On May 3, 2011, at 5:13 PM, Mr Dash Four wrote:

>
>> They are 4 digits but iproute2 reserves the "upper half" (those values where
>> value LAND 0X8000 is non-zero). Shorewall currently does not enforce that
>> restriction.
>>
> I am not sure I understand this - what range of values for the hex are
> accepted then?
Thinking about this some more, Shorewall assumes a maximum of 255 devices with the similar assumption that device numbers will have a (decimal) value of 255 or less. So the maximum acceptable size is two hex digits. I will add enforcement of that limit before I release 4.4.19.2.

> Also, I've asked about the event-triggers in shorewall as I intend to run a
> script which creates my tcfilters file to be compiled by shorewall - I
> intended to use "init", but you mentioned in one of your previous posts that
> a "compile" script/file may be what is needed. In that script I have to load
> all my ipsets (which is what I am currently doing in "init") and then
> substitute the values in my tcfilters template with the actual ipset values
> and then pass the resulting file to shorewall for compilation.
>
> I know this is quite ugly, but I cannot see a better solution at present.

Nor can I. Note that the 'compile' script must be written in Perl since it is executed directly in the compiler.

> Finally, one more query before I delve into this - is it possible to enforce
> "traffic shaping" on a lo (loopback) device? I know it may sound/look a bit
> idiotic, but I am using this device to run quite a lot of "services" (mainly
> as a tunnel via the ssh server) and would like to prioritise these. Is there
> actually a limit on the lo device? If so, how much is it? The lo device is
> already in use by shorewall (i.e. it is defined/used in zones as well as
> rules and secmarks files).

You are on your own there. I haven't experimented with trying to shape traffic exiting on 'lo'. One thing I can tell you is that TCO and GCO are enabled on 'lo' in recent kernels. So you need to use the "minburst" setting when specifying the OUT-BANDWIDTH. See http://www.shorewall.net/LennyToSqueeze.html#SimpleTC. Don't be misled by the fact that only simple TC is mentioned at that URL; the same applies to Complex TC.
-Tom

Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
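The two concrete points in this exchange, the "two hex digits" device-number limit and the "substitute ipset values into a tcfilters template" workflow, can be shown in one small script. The following is an added example written for this thread; it is not Shorewall's own code and not the original poster's script. It assumes an @IPSET:name@ placeholder syntax for the template, treats a purely hexadecimal INTERFACE column as a device number, and embeds a constructed copy of `ipset list` output instead of running ipset, so it runs offline. It is written in Perl because, as noted above, a 'compile' script executes inside the Perl compiler.

```perl
#!/usr/bin/perl
# Added example (not Shorewall code): expand a tcfilters template whose SOURCE or
# DEST columns carry @IPSET:name@ placeholders into one tcfilters line per set
# member, and reject device numbers longer than two hex digits.
# Assumptions: the placeholder syntax, the column layout of the sample template,
# and the constructed `ipset list` output below are all illustrative.
use strict;
use warnings;

# Constructed stand-in for the output of `ipset list`; a real script would use
# my $ipset_output = `ipset list`; once the sets have been loaded.
my $IPSET_OUTPUT = <<'END';
Name: ssh_tunnels
Type: hash:ip
Header: family inet hashsize 1024 maxelem 65536
Members:
127.0.0.2
127.0.0.3
Name: bulk_hosts
Type: hash:net
Header: family inet hashsize 1024 maxelem 65536
Members:
10.0.0.0/24
END

# Constructed tcfilters template (INTERFACE:CLASS SOURCE DEST PROTO DPORT).
my $TEMPLATE = <<'END';
#INTERFACE:CLASS  SOURCE              DEST                PROTO  DPORT
1:10              @IPSET:ssh_tunnels@ -                   tcp    22
1:20              -                   @IPSET:bulk_hosts@  -      -
END

# Map each set name to its list of members.
sub parse_ipset_list {
    my ($text) = @_;
    my (%sets, $name, $in_members);
    for my $line (split /\n/, $text) {
        if ($line =~ /^Name:\s*(\S+)/) {
            $name = $1;
            $sets{$name} = [];
            $in_members = 0;
        } elsif ($line =~ /^Members:/) {
            $in_members = 1;
        } elsif ($in_members && $line =~ /\S/) {
            push @{ $sets{$name} }, (split ' ', $line)[0];  # drop per-entry options
        }
    }
    return \%sets;
}

# Rule from this thread: a device number is hex and at most two digits (1..FF),
# which also keeps it clear of the iproute2-reserved range (value & 0x8000 != 0).
sub valid_device_number {
    my ($hex) = @_;
    return 0 unless $hex =~ /^[0-9a-fA-F]{1,2}$/;
    my $n = hex $hex;
    return $n >= 1 && ($n & 0x8000) == 0;
}

sub expand_template {
    my ($template, $sets) = @_;
    my @out;
    for my $line (split /\n/, $template) {
        if ($line =~ /^\s*(#|$)/) { push @out, $line; next; }  # comments and blanks
        my ($dev) = split /:/, (split ' ', $line)[0], 2;
        # A purely hexadecimal INTERFACE column is treated as a device number.
        die "device number '$dev' exceeds two hex digits in: $line\n"
            if $dev =~ /^[0-9a-fA-F]+$/ && !valid_device_number($dev);
        my @lines = ($line);
        while ($lines[0] =~ /\@IPSET:(\w+)\@/) {
            my $name    = $1;
            my $members = $sets->{$name} or die "unknown ipset '$name'\n";
            die "ipset '$name' has no members\n" unless @$members;
            # Cartesian expansion: every partial line times every member.
            @lines = map {
                my $l = $_;
                map { (my $x = $l) =~ s/\@IPSET:\Q$name\E\@/$_/g; $x } @$members
            } @lines;
        }
        push @out, @lines;
    }
    return join("\n", @out) . "\n";
}

my $sets = parse_ipset_list($IPSET_OUTPUT);
print expand_template($TEMPLATE, $sets);
```

Run as a standalone script it writes the expanded tcfilters text to stdout, so it can be redirected to the file Shorewall compiles; a device number such as `100:10` in the template makes it die before anything is written, which is the enforcement Tom describes adding. The same two subroutines can be reused inside a 'compile' script, where the ipset text would come from the real `ipset list` rather than the embedded sample.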
_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
