On 8/21/2014 8:18 PM, PGNd wrote:
> crude single-stepping again, I mod'd 'setup_netfilter()'
> 
>       ...
>       echo "DEBUG a8" && shorewall show mangle | grep SHAPER
>           progress_message2 "Running $command..."  
>       echo "DEBUG a9" && shorewall show mangle | grep SHAPER
>           cat ${VARDIR}/.iptables-restore-input | $command # Use this nonsensical form to appease SELinux
>       echo "DEBUG a10" && shorewall show mangle | grep SHAPER
>           if [ $? != 0 ]; then
>       echo "DEBUG a11" && shorewall show mangle | grep SHAPER
>           fatal_error "iptables-restore Failed. Input is in ${VARDIR}/.iptables-restore-input"
>       echo "DEBUG a12" && shorewall show mangle | grep SHAPER
>           fi
>       echo "DEBUG a13" && shorewall show mangle | grep SHAPER
> 
>       }
>       ...
> 
> 
> Which on exec of 
> 
>       firewall restart
> 
> outputs
> 
>       ...
>       DEBUG a8
>           3   337 SHAPER_EGRESS_PRE  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
>           0     0 SHAPER_EGRESS  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
>       Chain SHAPER_EGRESS (1 references)
>       Chain SHAPER_EGRESS_PRE (1 references)
>       DEBUG a9
>           3   337 SHAPER_EGRESS_PRE  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
>           0     0 SHAPER_EGRESS  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
>       Chain SHAPER_EGRESS (1 references)
>       Chain SHAPER_EGRESS_PRE (1 references)
>       DEBUG a10
>       DEBUG a11
>          ERROR: iptables-restore Failed. Input is in /var/lib/shorewall-lite/.iptables-restore-input
>       Restoring Shorewall Lite...
>         OK ping @ INTFC=eth0
>         OK ping @ INTFC=tun1
>       Ingress shaping applied on eth0 uplink
>       Ingress shaping applied on eth0 downlink.
>       done.
>       Shorewall Lite restored from /var/lib/shorewall-lite/restore
>       Terminated
>       ...
> 
> this
> 
>       cat ${VARDIR}/.iptables-restore-input | $command # Use this nonsensical form to appease SELinux
> 
> appears to be the culprit that causes the mangle chain clear
> 
> checking, it's recently created
> 
>       ls -al /var/lib/shorewall-lite/.iptables-restore-input 
>               -rw------- 1 root root 48K Aug 21 19:57 /var/lib/shorewall-lite/.iptables-restore-input
> 
> and does not contain trace of my SHAPER_EGRESS chain
> 
>       egrep "SHAPER" /var/lib/shorewall-lite/.iptables-restore-input
>               (empty)
> 
> 
> I'm currently suspicious of, and reading up on, SW's use of
> tcpre/tcfor/tcout/tcpost chains, per
> 
>       http://shorewall.net/PacketMarking.html#Shorewall
> 
> whereas in my script ip I'm using the 'main' POSTROUTING
> 
>               /usr/sbin/iptables -t mangle -N SHAPER_EGRESS
>               /usr/sbin/iptables -t mangle -I POSTROUTING -o eth0 -j SHAPER_EGRESS
> 
> Simplifying now to see if I can get a clear test case.

You will need to set up your iptables rules in the 'start' script, not
in tcstart. The tcstart mechanism is only designed for configuring
qdiscs and classes, but not any packet marking that goes along with it.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
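As an added illustration of the advice above (example code, not from this thread or from Shorewall itself), here is a sketch of an /etc/shorewall/start extension script that installs the SHAPER_EGRESS chain with the two iptables commands quoted in the post, plus a check that mirrors the `shorewall show mangle | grep SHAPER` probe used while debugging. It assumes Shorewall sources the file with VARDIR set (as the quoted setup_netfilter() suggests), that the iptables binary is /usr/sbin/iptables unless IPTABLES is exported, and that the uplink interface is eth0 unless SHAPER_IF overrides it; the apply step is made idempotent because a restart runs the start script again.

```shell
#!/bin/sh
# /etc/shorewall/start -- added example, not code from the thread or from Shorewall.
# Assumptions: Shorewall sources this file with VARDIR set; iptables lives at
# /usr/sbin/iptables unless IPTABLES is exported; the uplink is eth0 unless
# SHAPER_IF is set. Rules added here run after Shorewall's own ruleset has
# been loaded, so they are not wiped the way tcstart additions were.

IPTABLES=${IPTABLES:-/usr/sbin/iptables}
SHAPER_IF=${SHAPER_IF:-eth0}

# Create the SHAPER_EGRESS mangle chain and hook it into POSTROUTING for the
# given interface. Safe to re-run: 'iptables -N' on an existing chain fails,
# so an existing chain is flushed instead, and 'iptables -C' prevents stacking
# a second POSTROUTING jump on every restart.
apply_shaper_egress() {
    ifc=$1
    if "$IPTABLES" -t mangle -nL SHAPER_EGRESS >/dev/null 2>&1; then
        "$IPTABLES" -t mangle -F SHAPER_EGRESS
    else
        "$IPTABLES" -t mangle -N SHAPER_EGRESS || return 1
    fi
    "$IPTABLES" -t mangle -C POSTROUTING -o "$ifc" -j SHAPER_EGRESS 2>/dev/null ||
        "$IPTABLES" -t mangle -I POSTROUTING -o "$ifc" -j SHAPER_EGRESS
}

# Read a chain listing on stdin (e.g. the output of 'shorewall show mangle')
# and succeed only if a SHAPER_EGRESS jump bound to the interface is present.
# The pattern requires whitespace after the chain name so SHAPER_EGRESS_PRE
# does not produce a false positive.
shaper_present() {
    ifc=$1
    grep -q "SHAPER_EGRESS[[:space:]].*[[:space:]]${ifc}[[:space:]]"
}

# Apply only when Shorewall is sourcing this file (VARDIR set) on a host
# that actually has the iptables binary; otherwise the functions above are
# merely defined, which keeps the file safe to source for inspection.
if [ -n "${VARDIR:-}" ] && [ -x "$IPTABLES" ]; then
    apply_shaper_egress "$SHAPER_IF"
fi
```

After a `shorewall restart`, `shorewall show mangle | shaper_present eth0 && echo present` confirms the jump survived the restore step; if it did not, the chain was added from the wrong hook.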
