On Mon, 2007-12-03 at 02:58 -0800, Glenn Tarbox, PhD wrote:
> I've included a dump as requested... it's pretty huge so I figure that
> just about anything you might need is in there...
>
> So, the dump is for the simple case. I have a couple of rules to define how I
> want internal traffic routed to providers.
Here's what I see:
Chain tcfor (1 references)
pkts bytes target prot opt in out source destination
0 0 MARK udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:9998 MARK set 0xa
0 0 MARK udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:9999 MARK set 0xa
1925 101K MARK tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 MARK set 0x1e
0 0 MARK tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8802 MARK set 0x32
The first two rules could be combined by using a port range.
In /etc/shorewall/tcrules:
0xa 0.0.0.0/0 0.0.0.0/0 udp 9998:9999
19955 packets were forwarded during the period covered by the dump:
Chain FORWARD (policy ACCEPT 19956 packets, 13M bytes)
19955 13M tcfor 0 -- * * 0.0.0.0/0 0.0.0.0/0
So you are only marking about 10 percent of them (1925 out of 19955).
For OUTPUT, you are mistakenly trying to set traffic control marks in
the tcout chain. This is actually a bug in Shorewall-shell (all versions
including 4.0.6). The tcout chain should have the same restriction as
the PREROUTING chain -- namely that with HIGH_ROUTE_MARKS=Yes, only high
mark values can be assigned in that chain. Shorewall-shell doesn't
enforce that.
At any rate, none of the traffic matched any of your rules. The
requirements seem similar enough that you might just move all of the
rules to POSTROUTING and only have to code them once.
In summary, you marked only 10% of the forwarded traffic and none of the
OUTPUT traffic. This leads, of course, to most of the traffic going into
the default classes.
Chain tcpost (1 references)
pkts bytes target prot opt in out source destination
0 0 CLASSIFY 0 -- * eth0 0.0.0.0/0 0.0.0.0/0 MARK match 0xa/0xff CLASSIFY set 1:110
0 0 CLASSIFY 0 -- * eth0 0.0.0.0/0 0.0.0.0/0 MARK match 0x14/0xff CLASSIFY set 1:120
1922 100K CLASSIFY 0 -- * eth0 0.0.0.0/0 0.0.0.0/0 MARK match 0x1e/0xff CLASSIFY set 1:130
0 0 CLASSIFY 0 -- * eth0 0.0.0.0/0 0.0.0.0/0 MARK match 0x28/0xff CLASSIFY set 1:140
0 0 CLASSIFY 0 -- * eth0 0.0.0.0/0 0.0.0.0/0 MARK match 0x32/0xff CLASSIFY set 1:150
0 0 CLASSIFY 0 -- * eth2 0.0.0.0/0 0.0.0.0/0 MARK match 0xa/0xff CLASSIFY set 2:110
0 0 CLASSIFY 0 -- * eth2 0.0.0.0/0 0.0.0.0/0 MARK match 0x14/0xff CLASSIFY set 2:120
2 104 CLASSIFY 0 -- * eth2 0.0.0.0/0 0.0.0.0/0 MARK match 0x1e/0xff CLASSIFY set 2:130
0 0 CLASSIFY 0 -- * eth2 0.0.0.0/0 0.0.0.0/0 MARK match 0x28/0xff CLASSIFY set 2:140
0 0 CLASSIFY 0 -- * eth2 0.0.0.0/0 0.0.0.0/0 MARK match 0x32/0xff CLASSIFY set 2:150
Looking at the Traffic control part of the dump, here is the interesting
part of eth0:
class htb 1:130 parent 1:1 leaf 130: prio 3 quantum 1500 rate 100000bit ceil 1000Kbit burst 1624b/8 mpu 0b overhead 0b cburst 2749b/8 mpu 0b overhead 0b level 0
Sent 423522 bytes 6419 pkt (dropped 0, overlimits 0 requeues 0)
rate 496bit 0pps backlog 0b 0p requeues 0
lended: 4299 borrowed: 2120 giants: 0
tokens: 121953 ctokens: 20984
class htb 1:140 parent 1:1 leaf 140: prio 4 quantum 1500 rate 100000bit ceil 1000Kbit burst 1624b/8 mpu 0b overhead 0b cburst 2749b/8 mpu 0b overhead 0b level 0
Sent 2258870 bytes 2519 pkt (dropped 0, overlimits 0 requeues 0)
rate 2232bit 0pps backlog 0b 0p requeues 0
lended: 1523 borrowed: 996 giants: 0
tokens: 14453 ctokens: 10234
These two classes are identically defined from the point of view of HTB
except that 1:140 appears to be the default. These two are getting all
of the traffic.
For eth4:
class htb 2:130 parent 2:1 leaf 130: prio 3 quantum 1500 rate 60000bit ceil 600000bit burst 1574b/8 mpu 0b overhead 0b cburst 2249b/8 mpu 0b overhead 0b level 0
Sent 132 bytes 2 pkt (dropped 0, overlimits 0 requeues 0)
rate 0bit 0pps backlog 0b 0p requeues 0
lended: 2 borrowed: 0 giants: 0
tokens: 188422 ctokens: 27640
class htb 2:140 parent 2:1 leaf 140: prio 4 quantum 1500 rate 60000bit ceil 600000bit burst 1574b/8 mpu 0b overhead 0b cburst 2249b/8 mpu 0b overhead 0b level 0
Sent 11250307 bytes 142912 pkt (dropped 0, overlimits 0 requeues 0)
rate 80bit 0pps backlog 0b 0p requeues 0
lended: 142912 borrowed: 0 giants: 0
tokens: 198828 ctokens: 28671
Note that the lonely two packets that were classified to 2:130 were
actually sent through that class. The rest went into the default class.
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ [EMAIL PROTECTED]
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
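The diagnosis above was done by reading counters off the dump by hand: which tcrules MARK rules ever fired, what share of the packets entering tcfor got marked, and which HTB class actually carried the bytes. The script below automates that reading. It is an added example, not code from the thread or from the Shorewall project; the sample input is reflowed from the posted dump, and all function names are this example's own. It copes with the email-wrapped form of `iptables -nv -L` output, where a rule's counters and its match detail land on separate lines.

```python
"""Read `iptables -nv -L` chain dumps and `tc -s class show` output and
report which MARK/CLASSIFY rules are actually firing and where the bytes
went.  Example code written for this thread; names are hypothetical."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample, reflowed from the posted dump: each rule's counters
# and its match detail are on separate lines, as in the email.
TCFOR_DUMP = """\
Chain tcfor (1 references)
pkts bytes target prot opt in out source destination
0 0 MARK udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:9998 MARK set 0xa
0 0 MARK udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:9999 MARK set 0xa
1925 101K MARK tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:22 MARK set 0x1e
0 0 MARK tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:8802 MARK set 0x32
"""
FORWARD_DUMP = """\
Chain FORWARD (policy ACCEPT 19956 packets, 13M bytes)
19955 13M tcfor 0 -- * * 0.0.0.0/0 0.0.0.0/0
"""
TC_DUMP = """\
class htb 1:130 parent 1:1 leaf 130: prio 3 quantum 1500 rate 100000bit ceil
1000Kbit burst 1624b/8 mpu 0b overhead 0b cburst 2749b/8 level 0
Sent 423522 bytes 6419 pkt (dropped 0, overlimits 0 requeues 0)
class htb 1:140 parent 1:1 leaf 140: prio 4 quantum 1500 rate 100000bit ceil
Sent 2258870 bytes 2519 pkt (dropped 0, overlimits 0 requeues 0)
class htb 2:130 parent 2:1 leaf 130: prio 3 quantum 1500 rate 60000bit ceil
Sent 132 bytes 2 pkt (dropped 0, overlimits 0 requeues 0)
class htb 2:140 parent 2:1 leaf 140: prio 4 quantum 1500 rate 60000bit ceil
Sent 11250307 bytes 142912 pkt (dropped 0, overlimits 0 requeues 0)
"""

@dataclass
class Rule:
    pkts: int
    target: str
    out_if: str
    detail: str = ""          # match text, e.g. "tcp dpt:22 MARK set 0x1e"

@dataclass
class Chain:
    name: str
    policy_pkts: Optional[int]   # only built-in chains carry a policy count
    rules: List[Rule] = field(default_factory=list)

_CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy \w+ (\d+) packets|(\d+) references)")
# pkts bytes target prot opt in out source destination [detail]
_RULE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)(.*)$")
_CLASS_RE = re.compile(r"^class htb (\S+) parent (\S+)")
_SENT_RE = re.compile(r"^Sent (\d+) bytes (\d+) pkt")

def parse_chain(text: str) -> Chain:
    """Parse one chain; a line that is neither a header nor a rule is
    treated as the wrapped continuation of the previous rule's detail."""
    chain = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("pkts"):
            continue
        m = _CHAIN_RE.match(line)
        if m:
            chain = Chain(m.group(1), int(m.group(2)) if m.group(2) else None)
            continue
        if chain is None:
            raise ValueError("rule line before any 'Chain' header")
        m = _RULE_RE.match(line)
        if m:
            chain.rules.append(Rule(int(m.group(1)), m.group(3), m.group(7),
                                    m.group(10).strip()))
        elif chain.rules:
            last = chain.rules[-1]
            last.detail = (last.detail + " " + line).strip()
        else:
            raise ValueError("unparseable line: %r" % line)
    if chain is None:
        raise ValueError("no 'Chain' header found")
    return chain

def idle_rules(chain: Chain) -> List[str]:
    """Rules that never matched: candidates for removal or for merging
    (e.g. two single-port MARK rules into one port-range rule)."""
    return [r.detail for r in chain.rules if r.pkts == 0]

def marked_fraction(tc_chain: Chain, hook_chain: Chain) -> float:
    """Share of packets jumping from the hook (FORWARD -> tcfor) that
    hit a MARK rule in the tc chain."""
    entering = sum(r.pkts for r in hook_chain.rules if r.target == tc_chain.name)
    marked = sum(r.pkts for r in tc_chain.rules if r.target == "MARK")
    return marked / entering if entering else 0.0

def parse_htb_stats(text: str) -> Dict[str, Tuple[int, int]]:
    """Map HTB class id -> (bytes sent, packets sent); wrapped option
    lines between the class header and its 'Sent' line are ignored."""
    stats, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = _CLASS_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = _SENT_RE.match(line)
        if m and current:
            stats[current] = (int(m.group(1)), int(m.group(2)))
    return stats

def busiest_class(stats: Dict[str, Tuple[int, int]]) -> str:
    return max(stats, key=lambda c: stats[c][0])

if __name__ == "__main__":
    tcfor, forward = parse_chain(TCFOR_DUMP), parse_chain(FORWARD_DUMP)
    print("%.1f%% of forwarded packets were marked" % (100 * marked_fraction(tcfor, forward)))
    for d in idle_rules(tcfor):
        print("never matched:", d)
    stats = parse_htb_stats(TC_DUMP)
    print("busiest class by bytes:", busiest_class(stats), stats[busiest_class(stats)])
```

Run against a real dump, point `parse_chain` at the tcfor, tcout and tcpost sections and `parse_htb_stats` at each device's class listing; a tc chain whose MARK rules account for a few percent of the hook's packets, combined with one leaf class carrying almost every byte, is the signature Tom describes above.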