On 5/24/2014 11:18 AM, Lee Brown wrote: > On Fri, May 23, 2014 at 9:19 AM, Tom Eastep <[email protected]> wrote: >> On 5/22/2014 7:35 PM, Lee Brown wrote: >>> Hi list, >>> >>> I recently installed shorewall 4.5.21.9 on Centos6.5 (2.6.32) on metal >>> and another install of 4.6.0 on Slackware 14.1 (3.10.17) in a KVM under >>> it. I notice that on both these systems shorewall show filters iterates >>> the devices but provides no output. I believe the 'tc' tool may have >>> changed behaviour. >>> >>> I can see tc filters being added via 'tc monitor', but a 'tc show >>> filters dev eth0' produces no output. 'tc show filters dev eth0 root' >>> provides some output and if you know all the parent id's, 'tc show >>> filters dev eth0 parent xxx:' gets output. >>> >>> From the slack KVM, I've included a tar of the /etc/shorewall directory, >>> which includes a file called dump.txt which is the output from shorewall >>> dump, plus a file called console to illustrate the problem. It's very >>> small. >>> >>> I used no filters on my previous systems which were Centos5.9 (2.6.18), >>> so I've no basis for when this may have been introduced. >> >> It looks to me as though 'tc filter ls' is broken. The manpage only >> shows 'tc filter show' as a valid command (where 'ls' is a synonym for >> 'show'). 'tc filter show [ parent ] root' works as you have observed, >> but 'tc filter show parent 1' does not, even though there are filters >> defined for qdisc 1. Similarly 'tc filter show parent ffff' doesn't >> work, even though 'ffff' is equivalent to 'root'. >> >> Attached is a hack that improves the output of 'shorewall show filters', >> but it's only a band-aid. > > Thanks Tom, > > I found this, right after the statement starting qt, line 256 or so > gets non-root filters for my particular example, but it feels pretty > distasteful. The awk code can be improved not to assume field 7, but > this is a hack anyway...maybe introduces awk as a dependency as well? > > tc class show dev $device | awk '{print "echo && echo Node ",$7," && > tc -s filter show dev '$device' parent ",$7}'|sh
That works for Simple TC but fails miserably with complex TC.
The following disgusting hack seems to work for both:
if [ -n "$qdisc" ]; then
echo Device $device:
qt tc -s filter ls root dev $device && tc -s filter ls root dev
$device | grep -v '^$'
tc filter show dev $device
tc class show dev $device | fgrep 'leaf ' | fgrep -v ' hfsc' | sed
's/^.*leaf //;s/ .*//' | while read class; do
if [ -n "$class" ]; then
echo
echo Node $class
tc filter show dev $device parent $class
fi
done
echo
fi
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
signature.asc
Description: OpenPGP digital signature
------------------------------------------------------------------------------ "Accelerate Dev Cycles with Automated Cross-Browser Testing - For FREE Instantly run your Selenium tests across 300+ browser/OS combos. Get unparalleled scalability from the best Selenium testing platform available Simple to use. Nothing to install. Get started now for free." http://p.sf.net/sfu/SauceLabs
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
