Hello again!

I looked up the "Packet Marking using /etc/shorewall/tcrules" section on the
website to understand the RESTORE, CONTINUE, SAVE part that you mentioned, so I
tried to correct my tcrules config.

> rule 1 - RESTORE connection mark
> rule 2 - CONTINUE if mark is non-zero
> rule 3 - for default
> rule 4-33 - for local
> rule 34 for sales net
> rule 35 SAVE
>
> >
> > tcdevices
> > #INTERFACE IN-BANDWIDTH OUT-BANDWIDTH
> > eth0 40mbps 40mbps
> > eth2 100mbps 100mbps
> >
> > tcclasses
> > #INTERFACE MARK RATE CEIL PRIORITY OPTIONS
> > eth0 1 10mbps full 1 default
> > eth2 1 10mbps full 1 default
> > eth0 2 100kbps 1mbps 2
> > eth2 2 100kbps 1mbps 2
> > eth0 3 100kbps 1mbps 2
> > eth2 3 100kbps 1mbps 2
> > eth0 4 100kbps 1mbps 2
> > eth2 4 100kbps 1mbps 2
> > ...
> > eth0 31 100kbps 1mbps 2
> > eth2 31 100kbps 1mbps 2
> > eth0 32 1mbps 5mbps 3
> > eth0 32 1mbps 5mbps 3
> >
> > tcrules
> > #MARK SOURCE DESTINATION PROTOCOL PORT(s)
> > 2:F 192.168.101.11 eth0 all
> > 2:F eth0 192.168.101.11 all
> > 3:F 192.168.101.12 eth0 all
> > 3:F eth0 192.168.101.12 all
> > 4:F 192.168.101.13 eth0 all
> > 4:F eth0 192.168.101.13 all
> > ...
> > 31:F 192.168.101.40 eth0 all
> > 31:F eth0 192.168.101.40 all
> > 32:F 192.168.102.0/24 eth0 all
> > 32:F eth0 192.168.102.0/24 all
> >


So I corrected it to the following:

#MARK    SOURCE          DEST            PROTO   PORT(S) CLIENT  USER    TEST    LENGTH  TOS
#
RESTORE 0.0.0.0/0 0.0.0.0/0 all
CONTINUE 0.0.0.0/0 0.0.0.0/0 all - - - !0
2:F 192.168.101.11 eth0 all
2:F eth0 192.168.101.11 all
3:F 192.168.101.12 eth0 all
3:F eth0 192.168.101.12 all
4:F 192.168.101.13 eth0 all
4:F eth0 192.168.101.13 all
...
31:F 192.168.101.40 eth0 all
31:F eth0 192.168.101.40 all
32:F 192.168.102.0/24 eth0 all
32:F eth0 192.168.102.0/24 all
SAVE 0.0.0.0/0 0.0.0.0/0 all

Although... I don't know if I really understand what I have done here....
Does it mean that the first rule (RESTORE) resets the mark to zero so that the
bandwidth management rules can process it, and the last rule (SAVE) hardwires
this mark into the remaining packets of the connection, so that those packets
don't get processed by the bandwidth control rules anymore,
because of the second (CONTINUE) rule?

Or is it that the rest of the packets get their mark reset to zero every time
they arrive on the $FW? Why use SAVE then?

I hope I am getting closer.

Laszlo Balogh

------------------------------------------------------------------------------
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
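
A simplified model of the rule order discussed in this message (RESTORE, CONTINUE if the mark is non-zero, the marking rules, then SAVE), added here as an example; it is not part of the original post and not Shorewall's own code. It assumes all rules are evaluated top to bottom in one chain, treats eth0 as "any address", and uses a constructed outside address 203.0.113.5; `RULES`, `process` and `demo` are hypothetical names.

```python
import ipaddress

ANY = "0.0.0.0/0"
# Constructed rule list mirroring the corrected tcrules above; "eth0" is
# modelled as "any address" and every rule is assumed to sit in one chain.
RULES = [
    ("RESTORE",  ANY, ANY, None),
    ("CONTINUE", ANY, ANY, "!0"),
    (2,  "192.168.101.11", ANY, None),
    (2,  ANY, "192.168.101.11", None),
    (32, "192.168.102.0/24", ANY, None),
    (32, ANY, "192.168.102.0/24", None),
    ("SAVE",     ANY, ANY, None),
]

def _in(addr, net):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net)

def process(packet, conntrack, rules=RULES):
    """Return (final packet mark, number of rules evaluated)."""
    src, dst = packet
    key = frozenset((src, dst))      # both directions share one conntrack entry
    mark, evaluated = 0, 0           # a packet arrives unmarked
    for action, s, d, test in rules:
        evaluated += 1
        if not (_in(src, s) and _in(dst, d)):
            continue
        if test == "!0" and mark == 0:
            continue                 # TEST column: only match a non-zero mark
        if action == "RESTORE":      # connection mark -> packet mark
            mark = conntrack.get(key, 0)
        elif action == "CONTINUE":   # stop processing further marking rules
            break
        elif action == "SAVE":       # packet mark -> connection mark
            conntrack[key] = mark
        else:                        # numeric mark; a later match overwrites it
            mark = action
    return mark, evaluated

def demo():
    ct = {}
    first = process(("192.168.101.11", "203.0.113.5"), ct)   # new connection
    reply = process(("203.0.113.5", "192.168.101.11"), ct)   # same connection
    return first, reply, ct

if __name__ == "__main__":
    print(demo())
```

In this model the first packet of a connection walks all seven rules and its mark is stored by SAVE; later packets in either direction get that mark back from RESTORE and leave at CONTINUE after two rules.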
