On Mon, Jan 30, 2012 at 1:34 PM, David Koscinski <[email protected]> wrote:

>
> On Mon, Jan 30, 2012 at 12:19 PM, Tom Eastep <[email protected]> wrote:
>
>> On Mon, 2012-01-30 at 11:22 -0600, David Koscinski wrote:
>>
>> > Do I misunderstand the capabilities of the MARK column in the
>> > accounting table?  Or have I misconfigured something?
>>
>> It's not possible to say, given what you have told us.
>>
>> 1. Which chain(s) are you doing your TC marking in?
>> 2. It appears that you are doing your accounting in the filter table, is
>> that correct? (Shorewall also allows you to do accounting in the
>> mangle).
>>
>> I suspect that you are marking packets after they have been through
>> accounting; that would explain what you are seeing. You may wish to
>> refer to the diagram at http://www.shorewall.net/NetfilterOverview.html.
>>
>> -Tom
>> --
>> Tom Eastep        \ When I die, I want to go like my Grandfather who
>> Shoreline,         \ died peacefully in his sleep. Not screaming like
>> Washington, USA     \ all of the passengers in his car
>> http://shorewall.net \________________________________________________
>>
>>
>>
>>
>> _______________________________________________
>> Shorewall-users mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>>
>>
> Sorry for the top post last time.
>
> I've been thinking some more about your reply and I've been studying the
> netfilter diagram you referenced and the shorewall-accounting documentation.
>
> From that I can definitely say that I am doing accounting in the netfilter
> table.
>
> According to the diagram the last chain that /etc/shorewall/accounting
> would see is FORWARD.  So my tcrules that apply mark 3 cannot be accounted
> for because they have not been applied yet.
>
> 3:T     0.0.0.0/0       0.0.0.0/0       udp     1194   # openvpn
>
> So then to mark the openvpn traffic that is generated on the firewall
> (since it hosts openvpn) I would need a tcrule like this:
> 3     fw     0.0.0.0/0     udp     1194 #openvpn
> As I understand it, this would mark in the OUTPUT chain, which is part of
> the filter table.
>
> Is that reasoning correct?
>
> Thanks again.
>
> david.
>

Well that change did the trick for mark 3.  But it exposed a flaw in my
plans.  Since /etc/accounting is only seeing MARK values prior to
POSTROUTING, then my stats may not reflect the reality of what is going out
eth0 since MARK could change.

So you mentioned that accounting can be done in mangle.  A quick google
search revealed the ACCOUNTING_TABLE=mangle directive.  Looks like I need a
shorewall upgrade to take advantage of that.

Even though I think I've found the answers based on your comments, please
do reply if you can.  I'd like to be sure I am understanding this correctly.

david.
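As an added illustration (not code from this thread or from Shorewall itself), here is a small Python model of the chain traversal order shown on the NetfilterOverview page, used to check which MARK value an accounting rule sees when accounting is placed in the filter table versus the mangle table. The mapping of tcrules MARK suffixes to chains and the assumption that mangle-table accounting in a chain evaluates after that chain's marking rules are assumptions of the model, not documented Shorewall behaviour.

```python
# Model of netfilter hook order for the two packet paths discussed in the
# thread: forwarded traffic and traffic generated on the firewall itself.
# Each entry is (table, chain), in the order a packet reaches them.
FORWARDED = [("mangle", "PREROUTING"), ("nat", "PREROUTING"),
             ("mangle", "FORWARD"), ("filter", "FORWARD"),
             ("mangle", "POSTROUTING"), ("nat", "POSTROUTING")]
LOCAL_OUT = [("mangle", "OUTPUT"), ("nat", "OUTPUT"), ("filter", "OUTPUT"),
             ("mangle", "POSTROUTING"), ("nat", "POSTROUTING")]

# Assumed mapping of a tcrules MARK column suffix to the mangle chain the
# mark is set in (:P PREROUTING, :F FORWARD, :T POSTROUTING). With no suffix
# the model assumes PREROUTING, or OUTPUT when the SOURCE is the firewall (fw).
SUFFIX_CHAIN = {"P": "PREROUTING", "F": "FORWARD", "T": "POSTROUTING"}


def tcrule_chain(mark_field, source):
    """Parse the MARK column of a tcrules line into (mark value, chain)."""
    mark, _, suffix = mark_field.partition(":")
    if suffix:
        return int(mark), SUFFIX_CHAIN[suffix]
    return int(mark), ("OUTPUT" if source == "fw" else "PREROUTING")


def mark_seen_by_accounting(path, tcrules, acct_table, acct_chain):
    """Walk the path, applying each (mark, chain) rule in its mangle chain,
    and return the mark present when the accounting rule's (table, chain)
    is reached, or None if the packet never reaches that chain."""
    mark = 0
    for table, chain in path:
        if table == "mangle":
            for value, rule_chain in tcrules:
                if rule_chain == chain:
                    mark = value
        if (table, chain) == (acct_table, acct_chain):
            return mark
    return None


def thread_scenarios():
    """The cases from the thread; returns a dict of scenario -> observed mark."""
    post = [tcrule_chain("3:T", "0.0.0.0/0")]    # mark 3 set in POSTROUTING
    fw = [tcrule_chain("3", "fw")]               # mark 3 set in OUTPUT (fw)
    remark = [(3, "PREROUTING"), (5, "POSTROUTING")]  # mark rewritten late
    return {
        "3:T, filter FORWARD": mark_seen_by_accounting(FORWARDED, post, "filter", "FORWARD"),
        "3:T, mangle POSTROUTING": mark_seen_by_accounting(FORWARDED, post, "mangle", "POSTROUTING"),
        "fw rule, filter OUTPUT": mark_seen_by_accounting(LOCAL_OUT, fw, "filter", "OUTPUT"),
        "re-marked, filter FORWARD": mark_seen_by_accounting(FORWARDED, remark, "filter", "FORWARD"),
        "re-marked, mangle POSTROUTING": mark_seen_by_accounting(FORWARDED, remark, "mangle", "POSTROUTING"),
    }
```

The first scenario reproduces the original problem (a `:T` mark is invisible to filter-table accounting), and the last pair shows why filter-table counters can disagree with what actually leaves eth0 once a mark is rewritten in POSTROUTING.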
