On Mon, 2007-12-03 at 15:11 -0800, Tom Eastep wrote:

> For OUTPUT, you are mistakenly trying to set traffic control marks in
> the tcout chain. This is actually a bug in Shorewall-shell (all versions
> including 4.0.6). The tcout chain should have the same restriction as
> the PREROUTING chain -- namely that with HIGH_ROUTE_MARKS=Yes, only high
> mark values can be assigned in that chain. Shorewall-shell doesn't
> enforce that.

I should add that you might find that a lot more OUTPUT traffic matches
your rules, once you move them to POSTROUTING. Here's the mangle OUTPUT
chain:
Chain OUTPUT (policy ACCEPT 342K packets, 34M bytes)
 pkts bytes target     prot opt in     out     source               destination
 143K 9243K CONNMARK   0    --  *      *       0.0.0.0/0            0.0.0.0/0           CONNMARK match !0x0/0xff00 CONNMARK restore mask 0xff00
 192K   20M tcout      0    --  *      *       0.0.0.0/0            0.0.0.0/0           MARK match 0x0/0xff00

Note that only traffic whose connection isn't marked in the upper byte
goes through the tcout chain. So no traffic associated with external
connections is going through that chain.
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ [EMAIL PROTECTED]
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
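A small model of the two mangle OUTPUT rules shown in the message, added here as an example that is not part of Tom's mail or of Shorewall itself. It assumes the HIGH_ROUTE_MARKS=Yes layout (routing marks in the upper byte 0xff00, low byte left for traffic shaping) and shows which connections reach tcout and why a low mark set there violates the restriction Tom describes.

```python
# Added example (not from the message or from Shorewall): a model of the
# mangle OUTPUT chain listed above, to make the mask semantics concrete.
# Assumption: HIGH_ROUTE_MARKS=Yes, so the upper byte (0xff00) holds the
# routing mark and the low byte is reserved for traffic-shaping marks.

ROUTE_MASK = 0xFF00  # upper byte: routing marks under HIGH_ROUTE_MARKS=Yes


def connmark_matches(connmark: int, value: int, mask: int, negate: bool) -> bool:
    """iptables '-m connmark --mark value/mask' (with an optional '!')."""
    hit = (connmark & mask) == (value & mask)
    return not hit if negate else hit


def connmark_restore(mark: int, connmark: int, mask: int) -> int:
    """'-j CONNMARK --restore-mark --mask mask': copy the masked bits of the
    connection mark into the packet mark, leaving the other bits alone."""
    return (mark & ~mask) | (connmark & mask)


def output_chain(connmark: int, mark: int = 0):
    """Walk the two rules of the mangle OUTPUT chain from the message.
    Returns (packet mark after the chain, whether tcout was entered)."""
    # Rule 1: CONNMARK match !0x0/0xff00 -> CONNMARK restore mask 0xff00
    if connmark_matches(connmark, 0x0, ROUTE_MASK, negate=True):
        mark = connmark_restore(mark, connmark, ROUTE_MASK)
    # Rule 2: MARK match 0x0/0xff00 -> tcout
    # Only packets with no routing mark in the upper byte enter tcout.
    entered_tcout = (mark & ROUTE_MASK) == 0
    return mark, entered_tcout


def tcout_mark_allowed(mark: int, high_route_marks: bool = True) -> bool:
    """The restriction tcout should share with PREROUTING: with
    HIGH_ROUTE_MARKS=Yes only high (upper-byte) mark values may be set there.
    A traffic-control mark in the low byte is therefore rejected."""
    if not high_route_marks:
        return True
    return mark != 0 and (mark & ~ROUTE_MASK) == 0


if __name__ == "__main__":
    # Constructed sample connection marks: one with routing mark 0x100 in the
    # upper byte (an external connection), one unmarked, one low-byte only.
    for cm in (0x0100, 0x0000, 0x0005):
        mark, via_tcout = output_chain(cm)
        print(f"connmark {cm:#06x}: mark {mark:#06x}, tcout entered: {via_tcout}")
```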
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
