On 8/22/2014 8:25 AM, PGNd wrote:
> On Fri, Aug 22, 2014, at 08:07 AM, Tom Eastep wrote:
>> I recommend setting PROVIDER_OFFSET=8 and using mark values 0x100,
>> 0x200, ... for your provider marks. That way, TC will be using a
>> different part of the mark from multi-ISP. See
>
> Hadn't gotten to that yet. Done, thx.
>
>> for what you are doing, 'start' is preferred.
>
> After a complete system reboot for sanity-check, the mangle chain's missing
> again.
>
> A bit of testing -- making sure that everything's cleared/restarted/reloaded
> correctly -- determines that if invoked in 'start' -- mangle chain's
> cleared/missing on start.
>
> Moving it to 'started' cures the problem -- chain's there, and classification
> works.
The code near the end of your define_firewall() function should look
similar to this:
            run_start_exit            <========================

            do_iptables -N shorewall
            do_iptables -A shorewall -m recent --set --name %CURRENTTIME

            set_state Started /etc/shorewall/

            my_pathname=$(my_pathname)

            [ $my_pathname = ${VARDIR}/firewall ] || \
                cp -f $my_pathname ${VARDIR}/firewall

            run_started_exit          <======================
        fi

        date > ${VARDIR}/restarted

        case $COMMAND in
            start)
                logger -p kern.info "$g_product started"
                ;;
            restart)
                logger -p kern.info "$g_product restarted"
                ;;
            refresh)
                logger -p kern.info "$g_product refreshed"
                ;;
            restore)
                logger -p kern.info "$g_product restored"
                ;;
        esac
    }
I've pointed out where 'start' and 'started' are executed.
The two 'do_iptables' commands create and populate a chain named
'shorewall'. The presence of that chain tells /sbin/shorewall that the
firewall is in the started state. The rule in that chain is useful for
debugging recent-set issues.
Here's 'set_state':
    set_state () # $1 = state
    {
        if [ $# -gt 1 ]; then
            echo "$1 ($(date)) from $2" > ${VARDIR}/state
        else
            echo "$1 ($(date))" > ${VARDIR}/state
        fi
    }
So it is difficult to understand why your code would work in 'started'
but would fail in 'start'.
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
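Added example, not part of the message above or of Shorewall's own scripts: a small helper that an extension script (/etc/shorewall/start or /etc/shorewall/started) could source to record whether a given mangle chain is present at that hook, so the point at which the chain is lost can be pinpointed. The VARDIR default, the log file name, the chain names and the IPTABLES variable (overridable with a stub for offline testing) are assumptions; set_state mirrors the shape of the generated script's function quoted above.

```shell
#!/bin/sh
# Assumed defaults; all three can be overridden from the environment.
VARDIR="${VARDIR:-/var/lib/shorewall}"
IPTABLES="${IPTABLES:-iptables}"
LOGFILE="${LOGFILE:-$VARDIR/chain-trace.log}"

# Same shape as the generated firewall script's set_state:
# writes "<state> (<date>)" or "<state> (<date>) from <origin>".
set_state () # $1 = state, $2 = optional origin
{
    if [ $# -gt 1 ]; then
        echo "$1 ($(date)) from $2" > "${VARDIR}/state"
    else
        echo "$1 ($(date))" > "${VARDIR}/state"
    fi
}

# Exit status 0 if chain $1 exists in the mangle table, 1 otherwise.
# 'iptables -t mangle -S <chain>' fails for a chain that does not exist.
mangle_chain_exists () # $1 = chain name
{
    "$IPTABLES" -t mangle -S "$1" >/dev/null 2>&1
}

# Append "<hook> <chain> present|missing [<state file contents>]" to the
# trace log and print the verdict so the calling script can act on it.
# Typical use from /etc/shorewall/start:   trace_chain start   tcpre
# and from /etc/shorewall/started:         trace_chain started tcpre
trace_chain () # $1 = hook name, $2 = chain name
{
    verdict=missing
    if mangle_chain_exists "$2"; then
        verdict=present
    fi
    state=$(cat "${VARDIR}/state" 2>/dev/null || echo unknown)
    echo "$1 $2 $verdict [$state]" >> "$LOGFILE"
    echo "$verdict"
}
```

Comparing the two log lines written by the start and started hooks shows directly whether the chain survives the interval between them, together with the state recorded at each point.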