On Apr 30, 2011, at 8:56 PM, Mr Dash Four wrote:

> 
>>>> 4.
>>>> A:eth0 - 1mbit classify,hfsc (tcdevices)
>>>>      
>> 
>> That syntax is completely wacky. What piece of the documentation led you to 
>> that one?
>>  
> "man shorewall-tcdevices" states that I could use hex numbers (A is a hex = 
> 10 decimal, right?). So, strictly speaking, it should be able to accept that 
> value. It gives an error instead.

The error is being presented on the tcclasses record, not the tcdevices record. 
So it is in the processing of that record that the error is being generated. 
I'm still mulling over how to fix that, but I'm leaning toward requiring the 
hex value to be preceded by '0x', when the value doesn't start with a digit.

> 
> Anyway, it looks as though I cannot force traffic-shaping on incoming traffic 
> by using tcrules AND use it on my INPUT chain AND use ipsets AND use user id 
> - it seems impossible.

That's correct. There is *no* netfilter hook between the time that a packet 
enters the box and when it gets redirected to an IFB. That is the entire reason 
that /etc/shorewall/tcfilters was originally invented. At 
http://www.shorewall.net/traffic_shaping.htm#IFB, it clearly states that: 
"Entries in /etc/shorewall/tcrules have no effect on shaping traffic through an 
IFB. To allow classification of such traffic, the /etc/shorewall/tcfilters file 
has been added. Entries in that file create u32 classification rules."

> 
> The documentation on tcrules is, well, let's just say, there is a lot to be 
> desired from it (where and in what circumstances am I allowed to use "I" and 
> "CI" for example?)

:I and :CI are included for completeness (the tcrules file is the only way to 
mark packets using Shorewall and packet marks are the "Swiss Army Knife" of 
Netfilter). Neither affects either policy routing or traffic shaping, and I've 
made that clear in the online copies of the tcrules man pages.

> - I started by using classes, but gave up soon after as they work only on the 
> postrouting chain,

Completely not true. But then, if you are trying to shape incoming traffic with 
tcrules, I can understand your confusion.

> which is not what I am after as I don't seem to be able to control incoming 
> traffic at all. I then tried simple marking, but then I seem to be unable to 
> specify the "I" flag anywhere in my tcrules to force it to shape the incoming 
> traffic, so there...

See above.

> 
> Finally there is, what I think a bug, in the latest shorewall version:
> 
> eth0:1 - 10*full/100:50ms 20*full/100 1 tcp-ack
> eth0:2 - 80*full/100 full 2
> eth0:2:21 - 20*full/100 full 3
> eth0:2:22 - 20*full/100 full 4
> eth0:2:23 - 20*full/100 full 5
> eth0:2:24 - 20*full/100 full 6
> eth0:2:25 - 20*full/100 full 7
> eth0:3 - 10*full/100 full 8 default
> 
> shorewall compile passes, but service shorewall (re)start ultimately fails 
> with:
> 
> The culprit seems to be the use of "1" (when replaced with "12" for example 
> all seems OK) - this should have been caught during the shorewall compilation.

Yes, it is the use of '1'; in that case, the compiler is not catching that 
duplication but the kernel is.

> 
> One other thing which I found in man shorewall-tcrules: in the classid 
> section it states that "the major class is the device number (the first 
> device in shorewall-tcdevices(5) is major class 1, the second device is 
> major class 2, and so on) and the minor class is the class's MARK value in 
> shorewall-tcclasses(5) preceded by the number 1 (MARK 1 corresponds to 
> minor class 11, MARK 5 corresponds to minor class 15, MARK 22 corresponds to 
> minor class 122, etc.)."
> 
> So, following that if I have a device with major 1, then a class defined in 
> tcclasses as, say, 21, I should therefore use 121 in my tcrules file (as 
> "1:121" in this case). That does not work and it gives me "Unknown Class" 
> error.

That only applies if you let Shorewall pick the class numbers; you are 
specifying them explicitly in tcclasses.

-Tom

Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
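An added example, written for this thread and not part of Shorewall or of either poster's message: a small Python lint over the tcclasses entries quoted above. It checks the two things the thread touches on, a class number that the compiler accepts but the kernel rejects, and which classid a tcrules entry must use (the explicit class number when one is given, or the MARK prefixed with the digit 1 when Shorewall picks the number). It assumes, as Tom's remark about "duplication" implies, that minor class 1 on each device is already taken by the per-device root class; the column layout (INTERFACE[:[PARENT:]CLASS] MARK RATE CEIL PRIORITY OPTIONS) follows the quoted entries.

```python
"""Lint a Shorewall tcclasses fragment and resolve tcrules class ids.

Added example for the mailing-list thread; not Shorewall's own code.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: the tcclasses entries quoted in the thread.
SAMPLE_TCCLASSES = """\
eth0:1 - 10*full/100:50ms 20*full/100 1 tcp-ack
eth0:2 - 80*full/100 full 2
eth0:2:21 - 20*full/100 full 3
eth0:2:22 - 20*full/100 full 4
eth0:2:23 - 20*full/100 full 5
eth0:2:24 - 20*full/100 full 6
eth0:2:25 - 20*full/100 full 7
eth0:3 - 10*full/100 full 8 default
"""

# Assumption: minor class 1 on every device is the root class Shorewall
# itself creates, so a user class numbered 1 is the "duplication" the
# compiler passes and the kernel rejects.
ROOT_CLASS = 1


@dataclass
class TcClass:
    line_no: int
    interface: str
    parent: Optional[int]        # parent class number, None for top level
    number: Optional[int]        # explicit class number, None if Shorewall picks
    mark: Optional[int]          # MARK column, None when given as '-'
    priority: int
    options: List[str] = field(default_factory=list)


def parse_tcclasses(text: str) -> List[TcClass]:
    """Parse INTERFACE[:[PARENT:]CLASS] MARK RATE CEIL PRIORITY [OPTIONS]."""
    classes: List[TcClass] = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split('#', 1)[0].strip()       # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        if len(fields) < 5:
            raise ValueError(f"line {line_no}: expected at least 5 columns")
        spec, mark, _rate, _ceil, prio = fields[:5]
        parts = spec.split(':')
        nums = [int(p) for p in parts[1:]]
        parent = number = None
        if len(nums) == 1:
            number = nums[0]
        elif len(nums) == 2:
            parent, number = nums
        elif len(nums) > 2:
            raise ValueError(f"line {line_no}: bad class spec {spec!r}")
        classes.append(TcClass(line_no, parts[0], parent, number,
                               None if mark == '-' else int(mark),
                               int(prio), fields[5:]))
    return classes


def lint(classes: List[TcClass]) -> List[str]:
    """Report class-number collisions, undefined parents and default-class count."""
    problems: List[str] = []
    seen: Dict[Tuple[str, int], int] = {}       # (interface, class) -> line
    defaults: Dict[str, List[int]] = {}
    for c in classes:
        if c.number is not None:
            key = (c.interface, c.number)
            if c.number == ROOT_CLASS:
                problems.append(f"line {c.line_no}: class {c.interface}:{c.number} "
                                f"collides with the root class")
            elif key in seen:
                problems.append(f"line {c.line_no}: class {c.interface}:{c.number} "
                                f"already defined on line {seen[key]}")
            seen.setdefault(key, c.line_no)
        if c.parent is not None and (c.interface, c.parent) not in seen:
            problems.append(f"line {c.line_no}: parent class "
                            f"{c.interface}:{c.parent} not defined above")
        if 'default' in c.options:
            defaults.setdefault(c.interface, []).append(c.line_no)
    for iface in sorted({c.interface for c in classes}):
        n = len(defaults.get(iface, []))
        if n != 1:
            problems.append(f"{iface}: expected exactly one default class, found {n}")
    return problems


def tcrules_classid(devices: List[str], c: TcClass) -> str:
    """Class id for a tcrules entry.

    MAJOR is the device's 1-based position in tcdevices.  MINOR is the
    explicit class number when the tcclasses entry has one; only when
    Shorewall picks the number is it the MARK prefixed with 1 (21 -> 121).
    """
    major = devices.index(c.interface) + 1
    if c.number is not None:
        minor = c.number
    elif c.mark is not None:
        minor = int('1' + str(c.mark))
    else:
        raise ValueError("class has neither an explicit number nor a MARK")
    return f"{major}:{minor}"


if __name__ == "__main__":
    found = lint(parse_tcclasses(SAMPLE_TCCLASSES))
    print("\n".join(found) if found else "no problems found")
```

Running the lint over the quoted file flags only the first line (class 1); replacing that class number with 12, as the poster did, produces a clean result. For the class `eth0:2:21` on the first tcdevices entry the tcrules classid is `1:21`, whereas an entry written as `eth0 21 ...` (no explicit class, MARK 21) would be `1:121`, which is the distinction Tom draws in his last reply.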


_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
