On 11/06/2012 05:30 AM, Simon Hobson wrote:
> Tom Eastep wrote:
>
>>> In particular, I'm thinking about the case where I might have <some
>>> number> of IP addresses to include in one set of classes - so
>>> potentially duplicating "address <something> and port <something>"
>>> rules many times in tcfilters. The particular group that's in mind at
>>> the moment is about 16 discrete IPs (not a simple address/mask set).
>>
>> With your tcrules approach, you only have to evaluate the long list of
>> tcrules once for any given connections (because you are using
>> SAVE/RESTORE). With tcfilters, you have to evaluate them on every
>> packet. So the tcrules approach is definitely a win from a CPU
>> utilization perspective.
>
> So I decided on the TC rules option in the end, and hit a few
> "gotchas" along the way - at least one of which was of my own making!
>
> The first was a simple typo:
>
> 12 192.168.2.123/32 0.0.0.0/0 all - - - !0
>
> doesn't match packets with a mark value of zero. Doh.
>
> Then, next issue I found was that my classifier rules weren't working
> - because it seems that mark values don't get preserved between tcpre
> and tcpost. In hindsight, and once I'd realised that, it makes sense
> - the packet will have been through the routing process, so it's no
> longer the same packet, and hence will have lost its packet mark in
> the process.

Actually, that is the result of setting FORWARD_CLEAR_MARK=Yes in shorewall.conf. If you set FORWARD_CLEAR_MARK=No, then the packet marks established in tcpre are preserved.

> Putting the restore on the start of the post-routing chain restores
> the connection mark I've saved earlier, and it works just fine.

And is efficient.

> Of course, I'd also forgotten that I need rules to classify both the
> inbound and outbound traffic - hence two classify rules per mark
> value. I noticed that Shorewall automatically substitutes the
> destination interface if the destination is 0.0.0.0/0 which saves a
> little more effort.
>
> So now to duplicate the existing rules, and find a quiet time to test
> it in the live network.
>
> I do have one further question though, about the mark column in tcclasses.
> The manpage says "Must be specified as '-' if the classify option is
> given for the interface".
>
> If I put a number in that column, then I get "WARNING: Class NUMBER
> ignored -- INTERFACE ethint does not have the 'classify' option
> /etc/shorewall/tcclasses".
>
> I was looking to see just what Shorewall does with it - i.e. if it
> would automate the latter part of my tcrules.

That warning is bogus; a filter is still generated that classifies packets using the packet mark. I'll remove the warning in 4.5.9.1.

-Tom

-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
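An added illustration of the configuration the thread converges on (not text from either poster, and not taken from Shorewall's own documentation): the tcpre RESTORE/CONTINUE/mark/SAVE pattern with the TEST column written correctly, the FORWARD_CLEAR_MARK setting Tom names, and the POSTROUTING restore Simon describes. Column layout follows Shorewall 4.5 tcrules(5); the host addresses, mark numbers and the ":T" chain designator on RESTORE are my assumptions, so check them against your version's manpage.

```text
# /etc/shorewall/shorewall.conf (excerpt)
# With FORWARD_CLEAR_MARK=Yes the packet mark set in tcpre is cleared when the
# packet enters FORWARD, which is why marks seem to "vanish" before tcpost.
FORWARD_CLEAR_MARK=No

# /etc/shorewall/tcrules
# Marks 12/13 and the 192.168.2.x hosts below are constructed sample values.
#MARK/CLASSIFY  SOURCE            DEST              PROTO  DPORT  SPORT  USER  TEST
#
# PREROUTING (tcpre): restore the connection mark; if the connection was already
# classified, skip the long host list, so it is evaluated once per connection.
RESTORE         0.0.0.0/0         0.0.0.0/0         all    -      -      -     0
CONTINUE        0.0.0.0/0         0.0.0.0/0         all    -      -      -     !0
#
# TEST "0" means "only packets whose mark is still zero". The thread's typo
# was "!0" here, which only matches packets that already carry a non-zero
# mark, so a fresh connection never got marked at all.
# Two rules per mark: one for connections the host opens, one for connections
# opened towards it. Replies are covered by the RESTORE above.
12              192.168.2.123/32  0.0.0.0/0         all    -      -      -     0
12              0.0.0.0/0         192.168.2.123/32  all    -      -      -     0
13              192.168.2.124/32  0.0.0.0/0         all    -      -      -     0
13              0.0.0.0/0         192.168.2.124/32  all    -      -      -     0
#
# Persist the decision into the connection mark.
SAVE            0.0.0.0/0         0.0.0.0/0         all    -      -      -     !0
#
# POSTROUTING (tcpost): the packet has been routed since tcpre, so re-derive the
# packet mark from the connection mark before the tcclasses filters see it.
# With FORWARD_CLEAR_MARK=No this is belt-and-braces; with =Yes it is required.
# (":T" selects the POSTROUTING chain - assumed from tcrules(5), verify locally.)
RESTORE:T       0.0.0.0/0         0.0.0.0/0         all    -      -      -     0
```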
