On May 1, 2011, at 10:47 AM, Mr Dash Four wrote:

>
>> There is no way to shape incoming traffic using an IFB and ipsets. If this
>> is a router, you can shape traffic exiting the router on the local interface
>> using ipsets.
>>
> Right, that settles it then!
>
> I, however, may have another, less-glamorous (a plan B if you like) solution:
> the current generation of ipset (6, not sure about 5 and 4) gives me the
> ability to list members of a particular set in a specific format (xml, txt
> etc), so if I "construct" my tcfilters file at startup (via a script, which
> is executed in shorewall's "init" - I take it at that point nothing has been
> compiled yet, right?) then I may use a template and replace the values shown
> there with the actual values of the ipset members.

The 'init' script is executed by the compiled script. You want something that runs during compilation. The 'compile' script is a good candidate for rewriting your tcfilters file the way you want it.

>>
> So, I *could* mark in the INPUT chain with tcrules, but I can't use that for
> traffic shaping or use ipsets, is that right?

That is correct.

>>
>> I'll be happy to add an error message if an IFB is mentioned in the tcrules
>> file.
>>
> That makes sense as I can't really see any case when there would possibly be
> a match (and I spent about 4-5 hours yesterday rimming "fantasy" scenarios in
> that file, using ifb-type devices and shorewall was silently swallowing it
> all - and laughing back in my face).

I will attach a patch to my response to your other post.

-Tom

Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
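
The template approach discussed in this message, sketched as an added example that is not part of the original thread or of Shorewall: it reads the plain-text output of `ipset list`, keeps only entries that look like addresses, and repeats each template row once per member. The `@SET:name@` placeholder, the function names, the set name `shaped`, and the sample listing and template rows are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: expand a tcfilters template from ipset members.

# Read `ipset list <set>` plain-text output on stdin and print the
# first field of every non-empty line that follows "Members:".
ipset_members() {
    awk 'seen && NF { print $1 } /^Members:/ { seen = 1 }'
}

# usage: expand_template SETNAME MEMBERS_FILE < template
# Rows containing @SET:SETNAME@ (hypothetical placeholder) are emitted
# once per member; other rows pass through unchanged. Members that are
# not plain addresses/CIDRs are dropped so that nothing unexpected is
# written into a firewall configuration file. An empty set emits no row.
expand_template() {
    awk -v tok="@SET:$1@" -v mfile="$2" '
        BEGIN {
            while ((getline m < mfile) > 0)
                if (m ~ "^[0-9A-Fa-f.:/]+$") mem[++n] = m
        }
        index($0, tok) {
            for (i = 1; i <= n; i++) {
                line = $0
                while ((p = index(line, tok)) > 0)
                    line = substr(line, 1, p - 1) mem[i] \
                           substr(line, p + length(tok))
                print line
            }
            next
        }
        { print }'
}

demo() {
    tmp=$(mktemp) || return 1
    # Constructed sample of `ipset list shaped` output.
    ipset_members > "$tmp" <<'EOF'
Name: shaped
Type: hash:net
Members:
192.0.2.10
198.51.100.0/24
EOF
    # Constructed template rows (column layout is an assumption).
    expand_template shaped "$tmp" <<'EOF'
#CLASS  SOURCE        DEST  PROTO  DPORT
1:110   @SET:shaped@  -     tcp    80
1:120   -             -     udp    53
EOF
    rm -f "$tmp"
}
demo
```

On a live system the members file would come from `ipset list shaped | ipset_members`, with the expansion run during compilation as the reply above suggests.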
