On 5/11/06, Tom Eastep <[EMAIL PROTECTED]> wrote:
> Bob Ramstad wrote:
> > On 5/11/06, Tom Eastep <[EMAIL PROTECTED]> wrote:
>
> >>Now load the ipt_CLASSIFY module....
> >>
> > Bering doesn't seem to have an ipt_CLASSIFY module.
>
> Then you will have to use firewall mark classifiers rather than the
> CLASSIFY target directly.
>
> As described in the Shorewall web-site documentation of the
> MARK/CLASSIFY column, when you enter <number>:<number>, you are
> specifying a class directly (first number is the entry number in
> /etc/shorewall/tcdevices, and the second number is 100+<mark value>). So
> rather than do that, you simply need to specify the appropriate mark
> value in this column.
>
> Hope this helps,
>
> -Tom

I think I'm going in circles, but still somehow making slight progress.

The class I want to use is class 50.  I only have one device.

So from my end, this looks like it should be fine, as I don't need the
1: cruft at all.

RESTORE:F   -           -               tcp
CONTINUE:F  -           -               tcp     -       -       -       !0
1:F         -           -               ipp2p   ipp2p
SAVE:F      -           -               tcp     -       -       -       1
50          -           eth0            -       -       -       -       1
50          -           eth1            -       -       -       -       1

Now, I restart, and get this error:

ERROR: Destination interface is not allowed in the PREROUTING chain

So then, I change this around to use F instead:

RESTORE:F   -           -               tcp
CONTINUE:F  -           -               tcp     -       -       -       !0
1:F         -           -               ipp2p   ipp2p
SAVE:F      -           -               tcp     -       -       -       1
50:F          -           eth0            -       -       -       -       1
50:F          -           eth1            -       -       -       -       1

and this now loads and runs, but I don't get anything classified as
150 when I look at the queues.  (Well, very very little, apparently
just the initial connections or similar.)

Am I supposed to be assigning it to 150 here?  That makes very little
sense to me given that earlier I'm using rules like:

10:F    -               10.11.1.0/24    tcp     http

and by 10 here I mean 10.

I've got this uncanny feeling that :F on these two rules is a bad
thing -- that they are supposed to be tagged prerouting, given how the
example carefully shows four rules with :F on them and two without...
but of course I can't use eth0 and eth1 in a prerouting rule.

-- Bob
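As an added illustration (not code from the thread or from the Shorewall project), the small checker below applies the two points Tom's reply makes to the rows Bob posted: a bare mark value in the MARK column selects class <device>:<100+mark>, and an interface in DEST cannot be compiled into PREROUTING, so the row needs the :F (FORWARD) form. The column order, the single tcdevices entry (device 1), and the placement of the <major>:<minor> CLASSIFY form in POSTROUTING are assumptions.

```python
import re
# Column order is assumed from the rows quoted in the thread (the page never
# names them): MARK, SOURCE, DEST, PROTO, PORT(S), CLIENT PORT(S), USER, TEST.
_MARK_RE = re.compile(r"^(RESTORE|SAVE|CONTINUE|\d+)(?::(\d+))?(?::([PF]))?$")

# Constructed copies of the two tables Bob posted (bare 50 vs 50:F).
PREROUTING_VARIANT = """\
RESTORE:F   -   -      tcp
CONTINUE:F  -   -      tcp     -   -   -   !0
1:F         -   -      ipp2p   ipp2p
SAVE:F      -   -      tcp     -   -   -   1
50          -   eth0   -       -   -   -   1
50          -   eth1   -       -   -   -   1
"""
FORWARD_VARIANT = PREROUTING_VARIANT.replace("\n50 ", "\n50:F")

def parse_rule(line, device=1):
    """Describe one tcrules row: the chain it lands in and the tc class a
    numeric mark selects (minor = 100 + mark, as Tom's reply states)."""
    cols = line.split()
    mark, dest = cols[0], cols[2] if len(cols) > 2 else "-"
    m = _MARK_RE.match(mark)
    if not m:
        raise ValueError(f"unrecognised MARK column: {mark!r}")
    action, minor, chain = m.group(1), m.group(2), m.group(3)
    if minor is not None:
        # <major>:<minor> selects a class directly via the CLASSIFY target,
        # which Shorewall places in POSTROUTING (so an interface in DEST is fine).
        return {"chain": "POSTROUTING", "class": f"{action}:{minor}", "mark": None}
    chain = "FORWARD" if chain == "F" else "PREROUTING"   # default is PREROUTING
    # An output interface in DEST only exists after routing, hence the
    # compiler's complaint when such a row is compiled into PREROUTING.
    if chain == "PREROUTING" and dest[:1].isalpha():
        raise ValueError("Destination interface is not allowed in the PREROUTING chain")
    if action.isdigit():   # plain mark value: tc will pick class <device>:<100+mark>
        return {"chain": chain, "class": f"{device}:{100 + int(action)}", "mark": int(action)}
    return {"chain": chain, "class": None, "mark": None, "action": action}

def compile_rules(text, device=1):
    """Parse every non-blank row, raising on the first error as the compiler does."""
    return [parse_rule(l, device) for l in text.splitlines() if l.strip()]

def first_error(text, device=1):
    """Return the diagnostic for the first bad row, or None if all rows compile."""
    try:
        compile_rules(text, device)
    except ValueError as exc:
        return str(exc)
    return None
```

Run against the two tables, the bare-50 version reproduces the PREROUTING diagnostic, while the 50:F version compiles and shows mark 50 traffic being steered to class 1:150, which is where it should appear in the queue statistics.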


------------------------------------------------------------------------
leaf-user mailing list: leaf-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/leaf-user
Support Request -- http://leaf-project.org/