>
>> # Shape ISP2 Traffic
>> 50     $ANY_IP       $ANY_IP  udp    $GAMES
>>
>> # Shape ISP1 Traffic
>> 20     $LAN_NETWORK  $ANY_IP  tcp    80,443
>> 10     $LAN_NETWORK  $ANY_IP  tcp    22
>
> You can do that with two restrictions.
>
> a) Shorewall won't generate rules to clear packet marks at the beginning
> of the FILTER chains. So you would have to supply two additional rules:
>
> 0  0.0.0.0/0  0.0.0.0/0
> 0  $FW        0.0.0.0/0
>
> b) You won't be able to use connection marks.
Ok, that makes sense - and explains why you separated the routing/filtering
with the HIGH_ROUTE_MARKS options. Now, suppose I replace my provider marks
with 0x100 and 0x200, instead of 1 and 2 respectively (and set
HIGH_ROUTE_MARKS=Yes), the tcrules file would look the same except for the
first 3 PREROUTING rules, right? Like this:

#MARK    SOURCE        DEST     PROTO  DEST    SOURCE  USER  TEST  LENGTH  TOS
#                                      PORT    PORT
# Route default traffic to ISP2
0x200:P  $ANY_IP

# Route traffic to ISP1
0x100:P  $LAN_NETWORK  $ANY_IP  tcp    22
0x100:P  $LAN_NETWORK  $ANY_IP  tcp    80,443

>> The confusion arose from the documentation seeming to suggest routing
>> and shaping could be done on the same line in the tcrules file for any
>> given traffic type and tc class. The reality is, as I suspected, you
>> need to specify route marks in PREROUTING, then shape packets with other
>> marks, BUT they are both done in the tcrules file. Gotcha. Maybe it's
>> worth explicitly stating this somewhere (MultiISP docs perhaps)? Just a
>> thought - I'm happy to contribute if you like.
>
> Please do -- the XML source is in the SVN repository (trunk/docs).

No problem. Once I have this in and working, I'll put some "put flange 'A'
into slot 'B'" type instructions ;)

Thanks,
James
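Added example, not part of the thread: a small model of how one packet's fwmark evolves under the two tcrules layouts above (provider marks 1/2 versus 0x100/0x200), to show why the shaping marks and the route marks stop colliding once the provider mark sits in the high byte. It assumes that HIGH_ROUTE_MARKS=Yes reads the provider mark with mask 0xFF00 and writes tc marks with mask 0x00FF, and that without it every mark is a plain overwrite; the $GAMES port list is a constructed stand-in.

```python
# Constructed model of one packet's fwmark under the two tcrules layouts in
# the thread. ASSUMPTIONS (not taken from the thread): with HIGH_ROUTE_MARKS=Yes
# the provider mark lives in the high byte and is read with mask 0xFF00 while
# tc marks are written with mask 0x00FF; with HIGH_ROUTE_MARKS=No every mark is
# a plain, unmasked overwrite.
ROUTE_MASK = 0xFF00
TC_MASK = 0x00FF
GAMES = {27015, 28960}   # constructed stand-in for $GAMES


def route_mark(pkt, high):
    """PREROUTING rows from the thread: ssh/http/https via ISP1, rest via ISP2."""
    isp1, isp2 = (0x100, 0x200) if high else (1, 2)
    if pkt["proto"] == "tcp" and pkt["dport"] in (22, 80, 443):
        return isp1
    return isp2


def shaping_mark(pkt):
    """The three shaping rows (classes 50, 20, 10); None when no row matches."""
    if pkt["proto"] == "udp" and pkt["dport"] in GAMES:
        return 50
    if pkt["proto"] == "tcp" and pkt["dport"] in (80, 443):
        return 20
    if pkt["proto"] == "tcp" and pkt["dport"] == 22:
        return 10
    return None


def mark_packet(pkt, high):
    """Return what the fwmark routing rule and the tc classifier each see."""
    mark = route_mark(pkt, high)
    # The fwmark ip rule is consulted right after PREROUTING, before shaping.
    provider = (mark & ROUTE_MASK) if high else mark
    tc = shaping_mark(pkt)
    if tc is not None:
        # masked write keeps the high byte; plain write clobbers the route mark
        mark = ((mark & ~TC_MASK) | tc) if high else tc
    # tc's fw classifier sees the low byte under HIGH_ROUTE_MARKS, else the whole mark.
    tc_class = (mark & TC_MASK) if high else mark
    return {"provider": provider, "fwmark": mark, "tc_class": tc_class}


def stray_classes(high):
    """Classes that unshaped traffic lands in: the reason for Tom's two '0' rows."""
    unshaped = [{"proto": "tcp", "dport": 25}, {"proto": "udp", "dport": 53}]
    return sorted({mark_packet(p, high)["tc_class"] for p in unshaped})
```

With low marks an unshaped packet reaches the classifier still carrying route mark 2, and a shaped one ends with fwmark 10 and no trace of its provider (which is what would go into a connmark), whereas with 0x100/0x200 the final mark carries both values in separate bytes.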
