On 8/22/2014 7:25 AM, PGNd wrote:
>
>
> On Fri, Aug 22, 2014, at 07:14 AM, Tom Eastep wrote:
>> You will need to set up your iptables rules in the 'start' script,
>> not in tcstart. The tcstart mechanism is only designed for
>> configuring qdiscs and classes, but not any packet marking that
>> goes along with it.
>
> Yep, *just* stumbled on same result ... moving the invocation of the
> entire script to 'started' seems to do the trick ... without yet
> realizing WHY.

The generated script configures qdiscs and classes before it configures
iptables. So when you use a tcstart script, it gets invoked prior to the
configuration of iptables. The generated script uses iptables-restore
and restores *all* of the tables. So if you populate the mangle table in
the tcstart script, then iptables-restore will replace your rules.

>
> (1) is 'start' recommended over 'started'?

The 'started' script runs after the generated script has done all of its
work, including issuing a log message stating that the 'start' or
'restart' operation was a success. The 'start' script is invoked prior
to that; for what you are doing, 'start' is preferred.

> (2) given "tcstart mechanism is only designed for configuring qdiscs
> and classes" -- is that a MUST or a MAY? should I necessarily *split*
> the script -- 'qdiscs/classes' setup invoked from tcstart, and the
> packet marking invoked from 'start(ed)' ?

No.

>
> atm, moving the ENTIRE script to 'started' results in the mangle
> chain being preserved ... although the classification of traffic is
> NOT working as intended (yet).

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
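An added example, not part of the original thread: a check that custom marking rules survived the iptables-restore step described above, by looking for them in the mangle section of iptables-save output. Both dumps, the interface eth0, port 22 and class 1:10 are constructed for illustration.

```shell
#!/bin/sh
# Print the "-A" rule lines of the mangle table from iptables-save text on stdin.
mangle_rules() {
    awk '
        /^\*/      { in_mangle = ($0 == "*mangle"); next }
        /^COMMIT$/ { in_mangle = 0; next }
        in_mangle && /^-A / { print }
    '
}

# Read a dump on stdin; report every expected rule (one per argument) that is
# not in the mangle table. Returns 1 if any rule is missing.
missing_rules() {
    present=$(mangle_rules)
    status=0
    for rule in "$@"; do
        if ! printf '%s\n' "$present" | grep -Fqx -e "$rule"; then
            printf 'missing from mangle: %s\n' "$rule"
            status=1
        fi
    done
    return "$status"
}

# Constructed dump: rule was added from tcstart, then replaced by iptables-restore.
sample_wiped() {
    cat <<'EOF'
*mangle
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
COMMIT
EOF
}

# Constructed dump: the same rule added from 'start', after the restore.
sample_kept() {
    cat <<'EOF'
*mangle
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -p tcp -m tcp --dport 22 -j CLASSIFY --set-class 0001:0010
COMMIT
EOF
}
```

On a live firewall the input would be `iptables-save` run as root after `shorewall restart`, piped into `missing_rules` with the rule lines you expect to see.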
