> There is no way to shape incoming traffic using an IFB and ipsets. If this is
> a router, you can shape traffic exiting the router on the local interface
> using ipsets.
>
Right, that settles it then!
I, however, may have another, less-glamorous (a plan B if you like)
solution: the current generation of ipset (6, not sure about 5 and 4)
gives me the ability to list members of a particular set in a specific
format (xml, txt etc), so if I "construct" my tcfilters file at startup
(via a script, which is executed in shorewall's "init" - I take it at
that point nothing has been compiled yet, right?) then I may use a
template and replace the values shown there with the actual values of
the ipset members.
Say, I have a line in my template file like this "1:11 - - tcp -
+{web-ports}", then my script could turn this into "1:11 - - tcp -
80,443,8080-8082,8443" (i.e. substitutes the members of the specified
set - web-ports using my previous example - with their actual values)
and then pass this resulting file to shorewall, would that work?
> There is no way. A Shorewall user requested the ability to mark packets in
> the INPUT chain (I've forgotten the rationale but it was legitimate) and I
> added it a while back.
>
So, I *could* mark in the INPUT chain with tcrules, but I can't use that
for traffic shaping or use ipsets, is that right? If not, could you give
me a simple example (a 1-liner perhaps) where this INPUT chain marking
is used?
>> Following on from this, I see no sense whatsoever in applying that
>> classification to ifb-type devices as there is NEVER going to be a match
>> when these are included in the tcrules file as, to my understanding, ifb
>> operates on the incoming/input chains and traffic.
>>
>> If that is indeed the case, why are ifb-type devices allowed to be used in
>> the tcrules file at all - what possible purpose would that serve (genuine
>> question as I cannot figure out what sort of match could there be if ifb
>> devices are used in tcrules)?
>>
>
> I'll be happy to add an error message if an IFB is mentioned in the tcrules
> file.
>
That makes sense as I can't really see any case when there would
possibly be a match (and I spent about 4-5 hours yesterday running
"fantasy" scenarios in that file, using ifb-type devices and shorewall
was silently swallowing it all - and laughing back in my face).
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
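
The template substitution proposed in the message above, as an added example that is not part of the original post or of Shorewall. `list_set`, `members_csv` and `expand_template` are hypothetical names, the set listings are constructed samples standing in for `ipset list NAME`, and only plain port members are handled. It shows the text substitution only, refusing set names with unexpected characters and sets that expand to nothing.

```shell
#!/bin/sh
# Stand-in for `ipset list NAME`; the listings are constructed samples.
list_set() {
    case $1 in
        web-ports) printf '%s\n' 'Name: web-ports' 'Type: bitmap:port' \
                       'Members:' 80 443 8080 8081 8082 8443 ;;
        *)         printf '%s\n' "Name: $1" 'Type: bitmap:port' 'Members:' ;;
    esac
}

# Read a listing on stdin; print its ports comma-separated, with
# consecutive ports collapsed into lo-hi ranges.
members_csv() {
    awk '/^Members:/ { m = 1; next } m && /^[0-9]+$/' | sort -n | awk '
        function emit() { printf "%s%s", (n++ ? "," : ""), (lo == hi ? lo : lo "-" hi) }
        NR == 1      { lo = hi = $1; next }
        $1 == hi + 1 { hi = $1; next }
                     { emit(); lo = hi = $1 }
        END          { if (NR) emit(); print "" }'
}

# Read template lines on stdin; replace every +{set-name} token with
# that set's port list. Fails on a malformed name or an empty set
# instead of emitting a line with a blank column.
expand_template() {
    open='+{'; close='}'
    while IFS= read -r line; do
        while :; do
            case $line in *"$open"*"$close"*) ;; *) break ;; esac
            rest=${line#*"$open"}        # text after the first "+{"
            name=${rest%%"$close"*}      # set name, up to the next "}"
            case $name in
                ''|*[!A-Za-z0-9_-]*) echo "bad set name: $name" >&2; return 1 ;;
            esac
            csv=$(list_set "$name" | members_csv)
            [ -n "$csv" ] || { echo "set $name has no port members" >&2; return 1; }
            line=${line%%"$open"*}$csv${rest#*"$close"}
        done
        printf '%s\n' "$line"
    done
}

# prints: 1:11 - - tcp - 80,443,8080-8082,8443
printf '%s\n' '1:11 - - tcp - +{web-ports}' | expand_template
```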