On 24 May 2016 at 11:36, Jeremy Baker wrote:

> Hello.  I have been experimenting with complex traffic shaping and ifb
> devices following Tom's example at the bottom of
> http://shorewall.net/traffic_shaping.htm#IFB  From a purely IPv4
> perspective it is working well.  It gets a little more complicated when
> I consider IPv6 traffic which is routed out a 6in4 tunnel.  Right now, I
> treat the tunnel as a separate external interface with its own bandwidth
> limit, and I also use a second ifb interface to police the incoming
> traffic.  Internally I have 4 separate LAN segments that have unique
> traffic limitations.  I would like segment A to have at most 60% of the
> bandwidth whether or not it is IPv4 or IPv6, but because my firewall has
> separate interfaces for IPv4 and IPv6, I don't think it can be done.
> Now, I have found the following directions for using u32 filters to peer
> inside a protocol 41 packet to determine the ipv6 addressing: (from
> http://lartc.org/howto/lartc.adv-filter.ipv6.html)
> 
> The following filter matches on the destination address
> 3ffe:202c:ffff:32:230:4fff:fe08:358d:
> 
> # tc filter add dev $DEV parent 10:0 protocol ip prio 10 u32 \
>             match ip protocol 41 0xff \
>             match u8 0x05 0x0f at 0 \
>             match u8 0x3f 0xff at 44 \
>             match u8 0xfe 0xff at 45 \
>             match u8 0x20 0xff at 46 \
>             match u8 0x2c 0xff at 47 \
>             match u8 0xff 0xff at 48 \
>             match u8 0xff 0xff at 49 \
>             match u8 0x00 0xff at 50 \
>             match u8 0x32 0xff at 51 \
>             match u8 0x02 0xff at 52 \
>             match u8 0x30 0xff at 53 \
>             match u8 0x4f 0xff at 54 \
>             match u8 0xff 0xff at 55 \
>             match u8 0xfe 0xff at 56 \
>             match u8 0x08 0xff at 57 \
>             match u8 0x35 0xff at 58 \
>             match u8 0x8d 0xff at 59 \
> 
> If I could use this technique with Shorewall, then I wouldn't have to
> have separate interfaces and rules for IPv6 (from a traffic shaping
> perspective).  Is there a way to input this into tcfilters, or run
> additional tc commands after Shorewall has loaded?
> 

Can't you use one of those:
http://shorewall.net/shorewall_extension_scripts.htm

-Matt
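
Added example (not part of the thread and not Shorewall or LARTC code): a generator for the u32 clauses quoted above, which goes beyond the single host address by matching any IPv6 prefix with 32-bit words and masks, so one filter can cover a whole LAN segment as inner source or destination. The function names, `flowid 10:1` and the `2001:db8:0:a::/64` prefix are assumptions made for illustration.

```python
#!/usr/bin/env python3
"""Build tc u32 clauses that match an IPv6 prefix inside a 6in4 (protocol 41) packet."""
import ipaddress

IPV4_HDR_LEN = 20                      # fixed because the filter also requires IHL == 5
IPV6_ADDR_OFF = {"src": 8, "dst": 24}  # address offsets inside the IPv6 header


def u32_matches_6in4(prefix, direction="dst"):
    """Return u32 match clauses for `prefix` as inner source or destination."""
    net = ipaddress.IPv6Network(prefix, strict=True)  # ValueError if host bits are set
    base = IPV4_HDR_LEN + IPV6_ADDR_OFF[direction]    # 28 for src, 44 for dst
    addr, mask = net.network_address.packed, net.netmask.packed
    clauses = [
        "match ip protocol 41 0xff",   # outer IPv4 packet carries 6in4
        "match u8 0x05 0x0f at 0",     # no IPv4 options, so the offsets below hold
    ]
    for i in range(0, 16, 4):          # one 32-bit word per clause
        word_mask = mask[i:i + 4]
        if not any(word_mask):         # remaining words lie outside the prefix
            break
        clauses.append(
            f"match u32 0x{addr[i:i + 4].hex()} 0x{word_mask.hex()} at {base + i}"
        )
    return clauses


def tc_filter_cmd(dev, parent, flowid, prefix, direction="dst", prio=10):
    """Assemble the full `tc filter add` command line as one string."""
    head = f"tc filter add dev {dev} parent {parent} protocol ip prio {prio} u32"
    parts = [head, *u32_matches_6in4(prefix, direction), f"flowid {flowid}"]
    return " \\\n    ".join(parts)


if __name__ == "__main__":
    # Host address from the quoted LARTC example; flowid 10:1 is a placeholder.
    print(tc_filter_cmd("$DEV", "10:0", "10:1",
                        "3ffe:202c:ffff:32:230:4fff:fe08:358d"))
    # Constructed /64 for one LAN segment, matched as the inner source address.
    print(tc_filter_cmd("$DEV", "10:0", "10:1", "2001:db8:0:a::/64", "src"))
```

The four words generated for the host address cover the same bytes as the sixteen `match u8` lines at offsets 44 to 59 in the quoted filter.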

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
