On May 4, 2011, at 9:03 AM, Mr Dash Four wrote:

> 
>>> I am not sure I understand this - what range of values for the hex are 
>>> accepted then?
>>>    
>> 
>> Thinking about this some more, Shorewall assumes a maximum of 255 devices 
>> with the similar assumption that device numbers will have a (decimal) value 
>> of 255 or less. So the maximum acceptable size is two hex digits. I will add 
>> enforcement of that limit before I release 4.4.19.2.
>>  
> Fair enough I think. So, "0ff:eth0" should be an acceptable value then, right?

Correct.

> 
>>> I know this is quite ugly, but I cannot see a better solution at present.
>>>    
>> 
>> Nor can I. Note that the 'compile' script must be written in Perl since it 
>> is executed directly in the compiler.
>>  
> Ah, that's me out of this then - I don't know much Perl, so I can't really 
> get this "compile" script constructed! Although Perl may have better 
> substituting capabilities than a shell (or awk even) script I am totally 
> hopeless with it. If I include my (shell) script in init would that work?

No. Again, init is executed by the compiled script. What you want to do is to 
create your own tcfilters file from ipset contents; that must be done when the 
script is being compiled. But your compile script can be as simple as this:

        system '/etc/shorewall/myscript';

where /etc/shorewall/myscript is your shell program that builds tcfilters.

> 
>> You are on your own there.

> Well, no guts - no glory right?

Indeed.

> 
>> I haven't experimented with trying to shape traffic exiting on 'lo'. One 
>> thing I can tell you is that TCO and GCO are enabled on 'lo' in recent 
>> kernels. So you need to use the "minburst" setting when specifying the 
>> OUT-BANDWIDTH. See http://www.shorewall.net/LennyToSqueeze.html#SimpleTC. 
>> Don't be misled by the fact that only simple TC is mentioned at that URL; 
>> the same applies to Complex TC.
>>  
> Right! I am not sure I understand what "miniburst" is, but if I turn TSO and 
> GCO off (via shorewall init) would that be OK? What should I specify in the 
> bandwidth limit of lo though (I have no idea how much the loopback can 
> handle)?

No idea.

-Tom

Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
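
Added example, not part of the original message and not Shorewall's own code: one possible body for the /etc/shorewall/myscript helper that the one-line Perl compile script above would call. The set name "shaped", the class "1:10", and "ipset save" output of the form "add <set> <member>" are assumptions.

```shell
#!/bin/sh
# Hypothetical /etc/shorewall/myscript: build tcfilters from ipset contents.
# Assumed names: set "shaped", class "1:10"; adjust to your tcclasses.

# Read "ipset save"-style text on stdin and print one tcfilters row
# (CLASS SOURCE DEST) for every IPv4 member of set $1, using class $2.
gen_tcfilters() {
    set_name=$1
    class=$2
    printf '#CLASS\tSOURCE\tDEST\n'
    while read -r verb name member _rest; do
        [ "$verb" = add ] && [ "$name" = "$set_name" ] || continue
        # Shape check only (dotted quad, optional /prefix): anything else
        # in the listing is skipped so it cannot reach the config file.
        printf '%s\n' "$member" |
            grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' || continue
        # "-" leaves the DEST column unrestricted.
        printf '%s\t%s\t-\n' "$class" "$member"
    done
}

# Write the generated rows to $3 through a temporary file in the same
# directory, so the compiler never reads a half-written tcfilters.
write_tcfilters() {
    out=$3
    tmp=$(mktemp "$out.XXXXXX") || return 1
    if gen_tcfilters "$1" "$2" > "$tmp"; then
        mv "$tmp" "$out"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Invocation to place at the end of the real script (assumed set and path):
#   ipset save shaped | write_tcfilters shaped 1:10 /etc/shorewall/tcfilters
```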


_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users