On 6/4/2015 7:38 AM, Jean-Marc Liotier wrote:
> Greetings, fellow Shorewall users ! After years of scripting ipfwadm, 
> ipchains and iptables, I stumbled upon Shorewall and finally found a 
> higher level tool to my liking... I now manage configurations more 
> complicated than anything I could hope to keep control of with my own 
> scripts - and I haven't looked back since then... So, for my first 
> message here I'll start with a big thank you to the developers !
>
> Now, I wish to take advantage of Shorewall's Traffic Control abilities 
> to achieve something approaching what my old modified Wondershaper used 
> to do... But meanwhile, IPv6 has become a large part of my traffic - so 
> I have read the documentation and I think I mostly understand the simple 
> configuration variant of shorewall & shorewall6 tc, except for one 
> important detail: how these two interact... Hence my question:
>
> The upstream interface for IPv4 is Ethernet, but the IPv6 one is a 6in4 
> tunnel built over the IPv4 interface. How is Shorewall aware that the 
> in-bandwidth of the IPv6 tunnel can't be defined because it is actually 
> nested in the total in-bandwidth of the IPv4 interface ? The 'Combined 
> IPv4/IPv6 Simple TC Configuration' seems to suppose that both IPv4 and 
> IPv6 share a single physical interface. Is the definition of a 6in4 
> tunnel in /etc/shorewall/tunnels with an IPv4 gateway what tells 
> Shorewall that IPv4 bears IPv6 ? So is one supposed to eschew declaring 
> the IPv6 interface in /etc/shorewall/tcdevices ? But then how is one 
> supposed to express /etc/shorewall/tcclasses ? Only for the physical 
> interface ?
>
> If this scenario is not covered by Shorewall's current functionality, I 
> have thought about a workaround: inserting a two-interface router 
> between my main (eight-interface) router and the outside. That way, the 
> 6in4 tunnel would terminate on the two-interface router so that on the 
> main router I would be able to configure the same outside Ethernet port 
> for both IPv4 and IPv6 - and therefore fall back into Shorewall's well 
> documented IPv4/IPv6 tc use-case.
>
> What do you people think ?

You can, of course, control the *total* IPv6 outbound traffic by
controlling protocol 41 on the Ethernet interface. If you want to
control the individual IPv6 application streams, then you need to do that
by defining traffic shaping on the SIT interface.

-Tom

-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

