Hi,
Long time shorewall user, but new to traffic shaping. My reason for using traffic control is in order to make VOIP calling work reliably. My VOIP devices mark the packets with TOS information and I'm using that as my basis in the tcclasses rules. For the most part this has solved my VOIP woes, but after a recent firewall upgrade I am getting some new syslog messages I have not seen before. Specifically:
kernel: [1595740.759044] nf_ct_Q.931: dropping packet: cannot process Q.931 message IN= OUT= SRC="" DST=192.168.6.96 LEN=190 TOS=0x00 PREC=0x00 TTL=97 ID=46108 PROTO=TCP SPT=1720 DPT=4254 SEQ=2035679657 ACK=2378695115 WINDOW=4369 RES=0x00 ACK FIN URGP=0
I've been doing a lot of research but have yet to find much detail about this kernel message. Therefore, I was hoping someone on the list might steer me in the right direction.
More about my setup, I'm running Shorewall 4.5.21.6 on Ubuntu 14.04.3. Below are my tc configuration files:
tcdevices:
1:eth0 - 6mbit # ISP
2:eth1 - 1000mbit # Internal
tcclasses:
eth0 1 120kbps 220kbps 1 tos=0x88/0xfc,tos=0xb8/0xfc
eth0 2 full/2 full 2 default
eth1 1 120kbps 220kbps 1 tos=0x88/0xfc,tos=0xb8/0xfc
eth1 2 full/4 full 2 default
tcrules:
1 $FW 0.0.0.0/0 udp 1194 - - - - 0xb8
1 $FW 0.0.0.0/0 udp 1194 - - - - 0x88
1 0.0.0.0/0 $FW udp 1194 - - - - 0xb8
1 0.0.0.0/0 $FW udp 1194 - - - - 0x88
1:F 0.0.0.0/0 0.0.0.0/0 all - - - - - 0xb8
1:F 0.0.0.0/0 0.0.0.0/0 all - - - - - 0x88
I am using the "stock" conntrack file as well and all the relevant netfilter modules appear to be loaded, e.g.:
nf_conntrack_sip 28672 2
nf_conntrack_h323 77824 4
nf_conntrack 106496 24 nf_nat_ftp,xt_CT,nf_conntrack_netbios_ns,nf_conntrack_proto_gre,xt_helper,nf_nat,xt_state,xt_connlimit,nf_nat_ipv4,xt_conntrack,nf_conntrack_amanda,nf_nat_masquerade_ipv4,ipt_CLUSTERIP,nf_conntrack_broadcast,xt_connmark,nf_conntrack_ftp,nf_conntrack_irc,nf_conntrack_sip,nf_conntrack_h323,nf_conntrack_ipv4,nf_conntrack_pptp,nf_conntrack_sane,nf_conntrack_snmp,nf_conntrack_tftp
Any help or advice is much appreciated.
Rick
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
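An added example, not part of the original post: a small parser that reads nf_ct_Q.931 log lines like the one quoted above, rebuilds each packet's IP TOS byte, and checks it against the tos=value/mask filters from the posted tcclasses. It assumes the kernel's IPv4 packet logger prints the TOS byte split into TOS= (bits 0x1E) and PREC= (bits 0xE0); the function names and the second sample line are constructed for illustration.

```python
import re

# tos=value/mask pairs from the tcclasses file in the post (class 1 on eth0 and eth1).
VOIP_TOS_FILTERS = [(0x88, 0xFC), (0xB8, 0xFC)]

# Sample input. The first line reuses the field values of the message in the post;
# the second line is constructed (TOS byte 0xb8 logged as TOS=0x18 PREC=0xA0).
SAMPLE_LOG = """\
kernel: [1595740.759044] nf_ct_Q.931: dropping packet: cannot process Q.931 message IN= OUT= SRC="" DST=192.168.6.96 LEN=190 TOS=0x00 PREC=0x00 TTL=97 ID=46108 PROTO=TCP SPT=1720 DPT=4254 SEQ=2035679657 ACK=2378695115 WINDOW=4369 RES=0x00 ACK FIN URGP=0
kernel: [1595741.000000] nf_ct_Q.931: dropping packet: cannot process Q.931 message IN= OUT= SRC=192.0.2.10 DST=192.168.6.96 LEN=120 TOS=0x18 PREC=0xA0 TTL=60 ID=1 PROTO=TCP SPT=1720 DPT=4255 SEQ=1 ACK=1 WINDOW=4369 RES=0x00 ACK PSH URGP=0
"""

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_fields(line):
    """Return the KEY=VALUE fields of one netfilter log line as a dict."""
    return dict(FIELD_RE.findall(line))


def tos_byte(fields):
    """Rebuild the IP TOS byte from the TOS= and PREC= fields of the log line."""
    return int(fields["TOS"], 16) | int(fields["PREC"], 16)


def shaping_class(tos):
    """Class the posted tos= filters select for this TOS byte (2 is the default class)."""
    return 1 if any((tos & mask) == value for value, mask in VOIP_TOS_FILTERS) else 2


def classify(log_text):
    """Return (SPT, DPT, TOS byte, DSCP, class) for every nf_ct_Q.931 line."""
    rows = []
    for line in log_text.splitlines():
        if "nf_ct_Q.931" not in line:
            continue
        fields = parse_fields(line)
        tos = tos_byte(fields)
        rows.append((fields["SPT"], fields["DPT"], tos, tos >> 2, shaping_class(tos)))
    return rows


if __name__ == "__main__":
    for spt, dpt, tos, dscp, cls in classify(SAMPLE_LOG):
        print(f"SPT={spt} DPT={dpt} TOS=0x{tos:02x} DSCP={dscp} -> class {cls}")
```

The /0xfc mask ignores the two low-order bits of the TOS byte, so 0x88 and 0xb8 are matched on their DSCP values (34 and 46) alone.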
