On 12/22/11 3:20 PM, Tom Eastep wrote:
> On 12/22/11 1:04 PM, Tom Eastep wrote:
>> On Thu, 2011-12-22 at 17:36 -0200, fabiano stocco2 wrote:
>>
>>>
>>> I have two internet link. The first has 2Mbit  the other has 4Mbit ,
>>> so I'm riding with a download control which handles input to the
>>> network based on the origin of the WAN links, this just right for min
>>> control the amount of data traveling on each link. The problem that
>>> shorewall can not make this rule below to min:
>>>
>>> # iptables -t mangle -A FORWARD -i eth1 -o ETH3 -p tcp --sport 80 -j
>>> CLASSIFY --set-class 3:21
>>>
>>> The Shorewall is trying to rule as tcpos  and not tcfor as expected,
>>> does not work with it.
>>
>> Shorewall currently doesn't allow CLASSIFY rules to be placed in the
>> FORWARD chain.
>>
> 
> Here's a patch.
> 
>       patch /usr/share/shorewall/Shorewall/Tc.pm < CLASSIFY1.patch
> 
> To specify the FORWARD chain (tcfor), follow the classification with
> ':F'. Example: 3:21:F
> 

With the patch this time.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm
index 430d765..a43d2c4 100644
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -104,6 +104,10 @@ my  %flow_keys = ( 'src'            => 1,
                   'sk-gid'         => 1,
                   'vlan-tag'       => 1 );
 
+my %designator = ( P => 'tcpre' ,
+                  F => 'tcfor' ,
+                  T => 'tcpost' );
+
 my  %tosoptions = ( 'tos-minimize-delay'       => '0x10/0x10' ,
                    'tos-maximize-throughput'  => '0x08/0x08' ,
                    'tos-maximize-reliability' => '0x04/0x04' ,
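Review bot: The new `%designator` hash has no comment and shares its name with the scalar `$designator` that process_tc_rule already uses for the class field, so `$designator{$remainder}` in the next hunk reads as if it indexed that scalar. A distinct name such as `%chain_designator` would remove the ambiguity. A one-line comment would also help, for example `# Optional third field of MARK (mark:class:X) => Shorewall marking chain for the rule`.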
@@ -207,15 +211,20 @@ sub process_tc_rule( ) {
 
     fatal_error "Invalid MARK ($originalmark)" unless supplied $mark;
 
+    my $chain  = $globals{MARKING_CHAIN};
+
     if ( $remainder ) { 
        if ( $originalmark =~ /^\w+\(?.*\)$/ ) {
            $mark = $originalmark; # Most likely, an IPv6 address is included 
in the parameter list
        } else {
-           fatal_error "Invalid MARK ($originalmark)";
+           fatal_error "Invalid MARK ($originalmark)" 
+               unless ( $mark =~ /^([0-9a-fA-F]+)$/ &&
+                        $designator =~ /^([0-9a-fA-F]+)$/ && 
+                        ( $chain = $designator{$remainder} ) );
+           $mark  = join( ':', $mark, $designator );
        }
     }
 
-    my $chain  = $globals{MARKING_CHAIN};
     my $target = 'MARK --set-mark';
     my $tcsref;
     my $connmark = 0;
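Review bot: The chain lookup `( $chain = $designator{$remainder} )` is an assignment hidden inside the `unless` condition, so an unrecognised suffix fails with the same generic "Invalid MARK" as a malformed hex field. The keys are uppercase only, so `3:21:f` is rejected this way without any hint that the chain letter is the problem. Doing the lookup as its own statement makes the side effect visible and gives the user a usable diagnostic, e.g. `$chain = $designator{$remainder} or fatal_error "Invalid chain designator ($remainder) in MARK ($originalmark)";`. process_tc_rule starts and ends outside this hunk, so how `$remainder` is split off is not visible here.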
@@ -259,7 +268,8 @@ sub process_tc_rule( ) {
            require_capability ('CONNMARK' , "CONNMARK Rules", '' ) if 
$connmark;
 
        } else {
-           fatal_error "Invalid MARK ($originalmark)"   unless $mark =~ 
/^([0-9a-fA-F]+)$/ and $designator =~ /^([0-9a-fA-F]+)$/;
+           fatal_error "Invalid MARK ($originalmark)"
+               unless $remainder || ( $mark =~ /^([0-9a-fA-F]+)$/ and 
$designator =~ /^([0-9a-fA-F]+)$/ );
 
            if ( $config{TC_ENABLED} eq 'Internal' || $config{TC_ENABLED} eq 
'Shared' ) {
                $originalmark = join( ':', normalize_hex( $mark ), 
normalize_hex( $designator ) );
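Review bot: The new guard `unless $remainder || ( ... )` skips the hex check whenever a third field is present, but the earlier hunk only validated `$mark` and `$designator` in its `else` branch, not in the branch that takes `$originalmark` verbatim. That earlier hunk has also already rewritten `$mark` to `mark:designator`, so with TC_ENABLED set to Internal or Shared the `normalize_hex( $mark )` call below receives the joined string and `$originalmark` presumably ends up carrying the class component twice. The control flow between the hunks is outside the diff, so this needs confirming against the full function. The last hunk has the related effect that `$mark = $originalmark` is skipped for the designator case, so the rule gets the un-normalized value. Leaving `$mark` unjoined in the earlier hunk and building the rule value here from the separately normalized fields, `$mark = join( ':', normalize_hex( $mark ), normalize_hex( $designator ) );`, would keep validation, normalization and the emitted class id consistent.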
@@ -278,9 +288,12 @@ sub process_tc_rule( ) {
                }
            }
 
-           $chain   = 'tcpost';
+           unless ( $remainder ) {
+               $chain = 'tcpost';
+               $mark  = $originalmark;
+           }
+
            $classid = 1;
-           $mark    = $originalmark;
            $target  = 'CLASSIFY --set-class';
        }
     }