On 5/24/2016 8:36 AM, Jeremy Baker wrote:
> Hello. I have been experimenting with complex traffic shaping and ifb
> devices following Tom's example at the bottom of
> http://shorewall.net/traffic_shaping.htm#IFB From a purely IPv4
> perspective it is working well. It gets a little more complicated when
> I consider IPv6 traffic which is routed out a 6in4 tunnel. Right now, I
> treat the tunnel as a separate external interface with its own bandwidth
> limit, and I also use a second ifb interface to police the incoming
> traffic. Internally I have 4 separate lan segments that have unique
> traffic limitations. I would like segment A to have at most 60% of the
> bandwidth whether or not it is ipv4 or ipv6, but because my firewall has
> separate interfaces for ipv4 and ipv6, I don't think it can be done.
> Now, I have found the following directions for using u32 filters to peer
> inside a protocol 41 packet to determine the ipv6 addressing: (from
> http://lartc.org/howto/lartc.adv-filter.ipv6.html)
>
> The following filter matches on the destination address
> 3ffe:202c:ffff:32:230:4fff:fe08:358d:
>
> # tc filter add dev $DEV parent 10:0 protocol ip prio 10 u32 \
>     match ip protocol 41 0xff \
>     match u8 0x05 0x0f at 0 \
>     match u8 0x3f 0xff at 44 \
>     match u8 0xfe 0xff at 45 \
>     match u8 0x20 0xff at 46 \
>     match u8 0x2c 0xff at 47 \
>     match u8 0xff 0xff at 48 \
>     match u8 0xff 0xff at 49 \
>     match u8 0x00 0xff at 50 \
>     match u8 0x32 0xff at 51 \
>     match u8 0x02 0xff at 52 \
>     match u8 0x30 0xff at 53 \
>     match u8 0x4f 0xff at 54 \
>     match u8 0xff 0xff at 55 \
>     match u8 0xfe 0xff at 56 \
>     match u8 0x08 0xff at 57 \
>     match u8 0x35 0xff at 58 \
>     match u8 0x8d 0xff at 59 \
>
> If I could use this technique with shorewall, then I wouldn't have to
> have separate interfaces and rules for ipv6 (from a traffic shaping
> perspective). Is there a way to input this into tcfilters, or run
> additional tc commands after shorewall has loaded?
>

If you are running Shorewall 4.4.15 or later, the tcfilters file can
have both IPv4 and IPv6 sections. And using TC_ENABLED=Shared allows you
to have a single configuration that handles both IPv4 and IPv6.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
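
Added example, not part of the original messages and not Shorewall or LARTC code: a small generator for the u32 match clauses quoted above, extended beyond the single destination address to IPv6 prefixes and to the source field. The device name and class id in the sample command are constructed placeholders, and the byte offsets assume a 20-byte outer IPv4 header, which the `0x05 0x0f at 0` clause enforces.

```python
import ipaddress

IPV4_HDR_LEN = 20   # outer header without options (IHL == 5)
IPV6_SRC_OFF = 8    # source address offset inside the IPv6 header
IPV6_DST_OFF = 24   # destination address offset inside the IPv6 header


def u32_matches_6in4(prefix, field="dst"):
    """Return the u32 match clauses for an IPv6 prefix carried in 6in4."""
    if field not in ("src", "dst"):
        raise ValueError("field must be 'src' or 'dst'")
    # strict=True rejects prefixes with host bits set, so a typo cannot
    # silently widen or shift the match.
    net = ipaddress.IPv6Network(prefix, strict=True)
    base = IPV4_HDR_LEN + (IPV6_DST_OFF if field == "dst" else IPV6_SRC_OFF)
    addr = net.network_address.packed
    mask = net.netmask.packed
    clauses = [
        "match ip protocol 41 0xff",   # outer packet carries IPv6 (6in4)
        "match u8 0x05 0x0f at 0",     # no IPv4 options, so offsets hold
    ]
    for i in range(16):
        if mask[i] == 0:               # bytes past the prefix need no match
            break
        clauses.append("match u8 0x%02x 0x%02x at %d"
                       % (addr[i], mask[i], base + i))
    return clauses


def tc_filter_command(dev, parent, prio, prefix, flowid, field="dst"):
    """Assemble a full 'tc filter add' command line with continuations."""
    head = ("tc filter add dev %s parent %s protocol ip prio %d u32"
            % (dev, parent, prio))
    lines = [head] + u32_matches_6in4(prefix, field) + ["flowid " + flowid]
    return " \\\n    ".join(lines)


if __name__ == "__main__":
    # Constructed sample: eth0 and class 10:13 are placeholders.
    print(tc_filter_command("eth0", "10:0", 10,
                            "3ffe:202c:ffff:32:230:4fff:fe08:358d/128",
                            "10:13"))
```

For a /128 destination the output reproduces the sixteen byte matches at offsets 44 to 59 from the quoted filter; a shorter prefix yields fewer clauses, with a partial mask on the last byte.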
