Tom Eastep wrote: > > Am I right in thinking that this would translate to the following in > > tcclasses ? > > ... > >Yes.
Champion.� >Yes, assuming that you can classify incoming traffic based on packets as >they look on the wire. I'm currently using loads of tc filters like this : run_tc filter add dev ethint parent 100:0 protocol ip prio 1 u32 match ip dst a.b.c.x/32 flowid 100:117 run_tc filter add dev ethext parent 1:0 protocol ip prio 1 u32 match ip src a.b.c.x/32 flowid 1:17 run_tc filter add dev ethint parent 100:0 protocol ip prio 1 u32 match ip dst a.b.c.x/32 match ip dport 25 0xffff flowid 100:118 run_tc filter add dev ethext parent 1:0 protocol ip prio 1 u32 match ip src a.b.c.x/32 match ip dport 25 0xffff flowid 1:18 It's not too bad where there's a separate bandwidth allocation for a single customer or device, but in some cases there are multiple customers/devices sharing one allocation - so it's gets somewhat repetitive and I suspect inefficient. I still haven't fully got my head around http://shorewall.net/traffic_shaping.htm�, but as I read it, I should be able to do something like this : #MARK SOURCE DESTINATION PROTOCOL PORT(S) CLIENT USER/ TEST # PORT(S) GROUP # If the connection already has a mark, use it and skip the rest of the rules RESTORE 0.0.0.0/0 0.0.0.0/0 all - - - 0 CONTINUE 0.0.0.0/0 0.0.0.0/0 all - - - !0 # Customer/group A 12 a.b.c.x/32 0.0.0.0/0 all - - - !0 12 a.b.c.y/32 0.0.0.0/0 all - - - !0 12 a.b.c.z/32 0.0.0.0/0 all - - - !0 11 0.0.0.0/0 0.0.0.0/0 icmp echo-request - - 12 11 0.0.0.0/0 0.0.0.0/0 icmp echo-reply - - 12 13 0.0.0.0/0 0.0.0.0/0 tcp 110 - - 12 13 0.0.0.0/0 0.0.0.0/0 tcp - 110 - 12 13 0.0.0.0/0 0.0.0.0/0 tcp 143 - - 12 13 0.0.0.0/0 0.0.0.0/0 tcp - 143 - 12 14 0.0.0.0/0 0.0.0.0/0 tcp 25 - - 12 14 0.0.0.0/0 0.0.0.0/0 tcp - 25 - 12 # Repeat above for each group of hosts ... # Assuming we've marked the packet, now save the mark to the connection SAVE 0.0.0.0/0 0.0.0.0/0 all - - - !0 One aspect I'm unclear about ... From the above page, I see these two bits of information : >classify >If specified, classification of traffic into the various classes is >done by CLASSIFY entries in /etc/shorewall/tcrules or by entries in >/etc/shorewall/tcfilters. No MARK value will be associated with >classes on this interface. >IFB devices automatically get the classify option. �So as I read that, because I'm using an IFB device, I can't use the packet marks as above. So would this work to then 'convert' marks to flows : 1:11 0.0.0.0/0 0.0.0.0/0 all - - - 11 CONTINUE 0.0.0.0/0 0.0.0.0/0 all - - - 11 1:12 0.0.0.0/0 0.0.0.0/0 all - - - 12 CONTINUE 0.0.0.0/0 0.0.0.0/0 all - - - 12 1:13 0.0.0.0/0 0.0.0.0/0 all - - - 13 CONTINUE 0.0.0.0/0 0.0.0.0/0 all - - - 13 1:14 0.0.0.0/0 0.0.0.0/0 all - - - 14 CONTINUE 0.0.0.0/0 0.0.0.0/0 all - - - 14 Or is there a more efficient way of doing things ? NB - I'm hoping to script at least part of this - at least tcclasses, and possibly the host matching rules of tcrules. This is because I have three systems to keep in sync : two routers (active and standby), both firewall rules and data collection scripts data collection and graphing (rrd) on third machine The idea is to have a text file with a list of class groups with their traffic rates, and a list of hosts and the class group they should be in. Then a script can build part of the config for both routers and the graphing from these lists. PS - while I'm struggling to get my head round the user end of this, I am in awe that you can keep track of how this works behind the scenes ! -- Simon Hobson Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed author Gladys Hobson. Novels - poetry - short stories - ideal as Christmas stocking fillers. Some available as e-books. ------------------------------------------------------------------------------ Everyone hates slow websites. So do we. Make your web apps faster with AppDynamics Download AppDynamics Lite for free today: http://p.sf.net/sfu/appdyn_sfd2d_oct _______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
