On Mon, Jan 30, 2012 at 12:19 PM, Tom Eastep <[email protected]> wrote:
> On Mon, 2012-01-30 at 11:22 -0600, David Koscinski wrote:
>
> > Do I misunderstand the capabilities of the MARK column in the
> > accounting table? Or have I misconfigured something?
>
> It's not possible to say, given what you have told us.
>
> 1. Which chain(s) are you doing your TC marking in?
> 2. It appears that you are doing your accounting in the filter table, is
> that correct? (Shorewall also allows you to do accounting in the
> mangle).
>
> I suspect that you are marking packets after they have been through
> accounting; that would explain what you are seeing. You may wish to
> refer to the diagram at http://www.shorewall.net/NetfilterOverview.html.
>
> -Tom
> --
> Tom Eastep \ When I die, I want to go like my Grandfather who
> Shoreline, \ died peacefully in his sleep. Not screaming like
> Washington, USA \ all of the passengers in his car
> http://shorewall.net \________________________________________________
>
>
>
>
> ------------------------------------------------------------------------------
> Try before you buy = See our experts in action!
> The most comprehensive online learning library for Microsoft developers
> is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
> Metro Style Apps, more. Free future releases when you subscribe now!
> http://p.sf.net/sfu/learndevnow-dev2
> _______________________________________________
> Shorewall-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>
>
Sorry for the top post last time.
I've been thinking some more about your reply and I've been studying the
netfilter diagram you referenced and the shorewall-accounting documentation.
From that I can definitely say that I am doing accounting in the netfilter
table.
According to the diagram the last chain that /etc/shorewall/accounting
would see is FORWARD. So my tcrules that apply mark 3 cannot be accounted
for because they have not been applied yet.
    3:T 0.0.0.0/0 0.0.0.0/0 udp 1194 # openvpn
So then to mark the openvpn traffic that is generated on the firewall
(since it hosts openvpn) I would need a tcrule like this:
    3 fw 0.0.0.0/0 udp 1194 #openvpn
As I understand it, this would mark in the OUTPUT chain, which is part of
the filter table.
Is that reasoning correct?
Thanks again.
david.
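
An added example, not part of the original thread or of Shorewall itself: a small model of the standard netfilter hook order that checks whether a mark set at one hook is already on the packet when an accounting rule at another hook sees it. The function name and the case list are hypothetical; it is an assumption here that the `:T` tcrule marks in mangle POSTROUTING and that a rule with source fw marks in mangle OUTPUT.

```python
# Standard netfilter traversal order as (table, chain) pairs, limited to the
# raw, mangle, nat and filter tables (the security table is left out).
PATHS = {
    "forwarded": [("raw", "PREROUTING"), ("mangle", "PREROUTING"),
                  ("nat", "PREROUTING"), ("mangle", "FORWARD"),
                  ("filter", "FORWARD"), ("mangle", "POSTROUTING"),
                  ("nat", "POSTROUTING")],
    "local_out": [("raw", "OUTPUT"), ("mangle", "OUTPUT"), ("nat", "OUTPUT"),
                  ("filter", "OUTPUT"), ("mangle", "POSTROUTING"),
                  ("nat", "POSTROUTING")],
    "local_in":  [("raw", "PREROUTING"), ("mangle", "PREROUTING"),
                  ("nat", "PREROUTING"), ("mangle", "INPUT"),
                  ("filter", "INPUT"), ("nat", "INPUT")],
}


def mark_visible(path, mark_at, account_at):
    """Return True if a mark set at mark_at is present at account_at.

    Both arguments are (table, chain) pairs. If either hook is never
    traversed on the given path, the accounting rule cannot match the mark.
    """
    hooks = PATHS[path]
    if mark_at not in hooks or account_at not in hooks:
        return False
    return hooks.index(mark_at) < hooks.index(account_at)


# Constructed cases mirroring the thread: (label, path, mark hook, accounting hook)
CASES = [
    ("3:T rule, accounting in filter FORWARD", "forwarded",
     ("mangle", "POSTROUTING"), ("filter", "FORWARD")),
    ("PREROUTING mark, accounting in filter FORWARD", "forwarded",
     ("mangle", "PREROUTING"), ("filter", "FORWARD")),
    ("fw-sourced rule, accounting in filter OUTPUT", "local_out",
     ("mangle", "OUTPUT"), ("filter", "OUTPUT")),
    ("3:T rule, accounting in filter OUTPUT", "local_out",
     ("mangle", "POSTROUTING"), ("filter", "OUTPUT")),
]

if __name__ == "__main__":
    for label, path, mark_at, account_at in CASES:
        seen = mark_visible(path, mark_at, account_at)
        print(f"{label}: mark {'visible' if seen else 'NOT visible'}")
```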