As seems typical in my life, my first need is what's almost considered the exceptional or hard case...

First, as the dump shows, I'm on 3.4.4, Ubuntu Gutsy. uname -a -> Linux hq.tarbox.org 2.6.22-14-server #1 SMP Sun Oct 14 22:09:15 GMT 2007 x86_64 GNU/Linux

I have a central server and want to do multi-provider shaping / routing and have services on the firewall (the server is hefty) which need to talk to the network and local servers and be shaped (in particular for asterisk voip and ssh, like I see often discussed)... so I have badness all around... shaping, multi-ISP, and services on the firewall.... ugh...

So, reading the information on the pages and searching yields information... but I don't know what to do with some of it and definitely can't tell if it's working. It's kinda working... things are flowing... I've effectively undone balancing... which I should be able to do.. (getting balancing working was the easy part... funny that way... turning it off, now that's another thing entirely :-)

I've included a dump as requested... it's pretty huge so I figure that just about anything you might need is in there...

So, the dump is for the simple case. I have a couple of rules to define how I want internal traffic routed to providers. I have other rules to provide bandwidth control in later chains through classification / prioritization / queues... (of course, this didn't really make sense to me... seems like with HIGH_MARKS one could "or" the low bits used for prioritization and get it all done in prefilter in one shot... but whatever... I'm sure there's a reason)

But then comes the question of what's happening with multi-provider priority assignment. Looking at the mangle table, it almost looks like it wants to classify... but none of the packets appear to be getting to the queues in tcpost... at least from what I can tell... so, it could be working, I guess, but I have no real way of knowing...

So, do I need to somehow use the "connection" marking stuff? There's no explanation as to what that really is... conntrack really wants to use it (it's reporting something... but not my stuff... at least a lot of the time)... but I've played around some with it and it didn't appear to help... perhaps by not doing the "save" and "restore" in tcrules I'm not saving state between the prefilter / tcout / tcfor / tcpost... I see some reference to this being all "connection" based... but that can't be right... we still need the data to end up in the queues to be processed in a prioritized fashion... but, while some traffic appears to get "classified" there... it's nowhere near what I'm pumping... of course, the connection stuff seems related to prefilter (meaning our prefilter rules won't get run to ensure that stuff gets routed back correctly... ok, I'm cool with that)... after which we still should be packet based... but then I read that just the first packet identifies a connection... and there's other stuff doing save / restore (e.g. conntrack) so I don't know if that's in the way... are my marks getting cleared before getting to the next chain? Perhaps going to the default queue at the root? Looks that way... but, who knows...

And, furthermore, while I can set rules in the prefilter, forward, and post chains, the $FW stuff gets done in output... so, if I needed to do a restore or save (again, whatever they are and why one might need to use them) with that packet information... how would I reference the tcout table to execute the store (only have :P, :F, :T)? So, I can't route properly there, perhaps due to strangeness with iptables... ok, I set the bindaddr in asterisk... but I still need it prioritized... doesn't appear to be happening even though it looks like the marks want to be set in the tcout chain.

Then I search and find these wonderful tools like IPTstate... which, unfortunately, fall just shy of usefulness here... sure, iptstate shows connections... and that's great... but all I see is source and destination... what about how it's going through the firewall? Like, what interface is the data going out on? I'm really surprised there's no method to define which interface one might be interested in in such an outstanding tool... of course, I have bmon and all the other similar tools... so I know when bulk data is going out the right interface... but no idea of the relationships back to connections... or source / destination... I could use wireshark... but I still won't see the queueing used to put the packets out... only by inferring that things are "better"... but that seems kinda out there... I have read about trace... and even thought about using accounting... but that didn't seem a no-brainer either..

Also, the docs are pretty thin in explaining what really goes on in the flow. I've read all the shorewall docs, and just about everything referenced... but when it comes to actually explaining what the routing is, how packet marking is supposed to work between chains in various tables, what a connection mark is, why it matters, how one might use it... I'm baffled... of course, much of this is an issue with iptables... Generally, I wouldn't need to know all this at the beginning... but it doesn't seem to be working... and I can't figure out what tests to run to determine inter-chain behavior given that the packet counts don't seem right...

So, I'm hugely impressed with iptables, shorewall as a kinda rule-based generator to simplify... and some of the neat things which I'd like to do eventually in user space to really twiddle the bits live to give real-time fine-grained control.. (perhaps not tonight :-)... but wow, even the easy stuff is hard... I can just imagine how wild the hard stuff is...

Thanks for listening and hopefully you can help.

-glenn
--
Glenn H. Tarbox, PhD
Attachment: shorewall.dump.gz (GNU Zip compressed data)
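A small diagnostic for the "I have no real way of knowing" problem in the post above, added here as an example and not part of the original message or of Shorewall itself: it reads the `iptables -t mangle -L -v -n` section that a shorewall dump contains and reports, per chain, which rules ever matched, how much of the POSTROUTING traffic the tcpost CLASSIFY rules cover, and how that splits by outgoing interface (the "what interface is the data going out on" question). The sample mangle output, its marks, interfaces and counters are constructed for the example; only the tcpre/tcout/tcpost chain names follow Shorewall's own scheme. A mangle counter proves only that the rule matched; whether tc actually queued the packet in that class has to be read separately from `tc -s class show dev <if>`.

```python
"""Summarise iptables mangle-table counters from a shorewall dump (example code)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample in the layout of `iptables -t mangle -L -v -n` as found in a
# `shorewall dump`.  Chain names tcpre/tcout/tcpost are Shorewall's; counters, marks,
# ports and interfaces are invented for illustration.
SAMPLE_MANGLE = """\
Chain PREROUTING (policy ACCEPT 48213 packets, 31M bytes)
 pkts bytes target     prot opt in     out     source               destination
48213   31M tcpre      all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 9120 packets, 1204K bytes)
 pkts bytes target     prot opt in     out     source               destination
 9120 1204K tcout      all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 57333 packets, 32M bytes)
 pkts bytes target     prot opt in     out     source               destination
57333   32M tcpost     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain tcout (1 references)
 pkts bytes target     prot opt in     out     source               destination
  812 60872 MARK       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:5060 MARK set 0x1
    0     0 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 MARK set 0x2

Chain tcpost (1 references)
 pkts bytes target     prot opt in     out     source               destination
  812 60872 CLASSIFY   all  --  *      eth1    0.0.0.0/0            0.0.0.0/0            MARK match 0x1 CLASSIFY set 1:10
    0     0 CLASSIFY   all  --  *      eth1    0.0.0.0/0            0.0.0.0/0            MARK match 0x2 CLASSIFY set 1:11
    0     0 CLASSIFY   all  --  *      eth2    0.0.0.0/0            0.0.0.0/0            MARK match 0x1 CLASSIFY set 1:10
"""

CHAIN_RE = re.compile(
    r"^Chain (\S+) \((?:policy (\S+) (\S+) packets, (\S+) bytes|(\d+) references)\)"
)
# iptables -v abbreviates large counters with decimal (1000-based) suffixes.
SUFFIX = {"K": 1_000, "M": 1_000_000, "G": 1_000_000_000}


def parse_counter(tok: str) -> int:
    if tok[-1] in SUFFIX:
        return int(tok[:-1]) * SUFFIX[tok[-1]]
    return int(tok)


@dataclass
class Rule:
    pkts: int
    bytes: int
    target: str
    proto: str
    in_if: str
    out_if: str
    src: str
    dst: str
    extra: str  # match/target options, e.g. "MARK match 0x1 CLASSIFY set 1:10"


@dataclass
class Chain:
    name: str
    policy: Optional[str] = None
    policy_pkts: int = 0  # built-in chains only: packets that reached the policy
    rules: List[Rule] = field(default_factory=list)


def parse_mangle(text: str) -> Dict[str, Chain]:
    chains: Dict[str, Chain] = {}
    current: Optional[Chain] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = CHAIN_RE.match(line)
        if m:
            name, policy, ppkts, _pbytes, _refs = m.groups()
            current = Chain(name, policy, parse_counter(ppkts) if ppkts else 0)
            chains[name] = current
            continue
        if line.startswith("pkts bytes") or current is None:
            continue  # column header, or text before the first chain
        f = line.split(None, 9)  # pkts bytes target prot opt in out src dst [extra]
        if len(f) < 9:
            continue  # not a rule line in the expected layout
        extra = f[9] if len(f) > 9 else ""
        current.rules.append(Rule(parse_counter(f[0]), parse_counter(f[1]), f[2],
                                  f[3], f[5], f[6], f[7], f[8], extra))
    return chains


def zero_hit_rules(chains: Dict[str, Chain], chain_name: str) -> List[Rule]:
    """Rules whose counter never moved: the mark or class they set is never applied."""
    return [r for r in chains[chain_name].rules if r.pkts == 0]


def classify_coverage(chains: Dict[str, Chain], chain="tcpost", parent="POSTROUTING") -> dict:
    """Packets that matched a CLASSIFY rule versus everything that left via POSTROUTING.

    MARK and CLASSIFY are non-terminating, so the POSTROUTING policy counter sees every
    packet; a large gap means most traffic reaches tc unclassified (the default class).
    """
    classify = [r for r in chains[chain].rules if r.target == "CLASSIFY"]
    classified = sum(r.pkts for r in classify)
    by_if: Dict[str, int] = {}
    for r in classify:
        by_if[r.out_if] = by_if.get(r.out_if, 0) + r.pkts
    total = chains[parent].policy_pkts
    return {"postrouting_pkts": total, "classified_pkts": classified,
            "fraction": classified / total if total else 0.0, "by_interface": by_if}


if __name__ == "__main__":
    tbl = parse_mangle(SAMPLE_MANGLE)
    cov = classify_coverage(tbl)
    print(f"classified {cov['classified_pkts']} of {cov['postrouting_pkts']} packets "
          f"({cov['fraction']:.1%}); per interface: {cov['by_interface']}")
    for r in zero_hit_rules(tbl, "tcpost"):
        print(f"never matched: out={r.out_if} {r.extra}")
```

Run it against the real dump by replacing SAMPLE_MANGLE with the mangle section of `shorewall dump`; a CLASSIFY rule that never matches while the MARK rule in tcout or tcpre that feeds it does is exactly the "marks getting cleared between chains" symptom the post describes, and is the point at which the tcrules SAVE/RESTORE columns become relevant.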
