Hello.  I have been experimenting with complex traffic shaping and ifb
devices following Tom's example at the bottom of
http://shorewall.net/traffic_shaping.htm#IFB.  From a purely IPv4
perspective it is working well.  It gets a little more complicated when
I consider IPv6 traffic which is routed out a 6in4 tunnel.  Right now, I
treat the tunnel as a separate external interface with its own bandwidth
limit, and I also use a second ifb interface to police the incoming
traffic.  Internally I have 4 separate LAN segments that have unique
traffic limitations.  I would like segment A to have at most 60% of the
bandwidth whether it is IPv4 or IPv6, but because my firewall has
separate interfaces for IPv4 and IPv6, I don't think it can be done.
Now, I have found the following directions for using u32 filters to peer
inside a protocol 41 packet to determine the IPv6 addressing (from
http://lartc.org/howto/lartc.adv-filter.ipv6.html):

The following filter matches on the destination address
3ffe:202c:ffff:32:230:4fff:fe08:358d:

# Offsets are counted from the start of the outer IPv4 header: the
# 'match u8 0x05 0x0f at 0' test requires IHL == 5 (20-byte header, no
# options), so the inner IPv6 destination address starts at 20 + 24 = 44.
# tc filter add dev $DEV parent 10:0 protocol ip prio 10 u32 \
            match ip protocol 41 0xff \
            match u8 0x05 0x0f at 0 \
            match u8 0x3f 0xff at 44 \
            match u8 0xfe 0xff at 45 \
            match u8 0x20 0xff at 46 \
            match u8 0x2c 0xff at 47 \
            match u8 0xff 0xff at 48 \
            match u8 0xff 0xff at 49 \
            match u8 0x00 0xff at 50 \
            match u8 0x32 0xff at 51 \
            match u8 0x02 0xff at 52 \
            match u8 0x30 0xff at 53 \
            match u8 0x4f 0xff at 54 \
            match u8 0xff 0xff at 55 \
            match u8 0xfe 0xff at 56 \
            match u8 0x08 0xff at 57 \
            match u8 0x35 0xff at 58 \
            match u8 0x8d 0xff at 59

If I could use this technique with Shorewall, then I wouldn't have to
have separate interfaces and rules for IPv6 (from a traffic shaping
perspective).  Is there a way to input this into tcfilters, or run
additional tc commands after Shorewall has loaded?

-- 
Jeremy Baker <[email protected]>
GnuPGP fingerprint =
EE66 AC49 E008 E09A 7A2A  0195 50EF 580B EDBB 95B6
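The hand-written u8 list above is easy to get wrong, so here is an added helper (not from the post, LARTC or Shorewall) that derives the equivalent word-aligned u32 matches for any inner IPv6 source or destination prefix inside a 6in4 packet, using the same 20-byte outer header assumption the IHL check enforces. The parent, prio and flowid values are placeholders to be replaced with the classes of the actual tc hierarchy.

```python
import ipaddress

# Offsets of the inner IPv6 address fields, counted from the start of the
# outer IPv4 header. They assume a 20-byte IPv4 header (IHL == 5), which the
# 'match u8 0x05 0x0f at 0' clause enforces; the IPv6 header then starts at
# byte 20, with its source address at +8 and its destination at +24.
IPV4_HDR_LEN = 20
ADDR_OFFSET = {"src": IPV4_HDR_LEN + 8, "dst": IPV4_HDR_LEN + 24}


def u32_matches(prefix, direction="dst"):
    """Return 'match u32 VALUE MASK at OFFSET' clauses selecting 6in4 packets
    whose inner IPv6 src/dst address lies in *prefix*. One clause per 32-bit
    word of the address; words the prefix mask does not cover are omitted,
    and every offset is 4-byte aligned as tc requires for u32 matches."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    addr, mask = int(net.network_address), int(net.netmask)
    base = ADDR_OFFSET[direction]
    clauses = []
    for word in range(4):
        shift = 32 * (3 - word)
        wmask = (mask >> shift) & 0xFFFFFFFF
        if wmask == 0:
            continue  # prefix does not reach into this word
        wval = (addr >> shift) & wmask
        clauses.append("match u32 0x%08x 0x%08x at %d"
                       % (wval, wmask, base + 4 * word))
    return clauses


def tc_filter_cmd(dev, prefix, direction="dst",
                  parent="10:0", prio=10, flowid="10:1"):
    """Assemble a full tc command in the shape of the LARTC example. The
    parent/prio/flowid defaults are placeholders, not values from the post."""
    parts = ["tc filter add dev %s parent %s protocol ip prio %d u32"
             % (dev, parent, prio),
             "match ip protocol 41 0xff",   # outer IPv4 payload is IPv6 (6in4)
             "match u8 0x05 0x0f at 0"]     # IHL == 5, so the offsets hold
    parts += u32_matches(prefix, direction)
    parts.append("flowid %s" % flowid)
    return " \\\n    ".join(parts)


if __name__ == "__main__":
    print(tc_filter_cmd("eth0", "3ffe:202c:ffff:32:230:4fff:fe08:358d/128"))
```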


_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users