crude single-stepping again, I mod'd 'setup_netfilter()'

        ...
        echo "DEBUG a8" && shorewall show mangle | grep SHAPER
            progress_message2 "Running $command..."
        echo "DEBUG a9" && shorewall show mangle | grep SHAPER
            cat ${VARDIR}/.iptables-restore-input | $command # Use this nonsensical form to appease SELinux
            rc=$?   # save the pipeline status: the DEBUG line below overwrites $? with grep's status
        echo "DEBUG a10" && shorewall show mangle | grep SHAPER
            if [ $rc != 0 ]; then
        echo "DEBUG a11" && shorewall show mangle | grep SHAPER
            fatal_error "iptables-restore Failed. Input is in ${VARDIR}/.iptables-restore-input"
        echo "DEBUG a12" && shorewall show mangle | grep SHAPER
            fi
        echo "DEBUG a13" && shorewall show mangle | grep SHAPER

        }
        ...


Which on exec of 

        firewall restart

outputs

        ...
        DEBUG a8
            3   337 SHAPER_EGRESS_PRE  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
            0     0 SHAPER_EGRESS      all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
        Chain SHAPER_EGRESS (1 references)
        Chain SHAPER_EGRESS_PRE (1 references)
        DEBUG a9
            3   337 SHAPER_EGRESS_PRE  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
            0     0 SHAPER_EGRESS      all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
        Chain SHAPER_EGRESS (1 references)
        Chain SHAPER_EGRESS_PRE (1 references)
        DEBUG a10
        DEBUG a11
           ERROR: iptables-restore Failed. Input is in /var/lib/shorewall-lite/.iptables-restore-input
        Restoring Shorewall Lite...
          OK ping @ INTFC=eth0
          OK ping @ INTFC=tun1
        Ingress shaping applied on eth0 uplink
        Ingress shaping applied on eth0 downlink.
        done.
        Shorewall Lite restored from /var/lib/shorewall-lite/restore
        Terminated
        ...

this

        cat ${VARDIR}/.iptables-restore-input | $command # Use this nonsensical form to appease SELinux

appears to be the culprit that causes the mangle chain clear

checking, it's recently created

        ls -al /var/lib/shorewall-lite/.iptables-restore-input
                -rw------- 1 root root 48K Aug 21 19:57 /var/lib/shorewall-lite/.iptables-restore-input

and does not contain trace of my SHAPER_EGRESS chain

        egrep "SHAPER" /var/lib/shorewall-lite/.iptables-restore-input
                (empty)


I'm currently suspicious of, and reading up on, SW's use of 
tcpre/tcfor/tcout/tcpost chains, per

        http://shorewall.net/PacketMarking.html#Shorewall

whereas in my script ip I'm using the 'main' POSTROUTING

                /usr/sbin/iptables -t mangle -N SHAPER_EGRESS
                /usr/sbin/iptables -t mangle -I POSTROUTING -o eth0 -j SHAPER_EGRESS

Simplifying now to see if I can get a clear test case.



p.s. Oops, sry.  Just noticed your request for the whole compiled script ...  
Sending *this* along now, just in case something's enlightening.



_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
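Added example (not from the poster or from Shorewall): a small parser for the iptables-restore input format that reports which chains a table declares and how many rules jump to a chain, since iptables-restore (unless run with --noflush) rebuilds each table listed in its input from exactly what the file declares, which is why a chain added by hand with `iptables -t mangle -N` is gone after the restore. The sample input is constructed; the chain names SHAPER_EGRESS and tcpost are the ones from the post.

```python
import re

# Constructed sample iptables-restore input (not the poster's real file):
# the mangle table jumps to Shorewall's tcpost chain but declares no
# SHAPER_EGRESS chain, so restoring it drops any hand-added SHAPER_EGRESS.
SAMPLE_RESTORE_INPUT = """\
*mangle
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:tcpost - [0:0]
-A POSTROUTING -j tcpost
COMMIT
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
COMMIT
"""

def parse_restore_input(text):
    """Parse iptables-save/restore text into {table: (declared chains, rules)}.
    '*name' opens a table, ':chain policy [pkts:bytes]' declares a chain,
    other lines are rules ('-A chain ...'), and 'COMMIT' closes the table."""
    tables, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            current = line[1:]
            tables[current] = (set(), [])
        elif line == "COMMIT":
            current = None
        elif current is None:
            raise ValueError("directive outside a table: %r" % line)
        elif line.startswith(":"):
            tables[current][0].add(line[1:].split()[0])
        else:
            tables[current][1].append(line)
    return tables

def missing_chains(text, table, required):
    """Required chains that a restore would leave undefined in `table`.
    A table listed in the input is rebuilt from its declared chains only;
    a table absent from the input is left untouched, so nothing is missing."""
    parsed = parse_restore_input(text)
    if table not in parsed:
        return set()
    return set(required) - parsed[table][0]

def jump_count(text, table, chain):
    """Number of rules in `table` that jump (-j or -g) to `chain`."""
    rules = parse_restore_input(text).get(table, (set(), []))[1]
    pattern = r"\s-[jg]\s+%s(\s|$)" % re.escape(chain)
    return sum(1 for r in rules if re.search(pattern, r))
```

Run against the real file (`/var/lib/shorewall-lite/.iptables-restore-input` on the poster's box), `missing_chains(open(path).read(), "mangle", ["SHAPER_EGRESS"])` gives the same answer as the `egrep "SHAPER"` check above, but per table and per chain.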
