tcfilters always work with packets as they appear "on the wire". So the
packets seen on ifb1 would be the same with or without DNAT. tcrules
always work with packets before SNAT is applied. Hence, the asymmetry.
Well, the good news is that SNATed traffic shaping works as advertised!
Another bit of good news is that, as a result of my new traffic shaping
policies, my network is absolutely flying! Upgrading to the new iproute2
package as well as iptables (1.4.10), which I compiled from source and
optimised for my systems, had a massive effect on the speed of it all!
Now, for the annoying bits:

1. tcfilters

ba:25 - - all

(ba is on ifb0)

Passes compilation, but then I get this:

RTNETLINK answers: Invalid argument
We have an error talking to the kernel
ERROR: Command "tc filter add dev ifb0 protocol ip parent be:0 prio 10
u32 flowid ba:25" Failed
2. tcrules

bb:12 $FW +[mickey-mouse,ip-port] tcp

"shorewall check/compile" passes, but it fails when shorewall
reload/restart is executed with "...Set mickey-mouse doesn't exist.". In
other words, shorewall doesn't capture this error. I am not sure whether
shorewall used to capture this before, i.e. the (non)existence of ipsets.
3. tcfilters

ba:12 212.... - tcp 17001 1193:2193

The above has absolutely *no* chance on God's green Earth to produce a
match - EVER! Unless the destination IP address is also specified, that
is! I don't know why that is, but if it is some sort of misconfiguration
error then I should at least be given a warning.
In relation to this, I have another query: I found out that this
"requirement" for specifying a destination ip address is only valid when
I have selected the source ip address as well. If I have a tcfilters
statement which matches on just the port part (source and/or destination
ports) then it all seems fine and matches are produced. I have no idea
why that is!
If I have to specify a destination ip address/range when I filter on the
source address what would happen if I use a device which may change its
ip address regularly (dhcp, tunX to name a few possibilities) - do I
have to then reload/restart shorewall every time that happens?
4. dmax values
When I have dmax=375ms the resulting flow (as seen with shorewall show
tc ethX/ifbX) is set as 75ms. In other places where I have dmax=100ms
the actual value is 0 - it looks as though the first digit of what I
specified in tcclasses seems to be "eaten up" by shorewall.
5. Not a bug, just a query: When I have not specified umax shorewall/tc
assumes some spectacularly wrong values - I had anything ranging from
2500b to 20000b! Why is that and how can this be corrected?
Finally, I attach my "bog-standard" shorewall startup script (the one
which sits in /etc/init.d) which I use on all my machines - it is a much
better version than the one supplied with the shorewall rpm.
#!/bin/bash
#
# Shorewall init script
#
# bash rather than sh: the script uses [[ ]] and PIPESTATUS, which are
# bash extensions and fail under a plain POSIX /bin/sh such as dash.
#
# chkconfig: - 28 90
# description: Packet filtering firewall
### BEGIN INIT INFO
# Provides: shorewall
# Required-Start: $local_fs $remote_fs $syslog $network
# Should-Start: VMware $time $named
# Required-Stop:
# Default-Start:
# Default-Stop: 0 1 2 3 4 5 6
# Short-Description: Packet filtering firewall
# Description: The Shoreline Firewall, more commonly known as "Shorewall", is a
#              Netfilter (iptables) based firewall
### END INIT INFO

# Source function library (provides success, failure and the RHEL helpers).
. /etc/rc.d/init.d/functions

prog="shorewall"
shorewall="/sbin/$prog"
config_file_dir="/etc/shorewall"
logger="logger -i -t $prog"
lockfile="/var/lock/subsys/$prog"

# Get startup options (override default); /etc/sysconfig/shorewall may set OPTIONS.
OPTIONS="-v0"
if [ -f /etc/sysconfig/$prog ]; then
    . /etc/sysconfig/$prog
fi

start() {
    echo -n $"Starting Shorewall: "
    # Output goes to syslog; PIPESTATUS[0] keeps shorewall's own exit code
    # rather than logger's.
    $shorewall $OPTIONS start $config_file_dir 2>&1 | $logger
    retval=${PIPESTATUS[0]}
    if [[ $retval == 0 ]]; then
        touch $lockfile
        success
    else
        failure
    fi
    echo
    return $retval
}

stop() {
    echo -n $"Stopping Shorewall: "
    $shorewall $OPTIONS stop 2>&1 | $logger
    retval=${PIPESTATUS[0]}
    if [[ $retval == 0 ]]; then
        rm -f $lockfile
        success
    else
        failure
    fi
    echo
    return $retval
}

restart() {
    # Note that we don't simply stop and start since shorewall has a built in
    # restart which stops the firewall if running and then starts it.
    echo -n $"Restarting Shorewall: "
    # Save the running dynamic state first so a failed restart can fall back.
    $shorewall $OPTIONS save 2>&1 | $logger
    $shorewall $OPTIONS restart $config_file_dir 2>&1 | $logger
    retval=${PIPESTATUS[0]}
    if [[ $retval == 0 ]]; then
        touch $lockfile
        success
    else
        # Failed to start, clean up lock file if present
        rm -f $lockfile
        failure
    fi
    echo
    return $retval
}

# Overrides the generic status() from the function library; shorewall's own
# status command knows whether the firewall is actually running.
status() {
    $shorewall status
    return $?
}

status_q() {
    status > /dev/null 2>&1
}

case "$1" in
    start)
        status_q && exit 0
        $1
        ;;
    stop)
        status_q || exit 0
        $1
        ;;
    restart|reload|force-reload)
        restart
        ;;
    condrestart|try-restart)
        status_q || exit 0
        restart
        ;;
    status)
        $1
        ;;
    *)
        echo "Usage: $0 start|stop|reload|restart|force-reload|status"
        exit 1
        ;;
esac
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
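Item 2 of the post describes a rule that passes "shorewall check" but fails at restart because the referenced ipset does not exist. The script below is an added example, not code from the original post or from Shorewall: it scans Shorewall-style rule files for "+setname" / "+[setname,flags]" references and compares them against the sets loaded in the kernel before a restart is attempted. The IPSET_LIST_CMD variable is an assumption introduced so the check can be exercised without root; it defaults to the real "ipset list -n". The preflight_restart wrapper and its config paths are likewise illustrative.

```shell
#!/bin/bash
# Added example, not code from the original post or from Shorewall: a
# pre-flight check that verifies every ipset referenced in Shorewall rule
# files exists before a reload/restart, because "shorewall check" passes a
# line such as
#     bb:12   $FW   +[mickey-mouse,ip-port]   tcp
# and the missing set only shows up when the restart itself fails.

# Print, one per line and de-duplicated, the ipset names referenced in
# Shorewall-style config text read from stdin.  Recognises "+name",
# "!+name" and "+[name,flags...]"; comments are stripped first.
referenced_ipsets() {
    sed -e 's/#.*$//' \
      | grep -oE '[+]\[?[A-Za-z0-9_.:-]+' \
      | sed -E 's/^[+]\[?//' \
      | sort -u
}

# Names of the sets currently loaded in the kernel.  IPSET_LIST_CMD is an
# assumption for testing without root; it defaults to the real "ipset list -n".
existing_ipsets() {
    ${IPSET_LIST_CMD:-ipset list -n} 2>/dev/null | sort -u
}

# Usage: missing_ipsets FILE...
# Prints each referenced set that does not exist; returns 0 when none are
# missing, 1 otherwise.
missing_ipsets() {
    local existing name rc=0
    existing=$(existing_ipsets)
    for name in $(cat -- "$@" | referenced_ipsets); do
        # -x: whole-line match, -F: set names are literals, not regexes
        if ! printf '%s\n' "$existing" | grep -qxF -- "$name"; then
            echo "$name"
            rc=1
        fi
    done
    return $rc
}

# Illustrative wrapper for an init script's restart path (hypothetical, not
# called here): refuse to restart when a set is missing, so the error is
# reported before the running firewall is touched.
preflight_restart() {
    local cfg=/etc/shorewall
    if ! missing_ipsets "$cfg/rules" "$cfg/tcrules" >&2; then
        echo "shorewall restart aborted: the ipset(s) above do not exist" >&2
        return 1
    fi
    /sbin/shorewall restart "$cfg"
}
```

Run it as "missing_ipsets /etc/shorewall/rules /etc/shorewall/tcrules" before calling restart; a non-zero exit with the offending set names on stdout is the warning the post asks for. The check deliberately stops at the comma inside "+[name,flags]" so ipset flags such as ip-port are never mistaken for set names.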