Tom Eastep wrote: > > In particular, I'm thinking about the case where I might have <some >> number> of IP addresses to include in one set of classes - so >> potentially duplicating "address <something> and port <something>" >> rules many times in tcfilters. The particular group that's in mind at > > the moment is about 16 discrete IPs (not a simple address/mask set).
>With your tcrules approach, you only have to evaluate the long list of >tcrules once for any given connections (because you are using >SAVE/RESTORE). With tcfilters, you have to evaluate them on every >packet. So the tcrules approach is definitely a win from a CPU >utilization perspective. So I decided on the TC rules option in the end, and hit a few "gotchas" along the way - at least one of which was of my own making ! The first was a simple typo : 12 192.168.2.123/32 0.0.0.0/0 all - - - !0 �doesn't match packets with a mark value of zero. Doh. Then, next issue I found was that my classifier rules weren't working - because it seems that mark values don't get preserved between tcpre and tcpost. In hindsight, and once I'd realised that, it makes sense - the packet will have been through the routing process, so it's no longer the same packet, and hence will have lost it's packet mark in the process. So, thinks I, I'll just move the whole filter to the post-routing chain. Doh again. CONTINUE:T 0.0.0.0/0 0.0.0.0/0 all - - - !0 �neatly skips all the classifier rules as well as the ones I want it to skip. So this is what I've ended up with : # If the connection already has a mark, use it and skip the rest of the rules RESTORE 0.0.0.0/0 0.0.0.0/0 all - - - 0 CONTINUE 0.0.0.0/0 0.0.0.0/0 all - - - !0 # Customer/group A 12 192.168.2.123/32 0.0.0.0/0 all - - - 0 12 0.0.0.0/0 192.168.2.123/32 all - - - 0 12 192.168.2.111/32 0.0.0.0/0 all - - - 0 12 0.0.0.0/0 192.168.2.111/32 all - - - 0 11 0.0.0.0/0 0.0.0.0/0 icmp echo-request - - 12 11 0.0.0.0/0 0.0.0.0/0 icmp echo-reply - - 12 13 0.0.0.0/0 0.0.0.0/0 tcp 110 - - 12 13 0.0.0.0/0 0.0.0.0/0 tcp - 110 - 12 13 0.0.0.0/0 0.0.0.0/0 tcp 143 - - 12 13 0.0.0.0/0 0.0.0.0/0 tcp - 143 - 12 14 0.0.0.0/0 0.0.0.0/0 tcp 25 - - 12 14 0.0.0.0/0 0.0.0.0/0 tcp - 25 - 12 � # More groups go here # Assuming we've marked the packet, now save the mark to the connection SAVE 0.0.0.0/0 0.0.0.0/0 all - - - !0 # Convert marks to classes RESTORE:T 0.0.0.0/0 0.0.0.0/0 all - - - 0 1:11:T 0.0.0.0/0 0.0.0.0/0 all - - - 11 2:11:T 0.0.0.0/0 0.0.0.0/0 all - - - 11 CONTINUE:T 0.0.0.0/0 0.0.0.0/0 all - - - 11 1:12:T 0.0.0.0/0 0.0.0.0/0 all - - - 12 2:12:T 0.0.0.0/0 0.0.0.0/0 all - - - 12 CONTINUE:T 0.0.0.0/0 0.0.0.0/0 all - - - 12 1:13:T 0.0.0.0/0 0.0.0.0/0 all - - - 13 2:13:T 0.0.0.0/0 0.0.0.0/0 all - - - 13 CONTINUE:T 0.0.0.0/0 0.0.0.0/0 all - - - 13 1:14:T 0.0.0.0/0 0.0.0.0/0 all - - - 14 2:14:T 0.0.0.0/0 0.0.0.0/0 all - - - 14 CONTINUE:T 0.0.0.0/0 0.0.0.0/0 all - - - 14 � Putting the restore on the start of the post-routing chain restores the connection mark I've saved earlier, and it works just fine. Of course, I'd also forgotten that I need rules to classify both the inbound and outbound traffic - hence two classify rules per mark value. I noticed that Shorewall automatically substitutes the destination interface if the destination is 0.0.0.0/0 which saves a little more effort. So now to duplicate the existing rules, and find a quiet time to test it in the live network. I do have one further question though, about the mark column in tcclasses. The manpage says "Must be specified as '-' if the classify option is given for the interface�". If I put a number in that column, then I get "WARNING: Class NUMBER ignored -- INTERFACE ethint does not have the 'classify' option /etc/shorewall/tcclasses�". I was looking to see just what Shorewall does with it - ie if it would automate the latter part of my tcrules. -- Simon Hobson Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed author Gladys Hobson. Novels - poetry - short stories - ideal as Christmas stocking fillers. Some available as e-books. ------------------------------------------------------------------------------ LogMeIn Central: Instant, anywhere, Remote PC access and management. Stay in control, update software, and manage PCs from one command center Diagnose problems and improve visibility into emerging IT issues Automate, monitor and manage. Do more in less time with Central http://p.sf.net/sfu/logmein12331_d2d _______________________________________________ Shorewall-users mailing list Shorewall-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/shorewall-users
