On Fri, Aug 22, 2014, at 07:42 AM, Tom Eastep wrote:
> ... if you populate the mangle table in the tcstart script, then 
> iptables-restore will replace your rules.

Noted.  And avoided.

> for what you are doing, 'start' is preferred.

Noted. Moved.

> > atm, moving the ENTIRE script to 'started' results in the mangle 
> > chain being preserved ... although the classification of traffic is 
> > NOT working as intended (yet).

Found the problem -- a MARK collision in mangle.

My QoS script's creating class numbering, starting with a "low latency" class 
at classid == 1:2

        /lib.private

                qos_control() {
                        ...
                        CLASS_LOW_LATENCY=2  # 1:2 Low latency (VoIP)
                        ...
                        ${TC_BIN} class add dev ${intfc} parent 1:1  classid 1:${CLASS_LOW_LATENCY} hfsc \
                          sc m1 ${uplink}kbit d 200ms m2 $((10*$uplink/10))kbit \
                          ul rate ${uplink}kbit
                        ...
                }

Checking the mangle table, this conflicts directly with my MultiISP config's 
'prov2' "MARK set 0x2",

        /provider
                ...
                prov2    2    2    main    EXTIF2    10.0.0.1    track,fallback    INTIF

        /mangle
                ...
                MARK(2):P    INTIF:xx.xx.xx.xx    -    tcp    ...
                ...

Changing the qos_script's class numbering to avoid the collision,

        /lib.private

                qos_control() {
                        ...
-                       CLASS_LOW_LATENCY=2  # 1:2  Low latency (VoIP)
+                       CLASS_LOW_LATENCY=10 # 1:10 Low latency (VoIP)
                        ...
                        ${TC_BIN} class add dev ${intfc} parent 1:1  classid 
1:${CLASS_LOW_LATENCY} hfsc \
                          sc m1 ${uplink}kbit d 200ms m2 $((10*$uplink/10))kbit 
\
                          ul rate ${uplink}kbit
                        ...
                }
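
Review bot: On the "+ CLASS_LOW_LATENCY=10" line, the value is substituted straight into "classid 1:${CLASS_LOW_LATENCY}", and tc reads the minor part of a classid as hexadecimal, so the class created is 1:0x10 (16 decimal) rather than decimal 10. Suggest stating the base in the comment, for example "# 1:10 (hex) Low latency (VoIP)", and confirming that whatever sets the packet mark for this class uses the matching value and that no entry in /provider uses that mark.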

Now classification is occurring as expected for VOIP traffic

        tc -s -d class show dev eth0
                ...
                class hfsc 1:10 parent 1:1 leaf 10: sc m1 5400Kbit d 200.0ms m2 5400Kbit ul m1 0bit d 0us m2 5400Kbit
                 Sent 232651 bytes 780 pkt (dropped 0, overlimits 0 requeues 0)
                 backlog 0b 0p requeues 0
                 period 780 work 232651 bytes rtwork 232651 bytes level 0
                ...

VOIP still *sounds* lousy, but that's a different issue.


_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
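
Added example, not part of the original message or of Shorewall: a small POSIX shell check for the kind of MARK collision described above, comparing the marks a QoS script uses against the MARK column of a providers file. The prov1 row, the column header and all function names are constructed for illustration, and it assumes the QoS script's class numbers are also the packet marks it sets.

```shell
#!/bin/sh
# Constructed sample in providers layout (prov2 row as in the message, prov1 invented).
sample_providers() {
cat <<'EOF'
#NAME  NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY   OPTIONS         COPY
prov1  1       1     main       EXTIF1     10.0.1.1  track,balance   INTIF
prov2  2       2     main       EXTIF2     10.0.0.1  track,fallback  INTIF
EOF
}

# to_int VALUE: print a decimal or 0x-hex mark as a decimal number.
# Anything else is rejected so file content never reaches $(( )) unchecked.
to_int() {
    case "$1" in
        ''|0[xX]|0[xX]*[!0-9a-fA-F]*|0[0-9]*) return 1 ;;
        0[xX]*) ;;
        *[!0-9]*) return 1 ;;
    esac
    echo "$(($1))"
}

# provider_marks: providers text on stdin -> "MARK NAME" per provider with a mark.
provider_marks() {
    while read -r pm_name pm_number pm_mark pm_rest; do
        case "$pm_name" in ''|'#'*) continue ;; esac
        pm_val=$(to_int "$pm_mark") || continue   # '-' or empty: no mark assigned
        echo "$pm_val $pm_name"
    done
}

# find_collisions PROVIDERS_TEXT NAME=MARK...
# Marks are compared as numbers. Note that tc itself reads N in "classid 1:N" as hex.
# Returns 1 if any QoS mark equals a provider mark, 2 on a malformed mark.
find_collisions() {
    fc_marks=$(printf '%s\n' "$1" | provider_marks); shift
    fc_status=0
    for fc_pair in "$@"; do
        fc_name=${fc_pair%%=*}
        fc_mark=$(to_int "${fc_pair#*=}") || return 2
        fc_hit=$(printf '%s\n' "$fc_marks" | awk -v m="$fc_mark" '$1 == m { print $2 }')
        if [ -n "$fc_hit" ]; then
            echo "$fc_name=$fc_mark collides with provider $fc_hit"
            fc_status=1
        fi
    done
    return $fc_status
}

# Demo: the original class number collides with prov2, the renumbered one does not.
find_collisions "$(sample_providers)" CLASS_LOW_LATENCY=2 CLASS_RENUMBERED=10 || true
```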
