Hi there.  I'm using Bering-uClibc 2.4.1 from CD with configs saved to
floppy and have run into a bit of a snag.

I want to traffic shape p2p properly and have tried a couple of
different things, to no avail.  I do have basic traffic shaping
working.  I started out with the recipe given in the Shorewall
documentation editing /etc/shorewall/tcrules to mark all ipp2p traffic
with 50

RESTORE  0.0.0.0/0       0.0.0.0/0      all     -       -       -       0
CONTINUE 0.0.0.0/0       0.0.0.0/0      all     -       -       -       !0
50       0.0.0.0/0       0.0.0.0/0      ipp2p:all
SAVE     0.0.0.0/0       0.0.0.0/0      all     -       -       -       !0

but I get this error when I restart Shorewall.

iptables: Unknown error -1
   ERROR: Command "/sbin/iptables -t mangle -A tcpre -s 0.0.0.0/0 -m
mark --mark 0/255 -d 0.0.0.0/0 -j CONNMARK --restore-mark --mask 255"
Failed

I suspect the problem is due to Shorewall not recognizing that
connmark is available; when I start up Shorewall I get the output:

Shorewall has detected the following iptables/netfilter capabilities:
   NAT: Available
   Packet Mangling: Available
   Multi-port Match: Available
   Extended Multi-port Match: Not available
   Connection Tracking Match: Not available
   Packet Type Match: Available
   Policy Match: Not available
   Physdev Match: Not available
   IP range Match: Not available
   Recent Match: Not available
   Owner Match: Not available
   Ipset Match: Not available
   CONNMARK Target: Not available
   Connmark Match: Not available
   Raw Table: Not available
   CLASSIFY Target: Not available

Weirdly lsmod indicates that the appropriate modules are loaded:

Module                  Size  Used by    Not tainted
tun                     2944   3
sch_teql                3020   0 (unused)
sch_tbf                 2208   0 (unused)
sch_sfq                 2752   5
sch_red                 2008   0 (unused)
sch_prio                1824   0 (unused)
sch_netem               2636   0 (unused)
sch_ingress             1152   1
sch_htb                17344   1
sch_hfsc               12000   0 (unused)
sch_gred                4096   0 (unused)
sch_dsmark              3256   0 (unused)
sch_csz                 3180   0 (unused)
sch_cbq                10456   0 (unused)
cls_u32                 3896   2
cls_tcindex             3548   0 (unused)
cls_rsvp6               3672   0 (unused)
cls_rsvp                3512   0 (unused)
cls_route               3356   0 (unused)
cls_fw                  1972   1
tulip                  36108   2
sis900                 10880   1
crc32                   2620   0 [tulip sis900]
softdog                 1360   1
ipt_ipp2p               5624   0
ipt_state                272  23
ipt_helper               400   0 (unused)
ipt_conntrack            692   0
ipt_REDIRECT             480   0 (unused)
ipt_MASQUERADE          1024   1
ip_nat_irc              1704   0 (unused)
ip_nat_ftp              2152   0 (unused)
iptable_nat            14452   3 [ipt_REDIRECT ipt_MASQUERADE
ip_nat_irc ip_nat_ftp]
ip_conntrack_irc        2484   1
ip_conntrack_ftp        3132   1
ip_conntrack           16516   2 [ipt_state ipt_helper ipt_conntrack
ipt_REDIRECT ipt_MASQUERADE ip_nat_irc ip_nat_ftp iptable_nat
ip_conntrack_irc ip_conntrack_ftp]
vfat                    8492   0 (unused)
isofs                  15700   0
ide-detect               132   0 (unused)
ide-cd                 26748   0
ide-disk               11308   0
ide-core               80476   0 [ide-detect ide-cd ide-disk]
cdrom                  25344   0 [ide-cd]

So, I'm a bit baffled.  I also tried taking my rules in
/etc/shorewall/tcrules that read

50:F    0.0.0.0/0       0.0.0.0/0       tcp     11111
50:F    0.0.0.0/0       0.0.0.0/0       tcp     -       11111

and changing them to

50:CF    0.0.0.0/0       0.0.0.0/0       tcp     11111
50:CF    0.0.0.0/0       0.0.0.0/0       tcp     -       11111

Shorewall fails to restart and gives the error:

iptables: Unknown error -1
   ERROR: Command "/sbin/iptables -t mangle -A tcfor -s 0.0.0.0/0 -d
0.0.0.0/0 -p tcp --dport 11111 -j CONNMARK --set-mark 50" Failed

The only other thing I could think of was that maybe there is a
sequence that needs to be followed in the package loading, so in
LEAF.CFG I changed

LRP="root config etc local modules iptables shorwall ulogd dnsmasq
dropbear mhttpd webconf libm tc openvpnz liblzo libssl libcrpto
ntpsimpl"

to

LRP="root config etc local modules libm tc iptables shorwall ulogd
dnsmasq dropbear mhttpd webconf openvpnz liblzo libssl libcrpto
ntpsimpl"

but that had no effect.

So, I guess I'm asking LEAF users because I figure *someone* out there
must be doing traffic shaping using persistent marking of
connections... or even better, is using the ipp2p stuff with success.
It strikes me as weird (and an indication of a problem that has
nothing to do with Shorewall) that the modules are being loaded and
yet the iptables commands fail.

I've read documentation until my eyes are about to fall out... and
done quite a few Internet searches, all to no avail.  Help gratefully
received!  (I'm in digest mode, so please reply to me and to the list,
so I see your reply soonest.  Thanks!)

-- Bob
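An offline check for the mismatch described above (modules apparently loaded, yet the CONNMARK commands fail), added here as an example; it is not from the post or from the Shorewall/LEAF projects. It compares the netfilter module names that CONNMARK-based tcrules need against an lsmod listing, and the matching iptables userspace extensions against an extension directory, assumed to be /usr/lib/iptables unless IPT_LIBDIR is set.

```shell
#!/bin/sh
# Added diagnostic, not part of the original post or of Shorewall/LEAF.
# Checks two things that tcrules SAVE/RESTORE and the :C modifier depend on:
#   1. the kernel modules are actually loaded (first column of lsmod)
#   2. iptables can find the matching userspace extension (libipt_*.so);
#      a loaded kernel module is useless if that library is absent.
# Module and library names are the standard 2.4-era netfilter names;
# the extension directory is an assumption (override with IPT_LIBDIR).

# CONNMARK target (SAVE/RESTORE/:C), connmark match, and the ipp2p match
# used in the tcrules example.
NEEDED_MODULES="ipt_CONNMARK ipt_connmark ipt_ipp2p"

# Print the needed modules absent from the given lsmod output file.
# Returns 0 only when every module is present.
missing_modules() {
    lsmod_file=$1
    missing=""
    for m in $NEEDED_MODULES; do
        # exact match on the module-name column, case-sensitive
        if ! awk -v want="$m" '$1 == want { found=1 } END { exit !found }' "$lsmod_file"; then
            missing="$missing $m"
        fi
    done
    echo "${missing# }"
    [ -z "$missing" ]
}

# Print the userspace extensions absent from the given directory.
# Returns 0 only when every library is present.
missing_extensions() {
    libdir=$1
    missing=""
    for m in $NEEDED_MODULES; do
        [ -f "$libdir/lib$m.so" ] || missing="$missing lib$m.so"
    done
    echo "${missing# }"
    [ -z "$missing" ]
}

# Stand-alone use on the router itself: sh check.sh --live
if [ "${1:-}" = "--live" ]; then
    tmp=$(mktemp) && lsmod > "$tmp"
    echo "missing kernel modules: $(missing_modules "$tmp")"
    echo "missing iptables extensions: $(missing_extensions "${IPT_LIBDIR:-/usr/lib/iptables}")"
    rm -f "$tmp"
fi
```

Fed the lsmod listing quoted in the post, it reports ipt_CONNMARK and ipt_connmark as absent, which agrees with the "CONNMARK Target: Not available" line in Shorewall's capability report.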


------------------------------------------------------------------------
leaf-user mailing list: leaf-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/leaf-user
Support Request -- http://leaf-project.org/